Machine Synopsis

Phoenix is a hard Linux machine that features with a `WordPress` site. Enumerating the website an attacker is able to find that a plugin vulnerable to SQL injection is installed. Unfortunately, the SQL injection is a `blind time-based` attack, which takes a long time to complete. To avoid spending a lot of time the attacker has to make very specific queries to dump only the data he needs to progress further. Dumping the credentials for the `Phoenix` user, which is an administrator, allows the attacker to authenticate but there is a two factor authentication plugin in place which prevents further access. Since the attacker has access to the WordPress database, the secret key to generate valid `One Time Password` can be retrieved and decrypted, thus allowing him to bypass the two factor authentication mechanism. Having access to the Administrator's panel another vulnerbale plugin is discovered. This time, an attacker is able to upload and execute `.phtml` malicious files in order to get a reverse shell on the remote machine as the `wp_user`. Once on the machine, the attacker is able to enumerate the database further without any constraints on the queries. This enumeration step reveals that the credentials for the WordPress user `Jsmith` are the same for the machine user `editor`. Trying to establish an SSH connection as the user `editor` reveals that there is another two factor authentication mechanism in place. To bypass it this time the attacker needs to investigate the SSH pam authentication mechanism. It is discovered that connections from a specific local subnet are allowed to authenticate without providing a verification password. So, if the attacker makes an SSH connection to the remote machine on the specific subnet he is able to authenticate as the `editor` user. Enumerating the remote machine as the `editor` user reveals a peculiar file with the `.sh.x` extension inside the `PATH`. It turns out that this file is an encrypted compiled shell script. Using `pspy` the clear text source code of this script can be extracted. It turns out it's a backup script that's executed every three minutes by the user `root` and it's vulnerable to wildcard injection attacks. Leveraging this vulnerability the attacker is able to get a reverse shell as the user `root`.