# Nmap 7.91 scan initiated Mon May 23 03:41:30 2022 as: nmap -sC -sV -oA nmap/paper 10.10.11.143
Nmap scan report for 10.10.11.143
Host is up (0.078s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 2048 10:05:ea:50:56:a6:00:cb:1c:9c:93:df:5f:83:e0:64 (RSA)
| 256 58:8c:82:1c:c6:63:2a:83:87:5c:2f:2b:4f:4d:c3:79 (ECDSA)
|_ 256 31:78:af:d1:3b:c4:2e:9d:60:4e:eb:5d:03:ec:a0:22 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2021-07-03T08:52:34
|_Not valid after: 2022-07-08T10:32:34
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 23 03:41:50 2022 -- 1 IP address (1 host up) scanned in 20.74 seconds
We can see that ports 80 and 443 are open (plus SSH on 22).
There is nothing interesting on the default page. After poking around for a while, I curled the page and found out that we need to add the site's domain name to the /etc/hosts file so the virtual host resolves.
After that, we get an entirely new page, which is built with WordPress.
Reading the posts on the forum, the replies under one of them hint at something.
There is a way to manipulate the URL to show unpublished posts by supplying the following query variable.
Putting asc as the value for the order parameter does not work, but desc does.
We are able to see the "hidden" post now.
If we look closely, we can find the secret registration URL for the chat system.
After registering an account, we are able to access the organization's chat system.
It says that we can interact with the bot named "recyclops" by supplying commands.
The two most interesting commands are shown here.
After playing with the bot for a bit, I am able to list the /etc/passwd and /proc/self/environ files, which help me to further the exploitation process.
We can see the password for the bot is Queenofblad3s!23, so we log in as dwight over SSH, since he is the developer of this bot.
User
Privilege Escalation
Use LinPEAS to scan for privilege escalation vectors.
Clone the repository and run the script on the victim machine.