Difference between revisions of "CTF Stapler: Walkthrough"

From OnnoWiki
Jump to navigation Jump to search
Line 491: Line 491:
 
Scan menggunakan,
 
Scan menggunakan,
  
  wpscan --url https://192.168.0.61:12380/blogblog/ --enumerate
+
  wpscan --url https://192.168.0.61:12380/blogblog/ -e u --disable-tls-checks
 +
wpscan --url https://192.168.0.61:12380/blogblog/ -e ap --disable-tls-checks
  
 
Hasilnya,
 
Hasilnya,
 +
 +
_______________________________________________________________
 +
          __          _______  _____
 +
          \ \        / /  __ \ / ____|
 +
          \ \  /\  / /| |__) | (___  ___  __ _ _ __ ®
 +
            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
 +
            \  /\  /  | |    ____) | (__| (_| | | | |
 +
              \/  \/  |_|    |_____/ \___|\__,_|_| |_| 
 +
 +
          WordPress Security Scanner by the WPScan Team
 +
                          Version 3.8.22
 +
        Sponsored by Automattic - https://automattic.com/
 +
        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
 
  _______________________________________________________________
 
  _______________________________________________________________
        __          _______  _____                 
 
        \ \        / /  __ \ / ____|               
 
          \ \  /\  / /| |__) | (___  ___  __ _ _ __ 
 
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
 
            \  /\  /  | |    ____) | (__| (_| | | | |
 
            \/  \/  |_|    |_____/ \___|\__,_|_| |_|
 
 
   
 
   
        WordPress Security Scanner by the WPScan Team
+
[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
                        Version 2.9.1
+
  [+] Started: Mon Jan 23 03:19:59 2023
          Sponsored by Sucuri - https://sucuri.net
 
    @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
 
  _______________________________________________________________
 
 
   
 
   
  [+] URL: https://192.168.1.13:12380/blogblog/
+
  Interesting Finding(s):
[+] Started: Tue Oct  4 20:09:24 2016
 
 
   
 
   
  [!] The WordPress 'https://192.168.1.13:12380/blogblog/readme.html' file exists exposing a version number
+
  [+] Headers
  [+] Interesting header: DAVE: Soemthing doesn't look right here
+
  | Interesting Entries:
  [+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
+
  |  - Server: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.1.13:12380/blogblog/wp-login.php?action=register
+
  |  - Dave: Soemthing doesn't look right here
[+] XML-RPC Interface available under: https://192.168.1.13:12380/blogblog/xmlrpc.php
+
  | Found By: Headers (Passive Detection)
[!] Upload directory has directory listing enabled: https://192.168.1.13:12380/blogblog/wp-content/uploads/
+
  | Confidence: 100%
[!] Includes directory has directory listing enabled: https://192.168.1.13:12380/blogblog/wp-includes/
+
 +
[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 +
  | Found By: Headers (Passive Detection)
 +
  | Confidence: 100%
 +
  | Confirmed By:
 +
  |  - Link Tag (Passive Detection), 30% confidence
 +
  |  - Direct Access (Aggressive Detection), 100% confidence
 +
  | References:
 +
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 +
  | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 +
 +
  [+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register  
 +
  | Found By: Di rect Access (Aggressive Detection)
 +
  | Confidence:  100%
 +
 +
[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp- content/uploads/
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 60%
 +
  | References:
 +
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
 +
  |  - https://github.com/wpscanteam/wpscan/issues/1299
 +
 +
[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 +
  | Found By: Rss Generator (Passive Detection)
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
  
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
+
[+] WordPress theme in use: bhost
[!] 23 vulnerabilities identified from the version number
+
  | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
 +
  | Last Updated: 2022-10-30T00:00:00.000Z
 +
  | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
 +
  | [!] The version is out of date, the latest version is 1.6
 +
  | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 +
  | Style Name: BHost
 +
  | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 +
  | Author: Masum Billah
 +
  | Author URI: http://getmasum.net/
 +
  |
 +
  | Found By: Css Style In Homepage (Passive Detection)
 +
  |
 +
  | Version: 1.2.9 (80% confidence)
 +
  | Found By: Style (Passive Detection)
 +
  |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'
 +
 +
[+] Enumerating Users (via Passive and Aggressive Methods)
 +
  Brute Forcing Author IDs - Time: 00:00:00
 +
<====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
 +
 +
[i] User(s) Identified:
 +
 +
[+] John Smith
 +
  | Found By: Author Posts - Display Name (Passive Detection)
 +
  | Confirmed By: Rss Generator (Passive Detection)
 +
 +
[+] john
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] garry
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] barry
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] elly
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] peter
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] heather
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] harry
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] scott
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] kathy
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[+] tim
 +
  | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 +
  | Confirmed By: Login Error Messages (Aggressive Detection)
 +
 +
[!] No WPScan API Token given, as a result vulnerability data has not been output.
 +
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 +
 +
[+] Finished: Mon Jan 23 03:20:02 2023
 +
[+] Requests Done: 23
 +
[+] Cached Requests: 55
 +
[+] Data Sent: 7.361 KB
 +
[+] Data Received: 49.097 KB
 +
[+] Memory used: 193.543 MB
 +
[+] Elapsed time: 00:00:03
  
[!] Title: WordPress 4.1-4.2.1 - Genericons Cross-Site Scripting (XSS)
 
    Reference: https://wpvulndb.com/vulnerabilities/7979
 
    Reference: https://codex.wordpress.org/Version_4.2.2
 
[i] Fixed in: 4.2.2
 
  
[!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
+
Hasil -e ap
    Reference: https://wpvulndb.com/vulnerabilities/8111
+
_______________________________________________________________
    Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
+
          __          _______  _____
    Reference: https://twitter.com/klikkioy/status/624264122570526720
+
          \ \        / /  __ \ / ____|
    Reference: https://klikki.fi/adv/wordpress3.html
+
          \ \  /\  / /| |__) | (___  ___  __ _ _ __ ®
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
+
            \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
+
            \  /\  /  | |    ____) | (__| (_| | | | |
[i] Fixed in: 4.2.3
+
              \/  \/  |_|    |_____/ \___|\__,_|_| |_|
 +
 +
          WordPress Security Scanner by the WPScan Team
 +
                          Version 3.8.22
 +
        Sponsored by Automattic - https://automattic.com/
 +
        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
 +
_______________________________________________________________
 +
 +
[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
 +
[+] Started: Mon Jan 23 03:23:24 2023
 +
 +
Interesting Finding(s):
 +
 +
[+] Headers
 +
  | Interesting Entries:
 +
  |  - Server: Apache/2.4.18 (Ubuntu)
 +
  |  - Dave: Soemthing doesn't look right here
 +
  | Found By: Headers (Passive Detection)
 +
  | Confidence: 100%
 +
 +
[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 +
  | Found By: Headers (Passive Detection)
 +
  | Confidence: 100%
 +
  | Confirmed By:
 +
  |  - Link Tag (Passive Detection), 30% confidence
 +
  |  - Direct Access (Aggressive Detection), 100% confidence
 +
  | References:
 +
  |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 +
  |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 +
 +
[+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100% 
 +
 +
[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp-content/uploads/
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 100%
 +
 +
[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 +
  | Found By: Direct Access (Aggressive Detection)
 +
  | Confidence: 60%
 +
  | References:
 +
  |  - https://www.iplocation.net/defend-wordpress-from-ddos
 +
  |  - https://github.com/wpscanteam/wpscan/issues/1299
 +
 +
[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 +
  | Found By: Rss Generator (Passive Detection)
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 +
  |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
  
[!] Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
+
[+] WordPress theme in use: bhost
    Reference: https://wpvulndb.com/vulnerabilities/8126
+
  | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
    Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
+
  | Last Updated: 2022-10-30T00:00:00.000Z
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
+
  | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
[i] Fixed in: 4.2.4
+
  | [!] The version is out of date, the latest version is 1.6
 
+
  | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
[!] Title: WordPress <= 4.2.3 - Timing Side Channel Attack
+
  | Style Name: BHost
    Reference: https://wpvulndb.com/vulnerabilities/8130
+
  | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
    Reference: https://core.trac.wordpress.org/changeset/33536
+
  | Author: Masum Billah
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
+
  | Author URI: http://getmasum.net/
[i] Fixed in: 4.2.4
+
  |
 
+
  | Found By: Css Style In Homepage (Passive Detection)
[!] Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
+
  |
    Reference: https://wpvulndb.com/vulnerabilities/8131
+
  | Version: 1.2.9 (80% confidence)
    Reference: https://core.trac.wordpress.org/changeset/33529
+
  | Found By: Style (Passive Detection)
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
+
  |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1,
[i] Fixed in: 4.2.4
+
Match: 'Version: 1.2.9'
 
+
[!] Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
+
[+] Enumerating All Plugins (via Passive Methods)
    Reference: https://wpvulndb.com/vulnerabilities/8132
+
    Reference: https://core.trac.wordpress.org/changeset/33541
+
[i] No plugins Found.
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
+
   
[i] Fixed in: 4.2.4
+
  [!] No WPScan API Token given, as a result vulnerability data has not been output.
 
+
  [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[!] Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
 
    Reference: https://wpvulndb.com/vulnerabilities/8133
 
    Reference: https://core.trac.wordpress.org/changeset/33549
 
    Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
 
[i] Fixed in: 4.2.4
 
 
 
[!] Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
 
    Reference: https://wpvulndb.com/vulnerabilities/8186
 
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
 
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
 
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
 
[i] Fixed in: 4.2.5
 
 
 
[!] Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
 
    Reference: https://wpvulndb.com/vulnerabilities/8187
 
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
 
    Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
 
[i] Fixed in: 4.2.5
 
 
 
[!] Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
 
    Reference: https://wpvulndb.com/vulnerabilities/8188
 
    Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
 
    Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
 
    Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
 
[i] Fixed in: 4.2.5
 
 
 
[!] Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
 
    Reference: https://wpvulndb.com/vulnerabilities/8358
 
    Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
 
    Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
 
[i] Fixed in: 4.2.6
 
 
 
[!] Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
 
    Reference: https://wpvulndb.com/vulnerabilities/8376
 
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
 
    Reference: https://core.trac.wordpress.org/changeset/36435
 
    Reference: https://hackerone.com/reports/110801
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
 
[i] Fixed in: 4.2.7
 
 
 
[!] Title: WordPress 3.7-4.4.1 - Open Redirect
 
    Reference: https://wpvulndb.com/vulnerabilities/8377
 
    Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
 
    Reference: https://core.trac.wordpress.org/changeset/36444
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
 
[i] Fixed in: 4.2.7
 
 
 
[!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
 
    Reference: https://wpvulndb.com/vulnerabilities/8473
 
    Reference: https://codex.wordpress.org/Version_4.5
 
    Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
 
[i] Fixed in: 4.5
 
 
 
[!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
 
    Reference: https://wpvulndb.com/vulnerabilities/8474
 
    Reference: https://codex.wordpress.org/Version_4.5
 
    Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
 
[i] Fixed in: 4.5
 
 
 
[!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
 
    Reference: https://wpvulndb.com/vulnerabilities/8475
 
    Reference: https://codex.wordpress.org/Version_4.5
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
 
[i] Fixed in: 4.5
 
 
 
[!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
 
    Reference: https://wpvulndb.com/vulnerabilities/8488
 
    Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
 
    Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
 
    Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
 
[i] Fixed in: 4.5.2
 
 
 
[!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
 
    Reference: https://wpvulndb.com/vulnerabilities/8489
 
    Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
 
    Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
 
    Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
 
    Reference: http://avlidienbrunn.com/wp_some_loader.php
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
 
[i] Fixed in: 4.2.8
 
 
 
[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
 
    Reference: https://wpvulndb.com/vulnerabilities/8518
 
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
 
    Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
 
[i] Fixed in: 4.2.9
 
 
 
[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
 
    Reference: https://wpvulndb.com/vulnerabilities/8519
 
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
 
    Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
 
    Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
 
[i] Fixed in: 4.2.9
 
 
 
[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
 
    Reference: https://wpvulndb.com/vulnerabilities/8520
 
    Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
 
    Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
 
[i] Fixed in: 4.2.9
 
 
 
[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
 
    Reference: https://wpvulndb.com/vulnerabilities/8615
 
    Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
 
    Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
 
    Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
 
    Reference: http://seclists.org/fulldisclosure/2016/Sep/6
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
 
[i] Fixed in: 4.2.10
 
 
 
[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
 
    Reference: https://wpvulndb.com/vulnerabilities/8616
 
    Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
 
    Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
 
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
 
[i] Fixed in: 4.2.10
 
 
 
[+] WordPress theme in use: bhost - v1.2.9
 
 
 
[+] Name: bhost - v1.2.9
 
  |  Location: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/
 
  |  Readme: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/readme.txt
 
[!] The version is out of date, the latest version is 1.3.3
 
  |  Style URL: https://192.168.1.13:12380/blogblog/wp-content/themes/bhost/style.css
 
|  Theme Name: BHost
 
|  Theme URI: Author: Masum Billah
 
|  Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
 
|  Author: Masum Billah
 
|  Author URI: http://getmasum.net/
 
 
   
 
   
[+] Enumerating usernames ...
+
[+] Finished: Mon Jan 23 03:23:29 2023
[+] Identified the following 10 user/s:
+
[+] Requests Done: 2
    +----+---------+-----------------+
+
  [+] Cached Requests: 34
    | Id | Login  | Name            |
+
[+] Data Sent: 660 B
    +----+---------+-----------------+
+
[+] Data Received: 1.093 KB
    | 1  | john    | John Smith      |
+
  [+] Memory used: 239.617 MB
    | 2 | elly    | Elly Jones      |
+
[+] Elapsed time: 00:00:05
    | 3  | peter  | Peter Parker    |
 
    | 4  | barry  | Barry Atkins    |
 
    | 5  | heather | Heather Neville |
 
    | 6  | garry  | garry          |
 
    | 7  | harry  | harry          |
 
    | 8  | scott  | scott          |
 
    | 9 | kathy  | kathy          |
 
    | 10 | tim    | tim            |
 
    +----+---------+-----------------+
 
 
 
 
 
[+] Enumerating plugins from passive detection ...
 
[+] No plugins found
 
 
 
[+] Enumerating all plugins (may take a while and use a lot of system resources) ...
 
 
 
  Time: 00:06:11 <=====================> (62804 / 62804) 100.00% Time: 00:06:11
 
 
 
[+] We found 4 plugins:
 
 
 
[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
 
|  Latest version: 1.0 (up to date)
 
  |  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 
[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 
 
 
[+] Name: akismet
 
|  Latest version: 3.2
 
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/akismet/
 
  
[!] We could not determine a version so all vulnerabilities are printed out
+
Keren!
 +
* Kita dapat banyak user
 +
* Tampaknya ada XSS Vulnerability, Path Traversal Vulnerability
  
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
 
    Reference: https://wpvulndb.com/vulnerabilities/8215
 
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
 
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
 
[i] Fixed in: 3.1.5
 
  
[+] Name: shortcode-ui - v0.6.2
 
|  Latest version: 0.6.2 (up to date)
 
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/
 
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 
[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/shortcode-ui/
 
  
[+] Name: two-factor
 
|  Latest version: 0.1-dev-20160412
 
|  Location: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/
 
|  Readme: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 
[!] Directory listing is enabled: https://192.168.1.13:12380/blogblog/wp-content/plugins/two-factor/
 
  
  
[+] Finished: Tue Oct  4 20:09:29 2016
+
This is great! Not only did we find a ton of users (which seem to correlate to the names we found earlier) but we also found a few XSS Vulnerabilities, a and a few plugins that we can use to research for possible vulnerable entry points.
[+] Requests Done: 37
 
[+] Memory used: 32.523 MB
 
[+] Elapsed time: 00:00:04
 
This is great! Not only did we find a ton of users (which seem to correlate to the names we found earlier) but we also found a few XSS Vulnerabilities, a Path Traversal Vulnerability and a few plugins that we can use to research for possible vulnerable entry points.
 
  
 
After doing some research, I found out that the advanced-video-embed-embed-videos-or-playlists was vulnerable to a LFI Exploit. Which can be found here!
 
After doing some research, I found out that the advanced-video-embed-embed-videos-or-playlists was vulnerable to a LFI Exploit. Which can be found here!

Revision as of 15:26, 23 January 2023

Description

+---------------------------------------------------------+
|                                                         |
|                                  __..--\              |
|                          __..--         \             |
|                  __..--          __..--             |
|          __..--          __..--       |             |
|          \ o        __..--____....----""              |
|           \__..--\                                    |
|           |         \                                   |
|          +----------------------------------+           |
|          +----------------------------------+           |
|                                                         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|   Name: Stapler           |          IP: DHCP           |
|   Date: 2016-June-08      |        Goal: Get Root!      |
| Author: g0tmi1k           | Difficultly: ??? ;)         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|                                                         |
| + Average beginner/intermediate VM, only a few twists   |
|   + May find it easy/hard (depends on YOUR background)  |
|   + ...also which way you attack the box                |
|                                                         |
| + It SHOULD work on both VMware and Virtualbox          |
|   + REBOOT the VM if you CHANGE network modes           |
|   + Fusion users, you'll need to retry when importing   |
|                                                         |
| + There are multiple methods to-do this machine         |
|   + At least two (2) paths to get a limited shell       |
|   + At least three (3) ways to get a root access        |
|                                                         |
| + Made for BsidesLondon 2016                            |
|   + Slides: https://download.vulnhub.com/media/stapler/ |
|                                                         |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
|   + ...and shout-outs to the VulnHub-CTF Team =)        |
|                                                         |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
|                                                         |
|       --~~Enjoy. Have fun. Happy Hacking.~~--       |
|                                                         |
+---------------------------------------------------------+

Instalasi

  • Download OVA
  • Install di VirtualBox
  • Jalankan==

Hack

netdiscover

Cek IP address server Stapler

netdiscover -r 192.168.0.0/24

hasilnya

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                   
                                                                                                                                                                                                                                 
 29 Captured ARP Req/Rep packets, from 21 hosts.   Total size: 1740                                                                                                                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.0.2     40:16:7e:22:e7:69      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.4     10:6f:3f:3d:73:d0      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.7     4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.9     10:6f:3f:17:94:94      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.7     4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.61    08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH                                                                                                                                                        
 192.168.0.60    74:d0:2b:6a:a9:66      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.101   08:60:6e:db:4e:b8      1      60  ASUSTek COMPUTER INC.                                                                                                                                                         
 192.168.0.141   b0:a7:b9:b6:c1:c9      3     180  TP-Link Corporation Limited                                                                                                                                                   
 192.168.0.102   6c:29:90:1e:89:7f      1      60  WiZ Connected Lighting Company Limited                                                                                                                                        
 192.168.0.145   c0:56:27:1c:be:e1      1      60  Belkin International Inc.                                                                                                                                                     
 192.168.0.169   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.170   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.169   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.170   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                                                                   
 192.168.0.199   b4:b0:24:3d:8b:3b      1      60  TP-Link Corporation Limited                                                                                                                                                   
 192.168.0.223   c0:56:27:67:0d:a3      1      60  Belkin International Inc.                                                                                                                                                     
 192.168.0.224   28:ff:3e:5c:10:32      4     240  zte corporation                                                                                                                                                               
 192.168.0.222   6c:16:32:63:52:21      4     240  HUAWEI TECHNOLOGIES CO.,LTD                                                                                                                                                   
 192.168.0.144   6e:65:e5:8a:25:0d      1      60  Unknown vendor                                                                                                                                                                
 0.0.0.0         b0:a7:b9:b6:c1:c9      1      60  TP-Link Corporation Limited 


Target di VirtualBox biasanya MAC 08:00:..... IP address target disini adalah

 192.168.0.61    08:00:27:8b:94:43      1      60  PCS Systemtechnik GmbH 


Port Scanning

Port scanning

nmap -sS -A -O -n -p1-60000 192.168.0.61
nmap -v -A 192.168.0.61

Hasilnya kira-kira,

Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 01:11 EST
Initiating SYN Stealth Scan at 01:11
Scanning 192.168.0.61 [1000 ports]
Discovered open port 21/tcp on 192.168.0.61
Discovered open port 139/tcp on 192.168.0.61
Discovered open port 3306/tcp on 192.168.0.61
Discovered open port 80/tcp on 192.168.0.61
Discovered open port 53/tcp on 192.168.0.61
Discovered open port 22/tcp on 192.168.0.61
Discovered open port 666/tcp on 192.168.0.61
Scanning 7 services on 192.168.0.61
Nmap scan report for 192.168.0.61
Host is up (0.00066s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.0.62
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp   open   domain      dnsmasq 2.75
| dns-nsid: 
|   NSID: 218m83 (3231386d3833)
|   id.server: CGK
|_  bind.version: dnsmasq-2.75
80/tcp   open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
139/tcp  open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp  open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 10
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, FoundRows, 
SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, IgnoreSigpipes, 
Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, 
LongPassword, ODBCClient, ConnectWithDatabase, SupportsCompression, SupportsAuthPlugins, 
SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: <Xp\x1EH]w*\x1C"+\x14\x19\x16*\x15ZnR\x1D
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:8B:94:43 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.005 days (since Mon Jan 23 01:04:14 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel  

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
| smb2-time: 
|   date: 2023-01-23T13:11:23
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   RED<00>              Flags: <unique><active>
|   RED<03>              Flags: <unique><active>
|   RED<20>              Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2023-01-23T13:11:23+00:00 

TRACEROUTE
HOP RTT     ADDRESS
1   0.66 ms 192.168.0.61

OS and Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.02 seconds
           Raw packets sent: 2024 (90.564KB) | Rcvd: 24 (1.428KB)

Salah satu yang menarik disini adalah FTP, dengan anonymous FTP login.

Anonymous FTP

Coba login anonymous ftp (username anonymous password bebas merdeka)

ftp 192.168.0.61 
Connected to 192.168.0.61.
220-
220-|----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.0.61:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Keren! cek ada file apa saja di FTP server tersebut dan ambil file yang ada :) ..

ftp> ls
550 Permission denied.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
100% 
|*************************************************************************************************************************************************************************************|   
107        0.91 KiB/s    00:00 ETA
226 Transfer complete.
107 bytes received in 00:00 (0.91 KiB/s)
ftp> quit
221 Goodbye.

Buka note

cat note                     

Isinya,

Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
         

Tidak ada yang terlalu menarik,tapi ada dua (2) nama :) ... mungkin bisa membantu nanti jika kita butuh bruteforce.

Coba SSH root

Coba akses.

ssh root@192.168.0.61                                                                                                  

Hasilnya gagal,

The authenticity of host '192.168.0.61 (192.168.0.61)' can't be established.
ED25519 key fingerprint is SHA256:eKqLSFHjJECXJ3AvqDaqSI9kP+EbRmhDaNZGyOrlZ2A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.61' (ED25519) to the list of known hosts.
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
root@192.168.0.61's password: 
Permission denied, please try again.


Tapi kita dapat satu nama lagi :) ..

Coba SMB

Coba,

smbclient -L 192.168.0.61

Password for [WORKGROUP\root]:

Coba isi password dengan root. Untung2-an berhasil :) .. Hasilnya kira-kira

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------  

        Workgroup            Master
        ---------            -------
        WORKGROUP            SCANDISK


Tampaknya ada 2 active share - kathy dan tmp. Yang menarik ada komentar - Fred, What are we doing here? Tampaknya Fred bisa mengakses kathy share. Mari kita akses kathy share menggunakan networked user/computer fred.

smbclient //fred/kathy -I 192.168.0.61 -N

Coba check ls

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

                19478204 blocks of size 1024. 16397108 blocks available
smb: \> 

Keren! tampaknya kita bisa tersambung. Lakukan enumerate file dan folder.

smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 11:02:27 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 11:02:27 2016

                19478204 blocks of size 1024. 16397108 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (3.3 KiloBytes/sec) 
(average 3.3 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> cd backup\
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 11:04:14 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 11:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015 
                19478204 blocks of size 1024. 16397108 blocks available
smb: \backup\> get vsftpd.conf 
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (306.4 KiloBytes/sec) (average 154.8 KiloBytes/sec)
smb: \backup\> quit


Setelah kita selesai dengan kathy share, kita bisa lakukan hal yang sama untuk tmp share,

smbclient //fred/tmp -I 192.168.0.61 -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun  7 04:08:39 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  ls                                  N      274  Sun Jun  5 11:32:58 2016

                19478204 blocks of size 1024. 16397096 blocks available
smb: \> quit

Tampaknya tidak ada yang menarik, paling tidak kita dapat file konfigurasi FTP, dan to-do-list.

Coba kita lihat,

cat todo-list.txt 

isinya,

I'm making sure to backup anything important for Initech, Kathy

Coba kita lihat,

cat ls            

isinya,

.:
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ


Nikto 12380

Cek web

nikto -h 192.168.0.61:12380

Hasilnya,

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.61
+ Target Hostname:    192.168.0.61
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are 
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put 
here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are 
you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put 
here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2023-01-23 01:55:17 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to 
protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render 
the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 
is the EOL for the 2.x branch.
+ Hostname '192.168.0.61' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-01-23 01:59:01 (GMT-5) (224 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Yang menarik, kita memperoleh 4 directory: /phpmyadin/, /blogblog/, /admin112233/, dan tentunya /robots.txt.

Akses Web

Coba akses,

https://192.168.0.61:12380/robots.txt

Tampak isinya,

User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

Mari kita coba

https://192.168.0.61:12380/admin112233/

Akan mengeluarkan "humor"

This could of been a BeEF-XSS hook ;)

Mari kita coba

https://192.168.0.61:12380/blogblog/

Tampak berisi blog, tidak ada yang terlalu menarik kecuali ada beberapa nama. Dan yang menarik ada login page.

WPScan

Scan menggunakan,

wpscan --url https://192.168.0.61:12380/blogblog/ -e u --disable-tls-checks
wpscan --url https://192.168.0.61:12380/blogblog/ -e ap --disable-tls-checks

Hasilnya,

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|  
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
[+] Started: Mon Jan 23 03:19:59 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100% 

[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ 

[+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100% 

[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register 
 | Found By: Di rect Access (Aggressive Detection)
 | Confidence:  100% 

[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp- content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
[+] WordPress theme in use: bhost
 | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2022-10-30T00:00:00.000Z
 | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 
<====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection) 

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection) 

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 23 03:20:02 2023
[+] Requests Done: 23
[+] Cached Requests: 55
[+] Data Sent: 7.361 KB
[+] Data Received: 49.097 KB
[+] Memory used: 193.543 MB
[+] Elapsed time: 00:00:03


Hasil -e ap

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_| 

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://192.168.0.61:12380/blogblog/ [192.168.0.61]
[+] Started: Mon Jan 23 03:23:24 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://192.168.0.61:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: https://192.168.0.61:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%  

[+] Registration is enabled: https://192.168.0.61:12380/blogblog/wp-login.php? action=register 
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://192.168.0.61:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://192.168.0.61:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://192.168.0.61:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
[+] WordPress theme in use: bhost
 | Location: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2022-10-30T00:00:00.000Z
 | Readme: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.6
 | Style URL: https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://192.168.0.61:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, 
Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 23 03:23:29 2023
[+] Requests Done: 2
[+] Cached Requests: 34
[+] Data Sent: 660 B
[+] Data Received: 1.093 KB
[+] Memory used: 239.617 MB
[+] Elapsed time: 00:00:05

Keren!

  • Kita dapat banyak user
  • Tampaknya ada XSS Vulnerability, Path Traversal Vulnerability



This is great! Not only did we find a ton of users (which seem to correlate to the names we found earlier) but we also found a few XSS Vulnerabilities, a and a few plugins that we can use to research for possible vulnerable entry points.

After doing some research, I found out that the advanced-video-embed-embed-videos-or-playlists was vulnerable to a LFI Exploit. Which can be found here!

Upon downloading the exploit, and running it, I was presented with an SSL error… So I went ahead and edited the code to include the following

import ssl ssl._create_default_https_context = ssl._create_unverified_context Once it ran successfully - I navigated to https://192.168.1.13:12380/blogblog/wp-content/uploads/ and was presented with a .jpeg file.

Referensi