csl-boats-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play  CyberSecLabs Boats at  https://www.cyberseclabs.co.uk/labs/beginner-labs

Tasks

Port Scanning

root@kali:~/cyberlabs/Boats$ nmap -sV -sT -sC -o nmapscan 172.31.1.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 20:17 EDT
Nmap scan report for 172.31.1.14
Host is up (0.11s latency).
Not shown: 988 filtered ports
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Apache httpd 2.2.11 ((Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-generator: WordPress 4.0.1
|_http-server-header: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
|_http-title: Boats | Boats
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
443/tcp   open  ssl/https?
|_ssl-date: 2020-05-31T00:19:50+00:00; +1s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_IDEA_128_CBC_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql              MySQL (unauthorized)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: BOATS
|   NetBIOS_Domain_Name: BOATS
|   NetBIOS_Computer_Name: BOATS
|   DNS_Domain_Name: Boats
|   DNS_Computer_Name: Boats
|   Product_Version: 6.3.9600
|_  System_Time: 2020-05-31T00:19:26+00:00
| ssl-cert: Subject: commonName=Boats
| Not valid before: 2020-04-21T19:39:55
|_Not valid after:  2020-10-21T19:39:55
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: BOATS, NetBIOS user: <unknown>, NetBIOS MAC: 02:33:63:0d:b9:ba (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-31T00:19:25
|_  start_date: 2020-05-31T00:12:56

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.08 seconds

Now we have WordPress CMS hosted on 80 port and we need to start enumerate a WordPress Plugins and Themes and Misconstructions and more to try to gain access to this application.

Application Enumeration

I will use a ffuf to fuzzing a directories and hidden files in application and on the other side i will run WPscan to scan WordPress vulnerable plugins and Themes and enumerating users.

After fuzzing directories i found a phpmyadmin path accessible without password.

Now I found a “WordPress” Table in Phpmyadmin and i can edit a “wp_users” table to login with admin account.

In “WP_Users” i found a user called “James” with “id=1” and this means this user has the administrator privileges and we need to change his password to login with his account.

I have changed a user_pass for james password to “secfathy” and select MD5 to generate a password with MD5 Hash.

Now we need to login with James account by using our password to WordPress Dashboard and to login to this dashboard we need to navigate to this following URL http://172.31.1.14/wp-login.php

Yes we have access with administrator privilege to WordPress dashboard and we need to get a reverse shell to access this machine, we have more than method like upload a malicious Theme or plugin with our backdoor with php extension or edit one of installed themes and replace this index page for example with our backdoor code to gain access and we can install a WPTerm Plugin to execute command on wordpress – but i will edit a Twenty Fourteen theme to add me code.

To edit a WordPress Themes navigate to Appearance Editor

I selected a “Index.php” page to add my code but I don’t prefer to use this method in production environment during any penetration testing assessment because if you didn’t get a backup, you will not be able to enter the main page of the site.

I will use a “p0wny webshell” to access a machine files simply https://github.com/flozz/p0wny-shell

After select a “index.php” i add my a p0wny webshell code to access web-shell and to save this action click to “Upload File” button.

by navigate to machine homepage you can find a Powny Shell terminal and i executed a whoami command to know what is my privileges and a terminal return system – our goal now to get a user.txt flag and root.txt flag from this user desktop and administrator desktop.

by using a powny shell i navigated to “C:\Users\james\Desktop” and i found a “access.txt” file

Now I have a access.txt flag and we need to get a “system.txt” flag and by small searching i found this flag in a administrator desktop

Yes!! we own a system flag

 

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *