Hi All, This is my write-up about boats machine from CyberSecLabs Platform in an easy category of security challenges.
[email protected]:~/cyberlabs/Boats$ nmap -sV -sT -sC -o nmapscan 172.31.1.14 Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 20:17 EDT Nmap scan report for 172.31.1.14 Host is up (0.11s latency). Not shown: 988 filtered ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.11 ((Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-generator: WordPress 4.0.1 |_http-server-header: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 |_http-title: Boats | Boats 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/https? |_ssl-date: 2020-05-31T00:19:50+00:00; +1s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_RC2_128_CBC_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC4_128_WITH_MD5 | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_IDEA_128_CBC_WITH_MD5 |_ SSL2_DES_64_CBC_WITH_MD5 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 3306/tcp open mysql MySQL (unauthorized) 3389/tcp open ssl/ms-wbt-server? | rdp-ntlm-info: | Target_Name: BOATS | NetBIOS_Domain_Name: BOATS | NetBIOS_Computer_Name: BOATS | DNS_Domain_Name: Boats | DNS_Computer_Name: Boats | Product_Version: 6.3.9600 |_ System_Time: 2020-05-31T00:19:26+00:00 | ssl-cert: Subject: commonName=Boats | Not valid before: 2020-04-21T19:39:55 |_Not valid after: 2020-10-21T19:39:55 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49163/tcp open msrpc Microsoft Windows RPC Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_nbstat: NetBIOS name: BOATS, NetBIOS user: <unknown>, NetBIOS MAC: 02:33:63:0d:b9:ba (unknown) |_smb-os-discovery: ERROR: Script execution failed (use -d to debug) | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-05-31T00:19:25 |_ start_date: 2020-05-31T00:12:56 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 206.08 seconds
Now we have WordPress CMS hosted on 80 port and we need to start enumerate a WordPress Plugins and Themes and Misconstructions and more to try to gain access to this application.
I will use a ffuf to fuzzing a directories and hidden files in application and on the other side i will run WPscan to scan WordPress vulnerable plugins and Themes and enumerating users.
After fuzzing directories i found a phpmyadmin path accessible without password.
Now I found a "WordPress" Table in Phpmyadmin and i can edit a "wp_users" table to login with admin account.
In "WP_Users" i found a user called "James" with "id=1" and this means this user has the administrator privileges and we need to change his password to login with his account.
I have changed a user_pass for james password to "secfathy" and select MD5 to generate a password with MD5 Hash.
Now we need to login with James account by using our password to WordPress Dashboard and to login to this dashboard we need to navigate to this following URL http://172.31.1.14/wp-login.php
Yes we have access with administrator privilege to WordPress dashboard and we need to get a reverse shell to access this machine, we have more than method like upload a malicious Theme or plugin with our backdoor with php extension or edit one of installed themes and replace this index page for example with our backdoor code to gain access and we can install a WPTerm Plugin to execute command on wordpress - but i will edit a Twenty Fourteen theme to add me code.
To edit a WordPress Themes navigate to Appearance > Editor
I selected a "Index.php" page to add my code but I don't prefer to use this method in production environment during any penetration testing assessment because if you didn't get a backup, you will not be able to enter the main page of the site.
I will use a "p0wny webshell" to access a machine files simply https://github.com/flozz/p0wny-shell
After select a "index.php" i add my a p0wny webshell code to access web-shell and to save this action click to "Upload File" button.
by navigate to machine homepage you can find a Powny Shell terminal and i executed a whoami command to know what is my privileges and a terminal return system - our goal now to get a user.txt flag and root.txt flag from this user desktop and administrator desktop.
by using a powny shell i navigated to "C:\Users\james\Desktop" and i found a "access.txt" file
Now I have a access.txt flag and we need to get a "system.txt" flag and by small searching i found this flag in a administrator desktop
Yes!! we own a system flag
That’s it, Feedback is appreciated and Thanks for reading.