Difference between revisions of "Mr-Robot: 1 ~ VulnHub - Walkthrough"
m (→Discovery) |
m (→Discovery) |
||
| Line 68: | Line 68: | ||
Manually trying default some standard credentials at '/wp-login.php' didn't bring any success so let's take a look around | Manually trying default some standard credentials at '/wp-login.php' didn't bring any success so let's take a look around | ||
| + | |||
| + | <syntaxhighlight lang=shell-session highlight="3,4" line> | ||
| + | root@kali:~# curl http://192.168.56.108/robots.txt | ||
| + | User-agent: * | ||
| + | fsocity.dic | ||
| + | key-1-of-3.txt | ||
| + | </syntaxhighlight> | ||
| + | '''Key 1: 073403c8a58a1f80d943455fb30724b9''' | ||
| + | |||
| + | Now, what else do we have here? list of users? passwords? | ||
| + | <syntaxhighlight lang="shell-session" highlight="" line> | ||
| + | root@kali:~# wget http://192.168.56.108/fsocity.dic | ||
| + | --2018-05-13 15:53:47-- http://192.168.56.108/fsocity.dic | ||
| + | Connecting to 192.168.56.107:80... connected. | ||
| + | HTTP request sent, awaiting response... 200 OK | ||
| + | Length: 7245381 (6.9M) [text/x-c] | ||
| + | Saving to: ‘fsocity.dic’ | ||
| + | .... | ||
| + | root@kali:/mnt/VM_Transfer/Pentesting/Mr. Robot# wc -l fsocity.dic | ||
| + | 858160 fsocity.dic | ||
| + | root@kali:~# sort -u fsocity.dic > fsocity.dic.sorted | ||
| + | root@kali:~# wc -l fsocity.dic.sorted | ||
| + | 11451 fsocity.dic.sorted | ||
| + | root@kali:~# head -15 fsocity.dic | ||
| + | true | ||
| + | false | ||
| + | wikia | ||
| + | from | ||
| + | the | ||
| + | now | ||
| + | Wikia | ||
| + | extensions | ||
| + | scss | ||
| + | window | ||
| + | http | ||
| + | var | ||
| + | page | ||
| + | Robot | ||
| + | Elliot | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Alright! We have good stuff! Let's now put it to use. First let's check if any of those can be used to log in to the WordPress admin console. | ||
| + | |||
| + | I'm going to utilize ''Hydra'' which is a threaded login cracker, to check these these against our target. | ||
| + | |||
| + | First we need the query string passed to the server after "Submit" is pressed on the log in form. Loade /wp-admin in the browser, fired up my ZAP in ''intercept'' mode, provided junk credentials ''asdf'', ''zxcv'', hit ''Submit''. According to what was intercepted by ''ZAP'', our query string looks like this: | ||
<syntaxhighlight lang=shell-session highlight="" line> | <syntaxhighlight lang=shell-session highlight="" line> | ||
| + | /wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| − | |||
Revision as of 07:42, 15 May 2018
Contents
Objective
Find three hidden flags. Acquire 'root' access
Source: [VulnHub.com]
Status: [Work in progress]
Methodology
Discovery
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.108
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-14 22:45 EDT
Nmap scan report for 192.168.56.108
Host is up (0.0011s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
MAC Address: 08:00:27:B4:E3:34 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
...Let's take a look that port 80
root@kali:/mnt/VM_Transfer/Pentesting/Mr. Robot# nikto -h 192.168.56.107
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.107
+ Target Hostname: 192.168.56.107
+ Target Port: 80
+ Start Time: 2018-05-13 15:46:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.56.107/?p=23>; rel=shortlink
+ OSVDB-5089: /admin/system.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution.
+ OSVDB-5090: /admin/exec.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7536 requests: 1 error(s) and 20 item(s) reported on remote host
+ End Time: 2018-05-13 15:50:06 (GMT-4) (216 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testedTwo things pop up - a possible WP installation and robots. txt.
Manually trying default some standard credentials at '/wp-login.php' didn't bring any success so let's take a look around
root@kali:~# curl http://192.168.56.108/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txtKey 1: 073403c8a58a1f80d943455fb30724b9
Now, what else do we have here? list of users? passwords?
root@kali:~# wget http://192.168.56.108/fsocity.dic
--2018-05-13 15:53:47-- http://192.168.56.108/fsocity.dic
Connecting to 192.168.56.107:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
....
root@kali:/mnt/VM_Transfer/Pentesting/Mr. Robot# wc -l fsocity.dic
858160 fsocity.dic
root@kali:~# sort -u fsocity.dic > fsocity.dic.sorted
root@kali:~# wc -l fsocity.dic.sorted
11451 fsocity.dic.sorted
root@kali:~# head -15 fsocity.dic
true
false
wikia
from
the
now
Wikia
extensions
scss
window
http
var
page
Robot
ElliotAlright! We have good stuff! Let's now put it to use. First let's check if any of those can be used to log in to the WordPress admin console.
I'm going to utilize Hydra which is a threaded login cracker, to check these these against our target.
First we need the query string passed to the server after "Submit" is pressed on the log in form. Loade /wp-admin in the browser, fired up my ZAP in intercept mode, provided junk credentials asdf, zxcv, hit Submit. According to what was intercepted by ZAP, our query string looks like this:
/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1
<to be continued>
Entry Point #1 - Port 80 (HTTP)
Recommendations
Appendix A: Vulnerability Detail and Mitigation
| Rating | High |
| Description | xxxxxx |
| Impact | xxxxx |
| Remediation | xxxxx |
| Rating | High |
| Description | xxxxxx |
| Impact | xxxxx |
| Remediation | xxxxx |