Backdoor machine, Hack The Box
We run a service scan and find that the machine exposes two services: SSH on port 22 and HTTP on port 80.
# Nmap 7.92 scan initiated Mon Jan 17 19:13:04 2022 as: nmap -sC -sV -p22,80 -oN nmap 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up (0.082s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 17 19:13:15 2022 -- 1 IP address (1 host up) scanned in 11.17 seconds
We see that it hosts a web page,
and we also see that it runs on WordPress, as our scan indicated.
Let's enumerate it with wpscan to see what we find.
┌─[✗]─[root@angussmoody]─[/mnt/angussMoody/Machines/Backdoor]
└──╼ #wpscan --url http://backdoor.htb/ --api-token XEDRIT4KnQXgIA45weDfLzVO1N8x3sps344IGp75t30 --enumerate p,t,u --plugins-detection aggressive
WordPress Security Scanner by the WPScan Team
Version 3.8.17
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://backdoor.htb/ [10.10.11.125]
[+] Started: Mon Jan 17 20:03:43 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://backdoor.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://backdoor.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://backdoor.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
|
| [!] 5 vulnerabilities identified:
|
| [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
| Fixed in: 5.8.2
| References:
| - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
| - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/ticket/54207
|
| [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
| Fixed in: 5.8.3
| References:
| - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
| - https://hackerone.com/reports/1378209
|
| [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
| Fixed in: 5.8.3
| References:
| - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
| - https://hackerone.com/reports/425342
| - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
|
| [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
| Fixed in: 5.8.3
| References:
| - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
|
| [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
| Fixed in: 5.8.3
| References:
| - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
| - https://hackerone.com/reports/541469
[+] WordPress theme in use: twentyseventeen
| Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
| Latest Version: 2.8 (up to date)
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
| Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'
[+] Enumerating Most Popular Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:00:25 <=========================================================================================================> (1500 / 1500) 100.00% Time: 00:00:25
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://backdoor.htb/wp-content/plugins/akismet/
| Latest Version: 4.2.1
| Last Updated: 2021-10-01T18:28:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/akismet/, status: 403
|
| [!] 1 vulnerability identified:
|
| [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 3.1.5
| References:
| - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
| - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
| - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
|
| The version could not be determined.
[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:07 <===========================================================================================================> (400 / 400) 100.00% Time: 00:00:07
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] twentynineteen
| Location: http://backdoor.htb/wp-content/themes/twentynineteen/
| Latest Version: 2.1 (up to date)
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentynineteen/readme.txt
| Style URL: http://backdoor.htb/wp-content/themes/twentynineteen/style.css
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/themes/twentynineteen/, status: 500
|
| Version: 2.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentynineteen/style.css, Match: 'Version: 2.1'
[+] twentyseventeen
| Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
| Latest Version: 2.8 (up to date)
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
| Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.8'
[+] twentytwenty
| Location: http://backdoor.htb/wp-content/themes/twentytwenty/
| Latest Version: 1.8 (up to date)
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentytwenty/readme.txt
| Style URL: http://backdoor.htb/wp-content/themes/twentytwenty/style.css
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/themes/twentytwenty/, status: 500
|
| Version: 1.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.8'
[+] twentytwentyone
| Location: http://backdoor.htb/wp-content/themes/twentytwentyone/
| Latest Version: 1.4 (up to date)
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentytwentyone/readme.txt
| Style URL: http://backdoor.htb/wp-content/themes/twentytwentyone/style.css
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/themes/twentytwentyone/, status: 500
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentytwentyone/style.css, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=============================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://backdoor.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 6
| Requests Remaining: 19
[+] Finished: Mon Jan 17 20:04:30 2022
[+] Requests Done: 1992
[+] Cached Requests: 24
[+] Data Sent: 539.181 KB
[+] Data Received: 18.866 MB
[+] Memory used: 260.449 MB
[+] Elapsed time: 00:00:47
We see that it reports a vulnerability in the akismet plugin, but when we browse to it we get a 403 Forbidden error.
If we go one directory back, we find something called ebook-download.
So we investigate this a bit, and a Google search leads us to this exploit-db entry, https://www.exploit-db.com/exploits/39575, which tells us it is affected by a Directory traversal.
We carry out this Proof of Concept to see if we can reach the file, and we confirm that we have a Directory traversal.
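From the defender's side, the traversal attempts a test like this leaves behind are visible in the Apache access log. The following is an added example, not part of the original writeup: it parses constructed access-log lines (the plugin path matches the enumerated ebook-download directory; the download script name, the query parameter and the client IPs are assumptions) and flags any request whose decoded path or query contains a `..` segment, including URL-encoded and double-encoded forms.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not taken from the original page).
# The download script name and the "file" parameter are assumptions for illustration.
SAMPLE_LOG = """\
10.10.14.5 - - [17/Jan/2022:20:10:01 +0000] "GET /wp-content/plugins/ebook-download/readme.txt HTTP/1.1" 200 512 "-" "curl/7.81.0"
10.10.14.5 - - [17/Jan/2022:20:10:07 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=../../../wp-config.php HTTP/1.1" 200 3402 "-" "curl/7.81.0"
10.10.14.5 - - [17/Jan/2022:20:10:09 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1871 "-" "curl/7.81.0"
10.10.14.9 - - [17/Jan/2022:20:11:30 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3402 "-" "python-requests/2.27"
192.168.1.20 - - [17/Jan/2022:20:12:00 +0000] "GET /index.php/feed/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e (double-encoded ..) is seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def has_traversal(target):
    """True if any path segment or query value of the decoded target is exactly '..'."""
    decoded = fully_decode(target).replace("\\", "/")
    segments = re.split(r"[/?&=]", decoded)
    return ".." in segments

def find_traversal_attempts(log_text):
    """Return one record per request that carries a '..' segment, with the decoded target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append({"ip": m["ip"], "status": int(m["status"]), "target": fully_decode(m["target"])})
    return hits

if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(f"{h['ip']} status={h['status']} -> {h['target']}")
```

A 200 status on a flagged request is the signal that matters: the traversal succeeded and the file named in the decoded target should be treated as exposed.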