HackingLab – Raven

We start by scanning the network with arp-scan to identify the target machine on the local network; the syntax is: arp-scan --interface=eth0 --localnet.
The target machine answers at the IP address 192.168.188.82.

kali@kali:~$ sudo arp-scan --interface=eth0 --localnet
[sudo] password di kali: 
Interface: eth0, type: EN10MB, MAC: 08:00:27:ac:2d:3e, IPv4: 192.168.188.75
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.188.1   98:9b:cb:9f:3a:e3       AVM Audiovisuelles Marketing und Computersysteme GmbH
192.168.188.20  cc:b0:da:aa:38:07       Liteon Technology Corporation
192.168.188.23  48:d6:d5:03:07:22       Google, Inc.
192.168.188.26  40:b0:34:db:2a:65       Hewlett Packard
192.168.188.29  00:03:7f:c3:11:0c       Atheros Communications, Inc.
192.168.188.27  7c:2f:80:f5:84:18       Gigaset Communications GmbH
192.168.188.43  54:b8:0a:01:ad:33       D-Link International
192.168.188.81  08:00:27:8d:88:12       PCS Systemtechnik GmbH
192.168.188.82  08:00:27:9d:6d:a8       PCS Systemtechnik GmbH

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.014 seconds (127.11 hosts/sec). 9 responded

With nmap we scan for open ports and services; the syntax is sudo nmap -sV -sT -O -A -p- <IP ADDRESS> where:
-sV enables service/version detection,
-sT selects a TCP connect scan,
-O enables Operating System detection,
-A enables an "aggressive" scan (OS and version detection, script scanning and traceroute),
-p- scans all ports.

The nmap scan shows the following ports open:
22 – ssh,
80 – http,
111 – rpcbind,
42201 – status.

kali@kali:~$ sudo nmap -sV -sT -O -A -p- 192.168.188.82
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-06 08:48 CEST
Nmap scan report for Raven.fritz.box (192.168.188.82)
Host is up (0.00062s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
|   2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
|   256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_  256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          42201/tcp   status
|   100024  1          47767/udp6  status
|   100024  1          55952/udp   status
|_  100024  1          57479/tcp6  status
42201/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:9D:6D:A8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.62 ms Raven.fritz.box (192.168.188.82)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.81 seconds
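Rather than reading the port table by eye, a defender can turn it into a record that is compared against what the host is supposed to expose. The following Python is an added example, not part of the original writeup: it parses the PORT/STATE/SERVICE/VERSION table from nmap's normal output and flags any open service outside an allowed baseline (here only 22/tcp and 80/tcp are assumed to be intended, so rpcbind and the status RPC service stand out). The sample text is a constructed excerpt that mirrors the scan above.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of nmap normal output modelled on the scan
# above (script lines starting with '|' are included to show they are skipped).
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
111/tcp   open  rpcbind 2-4 (RPC #100000)
42201/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:9D:6D:A8 (Oracle VirtualBox virtual NIC)
"""

# One table row: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_ports(text):
    """Parse the port table from nmap normal output into Service records.
    NSE script output ('|' lines), the header row and trailer lines do not
    match PORT_LINE and are ignored."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(
                Service(int(port), proto, state, name, (version or "").strip())
            )
    return services


def unexpected_exposure(services, allowed):
    """Return the open services whose (port, proto) is not in `allowed`,
    the set of ports the host is documented to expose (assumed baseline)."""
    return [
        s for s in services
        if s.state == "open" and (s.port, s.proto) not in allowed
    ]


if __name__ == "__main__":
    found = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    baseline = {(22, "tcp"), (80, "tcp")}  # assumed intended exposure
    for svc in unexpected_exposure(found, baseline):
        print(f"unexpected: {svc.port}/{svc.proto} {svc.name} {svc.version}")
```

The baseline set is the part worth maintaining: once it is kept with the host's documentation, the same check run over a scheduled scan gives a diff of exposure drift instead of a raw port list.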

To assess possible vulnerabilities we then ran nikto against port 80; the syntax is nikto -host <IP ADDRESS> -port <PORT> where:
-host indicates the IP address of the target machine,
-port indicates the port on which to run the vulnerability scan.

kali@kali:~$ nikto -host 192.168.188.82 -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.188.82
+ Target Hostname:    192.168.188.82
+ Target Port:        80
+ Start Time:         2020-06-06 08:51:37 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 41b3, size: 5734482bdcb00, mtime: gzip
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-6694: /.DS_Store: Apache on Mac OSX will serve the .DS_Store file, which contains sensitive information. Configure Apache to ignore this file or upgrade to a newer version.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2020-06-06 08:52:36 (GMT2) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
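The nikto findings above are all configuration issues the server owner can verify from a single response: missing X-Frame-Options and X-Content-Type-Options headers, the exact Apache version in the Server header, and directory indexing on /css/ and /img/. The Python below is an added example, not part of the original writeup or of nikto, that audits a response for these points; the two responses are constructed, the first modelled on what nikto reported for this host and the second the same request after hardening (indexing off, version hidden, headers set).

```python
import re

# Constructed sample responses (not captured traffic). WEAK_RESPONSE mirrors
# what nikto reported above for GET /css/; HARDENED_RESPONSE is the same
# request after the configuration fix.
WEAK_RESPONSE = {
    "status": 200,
    "headers": {
        "Server": "Apache/2.4.10 (Debian)",
        "Content-Type": "text/html;charset=UTF-8",
    },
    "body": "<html><head><title>Index of /css</title></head><body>...</body></html>",
}

HARDENED_RESPONSE = {
    "status": 403,
    "headers": {
        "Server": "Apache",
        "Content-Type": "text/html;charset=iso-8859-1",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
    },
    "body": "<html><head><title>403 Forbidden</title></head><body>...</body></html>",
}

# Headers nikto flagged as absent, with the risk each one addresses.
REQUIRED_HEADERS = {
    "X-Frame-Options": "clickjacking: the page can be framed by any origin",
    "X-Content-Type-Options": "MIME sniffing: the browser may reinterpret the content type",
}

# Title of Apache's mod_autoindex listing page.
INDEX_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def audit_response(resp):
    """Return a list of findings for one HTTP response (status, headers, body);
    an empty list means the response passes the checks nikto raised here."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    for name, problem in REQUIRED_HEADERS.items():
        if name.lower() not in headers:
            findings.append(f"missing {name} ({problem})")
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header discloses version: {server}")
    if resp["status"] == 200 and INDEX_TITLE.search(resp["body"]):
        findings.append("directory listing enabled (Apache autoindex page returned)")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
```

X-XSS-Protection, which nikto also lists, is deliberately not required: current browsers no longer implement it and a Content-Security-Policy is the replacement. On Apache the fixes behind the hardened response are Options -Indexes, ServerTokens Prod, and Header directives from mod_headers.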

Since port 80 is open, we point the browser at the target machine's IP address and examine the source code of the various pages, finding the first flag in the "Services" page:
<!-- flag1{b9bbcb33e11b80be759c4e844862482d} -->

We started enumerating directories with dirb, using the syntax dirb http://<IP ADDRESS> [<WORDLIST>], and discovered a "wordpress" directory.

kali@kali:~$ dirb http://192.168.188.82 /usr/share/wordlists/dirb/big.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jun  6 09:01:22 2020
URL_BASE: http://192.168.188.82/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.188.82/ ----
==> DIRECTORY: http://192.168.188.82/css/                                                                                                  
==> DIRECTORY: http://192.168.188.82/fonts/                                                                                                
==> DIRECTORY: http://192.168.188.82/img/                                                                                                  
==> DIRECTORY: http://192.168.188.82/js/                                                                                                   
==> DIRECTORY: http://192.168.188.82/manual/                                                                                               
+ http://192.168.188.82/server-status (CODE:403|SIZE:302)                                                                                  
==> DIRECTORY: http://192.168.188.82/vendor/                                                                                               
==> DIRECTORY: http://192.168.188.82/wordpress/ 

For comparison we use gobuster with the syntax gobuster dir -u <URL> -w <PATH TO WORDLIST>.

kali@kali:~$ gobuster dir -u http://192.168.188.82/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.188.82/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/06 09:49:26 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/fonts (Status: 301)
/img (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/manual (Status: 301)
/server-status (Status: 403)
/vendor (Status: 301)
/wordpress (Status: 301)
===============================================================
2020/06/06 09:49:28 Finished
===============================================================

Browsing the blog we find the name of a first possible system user: michael.

We use wpscan with the syntax wpscan --url http://192.168.188.82/wordpress --wp-content-dir -ep -et -eu where:
--url indicates the URL where WordPress is installed,
--wp-content-dir tells wpscan to look for the content directory,
-eu enumerates users,
-et enumerates themes,
-ep enumerates plugins.
The scan returns the names of two users: "michael" and "steven".

kali@kali:~$ wpscan --url http://192.168.188.82/wordpress --wp-content-dir -ep -et -eu
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.188.82/wordpress/ [192.168.188.82]
[+] Started: Sat Jun  6 09:10:16 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.10 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.188.82/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.188.82/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.188.82/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.8.13 identified (Latest, released on 2020-04-29).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.188.82/wordpress/, Match: '-release.min.js?ver=4.8.13'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.188.82/wordpress/, Match: 'WordPress 4.8.13'

[i] The main theme could not be detected.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <==============================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] steven
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] michael
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sat Jun  6 09:10:22 2020
[+] Requests Done: 48
[+] Cached Requests: 4
[+] Data Sent: 10.627 KB
[+] Data Received: 284.896 KB
[+] Memory used: 106.492 MB
[+] Elapsed time: 00:00:06
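The user enumeration above succeeds because WordPress answers ?author=<id> requests with a redirect to the author's page, and wpscan walks ids 1 to 10 in two seconds; the same run also touches xmlrpc.php. Both leave a distinctive trace in the web server's access log, and a defender who cannot disable the behaviour can at least alert on it. The Python below is an added example, not part of the original writeup or of wpscan: it parses Apache combined-format log lines, profiles each client by the number of distinct author ids requested inside a time window and by POSTs to xmlrpc.php, and flags clients above a threshold. The log lines are constructed to resemble what the run above would leave on the server; they are not a real log from the Raven machine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache combined-format access log lines, modelled on
# the wpscan run above (several author ids in a few seconds, then xmlrpc.php)
# plus one ordinary reader following a single author link.
SAMPLE_LOG = """\
192.168.188.75 - - [06/Jun/2020:09:10:17 +0200] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.1"
192.168.188.75 - - [06/Jun/2020:09:10:17 +0200] "GET /wordpress/?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.1"
192.168.188.75 - - [06/Jun/2020:09:10:18 +0200] "GET /wordpress/?author=3 HTTP/1.1" 404 1342 "-" "WPScan v3.8.1"
192.168.188.75 - - [06/Jun/2020:09:10:18 +0200] "GET /wordpress/?author=4 HTTP/1.1" 404 1342 "-" "WPScan v3.8.1"
192.168.188.75 - - [06/Jun/2020:09:10:18 +0200] "GET /wordpress/?author=5 HTTP/1.1" 404 1342 "-" "WPScan v3.8.1"
192.168.188.75 - - [06/Jun/2020:09:10:19 +0200] "GET /wordpress/?author=6 HTTP/1.1" 404 1342 "-" "WPScan v3.8.1"
192.168.188.75 - - [06/Jun/2020:09:10:20 +0200] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 370 "-" "WPScan v3.8.1"
192.168.188.26 - - [06/Jun/2020:09:11:02 +0200] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.168.188.26 - - [06/Jun/2020:09:11:05 +0200] "GET /wordpress/index.php/author/michael/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each parsable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events


def profile_clients(events, window=timedelta(seconds=60)):
    """Per client IP: the largest number of distinct ?author=<id> values
    requested inside any `window`, and the number of POSTs to xmlrpc.php."""
    author_hits = defaultdict(list)   # ip -> [(timestamp, author id)]
    xmlrpc_posts = defaultdict(int)
    for ip, ts, method, path, status in events:
        url = urlsplit(path)
        if method == "POST" and url.path.endswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
        for value in parse_qs(url.query).get("author", []):
            if value.isdigit():
                author_hits[ip].append((ts, int(value)))
    profiles = {}
    for ip in set(author_hits) | set(xmlrpc_posts):
        hits = sorted(author_hits.get(ip, []))
        peak = 0
        # Sliding window anchored at each request: distinct ids seen within it.
        for i, (start, _) in enumerate(hits):
            ids = {aid for ts, aid in hits[i:] if ts - start <= window}
            peak = max(peak, len(ids))
        profiles[ip] = {"author_ids": peak, "xmlrpc_posts": xmlrpc_posts.get(ip, 0)}
    return profiles


def flag_enumeration(profiles, author_threshold=5):
    """Clients that walked at least `author_threshold` distinct author ids in
    one window. A real reader follows one author link; a scanner walks a range."""
    return {ip: p for ip, p in profiles.items() if p["author_ids"] >= author_threshold}


if __name__ == "__main__":
    for ip, profile in flag_enumeration(profile_clients(parse_log(SAMPLE_LOG))).items():
        print(f"{ip}: {profile['author_ids']} author ids, {profile['xmlrpc_posts']} xmlrpc POSTs")
```

The threshold and window are the tuning knobs: five distinct ids inside a minute is far outside normal browsing and catches the default wpscan range of ten, while the xmlrpc.php count from the same client gives the analyst corroboration rather than a second alert.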
