Web


Nmap discovered a web server running on the target's port 80. It also detected a /robots.txt with 5 disallowed entries.

Webroot

/robots.txt


There appear to be 5 different web services listed in /robots.txt:

  • /webservices/tar/tar/source/ : 404
  • /webservices/easy-file-uploader/ : 404
  • /webservices/developmental/ : 404
  • /webservices/phpmyadmin/ : 404
  • /webservices/monstra-3.0.4/ : live page

Only /webservices/monstra-3.0.4/ returned a valid page.

A login page is present at /webservices/monstra-3.0.4/admin/. Attempting some weak/default credentials.

I was able to log in with admin:admin.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ searchsploit monstra CMS 3.0.4 Remote Code Execution
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution    | php/webapps/43348.txt
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)                            | php/webapps/49949.py
------------------------------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results

Monstra CMS 3.0.4 is vulnerable to authenticated RCE via arbitrary file upload. I tried it, but it didn't work.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP:80/FUZZ -ic -e .txt,.php,.html 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.88:80/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [Status: 200, Size: 10766, Words: 3195, Lines: 564, Duration: 29ms]
robots.txt              [Status: 200, Size: 208, Words: 7, Lines: 8, Duration: 29ms]
webservices             [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 30ms]

ffuf was able to locate only /webservices/ and /robots.txt at the webroot, but these were already found.

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP:80/webservices/FUZZ -ic -e .txt,.php,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.88:80/webservices/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
wp                      [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 29ms]

It looks like there is another directory under /webservices: /wp/. Is it wp as in WordPress?

/webservices/wp/


The blog looks off, as it is noted to be under construction.

Then I noticed there is an external link URL with a proper domain. This suggests that I need to resolve the domain locally to see the page properly.

Append the IP address and the domain to the /etc/hosts file on Kali.

It's improved a little.

Wappalyzer identified the technologies involved. I can see that the blog is using WordPress 4.9.4.

wpscan


┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ wpscan --url http://tartarsauce.htb/webservices/wp/ -e ap,at,u --plugins-detection aggressive
 
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.
 
[+] URL: http://tartarsauce.htb/webservices/wp/ [10.10.10.88]
[+] Started: Mon Jan 23 13:10:53 2023
 
Interesting Finding(s):
 
[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 
[+] XML-RPC seems to be enabled: http://tartarsauce.htb/webservices/wp/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
 
[+] WordPress readme found: http://tartarsauce.htb/webservices/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 
[+] The external WP-Cron seems to be enabled: http://tartarsauce.htb/webservices/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
 
[+] WordPress version 4.9.4 identified (Insecure, released on 2018-02-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/index.php/feed/, <generator>https://wordpress.org/?v=4.9.4</generator>
 |  - http://tartarsauce.htb/webservices/wp/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.9.4</generator>
 
[+] WordPress theme in use: voce
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/
 | Latest Version: 1.1.0 (up to date)
 | Last Updated: 2017-09-01T00:00:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/readme.txt
 | Style URL: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/style.css?ver=4.9.4
 | Style Name: voce
 | Style URI: http://limbenjamin.com/pages/voce-wp.html
 | Description: voce is a minimal theme, suitable for text heavy articles. The front page features a list of recent ...
 | Author: Benjamin Lim
 | Author URI: https://limbenjamin.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/style.css?ver=4.9.4, Match: 'Version: 1.1.0'
 
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:12:09 <==================================================> (101942 / 101942) 100.00% Time: 00:12:09
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
 
[i] Plugin(s) Identified:
 
[+] akismet
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/
 | Last Updated: 2022-12-01T17:18:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 5.0.2
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/, status: 200
 |
 | Version: 4.0.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/akismet/readme.txt
 
[+] brute-force-login-protection
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/
 | Latest Version: 1.5.3 (up to date)
 | Last Updated: 2017-06-29T10:39:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/, status: 403
 |
 | Version: 1.5.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/brute-force-login-protection/readme.txt
 
[+] gwolle-gb
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/
 | Last Updated: 2022-11-19T09:57:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | [!] The version is out of date, the latest version is 4.4.1
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
 |
 | Version: 2.3.10 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
 
[+] Enumerating All Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:03:00 <====================================================> (25190 / 25190) 100.00% Time: 00:03:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)
 
[i] Theme(s) Identified:
 
[+] twentyfifteen
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyfifteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.3
 | Style URL: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyfifteen/style.css
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen/
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyfifteen/, status: 500
 |
 | Version: 1.9 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyfifteen/style.css, Match: 'Version: 1.9'
 
[+] twentyseventeen
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.1
 | Style URL: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyseventeen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/twentyseventeen/style.css, Match: 'Version: 1.4'
 
[+] twentysixteen
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentysixteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.8
 | Style URL: http://tartarsauce.htb/webservices/wp/wp-content/themes/twentysixteen/style.css
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/twentysixteen/, status: 500
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/twentysixteen/style.css, Match: 'Version: 1.4'
 
[+] voce
 | Location: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/
 | Latest Version: 1.1.0 (up to date)
 | Last Updated: 2017-09-01T00:00:00.000Z
 | Readme: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/readme.txt
 | Style URL: http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/style.css
 | Style Name: voce
 | Style URI: http://limbenjamin.com/pages/voce-wp.html
 | Description: voce is a minimal theme, suitable for text heavy articles. The front page features a list of recent ...
 | Author: Benjamin Lim
 | Author URI: https://limbenjamin.com
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Known Locations (Aggressive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/, status: 500
 |
 | Version: 1.1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://tartarsauce.htb/webservices/wp/wp-content/themes/voce/style.css, Match: 'Version: 1.1.0'
 
[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==========================================================> (10 / 10) 100.00% Time: 00:00:00
 
[i] User(s) Identified:
 
[+] wpadmin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://tartarsauce.htb/webservices/wp/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
 
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
 
[+] Finished: Mon Jan 23 13:26:30 2023
[+] Requests Done: 127229
[+] Cached Requests: 18
[+] Data Sent: 37.804 MB
[+] Data Received: 36.771 MB
[+] Memory used: 442.258 MB
[+] Elapsed time: 00:15:36

wpscan identified quite a few components installed on this blog.

Core:
  • WordPress version 4.9.4
Plugins:
  • akismet 4.0.3
  • brute-force-login-protection 1.5.3
  • gwolle-gb 2.3.10
Themes:
  • twentyfifteen 1.9
  • twentysixteen 1.4
  • twentyseventeen 1.4
  • voce 1.1.0
User(s):
  • wpadmin

Since there is a brute-force protection plugin installed, I cannot just brute-force the authentication.

While querying all those plugins on searchsploit returned nothing, I found something with gwolle-gb.

Gwolle Guestbook


Navigating to the /webservices/wp/wp-content/plugins/gwolle-gb/readme.txt file reveals that the file was modified to trick wpscan. The plugin version is 1.5.3, NOT 2.3.10.
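wpscan's 2.3.10 came from the readme's "Stable tag" line and its Changelog headings, both of which are plain text that anyone with write access to the plugin directory can edit. As an added example (not code from this writeup), the Python below reproduces those two checks and cross-checks them against the "Version:" field in the plugin's own PHP file header, which is what WordPress itself reads; the readme and header contents are constructed samples, not the real files from the box.

```python
import re

# Constructed sample files (not the real files from the box). The readme's
# Stable tag and Changelog both claim 2.3.10, which is all wpscan looks at;
# the plugin's PHP header states the version that actually runs.
SAMPLE_README = """\
=== Gwolle Guestbook ===
Stable tag: 2.3.10

== Changelog ==

= 2.3.10 =
* changelog entry

= 2.3.9 =
* changelog entry
"""

SAMPLE_PLUGIN_HEADER = """\
<?php
/*
Plugin Name: Gwolle Guestbook
Version: 1.5.3
*/
"""

VERSION = r"(\d+(?:\.\d+)+)"

def stable_tag(readme):
    """Version claimed by the 'Stable tag:' line (wpscan's 'Readme - Stable Tag')."""
    m = re.search(r"^Stable tag:\s*" + VERSION, readme, re.M | re.I)
    return m.group(1) if m else None

def changelog_versions(readme):
    """Versions from '= x.y.z =' headings below '== Changelog ==', newest first."""
    _, _, body = readme.partition("== Changelog ==")
    return re.findall(r"^=\s*" + VERSION + r"\s*=", body, re.M)

def plugin_header_version(php_source):
    """Version from the main plugin file's header comment, as WordPress reads it."""
    m = re.search(r"^\s*Version:\s*" + VERSION, php_source, re.M)
    return m.group(1) if m else None

def assess(readme, php_source):
    """Collect every version claim and flag the plugin when they disagree."""
    claims = {"stable_tag": stable_tag(readme),
              "changelog": (changelog_versions(readme) or [None])[0],
              "header": plugin_header_version(php_source)}
    distinct = {v for v in claims.values() if v}
    claims["consistent"] = len(distinct) == 1
    return claims
```

A readme that disagrees with the plugin header is a sign to verify the version from the code itself rather than trusting scanner output.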

┌──(kali㉿kali)-[~/archive/htb/labs/tartarsauce]
└─$ searchsploit gwolle-gb 1.5.3
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                    |  Path
------------------------------------------------------------------ ---------------------------------
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion   | php/webapps/38861.txt
------------------------------------------------------------------ ---------------------------------
shellcodes: No Results
papers: No Results

gwolle-gb 1.5.3 is vulnerable to Remote File Inclusion (RFI).