For those that didn’t get part 1 click the button below:
Thou shalt not ignore hints – Hint 2
Later on as people got stuck on the easy bits. The second hint was given. Now being as easy as it is most people didn’t take heed to the words and it elicited mixed reactions.
Take heed of the messages remember lesson 1
Lesson 4: “Always take heed to not miss the detail, the devil is there”
After Giving Web Head, What’s so hard?
Back from where we were on our result we notice a couple of things, very few results but how valuable well lets see the information. From the 3 folders in the results:
- Lmao– Contains Subrion CMS v3.3.4.10
- Speed1- Contains a backup archive named massimo
- Massimo- Notice that the archive for the above is here, Coincidence. I think not.
application/octet-stream the Massimo i.e. Download 😀
Application/Octet stream Massimo
Lesson 5: ” Thou shalt learn to interpret information keenly, in order to come up with proper attack case, thou art a web sculptor so model the threat artistically”
Read Lesson 4
We all agree from the above , devil is in the details. So lets see what we can gather from this archive.
Massimo Dissection
From the extraction we notice alot:
- We are dealing with a wordpress site (version: 4.2.4)
- We have the database credentials
- WordPress pressure points – Plugins and Themes.
From the above narrowing down our surface of checks , plugins folder has kismet only well no new plugins here so exclude that. In the themes folder we only notice one theme folder to be custom i.e. monster.
I have found the monster
You may not be a coder but seeing the other files then this one tells you that something is not right. so lets pass this to UnPHP to decode it and see what was being hidden here.
Finding the Monster’s Heart
Key word : Upload on 404.php
Deduction: 404 gives me an upload. Putting this to the test.
Lesson 6: “The web has monsters for it is a monster, thou shalt love the monster unconditionally”
The web lies , Hidden in Plain Sight
This error seems so blessed , so what can we do here. Well if upload==true it means shell to happiness. Testing the 404 gives you a blank page but from what we have seen this cannot be true so , Inspect (Press F12 or right click and select inspect element). Notice we have a style=”display:none” , delete the attribute display:none and make a “prayer” to bless the server.
.
404 page can’t be blank and under the hood shows why.
Now we see why we couldn’t see the upload. It’s set to not display. So we need to change this attribute. from display:none to blank.
Changing it displays our upload form
Lesson 7: “Thou shalt learn to peep under the hood, for you don’t like lies”
I call on yee oh tiny shell, of mighty power
Yes you are thinking GUI shells with high reliance on extensions especially in the case of PHP and JSP however it would be wise to use minimal shells when on the web that use default functions that come on a typical install, avoid surprises of a non-working shell. So going minimal from the OWASP Mth3l3m3nt Framework.
Generate a PHP Shell for we are dealing with wordpress
Save the shell in a file of your choice for upload.
Saving the shell for upload
Lesson 8: “Thou shalt love minimal shells, for minimal never fails”
Yoda Listens, Everything will be 200 (OK)
Yoda is not always rude he listens , make 200 you’re favorite number. Now that we have a successful shell we can choose to run it directly there or bot it, personally I bot it so as to not forget where my shell is, but not mandatory, so allow me to use OWASP Mth3l3m3nt Framework for this though not mandatory you can run the commands directly from the scripts. I’ll give it the URL of the shell and work from my dashboard direct.
Yoda has listened
Add a bot to OMF
Bot ready for control
Lesson 9: “With patience and an understanding of monster speech , all things will be 200 (OK)”
Finding Keys to heaven’s door
Now lets browse the server as is seen common attacks fly not here , but there are alot of A5‘s they leaving stuff everywhere lets hunt. Notice a .pem file in the massimo root hmm we all know what this means 😀 and guess what the name seems to have a username seems this is idiot proof, lets test the theory once again.
Listing Files from Bot
on linux to use this would be:
ssh -i ubuntu_at_server_here_kp.pem ubuntu@197.232.20.152
As of this writing im on a windows box so 3 steps for putty to udnerstand this .
– Convert key pair to ppk
– add ppk to putty
– add username and login
Convert the private key to putty type using putty Keygen then save the ppk
Configure the ppk for authentication using putty
Configure username to use with the key
got Root?? == YES
Trolls =0 , You =10
And whoa :
Lesson 10: “Knock, Knock, Knock, On heaven’s door , it is when trolls become numb and humans become giants, thou shalt love owning as root”.
