Working through HackTheBox, part 20: WPScan
The machine I was working on ran WordPress, so I tried WPScan against it.
Below is the output of the run, followed by a look at what each entry means.
kali@kali:~/SyachinekoLab/workspace/HTB/Tenten$ wpscan --url 10.10.10.10
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.4
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.10/ [10.10.10.10]
[+] Started: Sat Aug 29 02:59:55 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.10.10/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.10/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.10.10/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
 |  - http://10.10.10.10/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] job-manager
 | Location: http://10.10.10.10/wp-content/plugins/job-manager/
 | Latest Version: 0.7.25 (up to date)
 | Last Updated: 2015-08-25T22:44:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.2.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.10/wp-content/plugins/job-manager/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <============================================================================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sat Aug 29 03:00:03 2020
[+] Requests Done: 23
[+] Cached Requests: 35
[+] Data Sent: 5.14 KB
[+] Data Received: 3.911 KB
[+] Memory used: 182.262 MB
[+] Elapsed time: 00:00:08
Going through the findings in order.
[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
HTTP header information.
This time the Server header gives away Apache 2.4.18 on Ubuntu, which is a hint about the OS as well as the web server.
Confidence is how sure WPScan is about the finding, based on how it was detected: a value read straight out of a response header gets 100%. It is not a probability that the finding is exploitable. "Passive Detection" means the evidence came from the pages WPScan fetches anyway (the homepage, feeds), while "Aggressive Detection" means it sent extra requests just for that check, such as requesting a specific file directly.
[+] XML-RPC seems to be enabled: http://10.10.10.10/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
WPScan requested xmlrpc.php directly (hence "Direct Access (Aggressive Detection)") and concluded from the response that the XML-RPC interface is enabled.
The references listed with it show why that matters: the pingback API can be abused to make the server fetch URLs of the attacker's choosing and for denial of service, and the XML-RPC login method lets credentials be tried without going through wp-login.php.
I'll look into XML-RPC in more detail separately.
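What does the check behind this finding actually look at, and what do the references mean in practice? The following Python is an added example of my own, not WPScan's code or anything from the original post. It assumes a stock WordPress install: the GET response text is the fixed message WordPress returns for xmlrpc.php, the method list is a constructed sample of what a real install reports, and the function names are mine.

```python
"""Check and interpret the XML-RPC finding by hand.

Added example, not WPScan's code or the post's. It assumes a stock WordPress:
the GET response string and the method list below are constructed samples.
"""
import xmlrpc.client

# WordPress answers a GET to /xmlrpc.php with this text when XML-RPC is on;
# a direct request like this is what WPScan's "Direct Access" check does.
GET_RESPONSE_ENABLED = "XML-RPC server accepts POST requests only."

# Methods behind the references in the scan output.
RISKY_METHODS = {
    "pingback.ping": "server fetches an attacker-chosen URL (internal port scanning, DoS amplification)",
    "system.multicall": "many calls per HTTP request (login brute-force amplification)",
    "wp.getUsersBlogs": "takes username/password, so it verifies credentials",
}


def xmlrpc_enabled(get_body: str) -> bool:
    """True if the GET response body is the WordPress XML-RPC endpoint's fixed message."""
    return "XML-RPC server accepts POST requests only" in get_body


def list_methods_request() -> bytes:
    """POST body that asks the endpoint which methods it exposes."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def risky_methods(response_body: str) -> dict:
    """Parse a system.listMethods response and keep the methods worth worrying about."""
    (methods,), _ = xmlrpc.client.loads(response_body)
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}


def multicall_login_probe(creds) -> bytes:
    """One POST body carrying a wp.getUsersBlogs call per (user, password) pair.

    This is the amplification the wordpress_xmlrpc_login reference relies on:
    N guesses cost one HTTP request, and none of them touch wp-login.php.
    """
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]} for u, p in creds]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


# Constructed sample response: a subset of the methods a real install lists.
SAMPLE_LIST_METHODS_RESPONSE = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "pingback.ping",
      "wp.getUsersBlogs", "wp.getPosts"],),
    methodresponse=True,
)

if __name__ == "__main__":
    print(xmlrpc_enabled(GET_RESPONSE_ENABLED))
    print(list_methods_request().decode())
    print(risky_methods(SAMPLE_LIST_METHODS_RESPONSE))
    print(multicall_login_probe([("admin", "admin"), ("admin", "password")]).decode())
```

Against the real target you would POST list_methods_request() to http://10.10.10.10/xmlrpc.php (curl --data-binary works) and hand the response body to risky_methods(). On the defensive side, the usual fix is to deny xmlrpc.php at the web server unless a client that needs it (the WordPress mobile apps, Jetpack) is in use.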
[+] http://10.10.10.10/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
Detected that readme.html is present.
It is the readme that ships with every WordPress install; it describes the WordPress version and how to install and use it.
It should normally be deleted (or access to it denied) on a live site: it serves no purpose at runtime, it confirms the target is WordPress, and it can leak the version. That is why WPScan reports it.
[+] The external WP-Cron seems to be enabled: http://10.10.10.10/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
Detected that WP-Cron is enabled.
WP-Cron is WordPress's built-in job scheduler; "external" here means wp-cron.php answers direct requests from outside, so anyone can trigger it, and the references concern using that for denial of service. The lower confidence (60%) reflects that a direct request to wp-cron.php getting a response is only indirect evidence that scheduled jobs actually run through it.
I'll look into WP-Cron separately.
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
 |  - http://10.10.10.10/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
Detected that the WordPress version is 4.7.3.
The version was read from the <generator> tag in the RSS and comments feeds, a passive method that needs no extra requests. WPScan labels the version Insecure and prints its release date; the concrete vulnerability entries only appear when an API token is supplied (see the warning at the end of the scan).
[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
 | Last Updated: 2020-08-11T00:00:00.000Z
 | Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'
The theme in use is twentyseventeen, version 1.1 (80% confidence, taken from the "Version:" line in style.css). WPScan also notes the theme is out of date, the latest being 2.4.
Vulnerabilities could be looked up starting from this as well.
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] job-manager
 | Location: http://10.10.10.10/wp-content/plugins/job-manager/
 | Latest Version: 0.7.25 (up to date)
 | Last Updated: 2015-08-25T22:44:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 7.2.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.10/wp-content/plugins/job-manager/readme.txt
Plugin enumeration found job-manager installed; the version 7.2.5 comes from the Stable tag in the plugin's readme.txt (80% confidence).
Note the contradiction in the output: WPScan's database lists the latest release as 0.7.25 and reports the plugin as "up to date", while the readme says 7.2.5, so the stable tag is evidently not written the same way as the published version numbers. Either way the plugin was last updated in 2015, which by itself makes it worth a closer look.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <============================================================================> (21 / 21) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sat Aug 29 03:00:03 2020
[+] Requests Done: 23
[+] Cached Requests: 35
[+] Data Sent: 5.14 KB
[+] Data Received: 3.911 KB
[+] Memory used: 182.262 MB
[+] Elapsed time: 00:00:08
No config backups were found, and the rest is run statistics.
The one line that matters here is the warning that no WPVulnDB API token was given, so the scan output contains no vulnerability data at all. With a free token passed via --api-token, WPScan prints the known vulnerabilities for the core version, theme and plugin it identified.
Looking at these results, the following are the things to research for a way in:
・WordPress version 4.7.3
・Theme twentyseventeen version 1.1
・Plugin job-manager version 7.2.5
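To turn output like this into that target list without re-reading it by hand, here is an added Python example (my own code, not part of the original post or of WPScan) that parses the "[+]" findings and their " | " detail lines in the text format WPScan 3.8 prints, records the Confidence values discussed above, and pulls out the versioned components. The sample text is a constructed, trimmed copy of the scan output above; the names Finding, parse_findings and attack_surface are mine.

```python
"""Parse WPScan console output into findings and the versioned components to research.
Added example, not part of the original post or of WPScan; it reads the text format
WPScan 3.8 prints: '[+] title' lines followed by ' | key: value' detail lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the scan output shown in the post.
SAMPLE = """\
[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
 | [!] The version is out of date, the latest version is 2.4
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)

[+] job-manager
 | Location: http://10.10.10.10/wp-content/plugins/job-manager/
 | Latest Version: 0.7.25 (up to date)
 | Found By: Urls In Homepage (Passive Detection)
 | Version: 7.2.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
"""


@dataclass
class Finding:
    title: str
    found_by: List[str] = field(default_factory=list)
    confidence: Optional[int] = None        # "Confidence: N%" of the finding itself
    version: Optional[str] = None           # "Version: X (N% confidence)" sub-finding
    version_confidence: Optional[int] = None
    fields: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)


def _add_detail(f: Finding, body: str) -> None:
    """Interpret one ' | ...' line (pipe already stripped)."""
    if not body or body.startswith("- "):   # empty separator or evidence URL
        return
    if body.startswith("[!]"):
        f.warnings.append(body[3:].strip())
    elif body.startswith("Found By:"):
        f.found_by.append(body.split(":", 1)[1].strip())
    elif body.startswith("Confidence:"):
        f.confidence = int(re.search(r"(\d+)%", body).group(1))
    elif body.startswith("Version:"):
        m = re.match(r"Version:\s*(\S+)(?:\s*\((\d+)% confidence\))?", body)
        f.version, f.version_confidence = m.group(1), int(m.group(2) or 100)
    elif ":" in body:
        k, v = body.split(":", 1)
        f.fields[k.strip()] = v.strip()


def parse_findings(text: str) -> List[Finding]:
    """Group each '[+]' line with the ' |' detail lines that follow it."""
    findings: List[Finding] = []
    cur: Optional[Finding] = None
    for raw in text.splitlines():
        if raw.startswith("[+] "):
            cur = Finding(title=raw[4:].strip())
            findings.append(cur)
        elif raw.startswith(" |") and cur is not None:
            _add_detail(cur, raw[2:].strip())
        else:
            cur = None  # blank line or another status marker ends the block
    return findings


def attack_surface(findings: List[Finding]) -> List[dict]:
    """Pick out the versioned components (core, theme, plugins) to research next."""
    comps = []
    for f in findings:
        core = re.match(r"WordPress version (\S+) identified \((\w+)", f.title)
        theme = re.match(r"WordPress theme in use: (\S+)", f.title)
        if core:
            comps.append({"type": "core", "name": "wordpress", "version": core.group(1),
                          "status": core.group(2).lower(), "notes": []})
        elif theme:
            comps.append({"type": "theme", "name": theme.group(1), "version": f.version,
                          "confidence": f.version_confidence, "notes": list(f.warnings)})
        elif "/wp-content/plugins/" in f.fields.get("Location", ""):
            latest = f.fields.get("Latest Version", "")
            notes = []
            # Detected version and WPScan's "latest" disagree: record it rather than trust "up to date".
            if f.version and latest and not latest.startswith(f.version):
                notes.append(f"readme stable tag {f.version} vs database latest {latest}")
            comps.append({"type": "plugin", "name": f.title, "version": f.version,
                          "confidence": f.version_confidence, "notes": notes})
    return comps


def missing_api_token(text: str) -> bool:
    return "No WPVulnDB API Token given" in text   # scan printed no vulnerability data
```

Running parse_findings over a saved scan (wpscan --url ... -o scan.txt) and then attack_surface gives exactly the three components in the list above, plus the job-manager version mismatch as a note; missing_api_token tells you whether the run is worth repeating with --api-token before starting any manual research.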
That's all for this one.