Stapler
Enumeration
Nmap scan
nmap -sV -p- -A 192.168.197.148
Service Enumeration
Port 21
Port 21 allows anonymous FTP login.

Note file from FTP.
Now we know we have at least three users: Harry, Elly, and John.
Port 80

Port 139
SMB allows anonymous login.

Grabbed all files from kathy and tmp.
Port 12380
Nikto scan


DOH!
So I'm an idiot and spent a few hours wondering why I could do no scans against this box's web servers..... it's using HTTPS, not HTTP.

The continued IP is 192.168.87.148
Gobuster scan
Robots.txt

Interesting places


WPScan
Had to get a hint here.
List of plugins.

Had to get a hint here; was not finding anything on WPScan's website about these plugins. Found that searchsploit would bring up an exploit if searched for advance video.

Having trouble getting this exploit from searchsploit to run. Found another Python exploit at https://github.com/gtech/39646/blob/master/39646.py and this one is working for LFI.

Port 3306
Connected via MySQL


Port 12380 - Revisited
Used root credentials to log into the phpMyAdmin webpage.

Returned on 1/23/2023. New IP is 192.168.112.148.
Grabbed all the hashes for cracking.

Cracking the hashes.

Found that John was an admin user when checking the accounts.

Found that I could upload my own plugin. Uploaded my shell. Found that it will prompt for an FTP login, but one is not required; it will still upload the file.

Found the shell in /blogblog/wp-content/uploads/

Shell
Opened rev3.php for my shell.

Stabilized the shell.
Dropped Linpeas on the machine. Found an interesting file I could edit.


Added reverse shell to cron-logrotate.sh and waited a few minutes.
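The escalation above depended on a script that an unprivileged user could edit and that, judging by the wait and the result, runs on a schedule as root. As an added example (not from the original write-up), this Python check lists scripts referenced by cron entries whose file or parent directory is not owned by the trusted account or is group/world-writable; the crontab text, file names and the `trusted_uid` parameter are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Absolute paths that start a whitespace-separated token (skips "*/5", ">/dev/null").
PATH_RE = re.compile(r"(?<!\S)(/[\w./-]+)")


def cron_paths(cron_text):
    """Return absolute paths named on non-comment, non-variable cron lines."""
    paths = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue
        paths.extend(PATH_RE.findall(line))
    return paths


def weak_reasons(path, trusted_uid=0):
    """Explain why someone other than trusted_uid could change `path`."""
    reasons = []
    # Only the file and its immediate parent directory are inspected.
    for label, target in (("file", path), ("parent dir", os.path.dirname(path))):
        st = os.stat(target)
        if st.st_uid != trusted_uid:
            reasons.append(f"{label} owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append(f"{label} group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{label} world-writable")
    return reasons


def audit(cron_text, trusted_uid=0):
    """Map each existing cron-referenced path to its findings (empty list = ok)."""
    return {p: weak_reasons(p, trusted_uid)
            for p in cron_paths(cron_text) if os.path.exists(p)}


if __name__ == "__main__":
    # Constructed fixture: one locked-down script and one world-writable script.
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "backup.sh"), os.path.join(d, "rotate.sh")
    for p, mode in ((good, 0o755), (bad, 0o777)):
        open(p, "w").close()
        os.chmod(p, mode)
    crontab = f"# constructed sample\nMAILTO=root\n*/5 * * * * root {bad}\n0 3 * * * root {good} >/dev/null\n"
    for path, why in audit(crontab, trusted_uid=os.getuid()).items():
        print(path, "->", why or "ok")
```

On a real host, feed `audit()` the contents of the system crontab and cron.d entries and leave `trusted_uid` at 0; any non-empty finding is a script that should be re-owned to root and stripped of group/world write permission.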
Root
