Stapler (Walkthrough)


This box is from VulnHub; you can download it from the link. I pwned this box through WordPress enumeration and an old exploit for Ubuntu 16.04, which helped me get root permission.


Breaching Process 

Finding IP

  • Nmap

Enumeration

  • Browsing the HTTP and HTTPS services
  • Deep nmap scan of all ports found port 12380 running HTTPS
  • Enumerating directories using nikto
  • Found robots.txt and other useful directories

Exploitation

  • Injecting PHP code in a plugin
  • Got a reverse shell in meterpreter

Privilege Escalation

  • Further enumeration found an old Ubuntu (16.04)
  • Got root permission (compiling a bunch of exploits)


Let's Breach 

Using an nmap scan, I found the box's IP address. The IP address was 192.168.1.7.



I browsed to the IP, saw that port 80 was open, and let the nmap scan run.

There was nothing interesting on port 80. After looking at it and finding nothing, I went for the nmap scan.



There were a bunch of open ports, but the interesting one was FTP (21).
The funny thing was that I could get into FTP as anonymous,
so I quickly logged in to FTP as anonymous.

I found that FTP was just a trap, a DEAD END :(

Let's step back and start again from the beginning.


Then I enumerated the IP using enum4linux (script).
There were a bunch of directories that could be accessed without a password,
so I quickly grabbed them.

First I went with kathy.



Now there were a bunch of interesting files for WordPress (this gave me the idea that there might be a WordPress site running).


I grabbed everything I found, but guess what: nothing, just nothing, helped me exploit the box.
There was another directory, tmp.
I didn't have much hope of finding anything there that would pwn the machine, but I went for it anyway,

and that was a DEAD END too.

Let's start again and scan all the ports.
This time I ran an all-port scan with nmap and, okay, I found a new port, hmmmmm......


Deep scanning port 12380, I found that it was running HTTP and HTTPS.


Surfing to https://192.168.1.7:12380

This was just a website saying coming soon.


I fired up nikto to find interesting directories. There were two directories.



One was blogblog and the other admin112233.
I surfed to admin112233, which was just a redirect to some weird XSS website.
Now let's surf to the blogblog site. Wow, that was a WordPress site.




Let's enumerate WordPress with wpscan.
As this website was served over HTTPS, the --disable-tls-checks option should be used.





This was good: so many usernames were dumped.




I went to the WordPress login page.


Now let's brute-force the usernames with a password list.
Within a matter of seconds it cracked the password of john, and the password was "incorrect".




Let's log in to the WordPress admin panel.
Boom, I got logged in.

As I wanted a reverse shell, I generated a PHP reverse shell.
You can generate the PHP reverse shell using msfvenom.

I tried to get the reverse shell by editing the 404 template, haha.
There was no editing permission.



There was another way to get a reverse shell: through a plugin. So I copied the PHP code into reverse.php and saved it on my local computer.
Then I uploaded it via Add Plugin on the victim machine.







Looking in the plugin uploads directory, I found reverse.php. So this works like a charm.
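
From the defender's side, the chain above (password brute force against wp-login.php, a plugin upload, then a request for a PHP file under the uploads directory) leaves a recognisable trail in the web server's access log. The following is an added example, not part of the original walkthrough: the log lines, client addresses and threshold are constructed, and the uploads path is the WordPress default rather than a path shown on this page.

```python
import re
from collections import Counter

def _line(ip, method, path, status):
    # Build one constructed access-log line in Apache common log format.
    return f'{ip} - - [01/Jan/2020:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample: 192.168.1.50 replays the steps above, 192.168.1.20 is a normal user.
SAMPLE_LOG = "\n".join(
    [_line("192.168.1.50", "POST", "/blogblog/wp-login.php", 200)] * 6
    + [_line("192.168.1.50", "POST", "/blogblog/wp-login.php", 302),
       _line("192.168.1.50", "POST", "/blogblog/wp-admin/update.php?action=upload-plugin", 200),
       _line("192.168.1.50", "GET", "/blogblog/wp-content/uploads/reverse.php", 200),
       _line("192.168.1.20", "POST", "/blogblog/wp-login.php", 200),
       _line("192.168.1.20", "GET", "/blogblog/wp-content/uploads/logo.png", 200)]
)

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PHP_IN_UPLOADS = re.compile(r"/wp-content/uploads/[^?]*\.php(\?|$)", re.I)
LOGIN_THRESHOLD = 5  # assumed cut-off: failed logins per client before alerting

def analyse(log_text, threshold=LOGIN_THRESHOLD):
    """Return (client_ip, finding, path) tuples in the order they appear in the log."""
    failed = Counter()
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m[1], m[2], m[3], int(m[4])
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            # By default WordPress answers a failed login with 200 and a good one with 302.
            if status == 200:
                failed[ip] += 1
                if failed[ip] == threshold:
                    findings.append((ip, "login-bruteforce", path))
            elif status == 302 and failed[ip] >= threshold:
                findings.append((ip, "login-after-bruteforce", path))
        elif method == "POST" and "update.php?action=upload-plugin" in path:
            findings.append((ip, "plugin-upload", path))
        elif PHP_IN_UPLOADS.search(path):
            findings.append((ip, "php-in-uploads", path))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Blocking PHP execution under the uploads directory at the web-server level removes the last step of this trail.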



Let's try to get the reverse shell using meterpreter

So I fired up msfconsole to catch the reverse shell.


Boom, I got the shell.



I got the shell, but it was a lazy one, so I imported the TTY shell and xterm.


Now I can clear the environment, which is pretty good.

Let's begin the privilege escalation.

I found that this box was running Ubuntu 16.04.


I googled it and found a pretty interesting vulnerability.
wget the address into the tmp directory of the victim machine.


As it is a zip file, you have to extract 39772.zip


and then extract exploit.tar


There you will get a bunch of C and sh files.
Running these files, you will eventually end up with root.
First of all, run compile.sh:

./compile.sh

and then:

./doubleput



There will be a root shell after a minute.
After I got the root shell,
I ran cat on flag.txt.
That's done.




HAPPY HACKING :)

