Let us continue people!!, DC2 is here from my DC series. This was pretty interesting as we needed more creativity and a little bit of guessing for how to proceed and keep on going with getting a shell. This box is well built: if you keep on moving in the intended path you will continue to receive the proper hints to getting a root shell on this box. A few tools used for this machine were very well known, such as Nmap, Wpscan, Cewl, Ncat, and some attacks like brute-forcing. Let's start.

Started with arp-scan to find the target box:

sudo arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)

Started with a full port scan and the -sT flag. Once ports returned back results I continued with a more targeted scan on the open ports (80 and 7744):

sudo nmap 192.168.1.224 -sT -p- --min-rate 5000
Starting Nmap 7.80 ( ) at 01:00 PDT
MAC Address: 08:00:27:15:7D:2E (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 12.92 seconds

Detailed scan:

nmap -sC -sV -p80,7744 192.168.1.224 -oA nmap/DC2
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
| http-title: DC-2 – Just another WordPress site
|_Requested resource was
|_https-redirect: ERROR: Script execution failed (use -d to debug)
7744/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u7 (protocol 2.0)
Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 29.75 seconds

By visiting the http page a WordPress blog is shown with default content, a few directories and one interesting one called Flag 1. Seems that cewl is the trick here, so I will move onto that tool next.

Cewl: CeWL (Custom Word List generator) is a ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used for password crackers such as John the Ripper. Optionally, CeWL can follow external links.

From here I continued with the wpscan tool. When we find a certain CMS we want to use the tools designed for it; manual exploring is also welcome, as are a few general scanning tools, but targeted tools for the respective CMS are welcomed more.

After a few minutes wpscan came back with some results on the webpage:

wpscan --url [target] -o wpscan-dc2.txt
cat wpscan-dc2.txt
WordPress Security Scanner by the WPScan Team
Sponsored by Sucuri -
URL:
Started: Thu Aug 29 01:20:34 2019
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Direct Access (Aggressive Detection)
WordPress version 4.7.10 identified (Insecure, released on ).
| Detected By: Rss Generator (Passive Detection)
Trying admin / log Time: 00:02:50 (645 / 645) 100.00% Time: 00:02:50

After taking a few wild guesses logging in to the WordPress site, I continued with the uncommon open port that is running the SSH service (7744). With this I tried to login with both users, but only tom gave me access:

ssh -p 7744 [target]
The authenticity of host ':7744 (:7744)' can't be established.
ECDSA key fingerprint is SHA256:ZbyT03GNDQgEmA5AMiTX2N685NTzZuOoyMDIA+DW1qU.
Are you sure you want to continue connecting (yes/no/)? yes
Warning: Permanently added ':7744' (ECDSA) to the list of known hosts.
password:
Permission denied, please try again.
password:
Permission denied
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Logged onto the server I notice that commands aren't executing as usual, since it seems we are 'jailed' in an rbash shell. Running a few commands to check on the environment, what files might get found and such, there is a flag3.txt file. Since cat and strings are not working I used less, and this was the output.

Most likely a hint on escalating to the jerry user using the sudo command, and most likely with our previously found password from the wpscan brute-force. But first we need to escape our shell as it is very restricted. I used vi here to escape. Escaped. Then finally used the /bin/su jerry command to escalate to jerry using the password found from the wpscan brute-force attack.

Good to see that you've made it this far - but you're not home yet.
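The chain on this box (failed SSH logins on a non-standard port, then a successful one, then su to another user) leaves a clear trail in the server's auth log. As an added example, not part of this write-up, here is a small detector over constructed Debian-style auth.log lines; the host name, timestamps and source address in the sample are made up, and the thresholds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Debian auth.log style (host, times and source
# address are invented for this example; users mirror the write-up).
SAMPLE_LOG = """\
Aug 29 01:40:01 dc2 sshd[1201]: Failed password for jerry from 192.168.1.50 port 51000 ssh2
Aug 29 01:40:03 dc2 sshd[1201]: Failed password for jerry from 192.168.1.50 port 51000 ssh2
Aug 29 01:40:09 dc2 sshd[1204]: Accepted password for tom from 192.168.1.50 port 51002 ssh2
Aug 29 01:40:09 dc2 sshd[1204]: pam_unix(sshd:session): session opened for user tom by (uid=0)
Aug 29 01:47:30 dc2 su: pam_unix(su:session): session opened for user jerry by tom(uid=1001)
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
FAILED = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SU = re.compile(TS + r"su: pam_unix\(su:session\): session opened for user (\S+) by (\S+?)\(uid=\d+\)")

def parse_ts(stamp, year=2019):
    # syslog stamps carry no year; assume one for ordering purposes
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_alerts(log_text, max_failures=2, window_s=900):
    """Return (kind, source_ip, detail) tuples for two patterns:
    a successful SSH login preceded by repeated failures from the same
    source, and an su to another account shortly after an SSH login."""
    failures = defaultdict(list)   # source ip -> timestamps of failed logins
    ssh_logins = {}                # user -> (login time, source ip)
    alerts = []
    for line in log_text.splitlines():
        if m := FAILED.match(line):
            failures[m.group(3)].append(parse_ts(m.group(1)))
        elif m := ACCEPTED.match(line):
            ts, user, src = parse_ts(m.group(1)), m.group(2), m.group(3)
            recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= max_failures:
                alerts.append(("ssh_success_after_failures", src, f"{user} after {len(recent)} failures"))
            ssh_logins[user] = (ts, src)
        elif m := SU.match(line):
            ts, target, by = parse_ts(m.group(1)), m.group(2), m.group(3)
            if by in ssh_logins and (ts - ssh_logins[by][0]).total_seconds() <= window_s:
                alerts.append(("su_after_ssh_login", ssh_logins[by][1], f"{by}->{target}"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The same patterns apply unchanged whether sshd listens on 22 or 7744, since the port never appears in these log lines; what matters is the source address and the user chain.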