Author: Agoonie
Date: 2018-03-14
* Target IP (192.168.126.142)
* Full Scan
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5JTRpIfa2OOsBFuAH3bqvhHV2ei8P_l5KCCXOlhKI_NGT1Eb_De4DYSUWvYG2XvWTWYnn8t8btTdzjKhI5XGakD46_bGPbQWGFOeS3vZ4x-6VhQGCbdqVdj_-wVLnnqU88k_fSJQ_MevA/s400/screenshot1.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2ygp5ALSsYjLZpnW3JIypi3xgdf62ARs1_2Dl84zotWLrDt0Lrw4Kmk21OlutRnnKDKalvBY9JeSmcVdJ2qyfLSJg5HOhfxiWGyLAftJEs0tuHyDwByCScRoiSTcshltm1Nj8xEeWqqfA/s400/screenshot2.png)
Looks like we have ports 21, 22, and 80 open. Let's try port 80, starting with Nikto to find some vulns.
Ok. Let's try looking up some directories. Ah, there's a secret...
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqsbVN6Fi8RIVCfF4X56sKIgpWTLCeIdvOBhZvtDpD8o0_24bqKRh2M3ikwwcWS9_kNAdGajUCJTcWpk_BcAaeB4g_3ySCW4-QuzjPhePB6t2nXtThy0MpK9FOMNHri_He58C64mmpOQgd/s400/screenshot4.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizaO6zXn5ZTCGf3ptGDI4ljFhZem1BI15kPE0FzNc_FIIqsWAR2yWw-xzIbqZGos9lqvJz9b6gQlrMjgAhnoyld9RjEqwX2YSKpMKzmn5foMrnCwGglY9y8hKckN0hawPhEJmPtGfVm5HD/s400/screenshot5.png)
Judging from the page source, I should add an entry to my hosts file so the site's hostname resolves.
Ok. Now we look at the WordPress page. Let's try the usual credentials. Welp, that works.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXL1hvPtd_mgHR9l5M0uGu9kJzxfuwmD_xr-iNyVP8v0Xu9FmLcLbfUVFc5q_hf9pFgFGLqQus9IKU6QvpC_CEWMouV5XWWW-nMqEi4RcKtIILDvQtBj0wB3AjZdM0Ocz3HA1iAMbaXcaa/s320/screenshot8.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEtSE8BHDDsAm2uGYq3mWOsvwy-mnuSY1_ncrTpZDliFfiTLWfqL8HuKum1kexANo1qsCFcLXi6xJY8yR-6lQlLrCZO27wLSPe2t5HFOqIVOPEWgnL57WniDl-MAVQbusH4jpgF9rBhVHf/s400/screenshot9.png)
HELLLOOOO Dollllllyyy. With this plugin, we can add a webshell and activate the plugin. Initially I added it at the beginning of the plugin and it did not work well. Then I added it to the end of the plugin and voilà.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyxF7KNNUd5NBlGu4WgFDcTDZxpO89ZzvnF3tYODk6PqE6yykBb-AjoSZjE42o2OXYvW9QH4t6btFKTVE5aQapPd9vYx7WSJ_fITkOaSSQTD2MYvvSCvHMuHon_w2XdFEd3PsfaHPdFcpU/s400/screenshot11.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTia3BRXgY73T9xVIDXj5kGjpV2692X9HMel9UISk5W-fFoIyxzrjoP56mwSoQ6hE2ZNA898hBtczChgnxjT0nlmiKnVcdQf1PTaV2tEGDQwQ763-3txtTfyzg7DtOYENcAG0Wclxm1Kzt/s320/screenshot13.png)
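From the defender's side, the tampering described above (extra code appended to the end of an installed plugin file) is cheap to catch: keep a hash manifest of the plugin directory and pattern-scan any file that changed. The script below is an added example and is not code from the original post; the plugin source and the baseline manifest it uses are constructed stand-ins (not the real Hello Dolly source), and the signature list is a starting point you would tune for your own site.

```python
import hashlib
import re

# Signatures for PHP that executes or evaluates request-controlled input.
# Constructed for this example; extend for your environment.
SUSPICIOUS_PHP = [
    re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    re.compile(r"\b(eval|assert)\s*\(\s*(\$_(GET|POST|REQUEST|COOKIE)\b|base64_decode\s*\(|gzinflate\s*\()", re.I),
]


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files):
    """files: {relative_path: source}. Returns {relative_path: sha256 hex digest}."""
    return {path: sha256_text(src) for path, src in files.items()}


def scan_php_source(src):
    """Return [(line_no, matched_snippet)] for every line matching a signature."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        for pat in SUSPICIOUS_PHP:
            m = pat.search(line)
            if m:
                hits.append((n, m.group(0)))
                break
    return hits


def check_plugins(baseline, current_files):
    """Compare the current plugin tree to a trusted baseline manifest, then
    pattern-scan every PHP file that is new or whose hash changed.
    Returns {"modified": [...], "added": [...], "removed": [...], "hits": {path: [...]}}."""
    current = build_manifest(current_files)
    report = {"modified": [], "added": [], "removed": [], "hits": {}}
    for path, digest in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != digest:
            report["modified"].append(path)
    report["removed"] = sorted(set(baseline) - set(current))
    for path in report["modified"] + report["added"]:
        if path.endswith(".php"):
            hits = scan_php_source(current_files[path])
            if hits:
                report["hits"][path] = hits
    return report


# Constructed stand-in for a plugin's original source (NOT the real Hello Dolly code).
CLEAN_PLUGIN = """<?php
/* Plugin Name: Sample Plugin (constructed) */
function sample_plugin_hello() { echo 'hello'; }
add_action('admin_notices', 'sample_plugin_hello');
"""

# Same file with a command-execution line appended at the end, which is the
# placement the walkthrough describes. Constructed sample for testing the detector.
TAMPERED_PLUGIN = CLEAN_PLUGIN + "system($_GET['cmd']);\n"

# Trusted manifest taken when the plugin was installed (constructed).
BASELINE = build_manifest({"sample/sample.php": CLEAN_PLUGIN, "sample/readme.txt": "readme"})


def demo():
    """Run the check over a constructed 'current' tree: one modified file,
    one unchanged file, and one new PHP file that is benign."""
    return check_plugins(BASELINE, {
        "sample/sample.php": TAMPERED_PLUGIN,
        "sample/readme.txt": "readme",
        "sample/uploader.php": "<?php echo 1;",
    })


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real install you would build the baseline from a fresh copy of each plugin at install time, and recompute the current manifest by walking wp-content/plugins; the hash comparison catches the appended code even if the signatures miss it, and the pattern scan tells you which changed files deserve a look first.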
We have a meterpreter session. Let's do some exploring.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaegy1iuD-Kt4MauaIP_9oNZb1kg4Jh_BzL5-lJ4ny6YkC5oEYBf9E_jUg8u2BSKcMEseA3nbtnZysC6y8SHal2Ff5W8Ic0XeLd0Ds403NmjS_DjMJLBtNYfxjJvtaLBvdORgMmutubSOu/s320/screenshot17.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaGFKJ8KnbEDkKYHVZMfPjMKXA7IU-WlgLnOba-XSf2dViuPmdidyZvWZl9ijTt5WRlTbd9jiMKpEedJE1MIUjXLM2KaY8E0zF3X8mAGVHzuQzBHXk1_qtkc3e4TmCKyzZ1U4ibNHCCiMz/s320/screenshot18.png)
Ok. You know the drill. Let's look at some of the config files. Let's look at the HOME directory.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6BmNpZoaMyWx1sGNXM3vfLZF0FTK6W23z-UCS9Zw0KD2NZNfVVhrrKmJ18-Wo8YBRrzqxsEAoS4Lk6NvJCy7HWnQm1OMf16fqaDEKKBSkTsz7kHd51kiRkrN3TFKsNPVBa1qdl4ucyZV1/s320/screenshot19.png)
Woah. ProFTPD backdoored? I know there is a vuln for that.
ProFTPD Backdoor
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXFlz4uEENLHpkeuuhyphenhyphenwadnNfms8OYHitmpBjJD8ITPEyC888WGty3Evo-xZxwoCzahB4N-kAtOopnww5Sn2DlVJMWG-Q8OtkJihSYI4ZxttUmS1j6xD27GgWSktyLt3V7fpw4MtY2KKU2/s400/screenshot21.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh79dImoQTlNq22L-BdX2abOPvaVMCph5Vu6pfb6Ql7cL-mUUFX7HmQQpPJ3jBtd0aSOR28BBDrOEE0-3pn4v91MnK3TIT9zZI8AvrHULwwaiiEu_GIDOuyrIFj7LGYjl1XOb_nPLP_A1T1/s400/screenshot22.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi34O1KqMxGwyaMk2GsGQb-wwbLtdl1mVDZ6r-4dA1zj6wN4Pu8aI1XDvxfgeawS5NGQBzGqL5ubp0jyQmUIhNq1A5HAmvHkBbtXKGz2p8-4AzHc_Gs_NluQ8tyQ-gTXWSxk3tNY7iB3HKm/s400/screenshot23.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL_Gq1GWrrM4760U-KXDDbuDny7VzM4m8OSm6ZoL_TCxnxzFEkF2Zcz8OCBvkwbLRZqhMjc6N6p3PFRKGmRDy2GnONawaqCkdL-uQOkaWWw1Acup40p7DsEcqS6cOils5ZdPkwv7-4l8Kv/s400/screenshot24.png)
Got root? Well, I guess now we just check for flags, if there are any. Looks like this server was hacked and a backdoor was planted. I did not check whether there was a kernel privilege escalation vulnerability, but I suspect there is. I will revisit it later. I did run John the Ripper against the Marlinspike password. It is just marlinspike :)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpaXSFCuwYIuC2Alb3-ICT2MMD52zwA7zsbyt4YgDkLrXrDWIUVVRXbWvTkRgVHhISmFFXCJ6kt320pu0K8EDImGhalOg8Gu_MUSID4qpHbWsIw86Ut7NzRbp4jIOn8DCcjLSVEMweVaXO/s400/screenshot25.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja2S3yOLNsVfry6oAPisTUhM9KPwiBZiqHlMxfcn1DvH2_MGnE6bxYhN9EHRyaY-qazcIe-S0QirEAdKhczw19ffVX9b7R8YX8aZ2WmTlrvIDNFfXFggSdjv0rvfK1tcSdyx7_fUWtH3Gw/s400/screenshot26.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh75lv9lxUpyC7-oZwi9v1zVEWdkYQPKcbgPJnB6mIu5xUYL2H3ECSrTDSkpUBuOrHdXpcFGAwTVqrYhRPBfCWSdKD-0KFUhBwLrBIYEvDQICs9D62AIvfCtDQ1JSmLoWEcHnkY1D43Jk2H/s400/screenshot27.png)