Monday, 13 June 2016

Freshly challenge

Hello all,
Scanning phase

As often - scanning with aggressive mode all ports.
The default web page on 80 port

A source code does not display something interesting. Let's run dirbuster

The login.php looks interesting. Let's try play with it.

I had been testing the login panel and I have found that it is vulnerable to SQL Injection (after successful logging or SQLi we will get "1" response, in the opposite case we will get "0" response).
Using sqlmap we have got following result

Excellent! The wordpress8080 database probably is associated with web page served on 8080 port. The login database also looks interesting and users as well.

So, let's go deeper into login database

The credentials from wordpress8080 database

Good, we are armed with several credentials.
We know that admin panel in the WordPress is located in wp-admin.php or wp-login.php as default. So, let's exploit our retrieved credentials to WordPress admin panel on 8080 port.

Great, we have to find some feature to upload our reverse shell script. I conducted a lot of attempts to upload backdoor in an img file and something like that - without success.
I am pretty sure that I am so close to find something helpful for us. Let's try examine plugins. I think that Hello Dolly which is not active, we could upload into source code our backdoor.
So, I have downloaded the PHP Exec Plugin. Now we are able to inject PHP code into posts. I have added the phpinfo script to new page

Excellent it works! Now let's upload our reverse shell script

Amazing! So, let's check what we can do

Wow! So, we may try crack the root password or use our brain :-) During the previous phase we have found password like a SuperSecretPassword.
Let's try use this password to log in as root

Game over!