Monday 13 June 2016

Freshly challenge

Hello all,
Scanning phase














As often - scanning with aggressive mode all ports.
The default web page on 80 port

















A source code does not display something interesting. Let's run dirbuster







The login.php looks interesting. Let's try play with it.







I had been testing the login panel and I have found that it is vulnerable to SQL Injection (after successful logging or SQLi we will get "1" response, in the opposite case we will get "0" response).
Using sqlmap we have got following result









Excellent! The wordpress8080 database probably is associated with web page served on 8080 port. The login database also looks interesting and users as well.









So, let's go deeper into login database










The credentials from wordpress8080 database










Good, we are armed with several credentials.
We know that admin panel in the WordPress is located in wp-admin.php or wp-login.php as default. So, let's exploit our retrieved credentials to WordPress admin panel on 8080 port.

















Great, we have to find some feature to upload our reverse shell script. I conducted a lot of attempts to upload backdoor in an img file and something like that - without success.
I am pretty sure that I am so close to find something helpful for us. Let's try examine plugins. I think that Hello Dolly which is not active, we could upload into source code our backdoor.
So, I have downloaded the PHP Exec Plugin. Now we are able to inject PHP code into posts. I have added the phpinfo script to new page
































Excellent it works! Now let's upload our reverse shell script









Amazing! So, let's check what we can do
















Wow! So, we may try crack the root password or use our brain :-) During the previous phase we have found password like a SuperSecretPassword.
Let's try use this password to log in as root









Game over!