We start by scanning the host with nmap:
nmap -A -T4 -p- 192.168.1.7
Running dirb on the host finds a robots file (robots.txt); inside it are some directories we can try.
The path http://192.168.1.7/blog/ is running WordPress, so now let's enumerate the users on the site:
wpscan --url http://192.168.1.7/blog/ -e u
There is a backup path with some files we can download; one of them is a PHP page containing SQL database details: a username, a password and a database name.
At the path http://192.168.1.7/assets/adminer.php we can use these credentials to log in, as follows:
Got in, and now we can go through the database. I found the admin and fs0ft usernames and some passwords.
Now we need to add the WordPress hostname to our hosts file.
Now we go to http://fsoft.hacking/blog/wp-login.php and log in with username fs0ft and password fs0f@2020!@
Now all we need to do is go to Media and upload a PHP shell there. You may get a message that the file was not uploaded and it may not be viewable in the library, but to make sure it is there you can browse to http://192.168.1.7/blog/wp-content/uploads and you will see it listed.
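The three web-side weaknesses used above (a backup directory leaking the database config, adminer.php left in the web root, and PHP that executes from wp-content/uploads) are all visible to an administrator who audits the web root on disk. The audit below is an added defender-side example, not code from this writeup; it walks a WordPress web root and reports each of them, and the sample tree it builds is constructed to mirror the layout described above (file names and contents are assumptions).

```python
import os
import re
import tempfile

# Added defender-side audit (not the writeup's code): flag the three weaknesses it relied on.
PHP_EXT = (".php", ".phtml", ".php5", ".phar")
EXPOSED_TOOLS = {"adminer.php"}  # DB admin tools that should never sit in the web root
CRED_MARKERS = re.compile(r"\bDB_(PASSWORD|USER|NAME)\b")  # WordPress DB config constants


def audit_webroot(root):
    """Return sorted (category, relative_path) findings: php-in-uploads (web shell
    indicator), exposed-tool (adminer reachable), backup-leak (stray DB config copy)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if "wp-content/uploads/" in rel and lower.endswith(PHP_EXT):
                findings.append(("php-in-uploads", rel))
            if lower in EXPOSED_TOOLS:
                findings.append(("exposed-tool", rel))
            # The install's own wp-config.php (next to wp-load.php) is expected to hold
            # credentials; any other readable file carrying DB_* constants is a leaked copy.
            if lower == "wp-config.php" and os.path.exists(os.path.join(dirpath, "wp-load.php")):
                continue
            if os.path.getsize(path) <= 65536:
                with open(path, "rb") as fh:
                    if CRED_MARKERS.search(fh.read().decode("utf-8", "ignore")):
                        findings.append(("backup-leak", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root mirroring the writeup's layout; returns its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "blog/wp-load.php": "<?php // WordPress bootstrap\n",
        "blog/wp-config.php": "<?php define('DB_PASSWORD', 'x'); define('DB_NAME', 'wp');\n",
        "blog/wp-content/uploads/2020/photo.jpg": "not a real image, just filler\n",
        "blog/wp-content/uploads/2020/shell.php": "<?php // PHP dropped through the Media library\n",
        "backup/config.php": "<?php $conn = mysqli_connect('localhost', DB_USER, DB_PASSWORD);\n",
        "assets/adminer.php": "<?php // database admin tool left in the web root\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running `audit_webroot` against a real web root (for example `/var/www/html`) gives a list to act on: remove the backup copies and admin tool, and disable PHP execution under wp-content/uploads.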
Breaking out of the restricted shell with python3 -c 'import pty;pty.spawn("/bin/bash")'
Then run find / -perm -u=s -type f 2>/dev/null to find files with the setuid bit set, i.e. files that run with their owner's permissions.
There we can see screen-4.5.0, which has a known vulnerability we will use; searching searchsploit for screen gives:
The file is 41154.sh. Be aware it won't run until you strip the Windows line endings with sed -i -e 's/\r$//' 41154.sh. Then rename it to exploit.sh (or leave it as it is), transfer it to the host by serving it with python -m SimpleHTTPServer 80, give it executable permissions with chmod +x exploit.sh and run it.