Vulnhub – Haclabs Deception Walkthrough

Scanning the host with dirbuster shows that it is running WordPress:

Now we run wpscan to enumerate users and vulnerable themes and plugins:

wpscan --url http://192.168.1.2/wordpress -e u

Running dirb with -X .txt found robots.txt:

Nothing to see here lol, but it looks like there are .html pages too; running dirb again came up with this:

Searching for "API" in the source of the home page, I found these:

I tried each one as a password for the phpMyAdmin login, the WordPress login and the SSH service, but none of them worked, until I joined them all together as 5F4DCC3B5AA765D61D8327DEB882CF99 and tried again; SSH accepted it for the user yash:

I ran the LinEnum.sh script and got this back:

To become root with this vulnerability we use this command:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
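The -p flag on sh only matters when the calling binary has an elevated effective uid, so the weakness behind this step is assumed here to be a setuid bit on an interpreter binary (the LinEnum output is not reproduced on the page). The following is an added defensive audit, not code from the walkthrough: it walks a tree for setuid/setgid files, flags interpreters and shells as critical, and shows the fix of clearing the bit. The interpreter list, the fake /usr/bin fixture and all paths are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# A setuid copy of any of these is an instant root shell, since "sh -p" (or
# os.execl from python) keeps the elevated effective uid instead of dropping it.
RISKY_INTERPRETERS = {"python", "perl", "ruby", "php", "node", "bash", "sh", "dash", "zsh"}

def find_setuid_files(root):
    """Return (path, owner_uid, mode) for every regular file under `root`
    with the setuid or setgid bit set. Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits

def classify(hits):
    """Split hits into interpreters (critical) and others (review); python3.8 matches 'python'."""
    critical, review = [], []
    for path, uid, mode in hits:
        name = re.sub(r"[\d.]+$", "", os.path.basename(path))
        (critical if name in RISKY_INTERPRETERS else review).append((path, uid, oct(mode)))
    return critical, review

def strip_setuid(path):
    """Remediation: clear setuid/setgid while keeping the other permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))

def demo():
    """Constructed fixture: fake usr/bin with a setuid python3.8 (weak) and a normal ls."""
    with tempfile.TemporaryDirectory() as d:
        bindir = os.path.join(d, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("python3.8", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            open(path, "w").close()
            os.chmod(path, mode)          # 0o4755 is the weak setting being audited
        critical, review = classify(find_setuid_files(d))
        strip_setuid(critical[0][0])       # apply the fix to the flagged interpreter
        after = find_setuid_files(d)       # re-audit: nothing should remain
        return ([os.path.basename(p) for p, _, _ in critical],
                [os.path.basename(p) for p, _, _ in review], after)
```

Running demo() flags only python3.8 before the fix and finds no setuid files after it; on a real host you would run find_setuid_files("/") and review the non-interpreter hits by hand.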

And then we access the root directory:

As you can see, after grabbing the root flag I went back and got the other flag from the user haclabs 😀 I guess I've made a deception, but the lab started it first lol.
