terewcharge.blogg.se

Elyana pic
Author: i7md

Description: This is a fun box where you will get to exploit the system in several ways. Few intended and unintended paths to getting user and root access.

Deploy the VM and let’s hack the machine!!!

Enumeration

There are only 3 ports open: 21/ftp, 22/ssh and 80/http. The ftp server was empty so ultimately I checked the http service.

As we can see, it shows the apache2 index.html page. I used gobuster to find the hidden directories with the common.txt wordlist.

I found some usernames in this page which I’ve highlighted. Since it runs wordpress, our next step is to run wpscan for enumerating what plugins and themes the wordpress site uses. I also tried bruteforcing the passwords for the usernames that we just found but don’t bother doing it.

Wpscan -url

We can see the plugins mail-masta and reflex-gallery and their respective versions. Let’s search for any publicly available exploits using searchsploit.

Both of them are valid exploits and can be used to exploit the machine, but I first tried the LFI exploit. The affected parameter is ?pl from the mail-masta plugin which can be used to include the local files. But in this case, we should also include the /wordpress directory name.

Since it was successful we can get the reverse shell using Access log poisoning…is what I thought first but I had to work another way and ended up with the wp-config.php file which holds the password for the database. After trying to access the wp-config.php file it didn’t return anything. It seems we have to bypass the filter to get the content of the wp-config.php file. I did a quick search on google on the php filter bypass and finally got the contents of the wp-config.php file in base64 encoded strings. After decoding the base64 encoded string I found the password for the username elyana.

Login to the wordpress account with the username elyana and the password that we just found. You can find the login page in the path

To get the reverse shell follow these steps:

1) Go to Appearance -> Theme editor.
2) In your local machine copy or download a php-reverse-shell.php file, change the ip and port fields and copy the contents of the file.
3) Clear the contents of the 404.php template and paste the contents of the php reverse shell.
4) Click on update file.
5) Open a netcat listener in your local machine.
6) Go to

Anndddd baam!!! We got the reverse shell. To get a stable shell, use `python3 -c 'import pty; pty.spawn("/bin/bash")'`

User flag

Navigating into the home directory of the user elyana we can find two txt files. Reading the hint.txt file says that the password for the user elyana is hidden in the system. I used the find utility to find the file.

Cat-ing out the contents of the private.txt file we can get the password.

After changing the user to elyana we can get the user flag in the home directory in the base64 encoded format.

Decoding the contents of the user.txt file we can get the user flag. You can either use cyberchef or the command `echo "base64-contents" | base64 -d` to decode the text.

Running gobuster with the medium.txt file, I found another directory. Actually, I did this in case I failed to exploit wordpress.

After checking the source page of the /hackathons dir I found this.














