Difficulty: Medium
Machine Creator: ch4p
Tools Used:
NMAP
WPScan
Steghide
John
Task: To find User.txt and Root.txt
Network Enumeration
Let’s start with a quick NMAP scan to discover open ports and services.
The NMAP scan shows that ports 22 (SSH) and 80 (HTTP) are open.
After running a more intense scan on port 80, a few things stick out. We can see Apache 2.4.18 and WordPress 4.7.3. After searching on Exploit-DB, there are no exploits for either of these applications.
After browsing to port 80, we can see the WordPress site running.
The first thing to do on a WordPress site is to run wpscan for any vulnerabilities.
WPScan results returned a vulnerability finding regarding the job manager.
The second reference link in the WPScan finding leads to a website with a PHP script for exploitation. The script takes two inputs: the website and a file name. We already have the site, so we now need to find the file name.
If we follow the Apply link on the Jobs page, the title says Pen Tester.
If we change the number, we get a different job application. Let’s see what all of the titles say. We can do this with a simple bash script.
for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<h1 class="entry-title">'; done
The results look typical except for line 13 that says “HackerAccessGranted.”
We need to make a few changes to our script.
# Loop bounds changed in the reference script: only the year 2017 is tried
# (range(2017, 2018) yields 2017 alone), months 1 to 12, and the listed extensions.
for year in range(2017, 2018):
    for i in range(1, 13):
        for extension in {'php', 'html', 'pdf', 'png', 'gif', 'jpg', 'jpeg'}:
            # ... remainder of the loop body as in the referenced script ...
After running the script, we get a file name returned. HackerAccessGranted.jpg
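From the defender's side, both steps above leave a distinctive trace in the Apache access log: one client walking sequential `/index.php/jobs/apply/<id>/` URLs within seconds, followed by a burst of 404s under `/wp-content/uploads/` as file names are guessed. The following is an added example, not part of the original writeup or of the referenced exploit script; it parses constructed combined-format log lines (client addresses, timestamps and the `candidate.*` file names are all made up for the example) and flags both patterns.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [ts] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Job-application pages of the WP Job Manager plugin seen in the writeup.
APPLY_RE = re.compile(r"^/index\.php/jobs/apply/(\d+)/?$")
UPLOADS_PREFIX = "/wp-content/uploads/"


def _line(ip, second, path, status, ua):
    """Build one constructed log line (all values are sample data, not real traffic)."""
    return (f'{ip} - - [10/Mar/2018:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


# Constructed sample: 192.0.2.20 is a normal visitor; 192.0.2.10 walks job IDs 1..13
# in 13 seconds and then guesses upload paths (all misses).
SAMPLE_LINES = [_line("192.0.2.20", 1, "/index.php/jobs/apply/8/", 200, "Mozilla/5.0")]
SAMPLE_LINES += [
    _line("192.0.2.10", 1 + i, f"/index.php/jobs/apply/{i}/", 200, "curl/7.58.0")
    for i in range(1, 14)
]
SAMPLE_LINES += [
    _line("192.0.2.10", 20 + n, f"/wp-content/uploads/2017/{m:02d}/candidate.{ext}", 404,
          "python-requests/2.18")
    for n, (m, ext) in enumerate((m, e) for m in range(1, 4) for e in ("php", "jpg"))
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def detect_id_walk(events, min_ids=8, window_s=60):
    """Flag clients requesting many distinct job-application IDs inside one time window.

    Returns {ip: max_distinct_ids_in_any_window} for clients at or above min_ids.
    """
    by_ip = defaultdict(list)
    for e in events:
        m = APPLY_RE.match(e["path"])
        if m:
            by_ip[e["ip"]].append((e["ts"], int(m.group(1))))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({jid for _, jid in hits[start:end + 1]}))
        if best >= min_ids:
            flagged[ip] = best
    return flagged


def detect_upload_probing(events, min_misses=5):
    """Flag clients accumulating many distinct 404s under wp-content/uploads/ (name guessing)."""
    misses = defaultdict(set)
    for e in events:
        if e["path"].startswith(UPLOADS_PREFIX) and e["status"] == 404:
            misses[e["ip"]].add(e["path"])
    return {ip: len(paths) for ip, paths in misses.items() if len(paths) >= min_misses}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("ID walk:", detect_id_walk(evts))
    print("Upload probing:", detect_upload_probing(evts))
```

The thresholds are deliberately conservative: a real visitor rarely opens eight different job applications within a minute or collects five distinct misses under the uploads directory, so either rule on its own is a reasonable alert, and a client tripping both in sequence is a strong signal that the plugin's upload directory is being enumerated.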