Target machine ip is 10.0.2.17
STAPLER can found on the vulnhub website.
We scan target machine with nmapAutomator.
we try to login ftp server with default credentials. Default credentials are “anonymous”,”anonymous”.
We see note in ftp and download to localhost with get command.
We try to connect ssh. But password is necessary to connect but we find username. Maybe it works.
we discover there is a WordPress website 12380 port with nmapAutomator.
We scan WordPress with wpscan and we get error ssl problem.
We disable ssl check
We find advanced video plugin
We look the advanced video plugin readmefile and we search plugin version in exploitdb and we find exploit for advanced video.
We try to find wp -config using file path. We get error.
We write the full path of wp-config.
We look https://localhost:12380/blogblog/wp-content/uploads.
We download the 3992227223.jpeg with wget command and we examine the jpeg file with nano.
We find username and password for wordpress database and we connect the mysql these credentials.
We look wordpress database and show tables.
We found user_pass hashs. With the hash identifier, we learn what the hashing will be. It is important John because there is the name who see in the wordpress blog.
We crack hash with hashcat
John’s password is ‘incorrect’ and we login into the wordpress.
We look plugin and we get error if we want to add new plugin.
we decide to add the plugin manually. We go to upload page
We upload php file to reverse shell.
Before, We run php-reverse-shell.php. We listen related port with nc command.
We look at the bash histories of the users.
We find ssh credentials as named peter username and we connect ssh. We write sudo -l command. We see important message that very neccassry to get root. The message is ‘User peter may run the following commands on red’.
