First Post: Last Update: Word Count: 3k Read Time: 18min
information_collect
frist we need locate the machine.
we got command as
1
arp-scan -l
or
1
netdiscover
1
arp -a #maybe fail.
than i got it on 192.168.242.129
than nmap is we need; nmap can scan the machine with the ports,services,text and so on.so it’s really useful when we are in the early information-collection steps of pentest/ctf and other place.
--------------------------nmapresult-------------------------------- StartingNmap7.80 ( https://nmap.org ) at 2020-09-19 00:15 EDT Nmap scan report for 192.168.242.129 Host is up (0.00044s latency). Notshown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0) | ssh-hostkey: | 1024c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA) | 204811:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA) |_ 2563d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA) 80/tcp open http Apache httpd 2.2.22 ((Debian)) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.2.22 (Debian) |_http-title: Welcome to Drupal Site | Drupal Site 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 1000002,3,4111/tcp rpcbind | 1000002,3,4111/udp rpcbind | 1000003,4111/tcp6 rpcbind | 1000003,4111/udp6 rpcbind | 100024135938/tcp6 status | 100024137866/udp status | 100024145265/udp6 status |_ 100024160683/tcp status Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.25 seconds
tips
we can find two things needed high-lights;
one is druapl site! //a kind of cms
one is robots.txt //the text will ban the sipder of information collecting
we can curl/access with web broswer.
by the way i use firefox(because it based on my kali default)
WordPress Security Scanner by the WPScan Team Version 3.8.6 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________
[i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N][+] URL: http://192.168.242.129/ [192.168.242.129] [+] Started: Sat Sep 1903:46:242020
[+] XML-RPC seems to be enabled: http://192.168.242.129/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] A backup directory has been found: http://192.168.242.129/user/backup-db/ | Found By: Direct Access (Aggressive Detection) | Confidence: 70% | Reference: https://github.com/wpscanteam/wpscan/issues/422
[+] This site has 'Must Use Plugins': http://192.168.242.129/user/mu-plugins/ | Found By: Direct Access (Aggressive Detection) | Confidence: 80% | Reference: http://codex.wordpress.org/Must_Use_Plugins
Fingerprinting the version - Time: 00:00:25 <=============> (463 / 463) 100.00%Time: 00:00:25 [i] The WordPress version could not be detected.
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
so get in the mysql database you can see the admin pass(with encrypted one)
tips
google is also a tips.
google”forget admin pass of drupal” can tell us drupal 7 encypt method and other way to access the drupal dashboard.
so the method is you can both crack or change the pass in mysql or use drupal console to reset it.
make damage is whatever because nobody use this drupal but you. :)
the backend has the article by admin,it’s a hint.
1 2 3
Url is http://<ip-address>/node/2#overlay-context=shell Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
Unh..go to the method 1 use find command to get shell~~;
WIN
now you are root! WIN!!!!!
1 2 3 4 5 6 7 8 9 10
ls thefinalflag.txt
cat thefinalflag.txt Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can letme know what you thought of this little journey by contacting me via Twitter - @DCAU7
————-success————-
thank you for watching~I am Esonhugh,this is the frist blog for me.