Wednesday, October 7, 2020

[VulnHub] Loly walkthrough

Hello, today I'm back with VulnHub, which provides materials that allow anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.

I chose a random lab named Loly. Let's get through it!




Interesting! This lab uses WordPress as its web platform. Let's surf!




Ok girl! This seems like the personal blog of a kitty cat 😋. Actually, the website's content did not render like this at first; I had to change something in the hosts file, btw.

Moving on to the login page.


After some fuzzing, I confirmed that no default login credentials work. Back on my Ubuntu machine, I ran WPScan to look for vulnerabilities, if any.





WordPress 5.5! Google didn't tell me anything useful for this case. This lab was built in August, so this version of WP has almost no vulns!

After searching and browsing, I reviewed the WPScan report and figured out I had missed this!



XML-RPC is on! So I immediately browsed to this location.


This may be the door! If you haven't heard about XML-RPC, google it!

So I opened ZAP proxy and sent a POST request to the target.

Here is the result


Let's send another request containing an XML document to retrieve some information:

<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>

and the response is:


There are many methods, but we should only care about the pingback method and brute-force login!

Testing with the pingback method:



But neither of the methods above turned up anything useful. Stuck!

After trying everything, the last chance was to brute-force this authentication mechanism. I didn't think this was the right way until, after 2 seconds of brute-forcing, the password came out :)
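
On the defending side, a login burst like this one shows up in the web server's access log as a run of POSTs to /xmlrpc.php from one client. The Python below is an added example, not part of the original walkthrough; the log lines are constructed, and the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format (not taken from the lab):
# 8 rapid POSTs from one client, 3 slow POSTs from another, and one unrelated GET.
SAMPLE_LOG = "\n".join(
    [f'192.0.2.10 - - [07/Oct/2020:10:15:0{i // 4} +0000] '
     f'"POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"' for i in range(8)]
    + [f'198.51.100.7 - - [07/Oct/2020:10:{20 + i}:00 +0000] '
       f'"POST /xmlrpc.php HTTP/1.1" 200 180 "-" "-"' for i in range(3)]
    + ['203.0.113.5 - - [07/Oct/2020:10:16:00 +0000] '
       '"GET /wp-login.php HTTP/1.1" 200 2100 "-" "-"']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)


def find_xmlrpc_bursts(log_text, threshold=5, window_seconds=10):
    """Return {ip: peak request count} for clients that sent at least
    `threshold` POSTs to /xmlrpc.php within `window_seconds`.

    WordPress answers a failed XML-RPC login with HTTP 200 and a fault in the
    body, so the status code is not a usable signal; request rate is.
    Assumes the log is in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:     # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    print(find_xmlrpc_bursts(SAMPLE_LOG))
```
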


Logged in successfully! After an hour of surfing and browsing around, I found this:


As you can see, zip files were not restricted! And after uploading, the zip file was extracted automatically.

Let's upload a shell and call it.

Bingo!


We found the Linux Ubuntu version. I looked for a way to exploit this kernel using searchsploit and chose an exploit C file.


Then I turned my Ubuntu machine into a server so the target machine could download the file.



Seems like the $PATH for gcc is not set.
export PATH=$PATH:
Set it and run again.

Okay. Run this file and get root!



Happy Hacking!