Hello, today I come back with VulnHub, which provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.
I chose a random lab named Loly. Let's get through it!
Interesting! This lab uses WordPress as its web platform. Let's surf!
Ok girl! This seems like a personal blog of a kitty cat 😋. Actually, the website did not display like this at first; I had to change something in the hosts file, btw.
Move on to the login page
WordPress 5.5! Google didn't tell me anything useful for this case. This lab was built in August, so this version of WP has almost no known vulns!
After searching and browsing, I review the WPScan report and figure out I missed this stuff!
XML-RPC is on! So I immediately surf to this location
This may be the door! If you haven't heard about XML-RPC, google it!
So I open ZAP proxy and send a POST request to the target
Here is the result
Let's send another request containing an XML doc to retrieve some information
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
and the response is:
There are many methods, but we should only care about the pingback method and brute-force login!
Test with the pingback method
but nothing in either of the two methods above was useful. Stuck!
After trying everything, the last chance was to brute-force this authentication mechanism. I didn't think this was the right way, until after 2 seconds of brute-forcing the password came out :)
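The brute force above works because xmlrpc.php accepts logins without the lockouts and CAPTCHAs that wp-login.php often gets, and a failed attempt still comes back as HTTP 200 with a fault in the XML body, so nothing in the status code column gives it away. Here is what the defender's side looks like: an added example (my code, not from the lab or the blog) that reads constructed Apache/nginx "combined" access-log lines and flags any source that posts to xmlrpc.php too often inside a sliding window. The log lines, the regex and the threshold of 20 requests per 5 minutes are all assumptions for the example.

```python
"""Spot XML-RPC abuse (credential brute force, multicall floods) in web server access logs.

Added example with constructed log lines and a constructed regex; not from the lab or the blog.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (regex written for this example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_xmlrpc_post(rec):
    # The query string is irrelevant; only the script name matters.
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("xmlrpc.php")


def detect_xmlrpc_bursts(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: peak count} for sources that POST to xmlrpc.php at least
    `threshold` times within any sliding `window`.

    HTTP status is useless here: WordPress answers a failed XML-RPC login with
    200 and a <fault> in the body, so the request rate per source is the signal.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent xmlrpc POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_xmlrpc_post(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


def sample_log():
    """Constructed sample: one source hammering xmlrpc.php, one normal visitor, one junk line."""
    base = datetime(2020, 8, 20, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{t}] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.24"')
    for i in range(3):
        t = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'10.0.0.9 - - [{t}] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')
    t = base.strftime(TS_FMT)
    lines.append(f'10.0.0.9 - - [{t}] "POST /xmlrpc.php?rsd HTTP/1.1" 200 412 "-" "WordPress/5.5"')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, n in detect_xmlrpc_bursts(sample_log()).items():
        print(f"ALERT {ip}: {n} POSTs to xmlrpc.php inside the window")
```

Two caveats when you run this on real logs: a single XML-RPC request can carry many login attempts through system.multicall, so the threshold should be low, and the cleanest mitigation is simply to switch the endpoint off if nothing (Jetpack, mobile apps) needs it, for example with WordPress's own xmlrpc_enabled filter or a deny rule in the web server.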
Logged in successfully! After an hour of surfing and browsing around, I found this stuff
As you can see, zip files were not restricted! And after uploading, the zip file was extracted automatically.
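An upload handler that auto-extracts archives has to screen the archive before touching the filesystem, otherwise a zip with a .php file (or a ../ entry that lands a file outside the upload directory) turns the feature into a shell drop like the one above. The following is an added example of that screening, written by me for this post and not taken from the blog or from any WordPress plugin; the blocked-name lists, size limits and the two constructed archives are assumptions for the demonstration.

```python
"""Pre-extraction screening for uploaded zip archives.

Added example, not code from the blog or from any WordPress plugin: a generic
check that an upload handler should run *before* it auto-extracts an archive.
"""
import io
import posixpath
import stat
import zipfile

# Names and extensions the web server might execute or honour (constructed list)
BLOCKED_NAMES = {".htaccess", ".user.ini", "web.config"}
BLOCKED_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "sh"}


def archive_findings(data, max_total=50 * 1024 * 1024, max_ratio=100):
    """Return the reasons this archive must not be extracted (empty list = looks safe)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    findings = []
    total = 0
    with zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Zip slip: absolute paths, drive letters, backslashes or ".." escape the target dir
            if (name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../")
                    or (len(name) > 1 and name[1] == ":")):
                findings.append(f"path traversal: {name}")
            # Unix mode lives in the high 16 bits of external_attr; a symlink can point anywhere
            if stat.S_ISLNK(info.external_attr >> 16):
                findings.append(f"symlink entry: {name}")
            base = posixpath.basename(norm).lower()
            # Check every dotted suffix: "shell.php.jpg" runs under lax AddHandler configs
            suffixes = base.split(".")[1:]
            if base in BLOCKED_NAMES or any(s in BLOCKED_EXTS for s in suffixes):
                findings.append(f"server-executable file: {name}")
            # Zip bomb heuristics: per-entry compression ratio and total uncompressed size
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append(f"suspicious compression ratio: {name}")
    if total > max_total:
        findings.append(f"uncompressed size {total} exceeds {max_total}")
    return findings


def build_zip(entries):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (no real payloads, only placeholder content)
MALICIOUS = build_zip({
    "theme/style.css": b"body { color: #333 }",
    "theme/shell.php": b"<?php // placeholder, not a real payload ?>",
    "../../wp-config.bak": b"lands outside the upload directory",
    "bomb.bin": b"\0" * (1 << 20),
})
BENIGN = build_zip({
    "theme/style.css": b"body { color: #333 }",
    "theme/img/logo.png": bytes(range(256)) * 16,
})


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, archive_findings(blob) or "no findings")
```

The check refuses rather than sanitises: stripping a bad entry and extracting the rest still leaves you trusting the archive, while a flat reject is easy to reason about and to log. Whatever the archive contains, the extraction directory itself should also sit outside the web root or have script execution disabled, so that the file type check is a second line, not the only one.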
Let's upload a shell and call it
Bingo!
We found the Linux Ubuntu version. I look for a way to exploit this kernel using searchsploit and choose an exploit C file
And I make my Ubuntu box the server so the target machine can download the file
export PATH=$PATH: