Wednesday, October 7, 2020

[VulnHub] Loly walkthrough

Hello, today I come back with VulnHub, which provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.

I chose a random lab named Loly. Let's get through it!

Interesting! This lab uses WordPress as its web platform. Let's surf!

OK! This seems to be the personal blog of a kitty cat 😋. Actually, the website did not render like this at first; I had to change something in the hosts file, by the way.

Move on to the login page.

After some fuzzing, I confirmed that no default login credentials work. Back on my Ubuntu box, I ran wpscan to look for vulnerabilities, if any.

WordPress 5.5! Google didn't tell me anything useful for this case. This lab was built in August, so this version of WP has almost no known vulnerabilities!

After more searching and browsing, I reviewed the wpscan report and realised I had missed this:

XML-RPC is on! So I immediately browsed to that location.

This may be the door! If you haven't heard of XML-RPC, google it!

So I opened ZAP proxy and sent a POST request to the target.

Here is the result:

Let's send another request containing an XML document to retrieve some information.

And the response is:

There are many methods, but we should only care about the pingback method and brute-forcing the login!

Testing the pingback method:

But neither of the methods above yielded anything useful. Stuck!

After trying everything, the last chance was to brute-force this authentication mechanism. I didn't think this was the right way, but after 2 seconds of brute-forcing, the password came out :)
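From the defender's side, a login brute-force through xmlrpc.php shows up in the web server access log as a burst of POSTs to /xmlrpc.php from one source. The following is an added example, not code from the original post: it parses constructed Apache combined-format log lines and flags any source IP that exceeds a threshold of xmlrpc.php POSTs inside a sliding time window. The IPs, timestamps and user agents are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Oct/2020:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.5 - - [07/Oct/2020:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.5 - - [07/Oct/2020:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.5 - - [07/Oct/2020:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.5 - - [07/Oct/2020:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
203.0.113.5 - - [07/Oct/2020:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.24"
198.51.100.9 - - [07/Oct/2020:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2020:10:00:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/5.5"
"""

# Client IP, timestamp, request method and path from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, datetime, method, path) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]

def xmlrpc_bursts(log_text, window_seconds=60, threshold=5):
    """Return {ip: peak_count} for sources that POST to /xmlrpc.php more than
    `threshold` times inside any sliding window of `window_seconds`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path == "/xmlrpc.php":
            hits[ip].append(ts)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0                      # oldest index still inside the window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

A single legitimate pingback from another WordPress site stays under the threshold, while the scripted burst is reported with its peak request count.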

Logged in successfully! After an hour of surfing and browsing around, I found this:

As you can see, zip files were not restricted! And after uploading, the zip file was extracted automatically.

Let's upload a shell and call it.

We found the Linux/Ubuntu version. I looked for a way to exploit this kernel using searchsploit and chose an exploit C file.

And I turned my Ubuntu box into a server so the target machine could download the file.

It seems like $PATH is not set, so gcc cannot be found.
export PATH=$PATH:
Set it and run again.

Okay. Run the file and get root!

Happy Hacking!
