When machine was ready I scanned ports using nmap and found 3 ports related to HTTP somehow... Next step was to visit those 'pages' and see if there is any hidden hint. I started from port 80/tcp:
dirb to scan webroot of remote host.
After a while of checking wordlists available in Kali (/usr/share/wordlists/) I used rockyou.txt with (-X .php switch) to find new link. The file I was looking for was login.php.
I used Burp to intercept (login) request and copied it to use (raw request) with sqlmap:
I was wondering if there are some databases. Scanning with dirb revealed directories like "phpmyadmin", "wordpress" so my first guess was to find Wordpress DB, grab admin's password and drop a shell via Themes (it was probably already described somewhere here).
So I started to listing available DB's:
Cool, there are few interesting places to check. I started from Wordpress, table 'users':
So far, so good. Looks like this is away to our shell ;)
Super obfuscated payload:
Next step was to download small sample generated by venome.sh.
Let's get the file:
Quick setup for Metasploit:
Time to get a shell:
Cool :) We are here:
Next thing I tried was to cat passwd and shadow files. So now we are here:
I decided to spawn python-shell again:
Then I used credentials (grabbed by sqlmap) to log into PMA panel and grab more passwords. Goal was to check how can I switch to root or candycane user(s from passwd file).
So, we are here:
Looks like this is it ;)
See you next time.
Special thanks goes to: 'Ela z Sanoka'!