
Pg Practice Readys writeup

Secsheep, 2 October 2023


1. Reconnaissance

Use nmap to scan the target machine for open TCP and UDP ports and the services behind them. The nmapAutomator wrapper runs the port, script, full and UDP scans in one go:

    sudo ./nmapAutomator.sh 192.168.207.166 all
    [sudo] password for kali:

    Running all scans on 192.168.207.166

    Host is likely running Unknown OS!

    ---------------------Starting Port Scan---------------------

    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http

    ---------------------Starting Script Scan---------------------

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 74ba2023899262029fe73d3b83d4d96c (RSA)
    |   256 548f79555ab03a695ad5723964fd074e (ECDSA)
    |_  256 7f5d102762ba75e9bcc84fe27287d4e2 (ED25519)
    80/tcp open  http    Apache httpd 2.4.38 ((Debian))
    |_http-server-header: Apache/2.4.38 (Debian)
    |_http-generator: WordPress 5.7.2
    |_http-title: Readys – Just another WordPress site
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    OS Detection modified to: Linux

    ---------------------Starting Full Scan---------------------

    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    6379/tcp open  redis

    Making a script scan on extra ports: 6379

    PORT     STATE SERVICE VERSION
    6379/tcp open  redis   Redis key-value store

    ---------------------Starting UDP Scan---------------------

    No UDP ports are open

Just looking at the Nmap results, it is possible to see that this is a Linux machine running an Apache web server, with a WordPress application (version 5.7.2, per the http-generator tag) behind it. The full scan also reveals a Redis instance on port 6379, which the first two scans missed.
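The same review can be done mechanically. As an added example (not part of the original writeup), the following Python parses nmap output in the layout shown above, attaches NSE script results to the port they belong to, and flags the two things worth noticing first: a Redis instance reachable over the network and a CMS version disclosed through the generator tag. The sample text is constructed from the port lines above, and the "internal only" service list is an assumption of this example.

```python
import re

# Constructed sample in the normal nmap -sV output layout shown in the scan above.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.7.2
6379/tcp open redis Redis key-value store
"""

# "<port>/<proto> <state> <service> [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE output lines look like "|_name: value" or "| name: value"
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

# Services that should never be reachable from an untrusted network (assumed list).
INTERNAL_ONLY = {
    "redis": "Redis has no authentication by default; bind it to localhost or set requirepass",
}


def parse_nmap(text):
    """Parse port lines and attach NSE script results to the preceding port."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": name, "version": version or "", "scripts": {}})
            continue
        s = SCRIPT_LINE.match(line)
        if s and services:
            services[-1]["scripts"][s.group(1)] = s.group(2)
    return services


def review_exposure(services):
    """Return human-readable findings for open ports that deserve attention."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        generator = svc["scripts"].get("http-generator")
        if generator:
            findings.append(f"{svc['port']}/{svc['proto']} {svc['service']}: "
                            f"version disclosed via generator tag ({generator})")
        if svc["service"] in INTERNAL_ONLY:
            findings.append(f"{svc['port']}/{svc['proto']} {svc['service']}: "
                            f"{INTERNAL_ONLY[svc['service']]}")
    return findings


if __name__ == "__main__":
    for finding in review_exposure(parse_nmap(SAMPLE_NMAP)):
        print(finding)
```

Feeding it the normal-format output of a real scan (`nmap -sV -oN scan.txt ...`) works the same way; the parser only depends on the port line and script line shapes, not on the wrapper script used above.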

2. Enumeration

Browsing to the site, we can see it is a static WordPress front page.

It is important to check robots.txt and sitemap.xml for any interesting pages, but http://192.168.207.166/robots.txt and http://192.168.207.166/sitemap.xml turned up nothing useful. Since this is a WordPress application, I decided to run WPScan to enumerate plugins and look for known vulnerabilities:

    wpscan --api-token k0U9PCes1BN4sGJDuPqmUCDISso8CYCBvjW8wRyia40 --url "http://192.168.207.166" -e p

After running WPScan, I found a possible attack vector: a plugin called site-editor is installed on the WordPress site.

https://www.exploit-db.com/exploits/44340

Checking Exploit-DB, I found a published vulnerability for this plugin. Apparently, it has a local file inclusion (LFI) vulnerability in one of its parameters.

Trying to read ~/.ssh/id_rsa through the LFI did not work, so I went back to the open ports and remembered that a Redis server is listening on 6379.

As we all know, the default path for the Redis configuration file is /etc/redis/redis.conf, which is a natural target to read through the LFI.
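Two things decide how bad the combination above is for the defender: whether the LFI attempts show up in the web server logs, and what the Redis configuration actually allows. As an added example that is not part of the writeup, the following Python covers both: it scans Apache combined-format access log lines for requests whose parameters carry traversal sequences or well-known sensitive paths, and it audits a redis.conf for the settings that make an exposed Redis instance dangerous (bind address, protected-mode, requirepass, renamed admin commands). The log lines, the plugin path example-plugin/view.php, the indicator list and both config fragments are constructed for this example; <strong-password-here> is a placeholder, not a real value.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not from the target in the writeup).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Oct/2023:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.77 - - [02/Oct/2023:10:01:15 +0000] "GET /wp-content/plugins/example-plugin/view.php?path=../../../../etc/passwd HTTP/1.1" 200 2201 "-" "curl/7.88"
192.0.2.77 - - [02/Oct/2023:10:01:20 +0000] "GET /wp-content/plugins/example-plugin/view.php?path=%2e%2e%2f%2e%2e%2fetc%2fredis%2fredis.conf HTTP/1.1" 200 9870 "-" "curl/7.88"
192.0.2.77 - - [02/Oct/2023:10:01:25 +0000] "GET /wp-content/plugins/example-plugin/view.php?path=/home/alice/.ssh/id_rsa HTTP/1.1" 500 0 "-" "curl/7.88"
"""

# client, timestamp, method, request path, status code
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
# Paths whose appearance in a request parameter is almost never legitimate (assumed list).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/redis/redis.conf", "/.ssh/", "wp-config.php", "/proc/self/")


def lfi_indicators(path):
    """Return indicator names found in a URL-decoded request path (empty if clean)."""
    decoded = unquote(unquote(path))  # two rounds catch double-encoded payloads
    hits = ["traversal"] if TRAVERSAL.search(decoded) else []
    hits.extend(s for s in SENSITIVE if s in decoded)
    return hits


def scan_access_log(text):
    """Return one finding dict per request that carries LFI indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        hits = lfi_indicators(path)
        if hits:
            findings.append({"ip": ip, "time": ts, "method": method, "path": path,
                             "status": int(status), "indicators": hits})
    return findings


# Constructed redis.conf fragments: a weak one and a hardened one.
WEAK_CONF = """\
# Redis configuration (constructed example)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass <strong-password-here>
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Return {directive: [values...]} for active lines; repeatable directives keep every occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf.setdefault(name.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text):
    """Return a list of weak settings; an empty list means the config looks acceptable."""
    conf = parse_redis_conf(text)
    issues = []
    binds = conf.get("bind", [])
    if not binds or any(a in ("0.0.0.0", "*", "::") for addr in binds for a in addr.split()):
        issues.append("bind: listens on all interfaces (set 'bind 127.0.0.1 ::1')")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        issues.append("protected-mode no: unauthenticated remote clients are accepted")
    if "requirepass" not in conf:
        issues.append("requirepass: no password; any client that can reach the port has full access")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            issues.append(f"rename-command: {cmd} is still reachable under its default name")
    return issues


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['indicators']} {f['path']}")
    for issue in audit_redis_conf(WEAK_CONF):
        print("redis.conf:", issue)
```

The log scanner decodes twice before matching, so `%252e%252e%252f` style payloads are caught as well; the config audit treats a missing `bind` the same as `0.0.0.0`, because Redis listens on every interface when no address is given. A stricter deployment checks `dir` and `dbfilename` too, since those control where Redis writes its dump file.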

3. Foothold

4. Changing to another user

5. Privilege Escalation
