I set up my own WordPress site!
I love that there are so many plugins. My favorite is Revolution Slider. Even though it's a little old, it doesn't show up on wpscan!
Please give it about 30 seconds after connecting for everything to set up correctly.
The flag is in
Openvpn config file:
Start by configuring the OpenVPN config file.
Now use nmap to scan the network.
So there is an IP, 172.30.0.3, with open SSH and HTTP ports, and another IP, 172.30.0.2, with an open MySQL service.
It looks like 172.30.0.3 is our web server and the other one is the database server.
Let's look at the site by typing 172.30.0.3 into the browser.
So it's a WordPress site. I used wpscan to scan it but found nothing interesting (also, while scanning with wpscan, use a timeout of 30 seconds ***).
There was also a clue that they are using revslider (Revolution Slider) as a plugin on the site. Googling for revslider exploits, I found that there is a file upload vulnerability in revslider.
Basically we can upload a file to the web server by exploiting that vulnerability. To demonstrate, let's fire up msfconsole and do the following.
Before that, write a simple PHP payload as a proof of concept. The payload I used was...
Now for the msfconsole stuff:
So with this we have successfully uploaded the payload.
Let's check it on the real server.
So far so good. Now my target is to upload a PHP TCP reverse shell payload which, when run, gives us a shell on port 1234 (for example).
I have a shellcode.php in my tool list which I use for this purpose. I uploaded it as
Download the php-reverse-shell
Now I just have to start a listener on port 1234 and hit my payload. Before hitting the payload:
After hitting the payload:
After some simple Linux commands I found note.txt.
So the SSH key is on the DB server at /backup/id_rsa, and the DB server is 172.30.0.2.
Now we need some more things to work with.
So I checked the wp-config.php file using the cat command... guess what, I found the database credentials.
So the username for the DB is 'wordpress', host: 172.30.0.2, password: '0NYa6PBH52y86C'
I just connected to the DB server with these values.
So I have to read /backup/id_rsa on this server. As I now have full control over the database, this is quite a simple task.
What I did was create a 'temp' table with one column in it, then load the content of /backup/id_rsa into that table and read it with a SELECT query.
After the SELECT query:
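The scratch-table trick above (load a file into a temp table, then SELECT it back) is exactly what a DB admin should be watching for: a web-app account reading files off the database host. The Python scanner below is an added example, not from this write-up; it runs over a constructed MySQL general-log excerpt (paths, connection ids and function names are my own assumptions) and attributes every server-side file primitive to the account that opened the connection.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed MySQL general-log excerpt (time, connection id, command, argument),
# made up to mirror the write-up's scratch-table read; not a capture from the box.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z\t  12 Connect\twordpress@172.30.0.3 on wordpress
2024-01-01T10:00:02.000000Z\t  12 Query\tCREATE TABLE temp (line TEXT)
2024-01-01T10:00:03.000000Z\t  12 Query\tLOAD DATA INFILE '/backup/id_rsa' INTO TABLE temp
2024-01-01T10:00:04.000000Z\t  12 Query\tSELECT * FROM temp
2024-01-01T10:00:05.000000Z\t  13 Connect\troot@localhost on
2024-01-01T10:00:06.000000Z\t  13 Query\tSELECT LOAD_FILE('/etc/hostname')
2024-01-01T10:00:07.000000Z\t  13 Query\tSELECT 1 INTO OUTFILE '/tmp/probe.txt'
"""

# Server-side file primitives worth alerting on; each pattern captures the path.
FILE_PRIMITIVES = [
    ("LOAD DATA INFILE", re.compile(
        r"\bLOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?(?:LOCAL\s+)?INFILE\s+'([^']*)'", re.I)),
    ("LOAD_FILE()", re.compile(r"\bLOAD_FILE\s*\(\s*'([^']*)'", re.I)),
    ("INTO OUTFILE/DUMPFILE", re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+'([^']*)'", re.I)),
]
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

@dataclass
class Finding:
    conn_id: int
    account: str      # user@host from the connection's Connect line, "?" if unseen
    primitive: str
    path: str

def scan_general_log(text: str) -> List[Finding]:
    """Attribute every file-access query in the log to the account that connected."""
    accounts: Dict[int, str] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn_id, cmd, arg = int(m["id"]), m["cmd"], m["arg"]
        if cmd == "Connect":          # argument looks like "user@host on db"
            accounts[conn_id] = arg.split()[0] if arg.split() else "?"
        elif cmd == "Query":
            for name, pat in FILE_PRIMITIVES:
                hit = pat.search(arg)
                if hit:
                    findings.append(Finding(conn_id, accounts.get(conn_id, "?"), name, hit.group(1)))
    return findings
```

On the prevention side, a grant for the wordpress user that omits the FILE privilege, plus a non-empty secure_file_priv on the server, would have made this read fail in the first place.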
I stored this in a file and saved it as id_rsa. Now I have to use this key to connect through SSH as the root user.
Hence, after login I got the flag.
It was a fun challenge ;-)