Posts

Showing posts from March, 2017

Pluck w00t!

Image
Time to Pluck! Though a bit late, I decided to give this machine a try! As with all almost every machine I began with arp-scan/netdiscover: Once this is done, next I try to do a port scan on the host. I began with the tcp scan while upd scans taking more time ran in the background. Since port 80 was open, I ran nikto in other window. Post this is done, I move next to check banners on each service. SSH dint give any banner, neither mysql or llmnr protocol so I tried to enumerate the web. Just before I went to check the web service, I looked at the nikto results and they were interesting! Now, this was very interesting, an LFI!! Meanwhile I had also tried fuzzing the admin page on the webservice and it revealed sql injection: Now, I had two vectors so I thought lets begin with the LFI. Doing a /etc/passwd dumped all the contents!! But Trying lfi on other files like apache logs etc was not getting possible (permission issue??) This was when som
Image
I picked up Sedna and these were the steps: Like any machine, starting with arp-scan to first know the machine IP: arp-scan -l The machine got detected at 192.168.137.152 The next step was to run an nmap scan: From here, I decided that I shall  be concentrating on port 80. First checking the webpage: I decided I shall have a peek at the robots.txt as well: going to /Hackers gave 404 -Not found! Damn! :D Meanwhile in background, I was running gobuster. Doing web enumeration and checking web page sources dint reveal much! I decided to check my gobuster results: Manually enumerating the dirbuster pointed folders, I quickly became clear that builderengine was running. Next, a searchsploit revealed exploit for arbitrary upload in BuilderEngine. Seems BuilderEngine is vulnerable to arbitrary file uploads on the directory: http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/ I uploaded a simple php reverse shell to