EVM: 1 Walkthrough
reference | EVM: 1 |
target ip | 192.168.1.21 |
I changed the network configuration of the target to use a bridged network.
Scan with nmap
:

Enumerate port 80 with gobuster
:


Enumerate users of wordpress
with wpscan
:
1 | wpscan --url http://192.168.1.21/wordpress -e u --no-banner |

Brute-force crack the password of user c0rrupt3d_brain
:
1 | wpscan --url http://192.168.1.21/wordpress --no-banner --usernames=c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt --password-attack=wp-login |

The target will request 192.168.56.103
by default when visiting the webpage with firefox
.
Use burp
to intercept the request.
But burp
won’t redirect one ip(192.168.56.103
) to another(192.168.1.21
) by default.
Download Jython standalone.
Config burp
to load jython
:

Update TrafficRedirector.py:
1 | from burp import IBurpExtender |
Config burp
to load TrafficRedirector.py
:

Use FoxyProxy Standard to setup the Firefox
proxy to http://127.0.0.1:1080
.
Redirect the request instead of modifying requests.
Ignore these related requests:

Login with username c0rrupt3d_brain
and password 24992499
:

Inject the reverse shell to wordpress
plugin Hello Dolly
:

Activate the plugin:

Get the reverse shell:

Escalate to user root
:

