sunset: midnight Walkthrough
reference | sunset: midnight |
target ip | 192.168.1.9 |
Scan with nmap
:

Brute force MySQL login with hydra
:
1 | hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.9 mysql -e nsr -I -V -t 4 |

Login into MySQL:

Enumerate wp_users
:

Crack failed with john
.
Update admin user, with the password pass
generated from this site:

Login into WordPress with username admin, password pass.
Failed to inject PHP codes to Simple Poll plugin.
The admin user has write permissions to Akismet Anti-Spam plugin.
But the related pages of the plugin like this is forbidden.

Try to generate a malicious WordPress plugin manually.
This method is derived from wetw0rk/malicious-wordpress-plugin.
You may want to use this to generate automatically.
The plugin contains two files:
- info.php
- rs.php

rs.php
is just a common PHP reverse shell.
Generate a zipped file.

Load the malicious plugin to WordPress(Plugins->Add New->Upload Plugin):

Request rs.php to get a reverse shell.

Jose’s credential can be found from /var/www/html/wordpress/wp-config.php
:

This is also the SSH credential.

/home/jose/user.txt
:

Enumerate suid files:

Failed with /usr/bin/status
:

Add a service
script:

Update the PATH
environment variable:

Another reverse shell as user root:

/root/root.txt
:
