Projectyadhu
PENETRATION
▪ SCANNING
▪ ENUMERATION
▪ EXPLOITATION
1. SCANNING
The IP address of the host system was found to be 192.168.0.16
Scanning with nmap for open ports
• nmap -sC -Pn 192.168.0.16
2. ENUMERATION
After getting the IP address of the machine I enumerated the open ports using the nmap tool, and found three services
▪ FTP
▪ SSH
▪ HTTP
Then I moved on to the HTTP service, but couldn't find anything useful. So I brute-forced the directories using the dirb tool
I was able to find the robots.txt file, which contained a disallowed directory entry that in turn contained a webpage named 's0mething.php'
From further investigation I found that it is base85-encoded text, and by using the CyberChef tool I decoded the data and got 'b3lla-c1a0'. But I couldn't find what it was for.
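Recognising which encoding a blob of text is in is the step that the CyberChef decode above glosses over. The following is an added example, not part of the original writeup: a small triage helper that tries the ASCII85 alphabet (CyberChef's default "Base85"), Python's RFC 1924-style Base85 and Base64, and reports every scheme that yields printable ASCII. The page does not reproduce the encoded string from s0mething.php, so the sample below is constructed by encoding the decoded value the page reports.

```python
import base64

# Decoders a triage script would try, in order. CyberChef's "From Base85" uses the
# ASCII85 alphabet by default; Python's b85decode uses the alternative alphabet
# seen in git and RFC 1924, so both are worth trying on an unknown blob.
DECODERS = {
    "ascii85": base64.a85decode,
    "base85": base64.b85decode,
    "base64": lambda s: base64.b64decode(s, validate=True),
}


def candidate_decodings(blob: str) -> dict:
    """Return {scheme: text} for every scheme under which `blob` decodes to
    non-empty printable ASCII. Short inputs may decode under more than one
    scheme, so the caller still has to judge which result makes sense."""
    try:
        data = blob.strip().encode("ascii")
    except UnicodeEncodeError:
        return {}  # none of these alphabets contain non-ASCII characters
    results = {}
    for name, decode in DECODERS.items():
        try:
            text = decode(data).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid under this alphabet, or not text
        if text and text.isprintable():
            results[name] = text
    return results


# Constructed samples (the page does not show the original encoded string):
# the value the page reports, re-encoded as ASCII85, plus a Base85 control.
SAMPLE_A85 = base64.a85encode(b"b3lla-c1a0").decode("ascii")
SAMPLE_B85 = base64.b85encode(b"hello").decode("ascii")

if __name__ == "__main__":
    for sample in (SAMPLE_A85, SAMPLE_B85):
        print(sample, "->", candidate_decodings(sample))
```

Because the ASCII85 and Base85 alphabets overlap, a blob that happens to use only shared characters can decode under both; treating the output as a list of candidates rather than a single answer avoids chasing the wrong string.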
Then I browsed to 'b3lla-c1a0' in the browser and got a page which included a PDF file named 'money.pdf'
• http://192.168.0.15/b3lla-c1a0
Looking at the file properties I came to know that it is a jpg file and renamed it to money.jpg.
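The "file properties" observation above is a magic-byte check: the content starts with a JPEG header even though the name ends in .pdf. As an added example (not code from the writeup), the helper below compares a file's extension with its leading bytes, the same check a web upload handler or mail gateway should apply to anything a user supplies. The header bytes are a constructed JFIF prefix, not taken from the page.

```python
import os

# Leading bytes for the types relevant here (JPEG vs PDF) plus a few common ones.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Extensions that name the same type as a key in SIGNATURES.
ALIASES = {"jpeg": "jpg"}


def sniff_type(header: bytes):
    """Return the type implied by the leading bytes, or None if not recognised."""
    for kind, sigs in SIGNATURES.items():
        if any(header.startswith(s) for s in sigs):
            return kind
    return None


def extension_mismatch(filename: str, header: bytes):
    """Return (claimed, actual) when the extension and magic bytes disagree,
    or None when they agree or the content type is not one we recognise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = sniff_type(header)
    if actual is None or actual == claimed:
        return None
    return claimed, actual


def check_file(path: str):
    """Run the same check against a real file, reading only the first 16 bytes."""
    with open(path, "rb") as fh:
        return extension_mismatch(os.path.basename(path), fh.read(16))


# Constructed sample: a JPEG/JFIF prefix, i.e. what a "money.pdf" that is really
# a JPEG would start with.
FAKE_PDF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"

if __name__ == "__main__":
    print(extension_mismatch("money.pdf", FAKE_PDF_HEADER))  # ('pdf', 'jpg')
```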
And using the stegcracker tool I brute-forced the JPG file with rockyou.txt and obtained the password as 'mallows'
• stegcracker money.jpg /usr/share/wordlists/rockyou.txt
I got another JPG file named Heist.jpg, and by further investigation I found a word in the JPG file, "la-c45a-d3-p4p3l"
• strings heist.jpg
After browsing to the word in the browser I got an unusual error displaying the domain name of the host (redteam). So I knew I had to add the hostname to /etc/hosts
• nano /etc/hosts
• Add "192.168.0.15 redteam"
After adding the hostname I reloaded the page and was redirected to a WordPress page; at the bottom of the page was a link to the login page, and after clicking the link I got a WordPress login page
What I did next was try to log in with the default credentials, that is admin:admin
From this I came to know that a user 'admin' exists and we just have to find the password.
To brute-force the password I used the wpscan tool, and the selected wordlist was rockyou.txt
The password was found to be 'admin123'
I logged in using the credentials and entered the WordPress management site
There are several ways to exploit a WordPress site.
3. EXPLOITATION
Now that I've uploaded the shell, I have to set up a listener in Metasploit and browse to http://redteam/la-c45a-d3-p4p3l/wp-content/themes/twentytwenty/404.php
Thus I was able to get a shell as 'www-data' on the host system
As the user www-data does not have the necessary
Using hydra I got the password "tokyosilene" for the user 't0kyo'
Next I logged in to SSH using these credentials and was logged in as 't0kyo'
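Both the wpscan run against the WordPress login and the hydra run against SSH above succeed only because nothing rate-limits or alerts on the password guessing. The following is an added example, not part of the original writeup: a detector that parses sshd lines from auth.log, counts failed logins per (source, user) in a sliding window, and raises one alert when the threshold is reached and a second, higher-severity one when a success follows a burst of failures. The log lines, hostnames, PIDs and timestamps are constructed for the example; the threshold and window values are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two sshd outcomes we care about; other sshd/pam lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


def parse_line(line: str):
    """Return {ts, result, user, src} for an auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alert tuples (kind, src, user, failure_count).

    'bruteforce' fires once when `threshold` failures from one source for one
    user fall inside `window_seconds`; 'success_after_bruteforce' fires when an
    accepted login follows such a burst, which is the case that needs a human."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            recent = [t for t in failures[key]
                      if (ev["ts"] - t).total_seconds() <= window_seconds]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) == threshold:  # == so a long burst alerts only once
                alerts.append(("bruteforce", ev["src"], ev["user"], len(recent)))
        else:
            if len(failures[key]) >= threshold:
                alerts.append(("success_after_bruteforce", ev["src"], ev["user"],
                               len(failures[key])))
            failures[key].clear()  # a success ends the burst for this pair
    return alerts


# Constructed sample log: one stray failure for 'admin', then six failures and a
# success for 't0kyo' from the same source within seven seconds.
SAMPLE_LOG = [
    "Jan 10 12:00:00 redteam sshd[1301]: Failed password for admin from 10.0.0.9 port 40001 ssh2",
] + [
    f"Jan 10 12:00:0{i} redteam sshd[13{i}0]: Failed password for t0kyo from 192.168.0.20 port 5100{i} ssh2"
    for i in range(1, 7)
] + [
    "Jan 10 12:00:07 redteam sshd[1370]: Accepted password for t0kyo from 192.168.0.20 port 51010 ssh2",
    "Jan 10 12:00:07 redteam sshd[1370]: pam_unix(sshd:session): session opened for user t0kyo by (uid=0)",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same shape of rule applies to the WordPress side: wp-login.php POSTs with a 200 response and no auth cookie are the failures, and a 302 to wp-admin after a burst of them is the event worth paging on.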
In the t0kyo user's directory I found 2 files named 'gift' and 'letter'.
Opening them gave me a clue to go to the next user, ri0
Opening 'gift' showed a message from Rio to Tokyo, and opening the file 'letter' gave me a password hash
• cat gift
• cat letter
I saved the hash into a file and tried to crack the hash using the 'john' tool, and the selected dictionary was SecLists
• john --wordlist=/usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords.txt rio.txt
From the message it was clear that the file 'thegiftofprofessor' contained something that would get me to the superuser
On enumerating further I discovered the private SSH key file named 'thegiftofprofessor' in /usr/games/user
• cat thegiftofprofessor
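The root of this final step is a private key left outside ~/.ssh with permissions that let any local user read it. As an added example (not code from the writeup), the audit script below walks a directory tree, identifies files that carry a PEM private-key header, and reports those whose mode grants any group or other permission; it is the check a hardening baseline runs so that a key like the one in /usr/games/user is found before an attacker gets a low-privilege shell. The fixture it builds is constructed in a temporary directory with a dummy header, not a real key, and the path games/user mirrors the page's finding.

```python
import os
import re
import stat
import tempfile

# PEM header used by OpenSSH, RSA, EC and PKCS#8 private keys.
KEY_HEADER = re.compile(rb"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")


def is_private_key(path: str) -> bool:
    """True if a PEM private-key header appears in the file's first 1 KiB."""
    try:
        with open(path, "rb") as fh:
            return KEY_HEADER.search(fh.read(1024)) is not None
    except OSError:
        return False


def find_exposed_keys(root: str):
    """Walk `root` and return sorted [(relative_path, mode)] for private keys whose
    mode has any group or other bit set, i.e. keys readable beyond their owner."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if st.st_mode & 0o077 and is_private_key(path):
                found.append((os.path.relpath(path, root),
                              format(st.st_mode & 0o777, "04o")))
    return sorted(found)


# Constructed dummy: only the header matters to the check, no key material.
DUMMY_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
             b"DUMMYDUMMYDUMMYDUMMY\n"
             b"-----END OPENSSH PRIVATE KEY-----\n")


def build_demo_tree() -> str:
    """Constructed fixture: a correctly protected key, a world-readable key stashed
    under games/user (the page's /usr/games/user case), and a harmless text file."""
    root = tempfile.mkdtemp(prefix="keyaudit_")
    layout = {
        ".ssh/id_ed25519": (DUMMY_KEY, 0o600),
        "games/user/thegiftofprofessor": (DUMMY_KEY, 0o644),
        "notes.txt": (b"nothing secret here\n", 0o644),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode in find_exposed_keys(demo_root):
        print(f"{mode} {rel}")  # 0644 games/user/thegiftofprofessor
```

Run against / on a real host (as root, so every file is readable to the check) the same function gives a list to fix with chmod 600 and, where the key does not belong to the account that owns the directory, to rotate.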