VulnHub - PinkysPalace v2


00:47 - Start of recon, get the Debian release from the Apache header.
03:15 - Explanation of Nmap "filtered" / tcpwrapped results
06:45 - Enumerating WordPress
09:58 - Finding the /secret folder with the port-knock ports
10:42 - Trying to take advantage of the open WordPress installer (rabbit hole)
16:45 - Writing a port-knock script
34:10 - Finally a successful port knock, let's see what ports are open
38:40 - Using CeWL to build a wordlist, then using Hydra to brute-force the HTTP POST login
44:57 - Login, ignoring an SSH key :( and instead playing with an LFI!
01:03:50 - Reverse shell via LFI + log poisoning
01:07:50 - Enough playing, let's just crack the SSH key with John + sshng2john
01:13:35 - Analyzing the qsub binary with radare2
01:24:00 - Finding the command injection in the send function
01:26:14 - Exploiting the command injection to set up a SetUID binary (Stefano -> Pinky)
01:29:29 - Using SSH keys to get a proper session as pinky, then exploiting the cron script to get to demon
01:36:49 - Analyzing panel with radare2
01:48:29 - Enough of me learning, let's just take the easy route and use GDB + PEDA
01:56:39 - Finishing up the exploit with some shellcode

Reviewed by Anonymous on April 11, 2018. Rating: 5