00:00 - Intro
00:55 - Start of nmap
03:05 - Looking at the webste, getting a VirtualHost and then navigating to the page and confirming Wordpress
04:25 - The wp-content/plugins directory doesn't have an index, don't even need to use wpscan
06:45 - Testing the LFI with the plugin
10:55 - Using wpscan to enumerate wordpress users
12:20 - Explaining the /proc/ directory and why we can use this to enumerate running processes
13:44 - Creating a curl script to enumerate all running processes on the box
15:15 - Pulling apache's configuration to discover another virtual host
19:00 - Trying the wordpress credentials in cacti for password re-use and then exploiting Cacti with a CVE to get a shell
24:00 - Manually enumerating the SQL Databases, using /G to select large amounts of data in a human readable format
29:50 - Discovering the .backup directory in Marcus's home but we can't list contents. Grepping directories for .backup to see if any files are referenced
34:25 - SSH with the Marcus user and a quick refresher on SSH Port Forwarding
36:00 - Using gobuster to discover Apache OfBiz was running on 8443
41:00 - Using ysoserial to exploit Apache OfBiz via java deserialization
47:50 - Shell returned on the container! We are root doing some light enumeration to discover cap_sys_module
52:30 - Compiling the LKM to get a reverse shell
55:30 - Inserting the kernel module and getting root on the box
Support the originator by clicking the read the rest link below.
