Python Script: Retrieve WordPress Admin v2

by Vince
in Blog

This has less to do with WordPress and more to do with a Python exploit that failed to run because the target was using a self-signed SSL certificate.  Python 2.7.9 and later verify server certificates by default, so urllib2 refuses the connection outright.  To keep the solution simple, I decided to rewrite the existing WordPress script and test out the fix.  Essentially, when a server is using a self-signed SSL certificate and you run the exploit, you're going to see the following error:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)>

If you look at the original version of this script, you'll notice I've added five lines which solve this issue.  Be clear about what they do: when PYTHONHTTPSVERIFY is unset, they swap the default HTTPS context for an unverified one, so every HTTPS connection the process makes skips certificate checking (set PYTHONHTTPSVERIFY to any non-empty value to keep verification on).  That's fine for a one-off probe against a lab target; don't carry it into anything you keep running.

#!/usr/bin/python
# Python 2 script: fetches wp-links-opml.php and prints the line that
# carries the WordPress "generator" (version) string.
import urllib2
import os
import ssl
# The five added lines. If PYTHONHTTPSVERIFY is unset/empty and this Python
# build offers _create_unverified_context (2.7.9+), make urllib2 use it as the
# default HTTPS context. Certificate verification is then off for the whole
# process, which is what lets a self-signed target work.
if (not os.environ.get('PYTHONHTTPSVERIFY', '') and
    getattr(ssl, '_create_unverified_context', None)):
    ssl._create_default_https_context = ssl._create_unverified_context
print "[*] Target URL format = http://www.mydomain.com"
host = raw_input("[*] Enter target URL: ")
path = '/wp-links-opml.php'
combined = host + path
# With an https:// target, this is the call that raised CERTIFICATE_VERIFY_FAILED.
url = urllib2.urlopen(combined)
print
print ("fetching... ") + combined
html = url.readlines()
# wp-links-opml.php includes a comment of the form generator="WordPress/x.y.z".
for line in html:
    if 'generator' in line:
        print
        print line
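The same probe written for Python 3, as an added example that is not the original script above: instead of patching the process-wide default context, the certificate decision is made per request, with a third option the page's fix doesn't offer, trusting the target's exported self-signed certificate so verification stays on. The target path /wp-links-opml.php and the generator comment it greps for come from the page; the sample response, the function names and the --insecure flag are my own, and the sample is constructed, not captured from a real site.

```python
"""Python 3 rewrite of the WordPress version probe (added example).

Certificate handling is scoped to one request via an ssl.SSLContext rather
than patched into the whole interpreter. Runs offline against a constructed
sample; only fetch_generator() touches the network.
"""
import re
import ssl
import urllib.error
import urllib.request

# wp-links-opml.php emits the version inside an XML comment of the form
# <!-- generator="WordPress/x.y.z" -->, the string the original script greps for.
GENERATOR_RE = re.compile(r'generator="([^"]+)"')

# Constructed sample (not a real capture) of the relevant part of the response.
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.0">
<head>
\t<title>Links for Example</title>
\t<!-- generator="WordPress/4.9.8" -->
</head>
<body>
</body>
</opml>
"""


def make_context(verify=True, ca_file=None):
    """Build the SSL context for a single request.

    verify=True,  ca_file=None : normal verification against the system store.
    verify=True,  ca_file=path : trust only the certificate(s) in that PEM file,
                                 e.g. the target's self-signed cert exported with
                                 `openssl s_client -showcerts`. Hostname checking
                                 stays on, so the cert's CN/SAN must match the host.
    verify=False               : no verification at all (what the page's five
                                 lines do, but limited to this context).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def extract_generator(text):
    """Return the generator value (e.g. 'WordPress/4.9.8') or None if absent."""
    match = GENERATOR_RE.search(text)
    return match.group(1) if match else None


def fetch_generator(host, context, path="/wp-links-opml.php", timeout=10):
    """Fetch host+path with the given context and return the generator string.

    A certificate failure is reported separately from other URL errors so the
    operator can choose between exporting/trusting the cert and skipping checks.
    """
    url = host.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, context=context, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise SystemExit(
                "[!] certificate verification failed for %s; pass ca_file=<exported.pem> "
                "to trust the self-signed cert, or verify=False to skip checking" % url
            ) from exc
        raise
    return extract_generator(body)


if __name__ == "__main__":
    import sys
    print("[*] offline sample:", extract_generator(SAMPLE_OPML))
    if len(sys.argv) > 1:
        # usage: python3 wp_generator.py https://target.lab [--insecure]
        insecure = "--insecure" in sys.argv[2:]
        print("[*] fetching", sys.argv[1])
        print(fetch_generator(sys.argv[1], make_context(verify=not insecure)))
```

The ca_file route is the one to prefer in a lab: the script still refuses to talk to anything presenting a different certificate, which is exactly the property the global monkeypatch throws away.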

Vulnhub SickOs: 1.2 Walkthrough

by Vince
in Blog

The second of two, SickOs: 1.2 promises to be, and is, different from its predecessor.  If anything, I learned that I'm becoming frustrated with my setup.  If you've noticed, a lot of the time I'm pushing my shells across port 53.  That's partly by design and partly out of necessity.  First, if you think about it, port 53 is DNS and there should be a lot of DNS traffic floating around on your network.  While a reverse shell doesn't LOOK like a DNS query upon close inspection, perhaps it goes unnoticed among the noise.  Second, I like to use port 443 for basically the same reason: it gets lost in the noise.  But I had to enable SSL on my C2 server because there were exploits I needed to pass across HTTPS.  Enabling and disabling Apache was becoming annoying, which is why I switched over to 53, and you'll see why that's a problem in a moment.


Vulnhub billu: b0x 2 Walkthrough

by Vince
in Blog

While I sort through some issues with my hypervisor and some older boxes which won't run on it, I'm working on the newer releases on vulnhub.  I spotted billu: box 2 and I think I recall doing the first box by this author some time ago.  I don't remember the original, nor do I have any notes, so I can't give you any information as to whether it's similar, harder, or if there's any relationship at all.

I spent some time trying to work out a manual way of getting my low priv shell but eventually went with Metasploit.  But I'm getting ahead of myself --
