I've been reading books on Red Teaming and one of the differences that stands out from Pentesting is the need to be stealthy.  Pentesting tools are very noisy and in a mature, or maybe even not so mature, environment, running stock Kali tools might set off an alert and trigger a ban of some sort.

So I was thinking -- if I wanted to get the WordPress version from a site in a stealthy manner, how would I go about doing that?  Let's paint that picture a bit more -- I'm on a network with my Kali laptop, I don't have access to the Internet, and I found a web server running WordPress.  I want to make as little noise as possible.  As it turns out, I know that I can get the WordPress version from wp-links-opml.php and I'll do it with Python because using a browser is lame.  :)

Read more: Simple Python Scripts: CMS Version Retrieval

VehicleWorkshop is vulnerable to SQL Injection and you can view the tidbit of information on Exploit-DB.  Essentially, our injection point is "vehicleid=", but this isn't a login prompt, so I can't use:  bob' or 1=1;-- and while I don't like tools, this is definitely a job for sqlmap.

Before we get started, let's get this app set up.  You can download the app from Exploit-DB, extract it to a folder, and set up the permissions with chmod 777.  I wanted command execution, which is why I gave the folder rwx.  Without it, you won't be able to perform any of the os-shell commands.  You can get into sql-shell and poke around but it's not nearly as fun.

Read more: sqlmap -- VehicleWorkshop SQL Injection

I came across a web site running a current version of WordPress with the Simple Fields plugin installed.  Searching Exploit-DB, I found:

WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution

“This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini.”

Read more: The Reality of Log Contamination

I periodically hit up Vulnhub for some machines to beat on.  BSides Vancouver:  2018 (Workshop) is the most recent addition; its description states:  "Boot2root challenges aim to create a safe environment where you can perform real-world penetration testing on an (intentionally) vulnerable target."

It was designed for VirtualBox but this was easily imported into Xenserver.  Once I got it running, I started my enumeration.

Read more: Vulnhub BSides Vancouver: 2018 Walkthrough

The first time you find a page with a Local File Inclusion (LFI) vulnerability, it's like magic.  You feed your string in the browser:

http://192.168.150.150/vulnerable.php?page=../../../../../../../../etc/passwd%00

... it spits back the contents of /etc/passwd, you're excited, and you continue enumerating the system. 

Read more: Python: Automating Local File Inclusion (LFI)

I was setting up fail2ban recently, noticed that my notes were outdated, and decided to document the current setup.  Despite what the title states, this can be used for anything as long as you know which logs are receiving entries and what attacks look like.  For example, I haven't played with Drupal in a while but I seem to recall the admin page looking something like:  ?q=user/login

With that information, we search the logs for repeated attempts, create a regex, and now this works for Drupal as well.

If you haven't already installed iptables, here are the steps for enabling iptables with ports open for ssh, http, and https.

Read more: Fail2Ban for Content Management Systems