W1R3S: 1.0.1
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine w1r3s 1.0.1.
- w1r3s 1.0.1 can be downloaded from here:
https://www.vulnhub.com/entry/w1r3s-101,220/
- Once downloaded and imported into VirtualBox:

2 - ENUMERATION
- Discovering the IP:


- Scanning:

2.1 - FTP enumeration
- Let's start enumerating the FTP service in detail.
- It seems that anonymous login to the FTP service is allowed:

- Using the browser to access FTP service:

- Reading text files inside folder /content:

- Reading 01.txt:

- Reading 02.txt:

- Identifying the hash type of the first string; it is probably MD5:

- Cracking the MD5 hash:

- Decoding the second string:

- Reading 03.txt:

- Reading /docs/worktodo.txt:

- Reading employee-names.txt:

- Just in case, let's store the names for later usage:
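The two strings found in 02.txt are identified by shape: a 32-character hexadecimal token is most likely an MD5 digest, while a token made of the base64 alphabet with a length that is a multiple of 4 can be decoded directly. The following Python helper is an added example, not part of the original walkthrough; it assumes the second string is base64 encoded (the walkthrough does not name the encoding) and uses constructed sample tokens rather than the values taken from the machine.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample tokens standing in for the two lines of 02.txt.
# They are NOT the values from the target: the first is the MD5 of the word
# "example", the second is the base64 encoding of a short constructed sentence.
SAMPLE_STRINGS = [
    hashlib.md5(b"example").hexdigest(),
    base64.b64encode(b"This is a constructed sample.").decode("ascii"),
]

# Plain (unsalted) hex digests are recognisable by their length alone.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def try_base64(token: str):
    """Return the decoded text if token is printable base64, else None."""
    if len(token) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(token: str):
    """Guess what a token found in a loot file is.

    Returns (kind, detail): ("hex-digest", algorithm), ("base64", decoded text)
    or ("unknown", ""). Hex is tested first because a 32-char hex string is also
    syntactically valid base64.
    """
    t = token.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", t) and len(t) in HEX_DIGEST_LENGTHS:
        return ("hex-digest", HEX_DIGEST_LENGTHS[len(t)])
    decoded = try_base64(t)
    if decoded is not None:
        return ("base64", decoded)
    return ("unknown", "")


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        print(s, "->", classify(s))
```

The length heuristic only tells you what family a digest probably belongs to; a 32-character value could equally be a truncated SHA-256 or a random identifier, so treat the result as a hint to confirm, not a fact.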

2.2 - Web enumeration
- Browsing the web server:

- Applying dirb on the web server:


- Two main directories have been found, /administrator and /wordpress:

- Going to /administrator we are redirected to /installation, where the content management system Cuppa CMS is running:

3 - EXPLOITATION
- Searching for Cuppa CMS exploits:

- The exploit 25971.txt describes a Remote/Local File Inclusion vulnerability:
https://www.exploit-db.com/exploits/25971

- Reading 25971.txt:


- Following the instructions from 25971.txt, trying the exploit directly in the browser does not work:

- However, using curl we obtain /etc/passwd. The data sent in the POST body is URL encoded:



- Same thing for /etc/shadow:


- Same results with Burp, using method POST instead of GET.
- It is important to notice the header Content-Type: application/x-www-form-urlencoded, which indicates that the request body is URL encoded.
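The reason the file inclusion is easy to miss in logs is the same reason the browser attempt failed: the traversal lives in a URL-encoded POST body (or a percent-encoded query string), so a pattern match on the raw request sees "%2F" rather than "/". The following Python detector is an added example for the defending side, not code from the walkthrough or from Cuppa CMS: it decodes the path and, when the Content-Type is application/x-www-form-urlencoded, the body, repeating the decode to catch double encoding, and then flags traversal sequences and references to sensitive files. The request records and the parameter name "file" are constructed placeholders, not the real Cuppa CMS parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed request records: (method, path, content-type, body).
# The parameter name "file" and the paths are placeholders for illustration.
SAMPLE_REQUESTS = [
    ("GET", "/administrator/index.php", "", ""),
    ("POST", "/wordpress/wp-login.php",
     "application/x-www-form-urlencoded", "log=admin&pwd=secret"),
    ("POST", "/administrator/index.php",
     "application/x-www-form-urlencoded",
     "file=..%2F..%2F..%2F..%2Fetc%2Fpasswd"),
    ("GET", "/administrator/index.php?file=%252e%252e%252f%252e%252e%252fetc%252fshadow",
     "", ""),
]

TRAVERSAL = re.compile(r"\.\.[/\\]")
SENSITIVE = re.compile(
    r"/etc/(passwd|shadow)|/proc/self/environ|php://|data://", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, so %252e%252e%252f -> ../"""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, path: str, content_type: str, body: str):
    """Return the sorted list of indicators found in one request.

    The path (including its query string) is always inspected; the body is
    inspected as URL-encoded data when the Content-Type header says so.
    """
    candidates = [path]
    if method == "POST" and "application/x-www-form-urlencoded" in content_type:
        candidates.append(body)
    findings = set()
    for raw in candidates:
        decoded = fully_decode(raw)
        if TRAVERSAL.search(decoded):
            findings.add("path-traversal")
        if SENSITIVE.search(decoded):
            findings.add("sensitive-file-reference")
    return sorted(findings)


def scan(requests):
    """Map each request index to its indicators, omitting clean requests."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(*r))}


if __name__ == "__main__":
    for i, f in scan(SAMPLE_REQUESTS).items():
        print(i, SAMPLE_REQUESTS[i][0], SAMPLE_REQUESTS[i][1], f)
```

In a real deployment the body is only available if the web server or a WAF logs it (Apache's default access log does not), which is exactly why POST-based inclusion attempts go unnoticed; logging the decoded parameters, or inspecting them at the application layer, closes that gap.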


4 - CRACKING PASSWORDS WITH JOHN THE RIPPER
- Storing /etc/passwd and /etc/shadow in the text files p and s, and unshadowing them into the text file u:

- John the Ripper is able to crack two passwords:
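Once /etc/shadow is in an attacker's hands, how long the passwords survive depends on the hash algorithm in the second field and on the passwords themselves. The following Python audit is an added example, not part of the walkthrough: it parses shadow-format lines, reads the $id$ prefix to name the algorithm, and flags empty password fields (login with no password), locked accounts, and weak algorithms. The sample lines are constructed, and their hash fields are placeholders rather than real hashes.

```python
# Constructed /etc/shadow-style lines. The hash bodies are placeholders,
# not real hashes; only the $id$ prefix and the password field shape matter.
SAMPLE_SHADOW = """\
root:$6$abcdefgh$PLACEHOLDERHASH:18000:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
guest::18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
"""

# crypt(3) identifiers as used in the password field.
CRYPT_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
WEAK_ALGORITHMS = {"md5crypt"}


def classify_password_field(field: str) -> str:
    """Describe one shadow password field."""
    if field == "":
        return "EMPTY password field: login possible without a password"
    if field.startswith(("!", "*")):
        return "locked / no password set"
    if field.startswith("$"):
        algo_id = field.split("$")[1]
        algo = CRYPT_IDS.get(algo_id, f"unknown id ${algo_id}$")
        if algo in WEAK_ALGORITHMS:
            return f"weak hash ({algo})"
        return f"ok ({algo})"
    return "legacy DES crypt: weak"


def audit_shadow(text: str):
    """Return {username: verdict} for every non-empty line of shadow text."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        findings[fields[0]] = classify_password_field(fields[1])
    return findings


def problem_accounts(text: str):
    """Usernames whose verdict needs action (empty field or weak hash)."""
    return sorted(u for u, v in audit_shadow(text).items()
                  if v.startswith(("EMPTY", "weak", "legacy")))


if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10s} {verdict}")
```

A strong algorithm such as sha512crypt or yescrypt only slows a cracker down; a dictionary word like the one recovered here still falls quickly, so the audit is a complement to a password policy, not a replacement for it. The combined "unshadowed" file produced for John is as sensitive as /etc/shadow itself and should be deleted once the exercise is over.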

5 - LOW PRIVILEGE REMOTE SHELL
- The credentials w1r3s:computer allow connecting to the remote machine over SSH:

6 - PRIVILEGE ESCALATION
- Privilege escalation is easy because user w1r3s is a sudoer with (ALL : ALL) ALL privileges:


- Getting a root shell:

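A grant of ALL=(ALL : ALL) ALL turns any leaked password into root, which is what makes the previous step trivial. The following Python audit is an added example, not part of the walkthrough: it parses sudoers-style grant lines and reports non-root users or groups that may run any command as root, plus NOPASSWD grants that deserve review. The sudoers excerpt is constructed; only the w1r3s line mirrors the grant shown above.

```python
import re

# Constructed sudoers excerpt. The w1r3s line mirrors the grant from "sudo -l";
# the other entries are illustrative placeholders.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
w1r3s   ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync   # nightly backup job
deploy  ALL=(www-data) /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
"""

# user_or_group  hosts = (runas_user[:runas_group]) [TAG:]... commands
GRANT = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text: str):
    """Return a list of (who, severity, reason) for risky grants.

    severity is "critical" for an unrestricted root command set granted to a
    non-root principal, and "review" for NOPASSWD grants on specific commands.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = GRANT.match(line)
        if not m:
            continue
        who = m["who"]
        if who == "root":                           # root having ALL is expected
            continue
        # "(ALL : ALL)" and "(ALL:ALL)" are the same grant; default runas is root
        runas_user = (m["runas"] or "root").replace(" ", "").split(":")[0]
        tags = m["tags"]
        cmds = m["cmds"].strip()
        if cmds == "ALL" and runas_user in ("ALL", "root"):
            reason = "may run any command as root"
            if "NOPASSWD" in tags:
                reason += " without a password"
            findings.append((who, "critical", reason))
        elif "NOPASSWD" in tags:
            findings.append((who, "review", f"NOPASSWD for {cmds}"))
    return findings


if __name__ == "__main__":
    for who, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{severity:8s} {who:10s} {reason}")
```

The fix on the machine side is the usual one: give the account the specific commands it needs (as the backup and deploy lines do) instead of ALL, so that a cracked or reused password no longer equals a root shell.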
7 - CAPTURING THE FLAG
- Reading flag.txt:
