
Tib-Gridello/Napoleon-v3.1Beta


Napoleon-v3.1Beta

The topology of the game is simple:

- Raspberry Pi running DV Pi3 at 192.168.0.23 (local) and using no-ip.com with the address http://victimwebserver.ddns.net

- Attacker using Kali on a hotspot from an iPhone (VPN Russia).

Running a quick `wpscan --url http://victimwebserver.ddns.net --enumerate --plugins-detection aggressive`

showed us a vulnerability that allows arbitrary file upload through the plugin wp-mobile-detector 3.5.

[Screenshot: the napoleonjusthackedyou/getwifi repository on GitHub]

[Screenshot: wifi-cred.php at master in napoleonjusthackedyou/getwifi]

(edit: a new GitHub account was created in order to keep my GitHub safe)

That code was uploaded to GitHub so it can be used to exploit the mobile-detector vulnerability on the DV Pi3. It will give us access to Wifi-credential.txt, located in the folder /home/pi.

The goal is then to upload that file (game.php) into /var/www/html/wordpress/wp-content/plugins/wp-mobile-detector/cache so that it can later be called directly from the website.

To do so, we use a small Python script that uploads game.php into the WordPress folder.

[Screenshot: hack.py and pcap1]

Once that is done, just run it with `python hack.py`.

Then go to http://victimwebserver.ddns.net/wp-content/plugins/wp-mobile-detector/cache/Game.php

and you will see:

[Screenshot: page output after exploitation]

which is the content of Wifi-credentials.txt:

[Screenshot: Wifi-credentials.txt]

The pcap capture is made directly on the Raspberry Pi with tcpdump.
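From the defender's side, the end of Part 1 leaves a clear trace in the web server's access log: a `.php` file being requested from a directory that should only ever hold static data (a plugin cache directory, or wp-content/uploads). The following detector is an added example and is not part of this repository; it parses constructed access-log lines in the Apache/nginx combined format (the sample lines, client addresses and the `upload.php` name are made up for the example) and reports every request for a PHP file under such a directory, grouped by client. It generalizes slightly beyond the page by covering any plugin's `cache/` directory and the uploads directory, not only wp-mobile-detector.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/nginx "combined" format).
# Only the Game.php path mirrors the write-up; everything else is made up.
SAMPLE_LOG = """\
192.168.0.12 - - [24/Feb/2019:13:50:12 +0100] "GET /wp-content/plugins/wp-mobile-detector/cache/icon.png HTTP/1.1" 200 8822 "-" "Mozilla/5.0"
192.168.0.12 - - [24/Feb/2019:13:50:13 +0100] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.168.0.50 - - [24/Feb/2019:13:52:01 +0100] "GET /wp-content/plugins/wp-mobile-detector/cache/Game.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.50 - - [24/Feb/2019:13:52:05 +0100] "GET /wp-content/uploads/2019/02/upload.php?x=1 HTTP/1.1" 404 209 "-" "curl/7.64.0"
"""

# One combined-format log line: client, timestamp, request line, status, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# PHP requested from a directory that should only contain static files:
# wp-content/uploads or any plugin's cache/ directory.  Trailing path-info
# (/x.php/anything) is covered too.
WRITABLE_DIR_PHP = re.compile(
    r'^/wp-content/(?:uploads|plugins/[^/]+/cache)/.*\.php\d?(?:/.*)?$',
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string before matching on the path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_php_in_writable_dirs(log_text):
    """Return the parsed records whose path is a PHP file in a writable directory.

    Non-2xx responses are kept as well: a 404 still shows that somebody probed
    for a dropped file.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and WRITABLE_DIR_PHP.match(rec["path"]):
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per client IP."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in find_php_in_writable_dirs(SAMPLE_LOG):
        print(f'{h["ip"]} {h["status"]} {h["method"]} {h["path"]} ({h["ua"]})')
    print(summarize_by_client(find_php_in_writable_dirs(SAMPLE_LOG)))
```

Any hit at all is worth an alert, since a correctly configured server should never execute PHP from these directories; the corresponding hardening is to deny script execution under wp-content/uploads and plugin cache directories in the web server configuration, and to keep plugins such as wp-mobile-detector updated.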


Part 2:

For pcap 2, the attacker scans the network with nmap

[Screenshot: nmap scan]

and discovers that 192.168.0.32 (victim PC) has port 445 (SMB) open.

He then brute-forces it:


with two small (provisional) wordlists,

and finds the username "dsfdsfdfssdfdsfdsf" and password "lol".
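The brute force in Part 2 and the reuse of the recovered credentials in Part 3 both show up on the victim as a burst of failed network logons from one source, followed by a successful one. The detector below is an added example, not part of this repository; it runs over a constructed list of logon events modelled loosely on Windows Security log event IDs 4625 (failed logon) and 4624 (successful logon), with the timestamps, source addresses and usernames made up for the example (the successful username is the one reported in the write-up). It raises one alert when a source exceeds a threshold of failures inside a sliding window, and a second, higher-priority alert when that same source then logs on successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp ISO 8601, event_id, src_ip, user).
# 4625 = failed logon, 4624 = successful logon.  Every event is assumed to be a
# network logon (logon type 3), which is what SMB authentication produces.
SAMPLE_EVENTS = [
    ("2019-02-24T14:00:00", 4625, "192.168.0.50", "admin"),
    ("2019-02-24T14:00:01", 4625, "192.168.0.50", "pi"),
    ("2019-02-24T14:00:02", 4625, "192.168.0.50", "administrator"),
    ("2019-02-24T14:00:03", 4625, "192.168.0.50", "dsfdsfdfssdfdsfdsf"),
    ("2019-02-24T14:00:04", 4625, "192.168.0.50", "dsfdsfdfssdfdsfdsf"),
    ("2019-02-24T14:00:05", 4625, "192.168.0.50", "dsfdsfdfssdfdsfdsf"),
    ("2019-02-24T14:00:06", 4624, "192.168.0.50", "dsfdsfdfssdfdsfdsf"),
    # A user mistyping a password once, then logging on: must not alert.
    ("2019-02-24T13:30:00", 4625, "192.168.0.12", "alice"),
    ("2019-02-24T13:30:05", 4624, "192.168.0.12", "alice"),
]

WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 5                   # failures from one source inside WINDOW


def detect_smb_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, src_ip, user, ts) tuples.

    kind is "bruteforce" the first time a source reaches `threshold` failed
    logons within `window`, and "success_after_bruteforce" for every successful
    logon from a source that still has `threshold` failures in its window.
    """
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute-forcing

    for ts_iso, event_id, src_ip, user in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_iso)
        recent = failures[src_ip]
        # Expire failures that have fallen out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()

        if event_id == 4625:
            recent.append(ts)
            if len(recent) >= threshold and src_ip not in flagged:
                flagged.add(src_ip)
                alerts.append(("bruteforce", src_ip, None, ts_iso))
        elif event_id == 4624 and len(recent) >= threshold:
            # Credentials were probably found by the preceding burst.
            alerts.append(("success_after_bruteforce", src_ip, user, ts_iso))
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The "success_after_bruteforce" alert is the one to act on first: it names the account whose password was guessed, and in this game it is exactly the account that Part 3 goes on to use for its psexec session. Account lockout thresholds and SMB exposure limited to hosts that need it are the corresponding mitigations.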


Part 3:

Kali uses the credentials from Part 2 to get a Meterpreter session. The exploit used here is ms17 psexec.

Done


To capture the traffic I am using OpenWrt on a D-Link.

Tcpdump did the job.

(Screenshot taken for Part 3, where I only focused on 192.168.0.32.)

About

Enjoy the game TibG
