Some questions about Shield

Hi there,
I’m working on the Shield machine; I first tried to exploit it through the xmlrpc.php URL, but metasploit gave me this weird answer:
[+] 10.10.10.29:80 - Found Wordpress version: 5.2.1
[-] 10.10.10.29:80 /wordpress/xmlrpc.php Target’s version (5.2.1) is not vulnerable to this attack.
[*] 10.10.10.29:80 - Dropping CHUNKSIZE from 1500 to 1
[*] XMLRPC enabled, Hello message received!
[*] 10.10.10.29:80 - Starting XML-RPC login sweep…

So it says the target is not vulnerable, but still starts the login sweep? How?

I finally found out old credentials were working, and managed to get a meterpreter using the metasploit wordpress exploit, but it seems that most of the commands don’t work. It’s my first time using a meterpreter, so I figured it was not as good as a shell and did some searching on how to get a shell from a meterpreter. Weirdly, most of the answers I found were the other way round: get a meterpreter from a shell. As in, meterpreter is better than a shell? How so?

I then managed to get a shell; still not a lot of working commands. Then I searched the machine, found some IDs, but didn’t find any use for them, and ended up taking a look at the walkthrough.

It says, just like that, that the machine is vulnerable to the Rotten Potato exploit. And I would like to know HOW we can find that information? Because as soon as I found out which system it was, I searched for possible exploits against it; searchsploit found only one, metasploit references some, the CVE site gives a lot of answers but none with an “all-made” exploit… and I found nothing on this Rotten Potato thing.

It also says that netcat is used to get a “more stable shell”, as in, meterpreter is not as stable as the reverse shell? But we got the reverse shell through meterpreter, so as soon as the meterpreter session breaks, so does the reverse shell. How is it more stable?

Thanks for your time :blush:

From the official source: Juicy Potato (abusing the golden privileges) | juicy-potato

If the user has SeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM. It’s nearly impossible to prevent the abuse of all these COM Servers. You could think to modify the permissions of these objects via DCOMCNFG but good luck, this is gonna be challenging. The actual solution is to protect sensitive accounts and applications which run under the * SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.

You can use the following command to check if your service account has one of the golden privileges.

whoami /priv

For more Windows privilege escalation tips, I’d recommend taking a look at the following: PayloadsAllTheThings/Windows - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThings · GitHub

For the Metasploit/meterpreter question, I don’t know, I haven’t used it :slight_smile:

Br
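The `whoami /priv` check above, turned into a small audit script (an added example, not code from this thread or from the Juicy Potato project): it parses the privilege table and reports whether the token holds either golden privilege, so an admin can review which service accounts actually need them. The function name and the sample output are constructed for illustration.

```powershell
# Added example: audit a token for the two "golden" privileges Juicy/Rotten Potato rely on.
# A privilege that is present but Disabled still counts: a process can re-enable it itself.
function Test-GoldenPrivilege {
    param(
        # Lines of `whoami /priv` output; defaults to the live output for the current token.
        [string[]]$PrivOutput = $(whoami /priv)
    )
    $golden = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    foreach ($line in $PrivOutput) {
        # Table rows look like: "SeImpersonatePrivilege  Impersonate a client ...  Enabled"
        if ($line -match '^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
            [pscustomobject]@{
                Privilege = $Matches[1]
                State     = $Matches[2]
                Golden    = ($golden -contains $Matches[1])
            }
        }
    }
}

# Constructed sample: what `whoami /priv` typically prints for an IIS/service account.
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
'@ -split "`r?`n"

$privs = Test-GoldenPrivilege -PrivOutput $sample
$hits  = $privs | Where-Object { $_.Golden }
if ($hits) {
    "Token holds golden privilege(s): $($hits.Privilege -join ', ') - review whether this service account needs them"
} else {
    "No golden privileges on this token"
}
```

Run `Test-GoldenPrivilege` with no arguments to check the account you are currently running as.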