Found admin panel, now what?

Villain · 10-11-2013, 04:31 PM

Hey,

When I find the admin panel of a site, how do I get into it?

What can I use to bruteforce it?

Nefarious · 10-12-2013, 12:47 AM

Find vulns in the site to get admin credentials or try brutus(I think?).

foxhound · 10-12-2013, 01:41 AM

i am interested in the answers to come, i'm kind stuck there to. Have a target, run a few scans, get to know the server but, nothing seems week, tried several exploits with metasploit but nothing, even armitage fail too, the only thing left for me was, since the site was on WordPress use wpscan and go for the brute force, but gain....it takes forever, and using VPN also sometimes get stuck, i use little python from this great forum! to split large password list, so i split rockyou in like 25 lists, but still is very hard because some times its freeze so...after trying less of 20% with no success i give up here too...soooo good luck and hope we can get trough this! May add that LFI/RFI ,SQLI or XSS didn't work for me in first place!

good hunting!

Cosmic · 10-12-2013, 02:26 AM

What's the site running on? Is it WHMCS hosted? That's vulnerable, look into pentesting methods there. Has the owner left any of his personal details around the site? If so, dox and perform an SE to gain the login data.

XSS? SQLi? LRFI / RFI?

Try all of that Smile

yokai_old · 10-12-2013, 03:24 AM

Every answer I've seen in this thread is retarded, "WHMCS is vuln", yes publicly that depends on which version it is running, everything is vuln, the question is do you posess the exploit to take advantage of that vuln...And don't fucking say, HAVE YOU TRIED SQLI RFI LFI HURRR, you might as well ask him if he ran acunetix...And if he could perform a basic pentest then he should have already have tried those rudimentary techniques.

to OP, don't use any bullshit autohax programs, wpscan is useful for gaining some info, now that you know a majority of plugins it runs, try to audit the source of those plugins, then you can own the site...if you want to sitback and bruteforce the /wp-admin/ you are free to do so, but unless the admin is as stupid as you you aren't going to get him that way, wpscan has a bruteforce feature, you should really read the help docs before asking stupid questions

Ominous · 10-12-2013, 04:27 AM

1. Elevate Privileges and Exploit for personal gain.
2. Sell the login info to it.

foxhound · 10-12-2013, 07:45 AM

sorry how do you do what you say? where can i find a good tutorial or maybe some examples of doing such a things, i really want to learn this! need a hand!

Greed · 10-12-2013, 07:56 AM

Try to use XSS and gin the login credentials, maybe complicated but the end is truly rewarding.

foxhound · 10-12-2013, 08:46 AM

well of course i always after the reward but in my case XSS just don't work...it is a really simple site, a sales page, but for me is really hard, i don´t like brute force but how can i do when the site seems to have no vulns? is this possible?

Cake · 10-12-2013, 08:49 AM

(10-12-2013, 02:26 AM)Cosmic Wrote: What's the site running on? Is it WHMCS hosted? That's vulnerable, look into pentesting methods there. Has the owner left any of his personal details around the site? If so, dox and perform an SE to gain the login data.

XSS? SQLi? LRFI / RFI?

Try all of that

You probably have no idea what all of that is.

Found admin panel, now what?
Author Message