Inplainsight writeup
Nmap
Nothing fancy here, just a few common ports open. Let’s start enumeration with FTP.
FTP
We can see in the nmap scan that FTP allows anonymous login and that there is a todo.txt. Let’s read that:
We can see that there seem to be two users, named joe and mike. Also there might be some rabbit holes. Another thing we know is that there is a WordPress somewhere on there.
HTTP
When we move on to the website we can see the default Apache page, so I directly ran gobuster.
I found nothing on the WordPress. @4nqr34z told me to look in plain sight, and that’s when I found something on the default page of Apache2.
We need to visit index.htnl and not index.html (notice the n in place of the m). When we visit that page we can see a gif; if we click on that gif we’ll be taken to an upload page.
I decided to upload a php file to see if that is restricted or not.
When I did that I was redirected to /upload.php and there I noticed it said “File is an image - image/gif.” when it was actually not, meaning this upload could be a rabbit hole.
I decided to check out the source of the page and there I found a comment.
Since it’s base64 we can decode it using the base64 command. I did:
➜ http -b http://192.168.56.138/748AD6CCD32E4E52718445BB1CADC01EB08A0DF6/upload.php | tr -dc 'a-zA-Z0-9' | base64 -d 2>/dev/null
This gives us the decoded string, i.e. so-dev-wordpress. This could mean that we need to visit this directory path.
When I opened IP/so-dev-wordpress I got a similar-looking WP. I started to look around but couldn’t find anything special there. Then I decided to do a dictionary attack on the admin login account. And that’s when I found the admin password.
Once I was in the WP I directly went to edit the Theme, and in 404.php I pasted my reverse shell code and updated the file.
And then I triggered the reverse shell by running:
➜ http http://192.168.56.138/so-dev-wordpress/wp-content/themes/twentytwenty/404.php
Note: here http is a tool known as httpie.
And that will give us a reverse shell.
Horizontal Privilege Escalation
Since we are in the system we can download our enumeration script and start enumerating the system.
The enumeration script didn’t find anything special, so I decided to do it manually.
In /var/mail I found two emails, for www-data and mike.
Both of them refer to mike’s password, and the mike email even says that he uses the same password as WordPress, so I decided to see if I could dump the database for the WordPress.
First I read the mysql password for so-dev-wordpress from /var/www/html/wordpress/wp-config.php.
I read the sodevwp_users table from the sodevwp database and that had the password hashes for admin and mike.
select * from sodevwp_users;
I copied the mike hash to a file and used john the ripper to crack the hash.
john --wordlist=rockyou.txt hash.txt
mike:skuxdelux
Now we can use this password to become mike.
After becoming mike I started to look around for a way to become joe but couldn’t find anything. Then @theart42 told me to look at /etc/passwd. When I read that file I found out that there was a hint in front of joe’s username.
So I decided to find files with a hyphen in their name and I ran:
mike@inplainsight:/tmp$ find / -type f -name '*-*' 2>/dev/null
And it gave me the following output:
And then I read /etc/passwd-, which had joe’s password.
Using joe:SmashMouthNoThanks I su’ed to joe.
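As an added defender-side example (not part of the original writeup): a small audit that parses passwd-format files, including the /etc/passwd- backup that leaked the password on this box, and flags any entry whose password field holds something other than a shadow placeholder; it also checks that shadow backups are not readable by others. The sample file content is constructed, and SECRET_PLACEHOLDER stands in for whatever the real file contained.

```python
import os
import stat

# Constructed sample in /etc/passwd format. An "x" means the hash lives in
# /etc/shadow; any other value (a hash, or a plaintext password copied into a
# backup file, as on this box) is a leak. SECRET_PLACEHOLDER is a stand-in.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mike:x:1000:1000:mike:/home/mike:/bin/bash
joe:SECRET_PLACEHOLDER:1001:1001:see the backup file:/home/joe:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Values a passwd password field may legitimately hold when shadow is in use.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def flag_exposed_entries(text):
    """Return (user, reason) pairs for entries whose password field leaks data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line[:20], f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        user, pw = fields[0], fields[1]
        if pw not in SHADOW_PLACEHOLDERS:
            findings.append((user, f"line {lineno}: password field holds data instead of a placeholder"))
    return findings


def audit_passwd_file(path):
    """Audit one passwd-format file on disk; missing files yield no findings."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return flag_exposed_entries(fh.read())


def audit_shadow_backup_mode(path):
    """Shadow backups must not be group- or world-readable; return a reason or None."""
    if not os.path.isfile(path):
        return None
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return f"{path} is readable by others (mode {stat.filemode(mode)})"
    return None


if __name__ == "__main__":
    for user, reason in flag_exposed_entries(SAMPLE_PASSWD):
        print(f"{user}: {reason}")
    for path in ("/etc/passwd", "/etc/passwd-"):
        for user, reason in audit_passwd_file(path):
            print(f"{path} {user}: {reason}")
    for path in ("/etc/shadow-", "/etc/gshadow-"):
        problem = audit_shadow_backup_mode(path)
        if problem:
            print(problem)
```

Run as an unprivileged user it audits /etc/passwd and /etc/passwd- directly; the mode check on shadow backups needs no read access, only stat.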
Vertical Privilege Escalation
I found a file named journal in /home/joe and it said:
I started to look around but couldn’t find anything, and then in the SUID section I noticed that there was a SUID binary named bwrap which had a + permission.
This means we can try to run this as root.
This was a pretty good machine; even though there wasn’t anything tough, it was still a sweet way to root. Thanks to @bzyo_ for making this machine.
Thanks for reading. Feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”. And if you’d like to support me, consider donating 😄