Vulnhub virtual machine; another OSCP prep box. It offered a wide range of pentesting techniques, including a WordPress plugin LFI (with the exploit modified to skip SSL verification), a MySQL path to RCE that enabled a reverse shell, and a custom find script that parsed .bash_history files. Preparing for battle never felt so good.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use this information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Discover VM on network
Target: 192.168.56.108
Enumeration
Nmap Scan
output:
Try for some low hanging fruit
Enumerated version 3.0.3; no easy pathway.
Continue enumerating with enum4linux for the SMB shares.
We have generated a list of local users:
Navigate to HTTP server
No root directory found
Connect to FTP - anonymous allowed
"note" discovered
cat note
Elly is a confirmed user, and now we have John.
Navigating to HTTP server on port 12380
More may be here, given that there are multiple web servers.
Run Nikto
Nikto identified */blogblog/* and */phpmyadmin/*, both worth investigating.
Navigate to /blogblog/
If we can break into this blog, we may be able to find our way into the box.
wp-content
We discovered an uploads directory and the plugins directory. Plugins are often an easy way to gain access.
Searchsploit Plugins
Exactly the avenue we want.
Download a copy of the exploit to the working directory
Investigating the code to see how it works and what is required to use the exploit.
This shows how we will need to craft our entry.
LFI
Modifying the exploit: the exploit requires SSL to function properly, but in this environment that is not going to happen. We need to bypass that SSL check, and after some tinkering I found a solution.
Before modification:
Adding
After modifying and running the exploit, we now have a new blog post.
New blog post from exploit:
File uploaded to *uploads*, as expected.
Download file locally and take a look inside!
MySQL credentials have been captured.
Connecting to MySQL Server
We are in!
Creating a Web-shell via MySQL (one-liner)
Bingo-bango, let's see if we can execute commands on the system.
RCE
Remote code execution via the PHP web-shell.
We can now execute commands on the box via *sh.php?cmd=*.
Reverse Shell Upload via SimpleHTTPServer
Successful reverse shell connection established. Now we need to upgrade this partial shell to a full shell.
Upgrade Partial Shell to full TTY
Upgraded!
Created a small script that walks every user's home directory looking for .bash_history files.
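The same idea from the administrator's side, added here as an example (not the author's script): a POSIX sh audit that walks a home root, checks each user's .bash_history for credential-looking commands, and reports only the user and line number so the report itself does not re-leak the secret. The home root and the pattern list are assumptions; extend the regex for your environment.

```shell
#!/bin/sh
# Added example (not the original author's script): audit shell histories for
# commands that embed a credential, so they can be scrubbed and rotated.
# Assumption: the caller can read the history files (run as root via cron).

# Illustrative patterns: "sshpass -p <pw>", "mysql ... -p<pw>", "password=<pw>".
CRED_RE='sshpass[[:space:]]+-p|mysql.*[[:space:]]-p[^[:space:]]|passw(or)?d[[:space:]]*[=:]'

# scan_histories ROOT
# Prints one "user:lineno" per suspicious line found in ROOT/*/.bash_history.
# Deliberately does not print the matched command, which would copy the secret
# into the audit log.
scan_histories() {
    root="$1"
    for hist in "$root"/*/.bash_history; do
        # No match for the glob leaves the literal pattern, which is unreadable.
        [ -r "$hist" ] || continue
        user=$(basename "$(dirname "$hist")")
        grep -nE "$CRED_RE" "$hist" 2>/dev/null | cut -d: -f1 | while read -r n; do
            printf '%s:%s\n' "$user" "$n"
        done
    done
}

# count_history_hits ROOT
# Prints the total number of suspicious lines, handy as a monitoring metric.
count_history_hits() {
    scan_histories "$1" | awk 'END { print NR }'
}

# Stand-alone use: audit /home (or HIST_ROOT if set) and exit non-zero on hits.
if [ "${HIST_AUDIT_MAIN:-0}" = "1" ]; then
    root="${HIST_ROOT:-/home}"
    scan_histories "$root"
    [ "$(count_history_hits "$root")" -eq 0 ]
fi
```

Set HIST_AUDIT_MAIN=1 to run the audit directly; the non-zero exit on findings lets a scheduler flag the host.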
User JKanode is not good with secrets, as we discovered an SSH login and password.
Pivoting to a different SSH user: log in as Peter
Test what Peter is capable of
Peter happens to be able to run (ALL : ALL) ALL; this can be used to our benefit.
PRIV-ESC/ROOT
Let's have Peter call /bin/sh with sudo.
Bring me the root!
-exec