Vulnhub virtual machine; another OSCP prep box, which offered a wide scope of pentesting techniques, including a WordPress LFI with the exploit modified to skip SSL checking, a MySQL RCE path that led to a reverse shell, and a custom find script that parsed .bash_history. Preparing for battle never felt so good.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continuing to read, you acknowledge the aforementioned user risks/responsibilities.
Discover VM on network
Try for some low hanging fruit
Enumerated 3.0.3 - no easy pathway
Continue enumerating with enum4linux for the SMB shares.
We have generated a list of local users:
Navigate to HTTP server
No root directory found
Connect to FTP - anonymous allowed
Elly is a confirmed user, and now we have John.
Navigating to HTTP server on port 12380
More might be here, given there are multiple web servers.
*/phpmyadmin/* is worth investigating.
If we can break into this web blog, we might be able to find our way into the box.
We discovered an uploads directory and the plugins. Normally plugins are an easy way to gain access.
Exactly the avenue we want.
Download a copy of the exploit to the working directory.
Investigate the code for how it works and what is required to use the exploit.
How we will need to craft our entry.
Modifying the exploit
The exploit requires SSL to function properly, but as we know, that's not going to happen in this environment. We need to bypass that SSL check, and after some tinkering I found a solution.
After modifying and running the exploit, we now have a new blog post.
New blog post from exploit:
File uploaded to *uploads* as expected.
Download file locally and take a look inside!
MySQL credentials have been captured.
Connecting to MySQL Server
We are in!
Creating a Web-shell via MySQL (one-liner)
Bingo-bango, let's see if we can execute commands on the system.
Remote code execution via PHP web-shell.
We can now execute commands on the box via this web-shell.
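The web-shell step above works because MySQL was allowed to write a file into the web root. As an added defender-side example (not part of the original post), the script below reads a MySQL/MariaDB config and reports whether `secure_file_priv` confines or disables `SELECT ... INTO OUTFILE`, which is the control that closes this path. The config files, paths and section layout it builds are constructed for the example; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a MySQL/MariaDB
# config restricts SELECT ... INTO OUTFILE, the primitive that turned database
# access into a web-shell on this box.

# mysql_file_priv_status CNF: print one of
#   unrestricted   secure_file_priv is empty: FILE-privileged users may write
#                  anywhere the mysqld process can, including a web root
#   disabled       secure_file_priv=NULL: import/export turned off
#   restricted:DIR writes are confined to DIR
#   unset          option absent: behaviour falls back to the server default
# Assumption: the option lives in the [mysqld] or [server] section.
mysql_file_priv_status() {
    awk '
        { sub(/#.*/, "") }                                # strip comments
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[(mysqld|server)\]/); next }
        in_server && /^[ \t]*secure[_-]file[_-]priv/ {
            val = $0
            sub(/^[^=]*=?/, "", val)                      # keep the value only
            gsub(/^[ \t]+|[ \t]+$/, "", val)              # trim whitespace
            gsub(/^"|"$/, "", val)                        # strip quotes
            found = 1
            if (val == "")                   print "unrestricted"
            else if (toupper(val) == "NULL") print "disabled"
            else                             print "restricted:" val
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# mysql_file_priv_ok CNF: succeed only when OUTFILE is disabled or confined.
mysql_file_priv_ok() {
    case "$(mysql_file_priv_status "$1")" in
        disabled|restricted:*) return 0 ;;
        *)                     return 1 ;;
    esac
}

# make_cnf_fixture [VALUE]: write a constructed my.cnf to a temp file and print
# its path; with no argument the option is omitted. A decoy in [client] checks
# that only the server section is read.
make_cnf_fixture() {
    f=$(mktemp)
    {
        echo '[client]'
        echo 'secure_file_priv=/decoy   # wrong section, must be ignored'
        echo '[mysqld]'
        echo 'datadir=/var/lib/mysql'
        if [ $# -gt 0 ]; then echo "secure_file_priv=$1"; fi
    } > "$f"
    echo "$f"
}

# Usage (hypothetical file name): sh check_outfile.sh /etc/mysql/my.cnf
if [ -n "${1:-}" ]; then
    mysql_file_priv_status "$1"
fi
```

An "unrestricted" or "unset" result on a host where the database user also holds the FILE privilege and the web root is writable by mysqld is exactly the combination this box relied on; setting the option to a dedicated directory, and not granting FILE to the application account, removes it.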
Reverse Shell Upload via SimpleHTTPServer
Successful reverse shell connection established. Now we need to upgrade this partial shell to a full shell.
Upgrade Partial Shell to full TTY
Created a small script that parses through every user's home directory for .bash_history.
JKanode is not good with secrets, as we discovered an SSH login and password.
Pivoting to a different SSH user: login as Peter.
Test what Peter is capable of.
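As an added defender-side example (not part of the original post), here is the same idea as the find script above turned around for the administrator: it audits every shell history file under a home tree for credentials typed on the command line and for history files other users can read, so they can be scrubbed and locked down before someone else parses them. The sample home tree, user names and history lines are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit shell history files for
# credentials typed on the command line and for lax file permissions.

# Assumption: these patterns cover the usual ways a secret ends up in history
# (sshpass, mysql -p<pass>, --password=, PASSWORD= exports, curl -u user:pass,
# openssl -passin pass:). Extend the list for your own environment.
SECRET_PATTERNS='sshpass -p|mysql .*-p[^ ]|--password=|PASSWORD=|curl .*-u [^ ]*:[^ ]|-passin pass:'

# scan_history_file FILE: print "FILE:LINENO:LINE" for each suspicious line.
scan_history_file() {
    grep -nE "$SECRET_PATTERNS" "$1" 2>/dev/null | sed "s|^|$1:|"
}

# world_or_group_readable FILE: succeed if group or others can read FILE.
# Portable: columns 5-10 of the ls -l mode string are the group/other bits.
world_or_group_readable() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# scan_history_dir DIR: walk every .*_history file below DIR (a /home tree),
# print credential findings, then flag files other users could read.
scan_history_dir() {
    find "$1" -type f -name '.*_history' 2>/dev/null | sort | while read -r f; do
        scan_history_file "$f"
        if world_or_group_readable "$f"; then
            echo "$f: history file is readable by other users (fix with chmod 600)"
        fi
    done
}

# count_findings DIR: number of finding lines, for scripting the check.
count_findings() {
    scan_history_dir "$1" | wc -l | tr -d ' '
}

# make_fixture: build a constructed sample home tree in a temp dir and print
# its path. The users and history lines are made up for this example.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob"
    printf 'ls -la\nsshpass -p secretpass ssh alice@host\nmysql -u root -pHunter2 app\n' > "$d/alice/.bash_history"
    printf 'cd /var/www\nvim index.php\n' > "$d/bob/.bash_history"
    chmod 600 "$d/alice/.bash_history"
    chmod 644 "$d/bob/.bash_history"
    echo "$d"
}

# Usage (hypothetical file name): sh audit_history.sh /home
if [ -n "${1:-}" ]; then
    scan_history_dir "$1"
fi
```

Run against a real /home the output is a list of lines to delete from history and files to chmod; pairing it with `HISTCONTROL=ignorespace` and tools that read passwords from files or prompts rather than arguments stops the leak at the source.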
Peter happens to be able to run (ALL : ALL) ALL with sudo; this can be used to our benefit.
Let's have Peter call /bin/sh with sudo.
Bring me the root!
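The last hop was nothing more than an over-broad sudoers entry. As an added defender-side example (not part of the original post), the script below audits a sudoers file for exactly that: any principal other than root allowed to run ALL commands, with a note when no password is required. The sample sudoers file is constructed for the example (only the "peter" line mirrors this box), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sudoers file for the
# kind of grant found on this box, "(ALL : ALL) ALL" for a non-root user.

# audit_sudoers FILE: print one finding per user specification that lets a
# principal other than root run ALL commands; NOPASSWD on such a grant is noted.
# Assumption: one user spec per line, no backslash continuations.
audit_sudoers() {
    sed 's/#.*//' "$1" | awk '
        NF == 0                            { next }   # blank or comment-only
        $1 == "Defaults" || $1 ~ /_Alias$/ { next }   # not a user spec
        {
            user = $1
            spec = $0
            sub(/^[^=]*=/, "", spec)              # drop "user HOSTS="
            sub(/^[ \t]*\([^)]*\)/, "", spec)     # drop "(runas_user : runas_group)"
            nopasswd = (spec ~ /NOPASSWD:/)
            gsub(/[A-Z]+:/, "", spec)             # drop tags such as NOPASSWD: / SETENV:
            gsub(/^[ \t]+|[ \t]+$/, "", spec)     # trim
            if (spec == "ALL" && user != "root") {
                printf "%s: may run any command as any user%s\n", user, (nopasswd ? " without a password" : "")
            }
        }'
}

# count_unrestricted FILE: number of such findings.
count_unrestricted() {
    audit_sudoers "$1" | wc -l | tr -d ' '
}

# make_sudoers_fixture: write a constructed sudoers file to a temp path and
# print the path. "peter" mirrors the box; the other entries are made up to
# show what should and should not be flagged.
make_sudoers_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sudoers
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
peter           ALL=(ALL : ALL) ALL
%admin          ALL=(ALL) ALL
www-data        ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
deploy          ALL=(root) /usr/bin/systemctl restart app
EOF
    echo "$f"
}

# Usage (hypothetical file name): sh audit_sudoers.sh /etc/sudoers
if [ -n "${1:-}" ]; then
    audit_sudoers "$1"
fi
```

The "backup" and "deploy" lines are the shape a least-privilege grant takes: a named runas user and an explicit command, which is what the "peter" entry should have been if he needed sudo at all.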