Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "Blog" System

Purpose of the Report

This report details the penetration testing process performed on the "Blog" machine. The goal is to identify vulnerabilities, exploit them, and escalate privileges in order to capture the flags hidden on the machine.

Methodology

  1. Conduct port scanning to identify open ports.

  2. Perform directory enumeration using DirBuster to find relevant files or directories.

  3. Enumerate users using WPScan.

  4. Perform brute-force attack on the WordPress login page.

  5. Exploit WordPress vulnerabilities to gain access.

  6. Use privilege escalation techniques to obtain root access.

  7. Retrieve the flags: user.txt and root.txt.

Detailed Findings

  • Reconnaissance:

    • Ports 22, 80, 139, and 445 were identified as open via nmap.

    • Port 80 revealed a WordPress site.

  • Enumeration:

    • WPScan revealed two users: "kwheel" (Karen Wheeler) and "bjoel" (Billy Joel).

    • DirBuster revealed the wp-login.php file.

  • Exploitation:

    • Brute-force attack was successful for the "kwheel" user using a rockyou.txt wordlist.

    • WordPress version 5.0 was identified, and an exploit for the "Crop-image" vulnerability was found on Exploit-DB.

    • Metasploit was used to execute the exploit, gaining access to the system.

  • Privilege Escalation:

    • SUID binary "checker" was identified, and by manipulating the "admin" variable, root access was gained.

  • Results:

    • The user.txt and root.txt flags were successfully retrieved.

Recommendations

  • Short-Term Actions:

    • Update WordPress and plugins: Ensure that WordPress is updated to the latest version, along with all installed plugins, to protect against known vulnerabilities.

    • Implement strong password policies: Enforce the use of strong, unique passwords for all user accounts, particularly administrators.

    • Restrict access to SUID binaries: Review the configuration of SUID binaries like "checker" to ensure they are only executable by authorized users.

    • Monitor and audit user access: Regularly audit user accounts to ensure no unauthorized users exist, and monitor for suspicious login activity.

  • Long-Term Actions:

    • Regularly patch and update WordPress installations: Establish a process to regularly update WordPress core and plugins to avoid security holes from outdated software.

    • Enforce a security baseline for web applications: Implement security measures such as input validation, proper authentication, and authorization for web applications, especially WordPress.

    • Apply the principle of least privilege: Restrict user permissions to only what is necessary for their role, particularly with regard to SUID binaries and system-level access.

    • Conduct regular security audits and penetration tests: Schedule periodic penetration testing to identify new vulnerabilities and evaluate the overall security posture of the system.

    • Implement automated security scanning: Use automated tools to scan for known vulnerabilities and misconfigurations in WordPress and the underlying system.

Conclusion

The machine was successfully compromised by exploiting a WordPress vulnerability, followed by privilege escalation through SUID binaries. Proper security measures, including updates and restricted access, should be enforced to mitigate such vulnerabilities.

PreviousWrite-upNextExecutive Report

Last updated