Write-up
Step-by-step guide on the approach taken to pwn the machine.
Objectives
The objective is to capture both the user and root flags, demonstrating a complete system compromise.
Reconnaissance
We start by performing a port scan using Nmap:
sudo nmap -sCV -F -T5 <url>
We can see that WordPress 4.1.31 is running on port 80.
Using WPScan to enumerate users:
We find the following usernames: hugo, c0ldd, and phillip.
Next, we perform a brute-force attack with WPScan:
After a few attempts, we successfully obtain the password for the user c0ldd.
Gaining a Shell
Now, we access the WordPress admin panel and go to the Plugins section to manually upload a plugin.
We upload a plugin that contains a reverse shell script, such as the PentestMonkey PHP reverse shell, edited with our IP and port values.
Once uploaded, we access it via:
Before executing the reverse shell, we set up a listener on our machine:
Then, we trigger the uploaded script to receive the shell.
To upgrade the shell, we use:
Running whoami, we confirm we are www-data.
Our next step is to find the user flag:
However, we can't read the file due to permission restrictions, so we need access to the c0ldd user.
We check the WordPress config file for database credentials:
We retrieve the password for c0ldd.
Then we switch user:
Now, we can successfully read the user.txt flag. (If we decode it using base64 --decode, we get a congratulatory message.)
Next, we look for root.txt:
Again, we lack permission to read the file, so we need to escalate privileges to root.
Privilege Escalation
Using sudo -l, we see that we can run vim, chmod, and ftp as root. The easiest escalation path is using chmod:
As an alternative method, we can escalate using vim:
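Sudo rules like the ones found with sudo -l above are exactly what a hardening review should catch before an attacker does. The Python script below is an added example, not part of the original write-up: it parses a constructed sudoers fragment (the c0ldd entry mirrors the write-up; the list of shell-capable binaries is an assumption) and flags every rule that lets a non-root principal run such a binary, or ALL, as root.

```python
import re

# Binaries the write-up escalated through (vim, chmod, ftp) plus a few other
# interactive tools that can spawn a shell or rewrite arbitrary files as root.
# Assumption: this list is illustrative, not exhaustive.
RISKY_BINARIES = {"vim", "vi", "chmod", "chown", "ftp", "less", "more", "find", "bash", "sh"}

# who  host=(runas[:group]) [TAG:]... command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return (who, runas_user, nopasswd, [commands]) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        runas = m.group("runas") or "root"            # no (runas) part means root
        runas_user = runas.split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("who"), runas_user, nopasswd, cmds))
    return rules

def find_risky_rules(text):
    """List rules letting a non-root principal run a shell-capable binary (or ALL) as root."""
    findings = []
    for who, runas_user, nopasswd, cmds in parse_sudoers(text):
        if who == "root" or runas_user not in ("root", "ALL"):
            continue
        for cmd in cmds:
            name = "ALL" if cmd == "ALL" else cmd.split()[0].rsplit("/", 1)[-1]
            if name == "ALL" or name in RISKY_BINARIES:
                findings.append({"user": who, "binary": name, "nopasswd": nopasswd})
    return findings

# Constructed sample modelled on the write-up's sudo -l output; not the real machine's file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
c0ldd   ALL=(root) NOPASSWD: /usr/bin/vim, /bin/chmod, /usr/bin/ftp
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in find_risky_rules(SAMPLE_SUDOERS):
        print(f"{f['user']} can run {f['binary']} as root (NOPASSWD={f['nopasswd']})")
```

Run it against /etc/sudoers and the files under /etc/sudoers.d to get the same three findings the write-up exploited, before they are exploited.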
And that's it: machine completed.