TryHackMe: ColddBox: Easy

Unit Xbbe
Jan 6, 2021

https://tryhackme.com/room/colddboxeasy

Hello everyone! Today we are trying to crack the easy box from @C0ldd__

1. Open <MACHINE_IP> in browser:

Good, I assume this is a WordPress website: there is a “Log in” link to the standard WP auth panel, so I will try a standard WordPress tool.

Of course, you could start with nmap and dirbuster/gobuster, but I skipped that.

2. WPScan

I’m trying to get more information about our target and enumerate users.

‘-e u’ means ‘enumerate users’.
User list

OK, we have a user list; let's try a brute-force attack against it.

Success! We have one login/pass pair.

3. WP plugins.

Login with our credentials from wpscan.
Check our role! Wow, I’m an admin, so I will try to play with plugins.
Edit the Akismet plugin: I’ve added the PHP reverse shell from pentestmonkey.net. Note that you don’t have to remove the Akismet code; just add the reverse-shell code before the plugin code.
Netcat is listening…
Time to activate the Akismet plugin!
I’ve got it!
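A defender-side check for the plugin-editor trick used above, added here and not part of the original writeup: it walks wp-content/plugins and flags plugin files where executable PHP appears before the WordPress plugin header (exactly the "add code before the plugin" pattern applied to Akismet), plus any socket/exec calls a reverse shell needs. The directory path, the two sample plugin sources and the function names are my own constructed assumptions.

```python
import re
from pathlib import Path

# PHP calls a plugin-editor backdoor typically needs; reported as hints, not verdicts.
SUSPICIOUS_CALLS = ("fsockopen", "proc_open", "shell_exec", "passthru", "popen", "exec", "system")
# Matches the comment block that carries the WordPress plugin header ("Plugin Name:").
HEADER_RE = re.compile(r"/\*(?:(?!\*/).)*?Plugin Name\s*:", re.DOTALL)

def code_before_header(src: str) -> str:
    """Return executable PHP that precedes the plugin header comment ('' if none)."""
    m = HEADER_RE.search(src)
    if m is None:
        return ""
    prefix = src[: m.start()].replace("<?php", "")
    # The open tag, whitespace and comments are legitimate before a header; strip them.
    prefix = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", prefix, flags=re.DOTALL)
    return prefix.strip()

def audit_plugin_source(src: str) -> list[str]:
    """Findings for one plugin file's source text (empty list means nothing flagged)."""
    findings = []
    pre = code_before_header(src)
    if pre:
        findings.append(f"executable code precedes plugin header: {pre[:60]!r}")
    calls = sorted(c for c in SUSPICIOUS_CALLS if re.search(rf"\b{c}\s*\(", src))
    if calls:
        findings.append("suspicious calls: " + ", ".join(calls))
    return findings

def audit_plugins_dir(plugins_dir: str) -> dict[str, list[str]]:
    """Audit every .php file below wp-content/plugins; returns {path: findings}."""
    results = {}
    for php in Path(plugins_dir).rglob("*.php"):
        findings = audit_plugin_source(php.read_text(errors="replace"))
        if findings:
            results[str(php)] = findings
    return results

# Constructed samples: a clean plugin header, and one with code injected before it,
# the pattern the writeup above applies to the Akismet plugin.
CLEAN_PLUGIN = "<?php\n/* Plugin Name: Akismet Anti-Spam */\nadd_action('init', 'akismet_init');\n"
BACKDOORED_PLUGIN = "<?php\n$sock = fsockopen($host, $port);  // injected\n" + CLEAN_PLUGIN[6:]

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_PLUGIN), ("backdoored", BACKDOORED_PLUGIN)):
        print(name, audit_plugin_source(src) or "no findings")
```

Setting define('DISALLOW_FILE_EDIT', true) in wp-config.php removes the dashboard plugin editor this step relies on, so an admin-level compromise no longer turns directly into code execution.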

4. Privilege escalation.

Use Python to upgrade the shell. Now I’m the www-data user.
Right side: I’ve started a Python HTTP server hosting enumeration scripts. Left side: I’ve downloaded linpeas.sh from my Python HTTP server. https://linpeas.sh/
Enumeration is key! chmod +x linpeas.sh and ./linpeas.sh
I’ve found database credentials. I will try to use the pair with su.
Success! DB pair works.
sudo -l shows me that I can run vim with root privileges. After that I can get the root flag.
