In every penetration testing engagement we start by examining the target, beginning with information gathering.
Let's start by using nmap as our information-gathering tool of choice:
We found a couple of open ports, with the services shown in the screenshot above.
Next, let's start enumerating our target with our tool of choice, gobuster:
As we can see in the results above, we found two usernames: bjoel and khweel. Maybe we should try to brute-force the login page with those users in mind, using common passwords perhaps?
Moving along
Next we run the wpscan tool to conduct a vulnerability test on the WordPress site; in this case we are looking for the password of the user khweel:
BINGO!
The password for khweel is found, which is “XXXXX”.
After some digging I found out that WordPress 5.0 is affected by multiple vulnerabilities.
One of those vulnerabilities is the WordPress Crop-image Shell Upload.
This exploit is also available in Metasploit, and we can use it as follows:
After gaining a foothold on the machine and looking for a possible privesc, I found some creds:
// database credentials from the WordPress configuration file (wp-config.php)
define('DB_USER', 'wordpressuser');
define('DB_PASSWORD', 'LittleYellowLamp90!@');
Let's keep these credentials for later; we might need them, or we might not!
We run this command to check for SUID files and directories that www-data has access to:
find / -perm -4000 2>/dev/null
One interesting result is /usr/sbin/checker; let's check it out:
And finally I managed to crack this open and get Root!
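The SUID search above is also a routine defensive check. As an added example that is not part of this write-up, the following POSIX shell script compares the setuid files found on a host against a baseline of expected ones, so that an unexpected entry such as /usr/sbin/checker stands out; the baseline paths and the sample find output are constructed assumptions, not a distribution's authoritative list.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit setuid binaries against
# a known-good baseline. Build the real baseline from a clean image of the same
# distribution; the list below is a constructed sample.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount"

# list_suid: enumerate root-owned setuid files on the live system. This is the
# same search the write-up runs, restricted to regular files on local filesystems.
list_suid() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null | sort
}

# unexpected_suid: print every path in $1 (newline-separated found paths) that
# does not appear in $2 (newline-separated baseline).
unexpected_suid() {
    found=$1
    baseline=$2
    printf '%s\n' "$found" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$baseline" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample of what find might return on the compromised box.
SAMPLE_FOUND="/usr/bin/passwd
/usr/bin/su
/usr/sbin/checker"

# Run against the live system with: sh suid_audit.sh --live
# Each unexpected setuid file is shown with its owner and mode for triage.
if [ "${1:-}" = "--live" ]; then
    unexpected_suid "$(list_suid)" "$SUID_BASELINE" | while IFS= read -r p; do
        ls -l -- "$p"
    done
fi
```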
Thanks for reading everyone, and see you in the next one!