RELEVANT: 1 Walkthrough (Vulnhub)

Description

Shubham Kumar
5 min read · Oct 1, 2020

This is a solid intermediate box. You get one hint — enumerate the box, then enumerate the box differently. Goal: Get the root flag. This is an easy one if you know how to use the wpscan tool and GTFOBins.

Port Scanning

As usual, start by scanning the target with Nmap for open ports and services.

Web Reconnaissance

Visit the HTTP service and you will see the message “Error establishing a database connection” along with some links.

The first link takes you to a YouTube video, and the second contains a pair of credentials like this, which turned out to be of no use: I tried them for SSH login with Hydra and failed.

Next, I visited the third link, which takes me to a page containing a barcode. I scanned it with my phone, and it registers an account in an authenticator app that generates a new random code every 30 seconds as 2FA.

The output I get after the scan is 👇

I thought patsy was a user and ran Hydra against that username to find the password, but failed.

Then I tried to find hidden directories using gobuster and was happy to see the result: the site has WordPress installed.

But when you open the /wp-admin page, it again shows a database error.

Running a plain wpscan shows the error “the website is not using WordPress”, so we have to use additional options: force the scan to ignore the WordPress check, and use aggressive plugin detection to identify installed plugins.

…and we find one plugin installed. (Get your own API token for the vulnerability data from https://wpvulndb.com/api.)

Click on the first link under References and you can read about the vulnerability in the File Manager plugin. Download the exploit from here.

Read the exploit: it says to create a file named payload.php. Put the code from https://gist.github.com/sente/4dbb2b7bdda2647ba80b into that file.

…then run the exploit like this 👇 and your file will be uploaded.

The link printed by the exploit is not the URL of your uploaded file; the actual link is 👇

Note: if you change the file name, change it in the exploit code as well so that it works properly.

Open the link to your uploaded file and you will see the magic.

I tried to run Netcat from here but was unable to get a reverse connection. Then I uploaded a PHP reverse shell and succeeded. (Reverse shell code: http://pentestmonkey.net/tools/web-shells/php-reverse-shell)

We can’t check sudo permissions as we don’t have a password. Let’s look for files belonging to each user. Finally, after checking all the users, I found a file belonging to the user h4*0r.

The file note.txt contains an id:password pair, but the password is stored as a hash rather than in plaintext.

Let’s use John the Ripper to crack it. As I had already cracked it, the result is saved in the .pot file.

Now switch to the user news with “su news”. Since we have this user’s password, let’s check what sudo privileges they have.

So this user can run node with sudo. Visit https://gtfobins.github.io/#node and you will find how to escalate privileges to root through node.
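As an added defensive check (not part of the original walkthrough), the following Python audits `sudo -l` output and flags rules like the one this box ends on, where a user may run an interpreter such as node via sudo. The GTFOBins subset and the sample `sudo -l` output are constructed for illustration.

```python
"""Audit `sudo -l` output for rules that hand out a shell-capable interpreter,
the misconfiguration (sudo rights to node) this walkthrough ends on. Added example."""
import os
import re

# Constructed, non-exhaustive subset of binaries GTFOBins documents as able to
# break out to a shell under sudo; extend it for your environment.
SHELL_CAPABLE = {"node", "python", "python3", "perl", "ruby", "php", "vim", "vi",
                 "less", "more", "find", "awk", "env", "bash", "sh"}

# One rule line of `sudo -l`, e.g. "(ALL) NOPASSWD: /usr/bin/node"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per rule line: run-as spec, tags (NOPASSWD, ...) and commands."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers, Defaults lines and blanks carry no rule
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "cmds": cmds})
    return rules


def audit_sudo_output(output: str) -> list[dict]:
    """Flag rules whose binary can spawn a shell; NOPASSWD makes it critical."""
    findings = []
    for rule in parse_sudo_l(output):
        for cmd in rule["cmds"]:
            binary = os.path.basename(cmd.split()[0])  # fixed arguments do not help
            if binary in SHELL_CAPABLE or cmd == "ALL":
                nopasswd = "NOPASSWD" in rule["tags"]
                findings.append({"command": cmd, "binary": binary, "runas": rule["runas"],
                                 "nopasswd": nopasswd,
                                 "severity": "critical" if nopasswd else "high",
                                 "fix": "drop the rule or allow only an argument-less wrapper"})
    return findings


# Constructed sample of `sudo -l` for a user granted node without a password.
SAMPLE_SUDO_L = """\
Matching Defaults entries for news on relevant:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User news may run the following commands on relevant:
    (ALL) NOPASSWD: /usr/bin/node
    (root) /usr/bin/id
"""
```

Run `audit_sudo_output(SAMPLE_SUDO_L)` to get one critical finding for node; feed it real `sudo -l` output (or a parsed sudoers file) as part of a hardening review.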

OK, we did it. Now move to the root directory to get the reward.

For more walkthroughs stay tuned…

Before you go

Visit my recent walkthroughs

and clap 👏 if you like what you read. Feedback is always welcome.

Written by Shubham Kumar

CTF Player and part time writer.