We notice that they are 3 ports open, we try to enter 21 ftp as an anonymous user, but we find nothing inside. Let’s enumerate again.
Using dirbuster we realize that the site runs in wordpress !! So we can enumerate it with the “wp-scan” tool let’s go.
wpscan — url http://10.10.128.23/wordpress/ — enumerate u, ap
u: you will enumerate the users
ap: you will detect if there are some plugins (all-plugins)
We found a possible user elyana and we found a possible exploit for the plugin mail-masta
Here I release the link of the exploit. I simply followed the exploit to arrive at a Local File Inclusion (LFI). The follow is the exploit.I also tried to brute force the user, but unfortunately I couldn’t.
Offensive Security's Exploit Database Archive
Date: [23-8-2016] [+] Autor Guillermo Garcia Marcos [+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip…
Niceeeeeee!!! Now let’s go see if we find anything interesting.
(how to extract the wp-config file by converting it to base64 first)
Decode it and…
We have the credential for the website so let’s go to enter in /wordpress/wp-login.php
Ok now we are skilled to load our reverse shell.
Ok follow my step, we can upload the reverse shell in Twenty Nineteen Theme, in 404.php file. In my other write ups if you have difficulty loading a reverse shell, I explain it, go and see them.
Ok now that we have loaded the reverse shell press the “Update file” button listen on the port you have given, for example I left port 1234 by default, remember in the reverse shell to change the IP and put that of your VPN .
Navigete on /wordpress/wp-content/themes/twentynineteen/404.php and we are in!!!!!!!!!!! we are in www-data! Nice job! After enumerate we found an important file!
And we found user and password for ssh!!
Just type su elyana and we are in user :) For convenience I have again had access to ssh.
There are a lot of ways to do privilege escalation on this machine, but I will show you how to privilege via lxd group. Remember the flags are in base64! First download the exploit from here: https://github.com/saghul/lxd-alpine-builder . Once downloaded, follow my steps.
Now import the .tar into the target machine with the wget command but first:
and now we can take the .tar file!
We are now ready with privilege escalation! There are various syntaxes and I will release the commands of each syntax to you!
First step import jin (in my case) after list if there is the image that we called “jin” ! Yes Done!
Command: lxc image import ./alpine-v3.12-x86_64–20201225_1814.tar.gz — alias jin
lxc image list
Now create ignite first , and after add ignite in “mydevice” with the path:/mnt/root after you can start ignite and execute it ! And we are ROOT!
lxc init jin ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
Obviously the root flag is under / mnt / root / root, where we have mounted it.
I hope I have been useful as always, for more information I invite you to follow me and see the other write-ups. Good luck to all.