Summary
I have tried to exploit this vulnerable box and created this document, which explains the process with screenshots. It is my first attempt at writing a technical blog, so do let me know if you have any suggestions in the comments.
To start with…
Download the WTF-1 challenge from VulnHub and import the file into VMware Player.
The journey
1. Log in to your Kali machine and start host discovery with nmap.
2. Scan each discovered IP with nmap to zero in on the target VM.
3. The scan results show two open ports, 22 and 80, running OpenSSH and an Apache web server. I checked whether any application was hosted on Apache by opening it in a web browser.
4. As the screenshot above shows, nothing rendered except a “?”, so I tried directory enumeration with gobuster, since the DirBuster wordlists I had tried did not yield anything interesting.
5. The gobuster results showed two interesting directories. I tried opening both in the browser, and ‘zhkh’ gave some interesting output.
The response contained a private IP address, which was being used to generate the next request.
To deal with this I used a Burp feature called “Match and Replace”, replacing the IP address in the response body with the target host IP we discovered at the start.
6. With the above configuration I was able to browse the application. On one page I found something to download, and it helped me understand the application platform.
I found that it is a WordPress application, version 5.3, but nothing more….
7. So I tried directory enumeration again for further fingerprinting, and it worked like a charm.
8. Now I had a few more directories to work with, so I tried the URLs in the browser to see what I could find, and voilà!
A readily available shell on a platter. I clicked it but nothing changed, so it is not as easy as it seems.
9. Next I tried Wireshark, since nothing interesting was visible in the Burp request/response pairs. I captured packets while clicking the shell file, and that gave me a direction to move forward.
As the traffic shows, a connection is initiated from our target machine to ‘192.168.1.14’ on port ‘5555’. This shell is already available on the site, and no means of editing it on the remote machine had been discovered.
I was left with one option: align my network configuration to the preconfigured value.
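From the defender's side, the callback observed above is a shell process running as the web server user and connecting out to an unexpected port. The following added example (not part of the original post) shows the detection logic over a constructed `ss -tnpe`-style sample; the uid 33 for www-data and the port allowlists are assumptions for this example.

```python
import re

# Constructed sample in the style of `ss -tnpe` on the web server (not from the post).
# The second line is how the shell in the write-up looks from the host side:
# a shell process running as the web user (uid 33) connecting out to port 5555.
SAMPLE_SS = """\
ESTAB 0 0 192.168.1.20:80    192.168.1.14:51122 users:(("apache2",pid=1342,fd=12)) uid:33
ESTAB 0 0 192.168.1.20:41580 192.168.1.14:5555  users:(("sh",pid=2210,fd=3)) uid:33
ESTAB 0 0 192.168.1.20:22    192.168.1.14:50210 users:(("sshd",pid=900,fd=4)) uid:0
"""

WEB_UIDS = {33}                  # www-data on Debian-based systems; assumption
SERVED_PORTS = {80, 443}         # local ports the web server legitimately serves
EXPECTED_EGRESS = {53, 80, 443}  # destination ports a WordPress host may reach

LINE_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+(?P<rip>[\d.]+):(?P<rport>\d+)'
    r'\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+).*?\)\)\s+uid:(?P<uid>\d+)')


def parse_ss(text):
    """Yield one dict per parseable connection line, with numeric fields as ints."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}


def suspicious_egress(text):
    """Return (process, pid, 'ip:port') for outbound connections made by the web
    server user to ports outside the expected egress set."""
    hits = []
    for c in parse_ss(text):
        inbound = c["lport"] in SERVED_PORTS   # we are the server side here
        if inbound or c["uid"] not in WEB_UIDS:
            continue
        if c["rport"] not in EXPECTED_EGRESS:
            hits.append((c["proc"], c["pid"], f'{c["rip"]}:{c["rport"]}'))
    return hits


if __name__ == "__main__":
    for proc, pid, dst in suspicious_egress(SAMPLE_SS):
        print(f"ALERT: {proc} (pid {pid}) running as the web user connected out to {dst}")
```

In practice the same rule is better expressed as an egress firewall policy for the web server user, with the alert as a backstop.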
10. I was using VMware Player 15.5, which has no Virtual Network Editor to help. So I found a workaround: change the VM network adapter configuration as shown below.
Note: Since I am writing this after exploiting the box, I had already aligned my IP from the beginning.
11. With my Kali configured to the observed IP, I started a listener and then clicked the shell.
As the screenshot above shows, I got shell access with the application user's identity; the next stop is escalating privileges.
12. I checked what was accessible with the current privileges, to see whether anything more could be found that way.
13. With the Linux web directory structure in mind, I tried the following and was able to zero in on the application folder.
14. After going through all the files in the directory I found something in wp-config.php: a username.

And as I scrolled through the console there was something in the comments at the very end: a “password”, and it was for the user we had found.

15. I tried switching user and it worked like a charm. Once I was able to log in as ‘ra’, I checked what privileges this user has and found that he has permission to run the “pip” module as ‘root’.
16. With this information I searched the internet for privilege escalation using the pip module and found a very easy method.
But the screenshot above shows that it did not work, as we are still stuck with ‘ra’ privileges.
17. After some digging I tried SSH to the target as user ‘ra’ with the password we obtained previously.
And from the screenshot above it is clear that the method worked: I landed with ‘root’ privileges and ultimately got the flag.
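The root compromise rested on one sudoers rule: a user allowed to run pip as root. As an added example (not the box's configuration or the author's code), this script audits a constructed sudoers excerpt for that class of rule, reporting who can run a package installer or the blanket `ALL` as root and whether a password is even required; the user names and paths are constructed for the example.

```python
import re

# Constructed sudoers excerpt (not taken from the box). The 'ra' line mirrors the
# kind of rule the write-up found with `sudo -l`; 'dev' and 'backup' are made up.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
ra      ALL=(root) /usr/bin/pip
dev     ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Package installers execute arbitrary code as the invoking user, so delegating
# them to root is equivalent to granting root. Limited here to the page's case;
# extend the set according to your own policy.
RISKY_BASENAMES = {"pip", "pip2", "pip3"}

RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')


def audit_sudoers(text):
    """Return (user, command, nopasswd) for rules granting root a risky command."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m or m["who"] == "root":      # root's own rule is expected
            continue
        runas_user = m["runas"].split(":")[0].strip() or "root"
        if runas_user not in ("root", "ALL"):
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            base = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if cmd == "ALL" or base in RISKY_BASENAMES:
                findings.append((m["who"], cmd, "NOPASSWD" in m["tags"]))
    return findings


if __name__ == "__main__":
    for who, cmd, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        flag = " (no password required)" if nopasswd else ""
        print(f"RISK: {who} may run {cmd} as root{flag}")
```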