V3NU5💀AL13N:~#

Hack Enumerate Harder!. Eat. Sleep. Repeat.


BLOGGER

ip = 192.168.159.217

difficulty = easy

os = linux

Nmap scan

The scan shows two ports open.

So, let’s start with port 80 (http) and see what we have on the page.

I clicked around to explore some features, but it seems it’s a static page. Note down the programmer’s name, “james”.

Let’s fuzz for directories.

Going over to the assets directory, we have the subdirectories, and it’s running WordPress. And we got the domain blogger.thm.

So, let’s add it to our /etc/hosts file.

Let’s enumerate the WordPress CMS using wpscan:

wpscan --url http://blogger.thm/assets/fonts/blog/ --plugins-detection aggressive

It shows the WP version is 4.9.8, a vulnerable theme, Poseidon, which runs an outdated version too (v2.1.1), and a vulnerable plugin too, wpDiscuz v7.0.4.

Tried exploiting WP and the Poseidon theme, but none worked.

So, let’s try exploiting the wpDiscuz plugin.

The vulnerability allows arbitrary file upload.

The details can be found here

In the post comment field there is an option to upload/attach an image to comments.

Trying to upload a PHP file gave an error because it accepts image files only.

Was able to bypass it by adding the GIF header GIF89a to the beginning of the code.

Start a netcat listener, fill the form with random data, and upload the comment.

So let’s get our uploaded reverse shell. Since our target is running WordPress, the upload folder should be /wp-content/uploads/. As you can see, the directory has our uploaded file.

Clicking on it gave us a shell on the target system.
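As an added example (not code from the original post or from wpDiscuz), here is the server-side view of the upload check that was bypassed above: a Python validator that accepts a file only if it has a real GIF block structure behind the GIF89a magic, an allowed extension, and no script markers. The function names and the two sample uploads are constructed for this example.

```python
import struct

PHP_MARKERS = (b"<?php", b"<?=", b"<script")

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks ending in a 0x00 block."""
    while True:
        size = data[pos]            # IndexError on truncation is caught below
        pos += 1 + size
        if size == 0:
            return pos

def is_well_formed_gif(data: bytes) -> bool:
    """Walk the GIF block structure; unexpected or trailing bytes fail it.
    The post's trick (GIF89a glued onto PHP) passes a magic-only check but
    has no valid screen descriptor or block sequence behind the header."""
    try:
        if not data.startswith((b"GIF87a", b"GIF89a")):
            return False
        packed = struct.unpack_from("<HHBBB", data, 6)[2]
        pos = 13 + (3 * 2 ** ((packed & 7) + 1) if packed & 0x80 else 0)
        while True:
            introducer, pos = data[pos], pos + 1
            if introducer == 0x3B:              # trailer: nothing may follow
                return pos == len(data)
            if introducer == 0x21:              # extension: label + sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif introducer == 0x2C:            # image descriptor
                packed = data[pos + 8]
                pos += 9 + (3 * 2 ** ((packed & 7) + 1) if packed & 0x80 else 0)
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW code size
            else:
                return False
    except (IndexError, struct.error):
        return False

def accept_upload(filename: str, data: bytes) -> bool:
    """Layered check: extension allowlist, real GIF structure, no script
    markers. Uploads must still live where the server never executes PHP."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return (ext == "gif" and is_well_formed_gif(data)
            and not any(m in data for m in PHP_MARKERS))

# Constructed samples: a minimal 1x1 GIF, and GIF magic glued onto PHP.
MINIMAL_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
               + b"\x00\x00\x00\xff\xff\xff"           # 2-entry colour table
               + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
               + b"\x02\x02\x44\x01\x00\x3b")          # data + trailer
FAKE_GIF = b"GIF89a<?php echo 'hello'; ?>"
```

Structural parsing alone does not stop a valid GIF that carries PHP inside a comment extension, which is why the marker scan and, above all, an upload directory with no PHP handler still matter.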

Privilege escalation

There is a hidden file in the /opt directory; it contains hardcoded credentials.

Seeing this, I knew it’s ROT47, so I used CyberChef for decoding the ROT47 creds, which outputs base64-encoded chars. Decoding the base64 gives another base64 string, and decoding it again gives the output james:S3cr37_P@$$W0rd.

Let’s change user to james using the credentials gotten.

After deep enumeration, was able to switch to user vagrant by using vagrant as the password:

su vagrant

password: vagrant

So, user vagrant can run anything as root.

sudo su gives us the root shell.

Thanks. Bankai Tensa zangetsu