WHALE
DIFFICULTY = medium
OS = Linux
Nmap scan
adding the domain to /etc/hosts (replace ip with the target's address)
echo "ip bluewhale.net" >> /etc/hosts
so, visiting the site shows it’s running wordpress
let’s enumerate the wordpress using wpscan
aggressive detection
wpscan --url http://bluewhale.net/ --plugins-detection aggressive -t 120
it finds a vulnerable plugin (post-pdf-export, which bundles dompdf); the plugin is vulnerable to arbitrary file read
so, we can exploit it using the request below
doing that, we should be able to read the wordpress config file wp-config.php
bluewhale.net/wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=../../../../wp-config.php
reading it gives us the file contents as base64-encoded text.
decoding it shows the mysql credentials
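From the defender's side, the request above has a distinctive shape in the web server's access log: a php:// stream wrapper, the convert.base64-encode filter and ../ traversal pointed at wp-config.php. The following is an added example, not part of the write-up, that scans combined-format access-log lines for those indicators after URL-decoding the request; the log lines are constructed samples, not captured from the box.

```python
"""Detect PHP stream-wrapper / path-traversal abuse in web access logs.

Added example (not part of the original write-up). Scans Apache/nginx
combined-format access-log lines for the request pattern used against the
dompdf plugin: php://filter with convert.base64-encode and ../ traversal
aimed at wp-config.php. Log lines below are constructed samples.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (combined log format). Line 3 is URL-encoded
# to show that the check normalises the request before matching.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=../../../../wp-config.php HTTP/1.1" 200 4120 "-" "curl/8.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/post-pdf-export/dompdf/dompdf.php?input_file=php%3A%2F%2Ffilter%2Fresource%3D..%2F..%2Fwp-config.php HTTP/1.1" 200 3900 "-" "python-requests/2.31"
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is (name, regex applied to the URL-decoded request path).
INDICATORS = [
    ("php_wrapper", re.compile(r"php://(filter|input|data)", re.I)),
    ("base64_filter", re.compile(r"convert\.base64-(en|de)code", re.I)),
    ("path_traversal", re.compile(r"(^|[/=])\.\.(/|\\)")),
    ("wp_config_target", re.compile(r"wp-config\.php", re.I)),
]


def decode_path(path):
    """URL-decode repeatedly so double-encoded payloads are normalised too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def scan_log(text):
    """Return one finding per suspicious request: ip, status, decoded path, indicators hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        decoded = decode_path(m.group("path"))
        hits = [name for name, rx in INDICATORS if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "path": decoded,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {','.join(f['indicators'])} {f['path']}")
```

A 200 status on a hit is the important case: it means the file was actually served, so the database credentials in wp-config.php should be treated as compromised and rotated.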
let’s login to mysql with it
mysql -u wordpress -h bluewhale.net -p
and input the password
as you can see we have the first flag already
let’s proceed by checking the wp_users table
and yeah we have the credentials for the wordpress login
so, instead of cracking the password hash we can actually change the password to one of our own for easier login (cool trick right?) lol
UPDATE wp_users SET user_pass = MD5('hacked') WHERE ID = 1;
so, we can now login to wordpress and proceed
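The trick works because WordPress still accepts a bare MD5 hash in user_pass for legacy compatibility and silently rehashes it on the next successful login. That makes the tampering visible to a defender: a 32-character hex value where a phpass ($P$...) hash should be, a hash that differs from an earlier backup, or an account that was never created through the admin panel. The following is an added example, not from the write-up, that loads two constructed wp_users snapshots into an in-memory SQLite table and reports those three conditions; the phpass values are placeholders, and the accepted-format regex matches the phpass scheme used by the WordPress releases this write-up targets (adjust it for releases that store a different format).

```python
"""Audit wp_users password hashes for signs of a direct-database reset.

Added example, not part of the original write-up. Loads a baseline snapshot
(e.g. from a backup) and the current table into SQLite and flags:
  - raw_md5_hash:          32 hex chars instead of a phpass hash, exactly what
                           `UPDATE wp_users SET user_pass = MD5(...)` leaves
  - hash_changed:          user_pass differs from the baseline
  - new_account:           ID absent from the baseline
  - unexpected_hash_format: anything that is neither phpass nor raw MD5
All rows below are constructed sample data.
"""
import hashlib
import re
import sqlite3

# phpass portable hash: "$P$" or "$H$", then 1 cost char + 8 salt + 22 hash chars.
PHPASS_RE = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")
RAW_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


def placeholder_phpass(n):
    """Constructed placeholder with the right shape for a phpass hash (not a real hash)."""
    return "$P$B" + "0" * 29 + str(n)


# Constructed baseline snapshot: (ID, user_login, user_pass).
BASELINE = [
    (1, "admin", placeholder_phpass(1)),
    (2, "editor", placeholder_phpass(2)),
]
# Constructed current table: admin's hash is now MD5('hacked') as in the
# write-up's UPDATE; editor is unchanged; a third account appeared.
CURRENT = [
    (1, "admin", hashlib.md5(b"hacked").hexdigest()),
    (2, "editor", placeholder_phpass(2)),
    (3, "backdoor", placeholder_phpass(3)),
]


def load_snapshot(rows):
    """Load (ID, user_login, user_pass) rows into an in-memory wp_users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", rows)
    return db


def audit_wp_users(baseline_db, current_db):
    """Return (ID, user_login, finding) tuples for every suspicious row in current_db."""
    query = "SELECT ID, user_login, user_pass FROM wp_users ORDER BY ID"
    base = {uid: pw for uid, _login, pw in baseline_db.execute(query)}
    findings = []
    for uid, login, pw in current_db.execute(query):
        if RAW_MD5_RE.match(pw):
            findings.append((uid, login, "raw_md5_hash"))
        elif not PHPASS_RE.match(pw):
            findings.append((uid, login, "unexpected_hash_format"))
        if uid not in base:
            findings.append((uid, login, "new_account"))
        elif base[uid] != pw:
            findings.append((uid, login, "hash_changed"))
    return findings


if __name__ == "__main__":
    for uid, login, finding in audit_wp_users(load_snapshot(BASELINE), load_snapshot(CURRENT)):
        print(f"ID={uid} login={login}: {finding}")
```

Because the raw-MD5 indicator disappears as soon as the attacker logs in, the snapshot comparison is the check that still fires afterwards; run it against the most recent trusted database backup.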
login and upload a reverse shell using the add plugin feature
and let’s access our shell in the upload directory
get the reverse shell and stabilize it
Privilege escalation
Enumerating further, I got the SSH private key for the user whale
in the whale home directory (.bak)
cool :)
so we can now ssh into the box as user whale
so let's read FLAG58, which we weren't able to read before.
so, running the command id
shows that the user whale
is in the docker group, which we can use to escalate our privileges to root.
read more about the docker group privilege escalation here
following the steps should give us root
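Since membership in the docker group is effectively root on the host, an auditor wants a complete list of accounts that hold it, and that list is not just the members field of the docker line in /etc/group: a user whose primary GID in /etc/passwd is the docker group has the same access without appearing there. The following is an added example, not part of the write-up, that resolves both sources; the /etc/group and /etc/passwd contents are constructed samples.

```python
"""List every account with docker-group access, from /etc/group and /etc/passwd.

Added example, not part of the original write-up. Membership comes from two
places: the supplementary-member list on the docker line in /etc/group, and
any /etc/passwd entry whose primary GID equals docker's GID (such users are
not listed in /etc/group at all). Both inputs below are constructed samples.
"""

# Constructed /etc/group: whale is a listed member of docker (gid 999).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:999:whale
users:x:100:
"""

# Constructed /etc/passwd: bob's primary group is 999 (docker) without being
# listed on the docker line above; alice and whale use ordinary primary groups.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
whale:x:1001:1001:whale:/home/whale:/bin/bash
bob:x:1002:999:bob:/home/bob:/bin/bash
"""


def parse_group(text):
    """Map group name -> (gid, [members]) from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """Yield (user, primary_gid) pairs from /etc/passwd-format text."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        yield fields[0], int(fields[3])


def group_members(group_text, passwd_text, group_name="docker"):
    """Return the sorted set of users with access via group_name, or [] if it does not exist."""
    groups = parse_group(group_text)
    if group_name not in groups:
        return []
    gid, members = groups[group_name]
    users = set(members)
    # Users whose primary group is the target group are members too, even
    # though /etc/group does not list them.
    users.update(user for user, pgid in parse_passwd(passwd_text) if pgid == gid)
    return sorted(users)


if __name__ == "__main__":
    # On a live host, read the real files instead of the constructed samples:
    # open("/etc/group").read(), open("/etc/passwd").read()
    print("docker group members:", group_members(SAMPLE_GROUP, SAMPLE_PASSWD))
```

Any account in that list that does not need to manage containers should be removed from the group (for example with `gpasswd -d <user> docker`), and in this box's case the exposed private key in whale's home directory should be replaced as well.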
Thanks.
Tags: Dompdf,Arbitrary file read,Docker