V3NU5💀AL13N:~#

Hack Enumerate Harder!. Eat. Sleep. Repeat.


WEKOR THM

OS = Linux

DIFFICULTY = Medium

NMAP SCAN

Let's start our enumeration with port 80, which is running an HTTP server.

As you can see, there is nothing interesting on the site homepage.

So, checking robots.txt on the site revealed some endpoints.

Checking them one after the other gives nothing except the comingreallysoon directory.

And yeah, there's a note on the page telling us the location of their new website:

Welcome Dear Client! We've setup our latest website on /it-next, Please go check it out! If you have any comments or suggestions, please tweet them to @faketwitteraccount! Thanks a lot !

Also, add the domain wekor.thm to your /etc/hosts file.

Going over to the cart page and adding a single quote throws an SQL error, indicating possible SQL injection.

So, intercept the request with Burp Suite and copy the request into a file.

Then dump the database by running sqlmap on the file.

So, I was able to crack the wp_yura password.

Now let's find the WordPress page for us to log in to, and we can easily do that by fuzzing for subdomains.

And yeah, we have a valid subdomain. So, add the subdomain site.wekor.thm to your /etc/hosts file too.

Let's check the subdomain now.

Let's fuzz for directories on the subdomain.

We have a wordpress directory; let's have a look at it.

So, let's log in with the credentials.

And yeah, we are in.

Let's upload our PHP reverse shell and proceed.

We've gotten a foothold on the box.

PRIVILEGE ESCALATION

Trying to read files in the user's home directory gave permission denied.

Now I started to explore different files and folders but failed to find anything. Next, I thought of checking for services running internally that are only for 127.0.0.1.

Command used: `ss -tulnp`

The service running on port 11211 is memcached (found via a Google search); basically, we can use this service to find the password of user Orka.

You can read more on the memcached exploit here.

We now have the password for user Orka.

Run `su Orka` to switch to user Orka and read the user flag.

Running `sudo -l` shows we can run the bitcoin binary located in the user's Desktop folder without a password,

and we can easily modify the contents of the folder since we own it.

So, we can gain root by moving the Desktop folder to another folder and then creating a new Desktop folder with a modified bitcoin file:

mv Des* venus

mkdir Desktop;cp /bin/bash Des*/bitcoin

Then run `sudo Des*/bitcoin` to get root and read the root flag.
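The root cause of the escalation above is a sudo rule whose command path sits under a directory the user owns, so the user can rename the folder and plant any file at that path. As an added example that is not part of this writeup, here is a small Python audit that flags such rules; the sudoers lines and the filesystem metadata are constructed samples, and in a real audit you would feed it os.stat results instead of the dict.

```python
"""Audit sudoers rules for command paths the granted user can tamper with.

Added example, not part of the WEKOR writeup. A rule is flagged when the
command path, or any ancestor directory of it, is owned by the rule's user
or is world-writable: owning a parent directory is enough to swap the
binary even when the file itself is root-owned.
"""
import re
import stat
from typing import Dict, List, Optional, Tuple

# Constructed sudoers lines; the first mirrors the pattern in the writeup.
SUDOERS_SAMPLE = """
Orka ALL=(root) NOPASSWD: /home/Orka/Desktop/bitcoin
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed filesystem metadata: path -> (owner username, mode bits).
FAKE_FS: Dict[str, Tuple[str, int]] = {
    "/": ("root", 0o755),
    "/home": ("root", 0o755),
    "/home/Orka": ("Orka", 0o750),
    "/home/Orka/Desktop": ("Orka", 0o755),
    "/home/Orka/Desktop/bitcoin": ("root", 0o755),
    "/usr": ("root", 0o755),
    "/usr/bin": ("root", 0o755),
    "/usr/bin/rsync": ("root", 0o755),
}

# user  host=(runas)  [NOPASSWD:]  /absolute/command
RULE_RE = re.compile(r"^(\S+)\s+\S+=\((\S+)\)\s*(?:NOPASSWD:\s*)?(/\S+)")

def user_controls(path: str, user: str, fs=FAKE_FS) -> Optional[str]:
    """Return the first path component the user can replace, or None."""
    parts = path.strip("/").split("/")
    for i in range(len(parts) + 1):
        component = "/" + "/".join(parts[:i]) if i else "/"
        owner, mode = fs[component]
        if owner == user or mode & stat.S_IWOTH:
            return component
    return None

def audit(sudoers_text: str, fs=FAKE_FS) -> List[dict]:
    """Parse sudoers-style lines and report rules with tamperable paths."""
    findings = []
    for line in sudoers_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        user, runas, cmd = m.groups()
        weak = user_controls(cmd, user, fs)
        if weak:
            findings.append({"user": user, "runas": runas, "command": cmd, "tamperable": weak})
    return findings

if __name__ == "__main__":
    for f in audit(SUDOERS_SAMPLE):
        print(f"{f['user']} may run {f['command']} as {f['runas']} but controls {f['tamperable']}")
```

The fix on the defender's side is to keep sudo command targets under root-owned, non-writable directories such as /usr/local/bin.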


Thanks.