Objective

Employ enumeration, web enumeration, and WordPress enumeration techniques to identify vulnerabilities. Engage in exploiting file upload vulnerabilities and implement privilege escalation strategies. Additionally, utilize kernel exploits to enhance your access. This lab is designed to capitalize on your skills in vulnerability exploitation.

Enumeration

Nmap

During the initial reconnaissance phase, an Nmap scan was conducted, revealing the presence of one open port on the target system: Port 80 (HTTP). These findings were noted for further analysis in subsequent phases of the assessment.

00 - nmap output

Web Enumeration

During web enumeration, a WordPress site was discovered; however, it was redirecting to the domain loly.lc. To bypass this redirection and access the wp-admin page locally, I added the target IP address to the /etc/hosts file with the domain loly.lc.

01 - etc hosts

02 - wordpress admin

WordPress Enumeration

After gaining access to the WordPress site, I performed a WordPress scan and identified active usernames. I then conducted a brute-force attack using the rockyou.txt wordlist, which successfully yielded valid login credentials. Using these credentials, I was able to access the WordPress admin panel.

03 - wordpress

04 - wordpress output

05 - password found

Exploitation

The AdRotate plugin installed on the WordPress site was found to be vulnerable to arbitrary file upload. I generated a PHP reverse shell, compressed it into a ZIP archive, and uploaded it via the plugin’s interface. Upon upload, the plugin automatically extracted the archive and placed its contents into the wp-content/banners directory. By navigating to the uploaded PHP file via the browser, I was able to trigger the reverse shell and gain remote access to the target system.
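The upload path described above works because the plugin extracts an attacker-supplied ZIP straight into a web-served directory without inspecting its members. The following is an added example, not the plugin's or this write-up's code, of the validation a defender would put in front of such an extraction step: it rejects archive entries that escape the target directory, that carry a server-executable extension anywhere in the filename, that are hidden files or symlinks, or whose content does not match the image type the extension claims. The extension lists and the sample archives are constructed for the example.

```python
import io
import posixpath
import zipfile

# Extensions a PHP-enabled web server would execute if they landed in a served
# directory (constructed list; extend it to match the server configuration).
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# A banner plugin only needs images, so allow-list those and nothing else.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes each allowed type must start with (content sniffing, so that a
# PHP payload renamed to .png is still caught).
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".gif": b"GIF8",
}


def check_archive(data: bytes) -> list[str]:
    """Return the reasons to reject the archive; an empty list means it is clean."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue

            # Zip-slip: absolute paths or '..' components would write outside
            # the extraction directory.
            norm = posixpath.normpath(name)
            if name.startswith(("/", "\\")) or norm.split("/")[0] == "..":
                problems.append(f"{name}: path escapes extraction directory")
                continue

            # Symlinks are stored in the upper 16 bits of external_attr.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"{name}: symbolic link")
                continue

            base = posixpath.basename(norm)
            # Dotfiles such as .htaccess can change how the directory is served.
            if base.startswith("."):
                problems.append(f"{name}: hidden file")
                continue

            # Check every suffix, so shell.php.jpg is treated as PHP.
            suffixes = {"." + part.lower() for part in base.split(".")[1:]}
            if suffixes & EXECUTABLE_EXTENSIONS:
                problems.append(f"{name}: server-executable extension")
                continue

            ext = posixpath.splitext(base)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                problems.append(f"{name}: extension not in allow-list")
                continue

            # Extension is fine; make sure the bytes agree with it.
            with zf.open(info) as member:
                head = member.read(8)
            if not head.startswith(IMAGE_MAGIC[ext]):
                problems.append(f"{name}: content does not look like {ext}")
    return problems


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used to construct test archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    print(check_archive(build_zip({"banner.png": png})))
    print(check_archive(build_zip({"shell.php.jpg": b"<?php echo 1; ?>"})))
```

The check runs before extraction, on the archive bytes, so a rejected upload never touches the served directory. Pairing it with a web-server rule that refuses to execute PHP under wp-content/banners and wp-content/uploads gives a second, independent layer if the allow-list is ever bypassed.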

06 - file upload

07 - rev-shell

Privilege Escalation

Initial privilege escalation attempts using the www-data user were unsuccessful. I then attempted kernel exploits, as the target system was running an outdated Linux kernel. However, the exploits failed to compile due to a gcc: cc1: error, indicating that the system lacked a working C compiler or I did not have permission to use it. After further investigation, I discovered valid credentials for the loly user within the wp-config.php file, which allowed me to escalate privileges by switching to that user.

08 - exploit suggester

09 - password

After switching to the loly user, I retried compiling the kernel exploit, and it worked successfully under this user context. Executing the compiled exploit granted root access to the target system.

10 - GG
