Enumeration

Nmap

The initial nmap scan revealed that the HTTP, FTP and SSH ports were open.

00 - nmap

Web Enumeration

I was forwarded to a domain name when I visited the web page. So I added it to the /etc/hosts file.

01 - domain

02 - etc hosts

Then, while searching through the web page, I found out that it was a WordPress page.

03 - wordpress info

So I did directory brute forcing and found valid WordPress endpoints.

04 - wordpress

Exploitation

WPScan

Then I ran wpscan and found valid usernames.

05 - wpscan

For those usernames, I did brute forcing and found joe’s password.

06 - cracked

Later, I enumerated the wordpress-admin page and could not find anything useful. I had no access to the themes or anything else.

SSH and User Flag

Thus, I gave up on WordPress and tried the credentials I found on the SSH port, and it worked. I got the user.

The shell was a restricted shell at first (rbash). So I logged in with a bash shell.

07 - ssh and got the user

Privilege Escalation

Enumeration

There was a file named mbox. Checking it revealed that there should be a backup script running as the funny user.

08 - mbox

Checking the home page of the funny user revealed that backup script. Moreover, the current user had write privileges over it.

09 - backup script

Pspy

Later, I updated the script and got a reverse shell as the funny user, but it was a rabbit hole. Then I learned that the script could also be running as another user. So I downloaded pspy64 and ran it. It revealed that the script was run by both the funny user and the root user.

10 - pspy output

Gaining Root Access

With this knowledge in mind, I updated the script to add SUID privileges to /bin/bash.

11 - updated backup script

Then I waited for 2 minutes and got the root shell and the flag.

12 - got the root
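
The root cause here was a script that root's scheduled job executed while another account could write to it, and the result was a setuid /bin/bash. The following shell audit is an added example, not part of the original write-up; the function names `tamperable` and `setuid_shells` are hypothetical, and the script path and numeric UID are supplied by whoever runs it.

```shell
#!/bin/sh
# Added audit example; tamperable and setuid_shells are hypothetical names.

# tamperable FILE UID: exit 0 if FILE, which a scheduled job runs as numeric
# user UID, could be changed by an account other than UID or root.
# Group-write is reported for review even though the group may be trusted.
tamperable() {
    file=$1 uid=$2
    [ -e "$file" ] || return 2
    dir=$(dirname -- "$file")
    # File owned by someone other than the executing user or root.
    [ -n "$(find "$file" -prune ! -user "$uid" ! -user 0 -print)" ] && return 0
    # File is group- or world-writable.
    [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ] && return 0
    # Parent directory is group- or world-writable without the sticky bit,
    # so the file could be renamed away and replaced.
    [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000 -print)" ] && return 0
    return 1
}

# setuid_shells [LIST]: print each shell listed in LIST (default /etc/shells)
# that carries the setuid bit.
setuid_shells() {
    while IFS= read -r shell_path; do
        case $shell_path in
            /*) [ -u "$shell_path" ] && printf '%s\n' "$shell_path" ;;
        esac
    done < "${1:-/etc/shells}"
    return 0
}

# Stand-alone use: ./audit.sh /path/to/script 0   (0 = the job runs as root)
if [ "$#" -eq 2 ]; then
    if tamperable "$1" "$2"; then
        echo "WARNING: $1 can be modified by an unprivileged account"
    fi
    setuid_shells
fi
```

Any script flagged by `tamperable` should be owned by the account that executes it (or root) with mode 700 or 755, and any path printed by `setuid_shells` should be treated as a sign of compromise.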

