PG — Wpwn — Walkthrough (Offensive Security Proving Grounds Play Boxes)
Introduction
This article aims to walk you through Wpwn box produced by 0xatom and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this box, this is an easy and fun box. Hope you enjoy reading the walkthrough!
Reconnaissance
Since we are already provided with IP address of the box, we will scan it via Nmap.
Scanning
We are going to scan the IP for all open ports by typing the following command on our terminal. -p- indicates that we want to check all open ports.
nmap -p- 192.168.x.x
After waiting for a while, we have got our results as shown below:
To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.
nmap -p 22,80 192.168.x.x -sV -sC
In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 as port 22 is not a logical starting point for use because it does not provide us with a broad attack surface.
Enumeration
First of all, we type IP address in our browser.
We find it is just a webserver that tells us to have fun. So, let us have fun and check the source code.
We find nothing useful here as well.
In this case, we decide to run gobuster to bruteforce directories to see if we have something useful. We will use -u argument to specify URL and -w argument to provide the wordlist we want to use for directory bruteforcing. And to make bruteforcing process fast, we will specify threads as 30 by -t argument.
gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 30
After a very short while, we find a web directory which is WordPress that catch our attention since it indicates that there is a path to enumerate further.
We check the web directory and find that port 80 is hosting WordPress.
From this point on, we will enumerate this directory further to see if we can find a way to get a low shell on the box.
We will use wpscan that is a WordPress vulnerability scanning tool that can be used to scan remote WordPress installations to find security issues. So we will use following simple syntax to scan:
wpscan — url http://192.168.x.x/wordpress/
Wpscan updates its database, it starts to scan plugins, themes, and presents us with interesting findings.
We see that there is a plugin called Social-warfare and it is outdated, which may indicate a path for getting a low shell.
We search on google if there is a vulnerability related to WordPress plugin found, we find there is a Remote Code Execution (RCE) vulnerability which provides us with Remote File Inclusion (RFI) vulnerability that we can leverage to get a shell on the box.
Now, we will test if it works for us.
Following steps provided for Remote Code Execution, we create a payload.txt
vim payload.txt
cat payload.txt
And start an http server on our attacking box.
python3 -m http.server 80
We are still following the steps provided above and test our vulnerable URL.
After executing the URL, we see that the box is communicating with our attacking box;
And we are able to read /etc/passwd content.
Note: It is always good to remember noting down any names on the target box since they can be useful for later exploitation processes. So, we will note down user takis.
Exploitation
As we have Remote Code Execution on the target box, now we will try to exploit the machine and get our low shell.
After trying and failing to get a reverse shell through Remote File Inclusion, we decide to enumerate WordPress configuration files, and we have got some credentials.
We change content of our payload as such:
We see that our payload is being executed:
And execute the URL again and we have got a result. As it shows the output in a complicated format as shown below:
We will check the source code of the page that provide us with a very organized and clear page.
Since we have a username and MySQL Database password, we will try to log in on port 22 as SSH user using these credentials.
We use takis as user and try to connect to SSH on port 22 with the following command and provide the password we found on WordPress configuration file as password.
ssh takis@192.168.x.x
We see that we can log in on the box as SSH user, and so we have a low shell on the box. Then, we look for local.txt by the following command:
find / -name local.txt 2>/dev/null
Since Offensive Security hashes does not locate in user.txt, we find it in /var/www/local.txt and have got our hash.
Privilege Escalation
Privilege Escalation of this box was very easy, there are some initial enumeration steps for privilege escalation after getting low shell, and the first on tried on this box, which was checking sudo permissions for the current user sudo -l, was the way for privilege escalation.
As we see that we have full access to the box, we will simply type sudo su and escalate our privilege to root level on the box and get our high shell hash.
And we have full authority on the box. Enjoy!
