PG — Wpwn — Walkthrough (Offensive Security Proving Grounds Play Boxes)

Introduction

This article aims to walk you through Wpwn box produced by 0xatom and hosted on Offensive Security’s Proving Grounds Labs. Anyone who has access to Vulnhub and Offensive Security’s Proving Grounds Play or Practice can try to pwn this box, this is an easy and fun box. Hope you enjoy reading the walkthrough!

Reconnaissance

Since we are already provided with IP address of the box, we will scan it via Nmap.

Scanning

We are going to scan the IP for all open ports by typing the following command on our terminal. -p- indicates that we want to check all open ports.

nmap -p- 192.168.x.x

After waiting for a while, we have got our results as shown below:

Nmap Port Scanning

To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability.

nmap -p 22,80 192.168.x.x -sV -sC

In a short while, we have got our results and more details regarding open ports. And we decide to start enumeration on port 80 as port 22 is not a logical starting point for use because it does not provide us with a broad attack surface.

Nmap Specified Port Scanning

Enumeration

First of all, we type IP address in our browser.

Port 80 Enumeration

We find it is just a webserver that tells us to have fun. So, let us have fun and check the source code.

Checking Source Code of the Webserver

We find nothing useful here as well.

In this case, we decide to run gobuster to bruteforce directories to see if we have something useful. We will use -u argument to specify URL and -w argument to provide the wordlist we want to use for directory bruteforcing. And to make bruteforcing process fast, we will specify threads as 30 by -t argument.

gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 30

After a very short while, we find a web directory which is WordPress that catch our attention since it indicates that there is a path to enumerate further.

Gobuster Directory Bruteforcing Results

We check the web directory and find that port 80 is hosting WordPress.

Port 80 Wordpress Directory

From this point on, we will enumerate this directory further to see if we can find a way to get a low shell on the box.

We will use wpscan that is a WordPress vulnerability scanning tool that can be used to scan remote WordPress installations to find security issues. So we will use following simple syntax to scan:

wpscan — url http://192.168.x.x/wordpress/

Wpscan Enumeration on Port 80

Wpscan updates its database, it starts to scan plugins, themes, and presents us with interesting findings.

Vulnerable Social-warfare Plugin Found by Wpscan

We see that there is a plugin called Social-warfare and it is outdated, which may indicate a path for getting a low shell.

We search on google if there is a vulnerability related to WordPress plugin found, we find there is a Remote Code Execution (RCE) vulnerability which provides us with Remote File Inclusion (RFI) vulnerability that we can leverage to get a shell on the box.

Social-warfare Plugin RCE (Unauthenticated)

Now, we will test if it works for us.

Following steps provided for Remote Code Execution, we create a payload.txt

vim payload.txt

Creating Payload
Content of the Payload

cat payload.txt

Content of the Payload

And start an http server on our attacking box.

python3 -m http.server 80

Starting Http Server

We are still following the steps provided above and test our vulnerable URL.

Vulnerable URL

After executing the URL, we see that the box is communicating with our attacking box;

Our Payload on Our Attacking Box is Executed

And we are able to read /etc/passwd content.

Note: It is always good to remember noting down any names on the target box since they can be useful for later exploitation processes. So, we will note down user takis.

Exploitation

As we have Remote Code Execution on the target box, now we will try to exploit the machine and get our low shell.

After trying and failing to get a reverse shell through Remote File Inclusion, we decide to enumerate WordPress configuration files, and we have got some credentials.

We change content of our payload as such:

New Payload Content

We see that our payload is being executed:

Payload Execution Proof

And execute the URL again and we have got a result. As it shows the output in a complicated format as shown below:

The Output of Wordpress Configuration File

We will check the source code of the page that provide us with a very organized and clear page.

Credentials in WordPress Config File

Since we have a username and MySQL Database password, we will try to log in on port 22 as SSH user using these credentials.

We use takis as user and try to connect to SSH on port 22 with the following command and provide the password we found on WordPress configuration file as password.

ssh takis@192.168.x.x

We see that we can log in on the box as SSH user, and so we have a low shell on the box. Then, we look for local.txt by the following command:

find / -name local.txt 2>/dev/null

Since Offensive Security hashes does not locate in user.txt, we find it in /var/www/local.txt and have got our hash.

SSH Login and Low Shell Hash

Privilege Escalation

Privilege Escalation of this box was very easy, there are some initial enumeration steps for privilege escalation after getting low shell, and the first on tried on this box, which was checking sudo permissions for the current user sudo -l, was the way for privilege escalation.

Privilege Escalation Enumeration

As we see that we have full access to the box, we will simply type sudo su and escalate our privilege to root level on the box and get our high shell hash.

Privilege Escalating to Root

And we have full authority on the box. Enjoy!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store