PG — Wpwn — Walkthrough (Offensive Security Proving Grounds Play Boxes)
This article walks you through the Wpwn box, created by 0xatom and hosted on Offensive Security's Proving Grounds. Anyone with access to Vulnhub or to Proving Grounds Play or Practice can try to pwn it; it is an easy and fun box. I hope you enjoy the walkthrough!
Since we are already given the IP address of the box, we start with an Nmap scan.
We scan all TCP ports with the following command. -p- tells Nmap to check all 65535 ports instead of only its default top 1000.
nmap -p- 192.168.x.x
After waiting a while, we get our results, as shown below:
To gather more information on the ports Nmap found, we rerun it against just those ports with a few more arguments. -sV probes each open port to identify the service and its version, and -sC runs Nmap's default script set, which enumerates the services (HTTP title, SSH host keys and so on) and flags some well-known misconfigurations.
nmap -p 22,80 192.168.x.x -sV -sC
Shortly afterwards we get more details on the two open ports. We decide to start enumerating port 80, since port 22 (SSH) offers very little attack surface without credentials.
First, we browse to the IP address.
We find a plain web page telling us to have fun. So let us have fun and check the source code.
We find nothing useful there either.
Next we run gobuster to brute-force directories and see if anything interesting turns up. -u sets the target URL, -w the wordlist to use, and -t 30 runs 30 concurrent threads to speed the process up.
gobuster dir -u http://192.168.x.x/ -w /usr/share/wordlists/dirb/common.txt -t 30
Very quickly we find a /wordpress directory, which catches our attention because it gives us a clear path to enumerate further.
We browse to the directory and confirm that port 80 is hosting WordPress.
From this point on we enumerate the WordPress installation to look for a way to get a low-privilege shell on the box.
We use WPScan, a black-box WordPress vulnerability scanner that checks a remote installation for outdated or vulnerable plugins, themes and core versions. The simple syntax below is enough:
wpscan --url http://192.168.x.x/wordpress/
WPScan updates its database, then scans plugins and themes and presents us with its findings.
We see a plugin called Social Warfare that is outdated, which may give us a path to a low shell.
A quick Google search for the plugin shows a known vulnerability: a Remote File Inclusion (RFI) in which the plugin fetches a remote file we control and evaluates its contents, giving Remote Code Execution (RCE) that we can leverage to get a shell on the box.
Now we test whether it works for us.
Following the published steps for the RCE, we create a payload.txt
and start an HTTP server on our attacking box to serve it:
python3 -m http.server 80
Still following the published steps, we request the vulnerable URL.
After requesting it, we see the box fetch the payload from our attacking box (a GET for payload.txt shows up in the http.server log);
and we are able to read the contents of /etc/passwd.
Note: it is always worth writing down any usernames found on the target, since they tend to be useful later in the exploitation process. Here we note down the user takis.
Now that we have code execution on the target, we use it to get a low shell.
We change the content of our payload as follows:
We see that our new payload is executed:
We request the URL again and get a result, but the browser renders the output in a hard-to-read format, as shown below:
Viewing the page source instead gives us a clean, well-organised version of the same output.
find / -name local.txt 2>/dev/null
Proving Grounds keeps the flag in local.txt rather than user.txt; we find it at /var/www/local.txt and get our hash.
Privilege escalation on this box was very easy. There are a number of standard enumeration steps to run after getting a low shell, and the very first one we tried here, checking the current user's sudo permissions with sudo -l, turned out to be the way up.
sudo -l shows that we have full sudo access on the box, so we simply run sudo su to escalate to root and collect the proof hash.
And we have full control of the box. Enjoy!