- Author Description
- SQL Injection
- Wordpress - Reverse PHP Shell
- Privilege Escalation
- Post Exploitation Enumeration
Author Description
The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification.
Port Scanning
Service Enumeration
Port | Service | Version Detection |
---|---|---|
 | HTTP | 64 Apache httpd 2.4.7 ((Ubuntu)) |
 | HTTPS | Apache httpd |
 | HTTP | Apache httpd |
HTTP Enumeration
Enumeration of port 80 discovered login.php:
SQL Injection
The discovered form was vulnerable to a time-based SQL injection. SQLMap was used to expose the following databases:
SQLMap was used to dump the wordpress8080 database:
Discovered credentials:
Wordpress - Reverse PHP Shell
Wordpress was accessible on port 443 and port 8080. Authentication was successful using the discovered credentials, and a PHP reverse shell was introduced to the site's source code via the Wordpress theme editor.
Username | Password |
---|---|
admin | |
A reverse shell successfully connected back:
Privilege Escalation
Account credential reuse from the Wordpress admin password SuperSecretPassword allowed su - to escalate privileges to root.
Post Exploitation Enumeration
The file /etc/passwd contained the text:
Additionally, the file /etc/shadow had incorrect permissions that gave a non-privileged user read access, allowing offline password cracking using Hashcat / JTR.
Thanks for the VM :)