ThisIsSoEasy1

Enumeration

Nmap

We can start by enumerating the services after getting the IP address.

nmap -sC -sV 10.10.235.212
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-11 00:32 EST
Nmap scan report for 10.10.235.212
Host is up (0.39s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 May 25  2021 secret
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.4.7.170
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3234d4a6b96105f8d97718822693dafa (RSA)
|   256 44dcabdd8827335928d945f6af2f1c3c (ECDSA)
|_  256 6774d81cb61647b7db4d82c4661b5ef3 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.83 seconds

As we can see, a few ports are open: 21 (FTP), 22 (SSH) and 80 (HTTP).

Since port 80 is open, we can start by opening the IP in the browser.

HTTP

Flight Details page

For the WordPress site, we can see it redirects to a specific domain (thisissoeasy.local). What we can do is add that domain to our /etc/hosts.

Reload the page and we get this!

FTP

For the FTP service, we can log in using anonymous login. Inside we find a secret folder, and inside the secret folder there is a TODO.txt.

cat the TODO.txt

Interesting.

After poking around for some time, I found out that the flight page is actually a rabbit hole and contains nothing of interest.

WPScan

Moving on to the WordPress website, we can use a tool called wpscan to enumerate it.

wpscan --url http://thisissoeasy.local/wordpress/ --enumerate u,ap --plugins-detection aggressive
Options:
u - users
ap - all plugins

From the wpscan output we can see that the users detected are administrator and jane.

We can navigate to /wp-admin and try to log in with default credentials, or brute-force the login.

After some trial and error, helped by the hints from TODO.txt, we manage to log in to the WordPress admin dashboard with the username administrator and password admin.

We can then navigate to Appearance -> Theme Editor

Navigate to 404 Template

Reverse Shell

We can replace it with a PHP reverse shell.

A website that generates various reverse shells -> RevShells

Choose the PHP PentestMonkey Reverse Shell.

Copy the contents and paste them over the 404 template.

Update the file.

On our own Kali machine, set up a reverse shell listener.

Navigate to this link

http://thisissoeasy.local/wordpress/wp-content/themes/twentytwenty/404.php

Got a reverse shell back!
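From the defender's side, the chain above leaves a distinctive trace in the web server log: an authenticated visit to wp-admin/theme-editor.php followed shortly by a direct request to a PHP file under wp-content/themes/ (normal WordPress traffic is routed through index.php, so a direct hit on a theme's 404.php is rare). The following detection logic is an added example, not part of the original writeup; it assumes Apache combined log format, a 600-second correlation window, and the constructed log lines embedded below.

```python
import re
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
THEME_EDITOR = "/wp-admin/theme-editor.php"
# A request that hits a theme's PHP file directly instead of going through index.php.
THEME_FILE_RE = re.compile(r"/wp-content/themes/[^/]+/[^/?]+\.php")
WINDOW_SECONDS = 600  # assumed correlation window between editor use and direct theme-file hit

# Constructed sample log lines (not captured from the original page); they model the
# editor-then-404.php sequence from the writeup, plus an unrelated direct hit from another IP.
SAMPLE_LOG = """\
10.4.7.170 - - [11/Dec/2022:00:40:01 -0500] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentytwenty HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.4.7.170 - - [11/Dec/2022:00:40:22 -0500] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.4.7.170 - - [11/Dec/2022:00:40:40 -0500] "GET /wordpress/wp-content/themes/twentytwenty/404.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.4.7.9 - - [11/Dec/2022:00:41:05 -0500] "GET /wordpress/wp-content/themes/twentytwenty/404.php HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)

def find_theme_editor_abuse(log_text, window=WINDOW_SECONDS):
    """Return (ip, path, severity) for every direct request to a theme PHP file.
    Severity is 'high' when the same IP used the theme editor within `window` seconds before."""
    last_editor_use = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if THEME_EDITOR in path:
            last_editor_use[ip] = when  # remember the most recent editor visit per client
            continue
        if THEME_FILE_RE.search(path):
            prior = last_editor_use.get(ip)
            recent = prior is not None and 0 <= (when - prior).total_seconds() <= window
            alerts.append((ip, path.split("?")[0], "high" if recent else "low"))
    return alerts

if __name__ == "__main__":
    for ip, path, sev in find_theme_editor_abuse(SAMPLE_LOG):
        print(f"[{sev}] {ip} requested {path} directly")
```

Setting DISALLOW_FILE_EDIT to true in wp-config.php removes the theme and plugin editors from the dashboard entirely, which closes this path even when admin credentials are weak.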

User

Navigate to /var/www and we get the user flag.

Privilege Escalation

The first thing we can do (before uploading any enumeration scripts) is run sudo -l.

We can see the user can execute the env command using sudo.

There is a website that lists sudo and SUID privilege escalation techniques for common binaries -> GTFOBins

Got root right away!

Boom, flag! Congratz!
