Here I will make a writeup of the Vulny machine on the HackMyVM platform. It is an easy-rated VM; if you are interested you can click the link here. Let's start.
As always, the first thing I do is port scanning, and at this point nmap only finds one open TCP port, HTTP (80):
The website only shows the default page, so we need to look for hidden paths or files using directory bruteforce tools such as dirb, dirsearch, etc.
Here we find 2 directories, namely /javascript and /secret. If we access /javascript the response is Forbidden (not permitted), but the /secret directory is accessible and contains a note.
From this information we know there is a WordPress config endpoint containing a username/password. This is quite strange, because if we use Wappalyzer or wpscan we find no indication that the web server runs WordPress.
Next, we bruteforce directories again using dirsearch, this time specifically under the /secret path.
From these results, 3 paths were found, namely:
/wp-admin = the response given is the same as /secret
/wp-content = response 200
/wp-includes = Forbidden
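From the defender's side, the scanning done with dirb/dirsearch above leaves a very recognisable trace in the web server's access log: one client, many requests in a short burst, almost all answered 404/403, with the odd 200 marking what it actually found. The script below is an added example (not part of this writeup) that flags that pattern in combined-format Apache/nginx logs. The log lines are constructed, the IPs are documentation ranges rather than the lab box, and the thresholds (10 requests in 60 seconds, 60% errors) are assumptions to tune per site.

```python
"""Flag directory brute-forcing (dirb/dirsearch style) in web access logs.

Added example for this writeup, not part of the original post. The log
lines are constructed; the IPs are documentation ranges, not the lab box.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: one ordinary visitor plus one client guessing paths."""
    lines = [
        '192.0.2.10 - - [10/Oct/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Oct/2020:12:00:02 +0000] "GET /style.css HTTP/1.1" 200 1220 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Oct/2020:12:00:09 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    ]
    # A wordlist-driven scan: mostly 404s, an occasional 403, and one real hit.
    guesses = [("/admin", 404), ("/backup", 404), ("/cgi-bin/", 404), ("/javascript", 403),
               ("/secret", 200), ("/test", 404), ("/old", 404), ("/tmp", 404),
               ("/uploads", 404), ("/db", 404), ("/config", 404), ("/login", 404)]
    for i, (path, status) in enumerate(guesses):
        lines.append(f'198.51.100.7 - - [10/Oct/2020:12:05:{i:02d} +0000] '
                     f'"GET {path} HTTP/1.1" {status} 196 "-" "python-requests/2.24"')
    return lines


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, window=timedelta(seconds=60),
                          min_requests=10, min_error_ratio=0.6):
    """Return {ip: summary} for clients whose requests inside any `window`
    are mostly 403/404, the signature of a wordlist scan. The summary also
    lists the paths the scanner found (status 200), which is what a
    responder wants to know first."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) < min_requests:
                continue
            errors = sum(1 for r in burst if r["status"] in (403, 404))
            # Keep the largest qualifying burst seen for this client.
            if (errors / len(burst) >= min_error_ratio
                    and len(burst) > flagged.get(ip, {}).get("requests", 0)):
                flagged[ip] = {
                    "requests": len(burst),
                    "errors": errors,
                    "discovered": sorted({r["path"] for r in burst if r["status"] == 200}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(build_sample_log()).items():
        print(f"{ip}: {info['requests']} requests, {info['errors']} errors, "
              f"found {info['discovered']}")
```

Run against a real log with `detect_dir_bruteforce(open("access.log"))`. The ordinary visitor's single 404 never trips the rule because the check is on the error ratio inside a burst, not on raw 404 counts; the scanner is reported together with the one path it discovered, which is exactly the /secret note that drives the rest of this box.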
Next, we can focus on /wp-content. Inside it there is the /uploads directory, and if we access it we find that this website uses the wp-file-manager plugin.
If we access http://192.168.1.38/secret/wp-content/uploads/2020/10/ you will find the version of wp-file-manager, namely 6.0, and this version is vulnerable!
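The weak point here is an outdated plugin, and the cheapest defence is knowing what versions are installed before anyone else does. The script below is an added example (not from this writeup or from the plugin's authors) that reads the standard `Version:` field from each plugin's PHP header, or `Stable tag:` from its readme.txt, and compares it against a table of minimum patched releases. The plugin tree it audits is constructed in a temp directory with placeholder file names, and `MIN_SAFE_VERSION` is an assumption to confirm against the vendor changelog before relying on it.

```python
"""Audit installed WordPress plugins against a minimum patched version.

Added example for this writeup, not code from the post or from the plugin.
The sample plugin tree is constructed in a temp dir; the file names inside it
are placeholders, and MIN_SAFE_VERSION is an assumption to confirm against
the vendor changelog before relying on it.
"""
import re
import tempfile
from pathlib import Path

# Plugin slug -> first release assumed to carry the fix (assumption, see above).
MIN_SAFE_VERSION = {"wp-file-manager": "6.9"}

# Matches "Version: 6.0" in a plugin's PHP header block and
# "Stable tag: 6.0" in its readme.txt, with or without a leading " * ".
HEADER_RE = re.compile(
    r"^\s*\*?\s*(?P<key>Version|Stable tag)\s*:\s*(?P<val>\S+)\s*$", re.M | re.I)


def parse_version(text):
    """Return the first Version:/Stable tag: value in `text`, or None."""
    m = HEADER_RE.search(text)
    return m.group("val") if m else None


def version_tuple(v):
    """'6.0' -> (6, 0); '1.7.2' -> (1, 7, 2); tolerates suffixes like '6.0-beta'.
    Tuples compare numerically, so 6.10 is correctly newer than 6.9."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_plugins(plugins_dir, min_safe=MIN_SAFE_VERSION):
    """Return {slug: (version, 'vulnerable'|'ok'|'unknown')} for each plugin dir."""
    findings = {}
    for plugin in sorted(Path(plugins_dir).iterdir()):
        if not plugin.is_dir():
            continue
        version = None
        for candidate in sorted(plugin.glob("*.php")) + [plugin / "readme.txt"]:
            if candidate.is_file():
                version = parse_version(candidate.read_text(errors="ignore"))
                if version:
                    break
        floor = min_safe.get(plugin.name)
        if version is None:
            status = "unknown"
        elif floor and version_tuple(version) < version_tuple(floor):
            status = "vulnerable"
        else:
            status = "ok"
        findings[plugin.name] = (version, status)
    return findings


def build_sample_site():
    """Constructed wp-content/plugins tree: one outdated plugin, one current one."""
    plugins = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    fm = plugins / "wp-file-manager"
    fm.mkdir(parents=True)
    (fm / "main.php").write_text("<?php\n/*\nPlugin Name: File Manager\nVersion: 6.0\n*/\n")
    (fm / "readme.txt").write_text("=== File Manager ===\nStable tag: 6.0\n")
    hd = plugins / "hello-dolly"
    hd.mkdir()
    (hd / "hello.php").write_text("<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n")
    (plugins / "index.php").write_text("<?php // Silence is golden.\n")
    return plugins


if __name__ == "__main__":
    for slug, (version, status) in audit_plugins(build_sample_site()).items():
        print(f"{slug:20} {version or '?':8} {status}")
```

Point it at a real install with `audit_plugins("/var/www/html/wp-content/plugins")`. Note that the check reads the plugin files on disk rather than the HTTP listing used in the walkthrough, so it works even when directory listing is (correctly) disabled on the web server.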
We need to download the exploit and make a small change to the URL location by adding /secret. Then run the script.
Here we managed to get a shell; next we need to get a reverse shell.
After getting the reverse shell, we need to check the config file to find the username/password, as hinted by the note in /secret earlier.
idrinksomewater
A password was found, and checking /etc/passwd we see there is a user adrian, so we can assume that this password belongs to Ari Adrian.
Log in as adrian with the password obtained earlier, and here we have successfully entered.
What we need to do now is check whether the user has sudo access rights, and display the list of permitted commands with the command sudo -l.
There is a binary, flock, that we can use to carry out privilege escalation.
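The sudo -l step above is the attacker's view; the administrator's equivalent is auditing the sudoers file for exactly the kind of rule that lets a user reach root through a binary that can run other commands, flock being the one on this box. The script below is an added example (not from this writeup) that parses sudoers-style user specifications and reports unrestricted `ALL` grants and grants of known shell-escape binaries. The sudoers text is constructed, and the `SHELL_ESCAPE_BINS` list is an assumption for the example rather than a complete catalogue.

```python
"""Audit sudoers rules for binaries that give an easy path to root.

Added example for this writeup, not from the original post. The sudoers
text is constructed; the list of shell-escape binaries is an assumption
for the example, not an exhaustive catalogue.
"""
import re

# Binaries that run arbitrary commands or write arbitrary files when granted
# via sudo. flock is the one found on this box. Assumed list, not exhaustive.
SHELL_ESCAPE_BINS = {
    "flock", "vim", "vi", "nano", "less", "more", "man", "find", "awk",
    "perl", "python", "python3", "env", "bash", "sh", "tar", "zip",
}
TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC"}

# user host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

# Constructed sample; the adrian rule mirrors the shape of what sudo -l showed.
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
adrian  ALL=(root) NOPASSWD: /usr/bin/flock
www-data ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/tail -f /var/log/apache2/error.log
"""


def parse_sudoers(text):
    """Return [(user, host, runas, [(command, tags)])] for each user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = []
        for spec in m.group("cmds").split(","):
            spec, tags = spec.strip(), set()
            # Peel off leading TAG: prefixes such as NOPASSWD:
            while ":" in spec and spec.split(":", 1)[0].strip().upper() in TAGS:
                tag, spec = spec.split(":", 1)
                tags.add(tag.strip().upper())
                spec = spec.strip()
            cmds.append((spec, tags))
        rules.append((m.group("user"), m.group("host"), m.group("runas") or "root", cmds))
    return rules


def audit_sudoers(text):
    """Return [(user, command, reason)] for rules worth reviewing."""
    findings = []
    for user, _host, _runas, cmds in parse_sudoers(text):
        for cmd, tags in cmds:
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted sudo"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINS:
                reason = "shell escape via sudo"
                if "NOPASSWD" in tags:
                    reason += " (no password required)"
                findings.append((user, cmd, reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user:10} {cmd:40} {reason}")
```

On a real host run it over the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`. The www-data rule is the shape a sudo grant should take, a fixed binary with fixed arguments, and it produces no finding; the fix for the adrian rule is to remove the flock grant or replace it with a wrapper script that does only the one thing the user needs.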
And root was successfully obtained. Vulny pwned!