TryHackMe-ColddBox

Rustscan

PORT 80

This looks like a WordPress site. To confirm this, let’s visit /wp-admin.

Dirsearch

I started fuzzing for directories using dirsearch and expected to find wp-admin, as it is a WordPress site.

This gave us a valid username, and we can verify it because WordPress lets us know when the username is correct but the password is invalid.

We can brute-force the password for this user account.

WPSCAN

For WordPress, it is recommended to run wpscan to enumerate usernames, plugins and installed themes; it also looks for vulnerable plugins.

We found a few more users along with hugo, so let’s start the brute-force attack through wpscan.

We logged into the WordPress dashboard. Now go to Appearance -> Editor -> select 404 Template -> paste the PHP reverse shell.

Now we have to invoke the PHP reverse shell after setting up a netcat listener. We have added our malicious 404.php file, so now we need to navigate to where it is stored. As we edited the twentyfifteen theme, it is in wp-content/themes/twentyfifteen/404.php.
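From the defender's side, the brute-force, the template edit and the direct request for 404.php each leave a trace in the web server access log. The following detection sketch is an added example, not part of the original writeup; the log format, the threshold, the sample IPs and the constructed log lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (common log format); 203.0.113.7 is a documentation IP.
def _line(method, path, status):
    return f'203.0.113.7 - - [01/Jan/2022:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = "\n".join(
    [_line("POST", "/wp-login.php", 200)] * 6             # repeated failed logins
    + [_line("POST", "/wp-login.php", 302),               # successful login redirects
       _line("GET", "/wp-admin/theme-editor.php?file=404.php&theme=twentyfifteen", 200),
       _line("POST", "/wp-admin/theme-editor.php", 302),   # template saved
       _line("GET", "/wp-content/themes/twentyfifteen/404.php", 200),
       '198.51.100.4 - - [01/Jan/2022:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 900']
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# Theme templates are normally included by WordPress, not requested by URL.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/(?:.+/)?[^/]+\.php$")

def detect(log_text, fail_threshold=5):
    """Return a list of (rule, client_ip, path) findings in log order."""
    failed_logins = Counter()
    findings = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if method == "POST" and path == "/wp-login.php" and status == "200":
            # WordPress re-renders the login form (200) on a failed attempt
            failed_logins[ip] += 1
            if failed_logins[ip] == fail_threshold:
                findings.append(("login-bruteforce", ip, path))
        elif method == "POST" and path == "/wp-admin/theme-editor.php":
            findings.append(("theme-file-edited", ip, path))
        elif THEME_PHP_RE.match(path):
            findings.append(("direct-theme-php-request", ip, path))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding, sep="\t")
```

On the sample log this reports the three stages in order, all from the same client address.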

But we need to escalate our privileges in order to read user.txt.

We see that find has the SUID bit set, so we abuse it to gain access to root.

We can see that our prompt has changed to that of the root user. To get a proper root shell, just set the SUID bit on /bin/bash and you will get the proper shell with /bin/bash -p.

ARZ101
Pentester | CTF Player