Hey everyone, I hope you are doing well. This is a write-up for the Literally Vulnerable machine, an easy boot2root box. So let's jump in with a port scan of the machine.
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 325 Dec 04 2019 backupPasswords
| ftp-syst:
| FTP server status:
| Connected to ::ffff:
| Logged in as ftp
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2f:26:5b:e6:ae:9a:c0:26:76:26:24:00:a7:37:e6:c1 (RSA)
| 256 79:c0:12:33:d6:6d:9a:bd:1f:11:aa:1c:39:1e:b8:95 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAnd9KWbuz1oyVBcGqABiFwm+tO2EGRsE5KzvvzYuzjYk/U2tgOx1joZAX/jeii3oK2oW/Kmtu
| 256 83:27:d3:79:d0:8b:6a:2a:23:57:5b:3c:d7:b4:e5:60 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhQsU6o12hyENGgq/DI3I4sWHsJpLCuxITMtMaiwh/A
80/tcp open http syn-ack ttl 64 nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.3
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Not so Vulnerable – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
65535/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)
Anonymous FTP is allowed, and through it we get a file containing passwords (backupPasswords).
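The scan above is the usual first place to spot misconfigurations. The following is an added example, not code from the original write-up, that parses nmap -sC/-sV text output (a trimmed copy of the scan above is embedded as the sample input) and flags the items a defender would want to act on: anonymous FTP with a readable backup file, a cleartext FTP control channel, a WordPress version disclosed through the generator tag, and an extra web server on a non-standard port still serving its default page. The port-line and script-line layouts it relies on are assumed from the output as shown, not taken from any nmap API.

```python
import re
from dataclasses import dataclass, field

# Sample input: a trimmed copy of the nmap output shown earlier in this write-up.
SCAN = """\
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 ftp ftp 325 Dec 04 2019 backupPasswords
| ftp-syst:
| Control connection is plain text
|_End of status
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 nginx 1.14.0 (Ubuntu)
|_http-generator: WordPress 5.3
|_http-title: Not so Vulnerable – Just another WordPress site
65535/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
"""

# "<port>/<proto> open <service> [syn-ack ttl N] <banner>" as nmap prints it
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(?:syn-ack\s+ttl\s+\d+\s+)?(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    service: str
    banner: str
    scripts: list = field(default_factory=list)   # NSE script lines for this port


def parse_nmap(text):
    """Group the '|'-prefixed script lines under the port line they belong to."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
        elif line.startswith("|") and ports:
            ports[-1].scripts.append(line.lstrip("|_ ").strip())
    return ports


def triage(ports):
    """Return (port, finding) tuples that deserve a defender's attention."""
    findings = []
    for p in ports:
        script_text = "\n".join(p.scripts)
        if "Anonymous FTP login allowed" in script_text:
            findings.append((p.number, "anonymous FTP enabled"))
            # ftp-anon lists the files it could see; each is readable by anyone
            for s in p.scripts:
                if re.match(r"^-[rwx-]{9}\s", s):
                    findings.append((p.number, "anonymous-readable file: " + s.split()[-1]))
        if "Control connection is plain text" in script_text:
            findings.append((p.number, "FTP credentials travel in cleartext"))
        wp = re.search(r"http-generator: WordPress ([\d.]+)", script_text)
        if wp:
            findings.append((p.number, "WordPress %s disclosed via generator tag" % wp.group(1)))
        if "Default Page" in script_text:
            findings.append((p.number, "default web server page exposed"))
        if p.service == "http" and p.number not in (80, 443, 8080, 8443):
            findings.append((p.number, "HTTP service on non-standard port"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_nmap(SCAN)):
        print("%5d  %s" % (port, finding))
```

Run as-is it prints six findings for the embedded scan; feed it the full output of a real scan (saved with -oN) to triage a whole host. The FTP file-listing check is the one that matters most here: a backup of passwords reachable without a login is what the rest of this box is built on.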
There is a WordPress site, but its CSS isn't loaded properly because the pages reference the hostname literally.vulnerable.
So let's add it to our /etc/hosts file.
Running wpscan against the WordPress site, we only find one user (admin).
Tried brute-forcing against the user admin.
So I ran wpscan again to enumerate plugins.
Let's keep that running in the background and enumerate the other HTTP port.
PORT 65535 (HTTP)
Ran dirbuster on that port, but nothing seemed interesting.
Using the wordlist from SecLists, I found /phpcms.
We find a post containing a note for john.
Ran wpscan on this WordPress site and found two usernames.
And we found a valid password for maybeadmin by trying the passwords from the FTP backup file.
We got into the dashboard, but we are not admin, so we cannot do much; there was a password-protected post, though, so maybe we can see what's in there.
Let's log in as notadmin and edit the theme's 404.php page with a PHP reverse shell.
But it seems we can't do it manually, so my next option is the Metasploit WordPress shell-upload exploit.
I used a PHP reverse shell so that I can get a stable one.
We see some files in doe's directory.
On running the binary itseasy, it printed the current path.
So this means the binary takes the path from the PWD environment variable, which we can export and tamper with.
So here I set the environment variable PWD to a command which runs whoami and saves its output in /tmp/output.
So it means we can run commands as john through this binary. I created a .ssh folder in john's home directory, and now I can add my id_rsa.pub to the authorized_keys file.
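The source of itseasy is not shown, so the following is an added example (not the machine's binary, and written in Python to match the other examples on this page) of the lesson behind it and the check a privileged helper should make instead: PWD is an environment variable under the caller's control, so a program that runs with someone else's privileges has to take the working directory from the kernel (os.getcwd()) and must never splice environment values into a shell command string. The function names and the tampered PWD value below are constructed for illustration.

```python
import os

# Characters that change the meaning of a string once a shell interprets it.
SHELL_METACHARS = set("$`;|&<>()\n'\"\\")


def pwd_from_env(environ=None):
    """What a naive program sees: the caller-supplied PWD, or None if unset."""
    env = os.environ if environ is None else environ
    return env.get("PWD")


def pwd_from_kernel():
    """What the kernel says the working directory is; $PWD has no influence here."""
    return os.getcwd()


def env_pwd_is_trustworthy(environ=None):
    """True only when $PWD names the very directory the kernel reports."""
    claimed = pwd_from_env(environ)
    if claimed is None or not os.path.isdir(claimed):
        return False
    try:
        return os.path.samefile(claimed, pwd_from_kernel())
    except OSError:
        return False


def looks_like_injection(value):
    """Flag a value that would be reinterpreted if spliced into a shell command.

    This is a detection aid for logging and alerting; the fix is not to filter
    the variable but to stop passing it through a shell at all.
    """
    return any(ch in SHELL_METACHARS for ch in value)


def report_cwd_safely():
    """Safe pattern: ask the kernel and return the value; no shell, no $PWD."""
    return pwd_from_kernel()


if __name__ == "__main__":
    # Constructed tampered environment, never executed: PWD carries a command
    # substitution like the one used against itseasy in the write-up.
    tampered = dict(os.environ, PWD="$(whoami > /tmp/output)")
    print("kernel cwd      :", report_cwd_safely())
    print("own $PWD trusted:", env_pwd_is_trustworthy())
    print("tampered trusted:", env_pwd_is_trustworthy(tampered),
          "| injection-like:", looks_like_injection(tampered["PWD"]))
```

The design point: env_pwd_is_trustworthy() compares by inode (samefile), so a symlinked but honest PWD still passes, while a value that is not an existing directory, or a different directory, fails. A setuid or sudo-invoked helper that follows report_cwd_safely() has nothing for an attacker to tamper with in the first place.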
We get the user flag plus a note.
On running the find command to look for files owned by john:
Now we can run the test.html file as root, but it isn't on the machine, and we cannot create it as john, who does not have the permissions, although www-data does.
So, going back to that user
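Added example, not from the write-up: the situation in the last step is a general one, a rule that lets a user run a specific file as root while that file does not exist and its directory is writable by a different account (here www-data). Assuming the rule is a sudo-style rule (the write-up only says the file runs as root), this audit checks that the target exists, is a regular root-owned file that group and other cannot write, and that no directory above it is writable by group or other. The layout it audits is constructed in a temporary directory; the file name test.html is the one from the write-up.

```python
import os
import stat
import tempfile


def _writable_by_non_owner(st):
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_privileged_target(path):
    """Return the problems with a path that some rule lets a user execute as root.

    A missing target inside a directory another account can write to is the
    worst case: that account simply creates the file and gets it run as root.
    """
    problems = []
    path = os.path.abspath(path)
    if not os.path.lexists(path):
        problems.append("target does not exist: " + path)
    else:
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            problems.append("target is not a regular file: " + path)
        if st.st_uid != 0:
            problems.append("owner of target is not root (uid %d): %s" % (st.st_uid, path))
        if _writable_by_non_owner(st):
            problems.append("target writable by group/other: " + path)
    # Walk every directory from the target up to /; one writable directory on
    # the way is enough to plant or replace the target.
    d = os.path.dirname(path)
    while True:
        st = os.lstat(d)
        if st.st_uid != 0:
            problems.append("owner of directory is not root (uid %d): %s" % (st.st_uid, d))
        if _writable_by_non_owner(st):
            problems.append("directory writable by group/other: " + d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return problems


def build_demo_layout():
    """Construct a throwaway layout mirroring the write-up: the file the rule
    names does not exist yet, and its directory is open to other accounts.
    Returns the paths to audit (all constructed, under a fresh temp dir)."""
    base = tempfile.mkdtemp(prefix="privaudit-")
    loose = os.path.join(base, "html")
    os.mkdir(loose)
    os.chmod(loose, 0o777)              # any local account can create files here
    tight = os.path.join(base, "bin")
    os.mkdir(tight)
    os.chmod(tight, 0o755)
    good = os.path.join(tight, "helper.sh")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")
    os.chmod(good, 0o755)
    loose_file = os.path.join(loose, "editable.sh")
    with open(loose_file, "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")
    os.chmod(loose_file, 0o666)         # group/other can rewrite it
    return {
        "missing": os.path.join(loose, "test.html"),   # name from the write-up
        "loose_dir": loose,
        "loose_file": loose_file,
        "good": good,
    }


if __name__ == "__main__":
    layout = build_demo_layout()
    for label in ("missing", "loose_file", "good"):
        print("==", label, layout[label])
        for problem in audit_privileged_target(layout[label]):
            print("  -", problem)
```

Point it at the command paths from sudo -l (or a sudoers file) on a real host. Ownership findings will also fire for the temp directory when run as an unprivileged user, which is exactly the kind of result the audit exists to surface: a root-run target must not live anywhere a non-root account controls.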