Vulnhub-Literally Vulnerable

Hey everyone, I hope you are doing well. This is a write-up for the Literally Vulnerable machine. It is an easy boot2root machine, so let’s jump in by doing a port scan on the machine.

Rustscan

MAC Address: 80:00:0B:3C:4A:7E (Intel Corporate)

PORT 21 (FTP)

We get a file containing passwords

PORT 80 (HTTP)

We have a WordPress site, but the CSS isn’t loaded properly because the site uses the hostname literally.vulnerable

So let’s add it to our /etc/hosts file

Running wpscan against the WordPress site, we only find one user (admin)

Tried brute-forcing the password for the user admin

So I ran wpscan again to enumerate plugins

Let’s just keep it running in the background and enumerate the other HTTP port

PORT 65535 (HTTP)

Ran DirBuster on that port, but nothing seemed interesting

Used a wordlist from SecLists

And found /phpcms

We find a post regarding a note for john

Ran wpscan on this WordPress site and found two usernames

And we found a valid password for maybeadmin by using the passwords from the file we found on FTP

We got into the dashboard, but we are not admin

So we cannot do much, but there was a password-protected post; maybe we can see what’s in there

Let’s login as notadmin

Edit the 404.php page of the theme with a php reverse shell

But it seems we can’t do it manually, so my next option is to use the Metasploit WordPress shell upload exploit

I used a PHP reverse shell so that I could get a stable shell

We see some files in doe’s home directory

On running the binary itseasy, it printed the current path

So this means we can tamper with it by exporting PWD

So here I set the environment variable PWD to a command which runs whoami and saves its output in /tmp/output

So it means we can run commands as john through this binary. I created a .ssh folder in john’s home directory; now I can add my id_rsa.pub to the authorized_keys file
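The root cause of the itseasy step is a privileged binary that trusts $PWD, a variable the caller controls. The following is an added example (my own code, not the machine’s binary, whose source the write-up does not show) of how such a helper should obtain and validate the working directory instead: it assumes the bug was that $PWD reached a shell, asks the kernel for the real cwd with getcwd(), and only accepts an environment PWD that is absolute, free of shell metacharacters, and names the same directory (same device and inode).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed model of the itseasy bug: a setuid helper that printed the current
 * path by handing $PWD to a shell. Anything in $PWD is caller-controlled, so
 * it must never reach system()/popen(); the checks below are the defence. */

/* Returns 1 if env_pwd is an absolute path with no shell metacharacters that
 * resolves to the same directory as the real cwd, otherwise 0. */
int pwd_env_is_trusted(const char *env_pwd) {
    struct stat env_st, cwd_st;

    if (env_pwd == NULL || env_pwd[0] != '/')
        return 0;                                   /* missing or relative */
    if (strpbrk(env_pwd, "`$;|&<>\n") != NULL)
        return 0;                                   /* shell syntax: reject */
    if (stat(env_pwd, &env_st) != 0 || stat(".", &cwd_st) != 0)
        return 0;                                   /* does not exist / unreadable */
    /* Same device and inode means it really is the working directory. */
    return (env_st.st_dev == cwd_st.st_dev && env_st.st_ino == cwd_st.st_ino) ? 1 : 0;
}

/* Print the working directory as reported by the kernel, never from the
 * environment, and never through a shell. Returns 0 on success. */
int print_cwd_safely(void) {
    char buf[4096];

    if (getcwd(buf, sizeof buf) == NULL) {
        perror("getcwd");
        return 1;
    }
    puts(buf);
    return 0;
}

int main(void) {
    const char *env_pwd = getenv("PWD");

    printf("PWD trusted: %s\n", pwd_env_is_trusted(env_pwd) ? "yes" : "no");
    return print_cwd_safely();
}
```

Run it as `PWD='$(id)' ./a.out` and the environment value is rejected while the real path still prints; a setuid helper written this way has nothing for a tampered PWD to reach.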

We get the user flag plus a note

Running the find command to list files owned by john

Now we can run the test.html file as root, but it isn’t on the machine, and we cannot create it as john because john does not have the permissions but www-data does, so I’m going back to that user

BS CS undergraduate | CTF Player