Our democracy has been hacked!
Let's start the VM and scan it with nmap (bridged adapter, because I had problems with host-only).
nmap -p- 192.168.1.67 -sV
We see that there is an open HTTP port. Let's navigate to the webpage.
Having seen the l33t homepage, it's time to solve the challenge.
Generating a 404 error, we can see that the website runs a WordPress installation.
Let's fire up wpscan to find something interesting. But... nothing! A version without known exploits and an installation with no plugins.
What about robots.txt? W00t w00t!
We found one of the three flags plus a dictionary. Brute-forcing time!!!
Let's enumerate the usernames with the old technique, /?author=1. Nothing again.
What about the dictionary? Also, if you look at the login page you can see that it indicates whether the username is incorrect, and there are no brute-force tokens! Only default values.
I created a Python script to help me find the valid usernames. I found the username Elliot.
Now it's time to find the password. We will use wpscan for this. Running it, we can see that it will take hours to reach a result. Maybe the given wordlist hides some tricks inside it. Let's use Python again to erase any duplicate passwords. From 850000 passwords we now have 12000. COOL! Fire up wpscan for password cracking.
wpscan --url 192.168.1.67 --wordlist /root/Desktop/fsocietyClean.dic --username Elliot --threads 40
Log in, and yes, we are admin, so we can manipulate PHP code. Upload a reverse shell (I prefer Metasploit, but a simple nc would 101% do the job).
Now, inside the system, list /etc/passwd to see the users. Going to /home/robot, there are two files: an MD5 password hash and the flag. Cracking the MD5 hash (google it), we must somehow cat the flag file (permission 400).
Let's switch to a /bin/sh shell with a Python one-liner,
python -c 'import pty; pty.spawn("/bin/sh")'
in order to be able to switch to the robot user (with su) instead of daemon.
Now we can cat the flag.
As the robot user we still do not have access to the /root directory. That has to be the place where the third flag is stored.
Let's try to find an exploit.
No luck...
Now let's search for misconfigured executable files (setuid/setgid binaries owned by root).
find / -type f \( -perm /4000 -a -user root \) -ls -o \( -perm /2000 -a -group root \) -ls 2> /dev/null
There is nmap installed setuid root and executable by us. Let's see if we can run OS commands with it.
After doing some research: nmap has an interactive mode, and from there we can run OS commands with ! (many interactive programs do this, e.g. gdb).
So we have access to the /root directory. Listing its contents and then moving the file to /tmp gives us the third flag!
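The find command above is the attacker's view of the setuid problem; on the defending side the same check belongs in a periodic audit. What follows is an added example, not part of the original writeup: a Python script that applies the same test as the find expression (setuid and owned by root, or setgid and group-owned by root) and flags every hit whose name is not on a small allowlist of setuid programs a stock install normally ships with. The allowlist is an assumption for illustration; anything flagged, such as nmap here, is a candidate for `chmod u-s` / `chmod g-s` unless there is a documented reason for the bit.

```python
import os
import stat
import sys

# Setuid-root programs that a stock Linux install normally ships with
# (assumed allowlist for illustration; adjust to the distribution's baseline).
EXPECTED_SETUID = {"su", "sudo", "passwd", "chsh", "chfn", "gpasswd",
                   "newgrp", "mount", "umount", "ping"}


def is_privileged_file(mode, uid, gid, root_uid=0, root_gid=0):
    """Same test as the find expression in the writeup: a regular file that is
    setuid and owned by root, or setgid and group-owned by root."""
    if not stat.S_ISREG(mode):
        return False  # symlinks, devices etc. are not what we are after
    if mode & stat.S_ISUID and uid == root_uid:
        return True
    if mode & stat.S_ISGID and gid == root_gid:
        return True
    return False


def audit(top, root_uid=0, root_gid=0):
    """Walk `top` and return [(path, expected)] for every privileged file.
    `expected` is True when the basename is on the allowlist; anything else
    (nmap in the writeup above) is a candidate for chmod u-s / chmod g-s."""
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished, like 2>/dev/null above
            if is_privileged_file(st.st_mode, st.st_uid, st.st_gid,
                                  root_uid, root_gid):
                findings.append((path, name in EXPECTED_SETUID))
    return findings


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, expected in audit(start):
        print(("ok      " if expected else "REVIEW  ") + path)
```

Run it as root (or on a mounted image) so that every directory is readable; the root_uid/root_gid parameters exist so the walker can also be pointed at a directory tree owned by a different account.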
I really struggled with the second flag because there was an error with the shell of the robot user. I was trying to cat with something like sudo -u robot and I didn't think of just switching user with su, so it took me some time to figure it out...