VM name:
Lazysysadmin
Objective:
Get root
Another boot to root! Arp-scan to grab our target IP followed with an Nmap scan to determine open ports/services to see what kind of attack vectors we have available.
Lotsa stuff going on here, but let's start with the http first.
I checked around the site, the source, and robots.txt, but nothing interesting really stood out.
Time to boot up Dirb and check if there is anything to be found.
Okay, neat. We have a php admin page and some wordpress goodness going on here. Checking out the php admin page first, I couldn't really figure out too much, so it was a dead end for the moment.
Next, I checked out Wordpress.
Togie? Seems like it could be a username that could come in use, so let's store it on the backburner for now, and in the meantime run a Wpscan.
Again, not too much here. There is a vulnerability applicable to this WP version, but nothing that is really too useful for our environment, so it's time to move on and recon some more. Next stop, SMB!
Loading up enum4linux, I checked out what was available from SMB.
Sumshare on share$ looks like a good prospect to check out, so off we go!
Checking around these files, there is one that straight up contains a password.
Tucking this away for the moment, we continue onwards to the wordpress config file.
Mmm...more creds. This prompted me to head back to the php admin site and log in; however, the databases were all locked down due to configuration settings, and it seemed like this was not the path to take. Okay, then, how to proceed? Well, perhaps we can just try togie as a username and '12345' as the password for SSH?
Whenever gaining access to a shell via SSH it's always fun to at least try to "sudo -i" yourself into root, even though 9/10 it's not going to work. BUUUUUT.... This time we got super lucky AND the password was the same as togie's! (And my luggage!)
We are root and got the flag!
While this was pretty easy, it was still interesting to explore various services until we found the proper vector to take in order to gain access to the box.
Friday, November 3, 2017
Subscribe to:
Post Comments (Atom)
Powered by Blogger.
0 comments:
Post a Comment
Note: Only a member of this blog may post a comment.