All in One

This is a fun box where you get to exploit the system in several ways. There are a few intended and unintended paths to user and root access.

Reconnaissance

Let's start with a quick nmap scan:

nmap -sC -sV -oN nmap/quick 10.10.199.82

With the quick scan we found the following open ports:

  • Port 21 - vsftpd 3.0.3 with anonymous access

  • Port 22 - OpenSSH 7.6p1

  • Port 80 - Apache/2.4.29

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 11:42 EST
Nmap scan report for 10.10.199.82
Host is up (0.038s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.14.3.75
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.88 seconds
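To turn the normal-format (-oN) scan output above into something you can triage or diff between runs, here is a small parser. This is an added example, not part of the original writeup: it embeds the scan output shown above as its sample input, pulls out each port with its state, service, version and NSE script results, and then runs a defender-side triage pass that flags the anonymous FTP login and the plain-text FTP control channel the ftp-syst script reported. (For production tooling, nmap's XML output via -oX is easier to parse; this example sticks to the format the writeup actually used.)

```python
import re
from typing import Dict, List, Tuple

# Sample input: the normal-format nmap output from the quick scan above,
# embedded here so the parser runs offline.
NMAP_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-27 11:42 EST
Nmap scan report for 10.10.199.82
Host is up (0.038s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.14.3.75
|      Logged in as ftp
|      Control connection is plain text
|      Data connections will be plain text
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "21/tcp open  ftp     vsftpd 3.0.3" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Top-level NSE script line: "| name: value" or "|_name: value".
# Indented continuation lines ("|   2048 e2:...") deliberately do not match.
SCRIPT_RE = re.compile(r"^\|[_ ]([\w-]+):\s*(.*)$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_nmap(text: str) -> Dict:
    """Parse nmap -oN output into {'host': str, 'ports': [dict, ...]}."""
    scan: Dict = {"host": None, "ports": []}
    current = None       # port record currently being filled
    last_script = None   # script whose continuation lines we are appending
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            scan["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": {},
            }
            scan["ports"].append(current)
            last_script = None
            continue
        if current is not None and line.startswith("|"):
            m = SCRIPT_RE.match(line)
            if m:
                last_script = m.group(1)
                current["scripts"][last_script] = m.group(2).strip()
            elif last_script is not None:
                # continuation line of a multi-line script result
                current["scripts"][last_script] += "\n" + line.lstrip("|_ ").rstrip()
    return scan


def review_findings(scan: Dict) -> List[Tuple[int, str]]:
    """Defender-side triage of the parsed scan: exposures worth a ticket."""
    findings = []
    for p in scan["ports"]:
        if p["state"] != "open":
            continue
        if "Anonymous FTP login allowed" in p["scripts"].get("ftp-anon", ""):
            findings.append((p["port"], "anonymous FTP login enabled"))
        if "Control connection is plain text" in p["scripts"].get("ftp-syst", ""):
            findings.append((p["port"], "FTP control channel is plain text; credentials are observable on the wire"))
        if p["scripts"].get("http-title", "").startswith("Apache2 Ubuntu Default Page"):
            findings.append((p["port"], "default Apache page served; the web root still holds unlisted content"))
    return findings


if __name__ == "__main__":
    result = parse_nmap(NMAP_OUTPUT)
    for p in result["ports"]:
        print(f"{p['port']}/{p['proto']} {p['state']} {p['service']} {p['version']}")
    for port, msg in review_findings(result):
        print(f"[!] port {port}: {msg}")
```

The parser keys each port's script results by script name, so a second scan of the same host can be compared field by field (new port, changed banner, anonymous FTP newly enabled) instead of diffing raw text.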

Let's start a full scan in the background, just to make sure nothing is missed.

No new open ports found.

Enumeration

Let's start at the top of the list.

Explore FTP

Connect to ftp as 'anonymous' and view the files served.

ls -al shows nothing, so this looks like a dead end.

Explore HTTP

Run gobuster to reveal the directory structure.

  • /wordpress/

  • /Hackaton/

wordpress

Inspecting the WordPress site:

WordPress version: 5.1.1

Username could be elyana

Viewing the source of /hackaton/ reveals the string: Dvc W@iyur@123

KeepGoing

WPscan

Found 2 plugins:

  • mail-masta 1.0

  • reflex-gallery 3.17

Mail-masta 1.0 exploits found: LFI and SQLi

Local File Inclusion

The LFI returns the passwd file and confirms the user elyana; next, let's look for wp-config.php.

Exploitation

hydra -l elyana -P /usr/share/wordlists/rockyou.txt 10.0.94.83 -V http-form-post '/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log in&testcookie=1:S=Location'
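Both the LFI step above and this hydra run leave very recognisable traces in the Apache access log, so here is the detection side of both, written as an added example rather than anything from the original writeup. It parses combined-format access-log lines, flags requests whose (URL-decoded) target contains traversal or /etc/passwd indicators, and flags any source IP that POSTs to wp-login.php more than a threshold number of times inside a sliding window. The log lines are constructed for the example: the IPs, timestamps and the generic ?p= parameter are placeholders and do not correspond to the plugin endpoint or hosts in this box.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Strings that, after URL decoding, indicate a traversal / file-read attempt.
LFI_INDICATORS = ("../", "..\\", "/etc/passwd")


def _constructed_log() -> str:
    """Constructed sample log: two LFI probes and a login burst from one IP."""
    lines = [
        '10.9.0.5 - - [27/Feb/2021:11:45:02 -0500] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '10.9.0.5 - - [27/Feb/2021:11:45:40 -0500] "GET /wordpress/?p=../../../../etc/passwd HTTP/1.1" 200 1950 "-" "Mozilla/5.0"',
        '10.9.0.5 - - [27/Feb/2021:11:46:01 -0500] "GET /wordpress/?p=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1950 "-" "Mozilla/5.0"',
        '10.9.0.7 - - [27/Feb/2021:11:47:10 -0500] "POST /wordpress/wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
    ]
    # 30 login POSTs in 30 seconds from one source: what a wordlist run looks like.
    for i in range(30):
        lines.append(
            f'10.9.0.5 - - [27/Feb/2021:11:50:{i:02d} -0500] '
            f'"POST /wordpress/wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0 (Hydra)"'
        )
    return "\n".join(lines)


CONSTRUCTED_LOG = _constructed_log()


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def find_lfi_attempts(events: List[Dict]) -> List[Tuple[str, str]]:
    """(ip, raw target) for requests whose decoded target carries LFI indicators."""
    hits = []
    for e in events:
        decoded = unquote(unquote(e["target"]))  # also catches double-encoding
        if any(ind in decoded for ind in LFI_INDICATORS):
            hits.append((e["ip"], e["target"]))
    return hits


def find_login_bursts(events: List[Dict], threshold: int = 20,
                      window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, int]]:
    """(ip, peak count) for IPs with >= threshold wp-login.php POSTs in any window."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        path = e["target"].split("?", 1)[0]
        if e["method"] == "POST" and path.endswith("/wp-login.php"):
            per_ip[e["ip"]].append(e["ts"])
    bursts = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):       # sliding window over sorted times
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((ip, peak))
    return bursts


def analyze(log_text: str) -> Dict:
    """Run both detections over a block of access-log text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "events": len(events),
        "lfi": find_lfi_attempts(events),
        "bruteforce": find_login_bursts(events),
    }


if __name__ == "__main__":
    report = analyze(CONSTRUCTED_LOG)
    print(f"parsed {report['events']} events")
    for ip, target in report["lfi"]:
        print(f"[LFI] {ip} -> {target}")
    for ip, count in report["bruteforce"]:
        print(f"[BRUTE] {ip}: {count} login POSTs within 60s")
```

The threshold and window are deliberately arguments: a site with a real login page will see legitimate retries, so tune them against a baseline before alerting, and pair the burst rule with rate limiting or lockout on wp-login.php rather than relying on detection alone.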

Collect
