* Target IP (192.168.126.131)
The VM is set up with host-only networking in VMware Workstation. I identified the IP address with a ping sweep.
* Full Scan (nmap)
Used nmap for a full scan and discovered ports 21, 22 and 80.
* I took a quick look at port 80 to see what kind of web app was presented. I did not see much, so I went on to directory enumeration with DIRB.
Looks like there is a WordPress app in the weblog directory. Let's use the usual credentials to see if it will log me in: admin:admin
Ok, that worked. Did more searching while looking around in WordPress. Checked out more directories and did a NIKTO scan.
Ah, "try harder", still have nightmares. Anyway, trying more scans, I used the tool WPSCAN to see if there were any vulns for the WordPress app.
The scan picked up a Slideshow Gallery file upload vulnerability. I will try to upload a webshell through it. Once uploaded, I just need to start a meterpreter listener on port 5555. I created a PHP meterpreter webshell with MSFVENOM for port 5555 and named it agoonie.php. Browsing to it should make the server execute it.
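The upload step works because the gallery plugin stores whatever file name and content it is handed inside the web root, so the server later runs agoonie.php as PHP. The following validator is an added example (not the plugin's code and not the vendor's fix) of the checks an upload handler needs to reject that case: an allow-list of extensions, no executable extension anywhere in the name, magic bytes that match the claimed type, and a random stored name. The `ALLOWED` and `EXECUTABLE_HINTS` tables and the sample bytes are this example's own assumptions.

```python
import os
import secrets

# Allowed image types and the magic bytes each must start with.
# These tables are this example's assumptions, not the plugin's rules.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that must not appear anywhere in the name (shell.php.png included):
# some web server configs hand any ".php" segment to the interpreter.
EXECUTABLE_HINTS = {".php", ".phtml", ".php5", ".phar"}


def validate_upload(filename, data):
    """Return (accepted, reason_or_stored_name).

    The stored name is random and keeps only the allow-listed extension,
    so the client never chooses the name the file is served under.
    (The caller should still write it outside the web root.)
    """
    base = os.path.basename(filename)          # drop ../ and any directories
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:         # "noext" or ".htaccess"
        return False, "no extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False, f"extension {ext} not allowed"
    if any("." + p in EXECUTABLE_HINTS for p in parts[1:]):
        return False, "executable extension embedded in name"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match claimed type"
    return True, secrets.token_hex(16) + ext


def demo():
    """Run the validator over constructed sample uploads (not real captures)."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8          # constructed PNG header
    php = b"<?php echo 'constructed sample'; ?>"      # constructed PHP body
    return {
        "pic.png": validate_upload("pic.png", png),
        "agoonie.php": validate_upload("agoonie.php", php),
        "shell.php.png": validate_upload("shell.php.png", png),
        "fake.png": validate_upload("fake.png", php),
        "../../evil.png": validate_upload("../../evil.png", png),
    }


if __name__ == "__main__":
    for name, (ok, info) in demo().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {info}")
```

Only the genuine PNG is accepted, and it comes back under a random name; the webshell is rejected on extension, the double-extension variant on the embedded `.php`, and the PHP body with a `.png` name on the magic-byte mismatch.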
Looks like that worked. Now, to find out the usual information about the server. It will help when I am trying for privilege escalation.
I can see two users to keep a look out for, stinky and mrderp. They have home directories that I cannot access yet. Let's look at some config files to see what credentials we may find.
We have credentials, but they did not work for the WordPress app. Well, we saw phpMyAdmin and we have creds for that. Let's do the usual digging there.
I looked around at the tables and made notes. Let's try the root account for phpmyadmin.
We have hashes! Let's try to decode them for more passwords. Well, we have 'unclestinky'.
Well we have the second flag and it is Mexico. I could not get the second hash. Some day I will build a dedicated password cracking machine like the OffSec guys build. Some day ...
We see more flag2 hashes. We have that one already. Let's do more digging around. Looks like more hashes. We have root, unclestinky and phpmyadmin to check out.
Let's try 'unclestinky'.
Looked around for new info. Nothing really stands out. Now that we have another credential for 'unclestinky', we should try FTP and SSH.
Ok. Checking out the files. Looks like the credentials belong to sysadmins. That's good. This key looks like the SSH key to log in. Of course, it still requires a password, so that's a fail. Well, we know there is a packet capture somewhere that we need to find. Let's go back to our meterpreter session.
Well, let's see if I can just switch to stinky with the creds.
We have our third flag! We'll take note of it and keep digging.
Oooookkkkk, so Wireshark captured the creation of the mrderp account with its password, derp x 7.
Well, time to switch to mrderp??
Hmm, helpdesk.log has some info on sudoers. Let's check the helpdesk log for mrderp (pastebin URL: https://pastebin.com/RzK9WfGw ).
So the user can sudo as long as the command comes from the binaries directory. Wait, but there is no binaries directory. Well, time to create one.
So we have the directory created. Time to make a command to sudo. I figured I'd just make a command that opens a shell, which would then have root permissions.
Alrighty, command set. Let's sudo! We have root anddddd the fourth flag.
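The root of this escalation is a sudoers rule whose command path lives under a directory the sudo user owns, and which did not even exist yet, so the user could create both the directory and the "command". A sudoers audit catches that class of mistake before anyone creates the binaries directory. The script below is an added example (not a tool from the walkthrough): it parses the common `user HOST=(runas) [TAG:] cmd, cmd` rule form, and for each command path reports whether the path is missing and whether the deepest existing ancestor is owned by the sudo user or world-writable. `SAMPLE_SUDOERS`, the staged directory tree and the uid mapping are constructed for the demo; `root=` lets the check run against a staged tree instead of the live filesystem.

```python
import os
import re
import stat
import tempfile

# Constructed sudoers-style content mirroring the walkthrough's situation;
# not the VM's real file.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
stinky  ALL=(ALL) NOPASSWD: /usr/bin/systemctl status, /usr/bin/systemctl restart apache2
"""

# user  HOST=(runas)  [TAG:] command list   (only this common form is handled)
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def parse_rules(text):
    """Return (user, command) pairs, one per comma-separated command spec."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, cmds = m.groups()
        for cmd in cmds.split(","):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            if cmd:
                rules.append((user, cmd))
    return rules


def audit_command(cmd, user_uid, root="/"):
    """Findings for one command spec, checked against the tree under `root`."""
    if cmd == "ALL":
        return ["grants ALL commands"]
    findings = []
    path = cmd.split()[0]                      # ignore argument restrictions
    if any(ch in path for ch in "*?["):
        findings.append("wildcard in command path")
        path = os.path.dirname(path)           # audit the directory it globs in
    real = os.path.join(root, path.lstrip("/"))
    if not os.path.exists(real):
        findings.append(f"{path} does not exist")
    # Walk up to the deepest existing ancestor: whoever can write there can
    # create or replace the command sudo will run.
    probe = real
    while not os.path.exists(probe):
        probe = os.path.dirname(probe)
    rel = os.path.relpath(probe, root)
    shown = "/" if rel == "." else "/" + rel
    st = os.stat(probe)
    if st.st_uid == user_uid:
        findings.append(f"{shown} is owned by the sudo user")
    elif st.st_mode & stat.S_IWOTH:
        findings.append(f"{shown} is world-writable")
    return findings


def audit(text, uid_of, root="/"):
    """Map user -> [(command, findings)] for every rule with findings."""
    report = {}
    for user, cmd in parse_rules(text):
        findings = audit_command(cmd, uid_of.get(user, -1), root)
        if findings:
            report.setdefault(user, []).append((cmd, findings))
    return report


def demo():
    """Stage a fake tree: /home/mrderp exists (owned by us), binaries/ does not."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "home/mrderp"))
    os.makedirs(os.path.join(root, "usr/bin"))
    ctl = os.path.join(root, "usr/bin/systemctl")
    open(ctl, "w").close()
    os.chmod(ctl, 0o755)
    os.chmod(os.path.join(root, "home/mrderp"), 0o755)
    me = os.getuid()
    # mrderp is "us"; stinky gets a uid we do not own so its rule looks clean.
    return audit(SAMPLE_SUDOERS, {"root": 0, "mrderp": me, "stinky": me + 1}, root)


if __name__ == "__main__":
    for user, items in demo().items():
        for cmd, findings in items:
            print(f"{user}: {cmd}\n    - " + "\n    - ".join(findings))
```

Run against a real box with `audit(open("/etc/sudoers").read(), {u: pwd.getpwnam(u).pw_uid ...})`; the mrderp rule is flagged three times (wildcard, missing path, user-owned ancestor), while stinky's systemctl rule is quiet because /usr/bin is neither hers nor world-writable. The fix on the defending side is the usual one: point sudoers only at root-owned, non-writable absolute paths.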
Well, if you want all the flags decoded, here you go:
AB0BFD73DAAEC7912DCDCA1BA0BA3D05 md5 flag1
07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb sha256 Brazil
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd sha256 United States