CTF - LazyAdmin


Description from Author:

Difficulty: Beginner — Intermediate

Boot2root created out of frustration from failing my first OSCP exam attempt.

Aimed at:

> Teaching newcomers the basics of Linux enumeration
> Myself, I suck with Linux and wanted to learn more about each service whilst creating a playground for others to learn

Methods used:

  • Dirb
  • enum4linux
  • wpscan
  • Hydra
Thoughts:

There are probably different methods of getting root, however I didn’t want to waste countless hours going down a rabbit hole that may not lead me anywhere. Peeking at the dirb results, I could see that there were PHP/WordPress sites. Let’s start and I’ll try my best to explain my train of thought.

Nmap

I typed nmap -sV 192.168.56.4 -p- -oG nmap.txt to see which ports are currently open on the box, saving the output in greppable format.

We can see a number of open ports, which gives us a lot of options to try. My immediate thought was to have a look at port 80 to see what the site content holds.

Let’s have a look at the contents now by browsing to 192.168.56.4 in Firefox.

WEB BROWSER

Browsing the site, I wasn’t able to click on anything. The source code didn’t give me anything interesting either.

Dirb

I ran a web vulnerability scanner against the website to see if there is anything that I can work with. I typed in dirb http://192.168.56.4 > dirb.txt and then cat the file to see the contents.

From the above screenshot we can see that there are php / wordpress / javascript directories. Let’s have a look at these.

WordPress

From the above screenshot we can see a simple WordPress site. Some text states that the person who created this is named togie.

After clicking around some more, I couldn’t actually find anything interesting. There is a login page, but I don’t know the password.

I decided to use wpscan to scan the WordPress site to see if there are any vulnerabilities.

WPSCAN

I typed in wpscan --url http://192.168.56.4/wordpress --wordlist /usr/share/wordlists/rockyou.txt --username togie

Towards the end of the scan, we can see that it is trying to bruteforce with the username togie. Let’s let that run and see what we can find.

Mid thought:

As we can see, there are a lot of different avenues we can take with WordPress. I don’t want to go down this rabbit hole. Also, from the dirb results, we can see /phpadmin which we could also exploit.

From just port 80 we can confirm that there are different methods worth trying.

I’m going to try and probe the SAMBA port to see if there is anything there.

HYDRA

My immediate thought is to bruteforce this password. I checked back on the WordPress bruteforce and it was taking ages.

I typed in hydra -l togie -P /usr/share/wordlists/rockyou.txt 192.168.56.4 ssh

Managed to get the password: 12345
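From the defender’s side, the brute force above leaves a characteristic trail in sshd’s auth log: a burst of "Failed password" lines for one user from one source, followed by an "Accepted password" for the same pair. The following Python is an added example (not part of the original writeup) that parses constructed log lines in that format and flags both the burst and the success that follows it; the host name, source IPs, timestamps and the assumed year are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not from the original post).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 lazyadmin sshd[1201]: Failed password for togie from 192.168.56.3 port 50110 ssh2
Mar 10 12:00:01 lazyadmin sshd[1202]: Failed password for togie from 192.168.56.3 port 50111 ssh2
Mar 10 12:00:02 lazyadmin sshd[1203]: Failed password for togie from 192.168.56.3 port 50112 ssh2
Mar 10 12:00:02 lazyadmin sshd[1204]: Failed password for togie from 192.168.56.3 port 50113 ssh2
Mar 10 12:00:03 lazyadmin sshd[1205]: Failed password for togie from 192.168.56.3 port 50114 ssh2
Mar 10 12:00:03 lazyadmin sshd[1206]: Accepted password for togie from 192.168.56.3 port 50115 ssh2
Mar 10 12:05:00 lazyadmin sshd[1300]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Mar 10 12:30:00 lazyadmin sshd[1310]: Accepted password for togie from 10.0.0.9 port 40002 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_events(log_text, year=2024):
    """Return (timestamp, result, user, ip) tuples. Syslog omits the year, so it is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside the window,
    and upgrade the alert if a login is then accepted for the same pair."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in sorted(events, key=lambda e: e[0]):  # stable: log order kept on ties
        key = (ip, user)
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold:
                alerts.setdefault(key, "bruteforce_in_progress")
        elif len(recent) >= threshold:
            alerts[key] = "bruteforce_succeeded"
    return alerts
```

The same logic works on a real /var/log/auth.log by feeding its text to parse_events; tune threshold and window_seconds to the environment, since a legitimate user mistyping a password a few times should not trip it.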

SSH

My next thought is to log on to SSH with the password. I ran ssh togie@192.168.56.4 and entered the password.

I typed in id and whoami to see which groups I am in. Again, we can see that sudo is present.

I typed in sudo -i and provided the password 12345. I cat proof.txt and obtained the flag!

Final Thoughts:

This was an easier one. I bet I could go down the PHP/WordPress rabbit holes, however I might do that another time. I am running through these VMs because I will be attempting the OSCP this year and I want to get as much practice in as possible.

The more I fall for these rabbit holes, the more time I waste. I could have had the bruteforce running in the background while probing PHP/WordPress though. I also don’t want to be using Metasploit as often because I will only be allowed to use it once during the exam.

I want to try and use msfvenom on my next one.

Until next time byeeeee rihhh