TryHackMe - All in 1 Write-up
ENUMERATION
SCANNING
Let's begin with a basic nmap scan:
nmap -A -T4 -p- <ip> -oN scan.nmap
FTP (PORT 21)
From the scan we now know that there are three ports open. We can see that FTP allows anonymous login, so let's see if we can find something interesting.
You can use the following command to log in to FTP:
ftp <ip>
Looks like there is nothing in FTP.
PORT 80
Port 80 serves the default Apache2 page.
Let's check for hidden directories.
You can use any tool you like; here we are using gobuster.
Command:
gobuster dir -u <url> -w <wordlist>
So now we know that WordPress is running.
Enumerating the WordPress site, we find a user named elyana.
Let's brute force the login.
Hmm, don't waste too much time on brute force; there is no guarantee you will find the right password.
Let's try running WPScan and see if we can find something interesting.
There is a mail-masta plugin, version 1.0, which is vulnerable.
EXPLOITATION
Looking for exploits for the plugin, we find that it is vulnerable to LFI (Local File Inclusion).
Let's try to get the config file.
You can use a PHP wrapper:
/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
Once you get the source code, decode it using base64:
base64 -d <file>
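From the defender's side, the php://filter request above leaves a very recognisable trace in the web server's access log. The following is an added example, not code from the original write-up: a small Python scanner that parses Apache combined-format log lines, URL-decodes the request target (twice, to unmask %2e%2e%2f and double-encoded forms), and flags PHP stream wrappers, ".." traversal components and requests for sensitive files such as wp-config.php. The log lines are constructed for the example; the example1.php path is taken from the post above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not taken from the
# original write-up). Line 2 mirrors the php://filter request from the post;
# line 3 is the same idea with URL-encoded traversal.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2021:10:01:09 +0000] "GET /example1.php?page=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2021:10:01:15 +0000] "GET /example1.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1802 "-" "curl/7.68.0"
10.0.0.9 - - [12/Mar/2021:10:02:40 +0000] "GET /index.php?p=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request line of the combined format: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# PHP stream wrappers that should never appear in a user-controlled include path.
WRAPPER_RE = re.compile(r'\b(?:php|data|expect|phar|zip|glob)://', re.IGNORECASE)
# A ".." path component, preceded by a separator or a parameter delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')
# Files whose disclosure hands over credentials or account data.
SENSITIVE_FILES = ("wp-config.php", "/etc/passwd", "/etc/shadow")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """URL-decode up to twice so %2e%2e%2f and double-encoded forms are unmasked."""
    decoded = target
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(target):
    """List the LFI indicators present in a request target (empty list = clean)."""
    t = decode_target(target)
    reasons = []
    if WRAPPER_RE.search(t):
        reasons.append("php-wrapper")
    if TRAVERSAL_RE.search(t):
        reasons.append("path-traversal")
    if any(f in t for f in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    return reasons


def scan_log(text):
    """Run classify() over every parseable line and collect the hits."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["target"])
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "target": rec["target"],
                "status": int(rec["status"]),  # a 200 here means the include likely succeeded
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["reasons"]), f["target"])
```

Run it against a real access.log by passing the file contents to scan_log(); a hit with status 200 on a wrapper or traversal pattern is worth an immediate look, and the same patterns can be turned into a WAF or mod_security rule. The root cause fix is in the plugin itself: an include path built from user input must be validated against an allowlist, never passed to include() directly.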
Since we got the password, we can now log in.
Let's get a reverse shell by uploading arbitrary code.
You can now set up the listener using netcat:
nc -nvlp <port>
How to access the file 404.php, where we have uploaded the arbitrary code:
Change the permalink settings to Plain if the site is using any custom settings.
You can now access the file by browsing to its URL.
PRIVILEGE ESCALATION
Let's check if there is any way to escalate privileges as www-data.
After looking for some time, we find that we can use SUID permissions to escalate privileges.
We can use the find command to list files with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
Bash has the SUID bit set, so we can run it with -p, which keeps the elevated effective UID instead of dropping it:
/bin/bash -p
BoOM!!
We belong to the root group.
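The whole privilege escalation hinges on one misconfiguration: a setuid bit on /bin/bash. The following is an added example, not code from the original write-up, showing how an administrator would catch that in a routine audit. It does the same walk as find / -perm -u=s -type f, compares every hit against an allowlist of setuid binaries that are expected on the host, and rates anything unexpected, with shells, interpreters and editors rated CRITICAL. The allowlist and the dangerous-name list are assumptions for the example; build the real baseline from a known-good image of your own distribution.

```python
import os
import stat

# Baseline of setuid binaries you would expect on a stock Debian/Ubuntu host.
# This is an assumption for the example; derive the real allowlist from a
# known-good build of your own distribution.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Shells, interpreters and editors: a setuid bit on any of these is an
# immediate root shell, exactly the case in the write-up above.
DANGEROUS_BASENAMES = {
    "bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby",
    "find", "vim", "vi", "nano", "less", "more", "env", "cp", "mv",
}

# Pseudo-filesystems that are pointless (and slow) to walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Walk `root` and return (path, mode) for regular files with the setuid bit.
    Equivalent to `find / -perm -u=s -type f`; unreadable directories are skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_mode))
    return hits


def audit(entries, expected=EXPECTED_SUID):
    """Compare (path, mode) entries against the allowlist; return rated findings,
    CRITICAL ones first."""
    report = []
    for path, mode in entries:
        if path in expected:
            continue
        base = os.path.basename(path)
        severity = "CRITICAL" if base in DANGEROUS_BASENAMES else "REVIEW"
        report.append({
            "path": path,
            "mode": oct(stat.S_IMODE(mode)),
            "severity": severity,
            "fix": f"chmod u-s {path}",  # remediation for an unexpected setuid bit
        })
    return sorted(report, key=lambda r: (r["severity"] != "CRITICAL", r["path"]))


if __name__ == "__main__":
    for r in audit(find_suid("/")):
        print(f'{r["severity"]:8} {r["mode"]} {r["path"]}  ->  {r["fix"]}')
```

Run it as root from cron or a config-management check and alert on any CRITICAL line; on the box in this write-up it would print /bin/bash with mode 0o4755 and the chmod u-s fix. Keeping the expected set in version control also makes a newly appearing setuid file stand out as a change rather than background noise.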