Vulnhub - WestWild 2 writeup
Author: Hashim Alsharef
There are only two ports open. We’ll start our enumeration with HTTP (port 80).
CMS Made Simple was running with version
I used gobuster to enumerate this and there were a lot of directories.
admin/ I found a directory listing named
This directory had two files named
I used Burp Suite’s Intruder to brute-force the login for the CMS. The username list was small, so I decided to use the username that made sense to me, i.e. west, because of the name of the machine. With the username set to west I loaded the password list into Intruder and started the attack. After waiting for a while I found the creds, so my hunch about the username was right.
I logged in with those credentials and found that there was a plugin installed named
I searched for it with searchsploit and found a Metasploit module for it.
I ran msfconsole and used that exploit with the following options:
With this I got the reverse shell.
Horizontal Privilege Escalation
Since we are in the system now, I downloaded the enumeration script and ran it. With that I found that one of the files was marked as
I ran the command network_info to see what that binary does.
So it does what the name says, it prints the output of
We can run cat /bin/network_info to confirm that.
Usually we can simply make a new file named ifconfig with a shell in it and then run the command to get a root shell. That works because the absolute path of ifconfig is not given in the binary, so it is resolved through PATH. We can make a fake ifconfig file and then run network_info to get a privileged shell.
In the /tmp folder run the following commands:
echo "/bin/sh" > ifconfig
chmod +x ifconfig
Now run network_info and we’ll have a shell for
Vertical Privilege Escalation
So now we had access to the wside home directory, so I made a new folder named .ssh and added my public key to the authorized_keys file; this way I was able to log in via SSH.
Then @DCAU7 found out that wside has write access to the /etc/passwd file, so basically we can edit that file and add a new user who will have root access.
This can be found by running
find / -user wside -type f 2>/dev/null
I added the following line to
This entry means that we are adding a new user named toor whose password is also toor.
Once we run su toor and enter toor as the password we’ll get the flag.
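A defensive counterpart to the /etc/passwd trick above, as an added example that is not part of the original writeup: a small Python audit that flags what the extra toor entry leaves behind (a second UID 0 account and a password hash stored directly in /etc/passwd instead of /etc/shadow) and checks that the file is root-owned and not writable by group or others. The sample passwd content and the hash value are constructed placeholders.

```python
import stat

# Constructed sample /etc/passwd showing the tampering the writeup describes:
# an extra UID-0 account whose (placeholder) hash sits directly in field 2,
# so it is checked without ever consulting /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
wside:x:1000:1000:wside:/home/wside:/bin/bash
toor:$1$constructed$placeholderhash0000000:0:0::/root:/bin/bash
"""

def audit_passwd_entries(text):
    """Return (line_no, user, reason) findings for suspicious passwd entries."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, line, "malformed entry, expected 7 fields"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if not uid.isdigit():
            findings.append((n, user, "non-numeric UID"))
            continue
        # "x" defers to /etc/shadow; "*", "!" and "!..." mark locked accounts.
        if pw == "":
            findings.append((n, user, "empty password field"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            findings.append((n, user, "password hash stored in /etc/passwd"))
        if int(uid) == 0 and user != "root":
            findings.append((n, user, "additional UID 0 account"))
    return findings

def audit_passwd_perms(st_mode, st_uid):
    """Check an os.stat()-style mode and owner UID (expected: root, 0644)."""
    findings = []
    if st_uid != 0:
        findings.append("not owned by root (uid %d)" % st_uid)
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings

if __name__ == "__main__":
    import os
    for f in audit_passwd_entries(SAMPLE_PASSWD):
        print("line %d: %s: %s" % f)
    st = os.stat("/etc/passwd")
    print(audit_passwd_perms(st.st_mode, st.st_uid) or ["/etc/passwd perms OK"])
```

On the box in the writeup the permissions check is what would have caught the issue: a wside-owned /etc/passwd reports "not owned by root".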
This was a nice box, even though we had some issues at the start because the original VM had problems with the network_info file we found in the horizontal privilege escalation phase. But all in all it was pretty good.
Thanks for reading, feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.