Wordy writeup


Wordy

Author: raj chandel

Nmap

Only one port is open, so we'll just start enumerating that.


HTTP

Okay, so there is a WordPress website there.

Since it's WordPress, I ran wpscan on it and found 7 vulnerabilities and 2 users.

Along with those, there were several other vulnerable plugins. I noticed that there was a vulnerability in Site Editor.

I tested it using the PoC mentioned in "Wordpress Plugin Site Editor 1.1.1 - Local File Inclusion" on Exploit-DB, and it worked.

I tried a few things to get RCE via the LFI, but that didn't work. Then I decided to go through the other vulnerabilities that wpscan found, and I noticed that Reflex Gallery had an arbitrary file upload vuln.

I used Metasploit to exploit that vulnerability and got a shell.

Then I read the user flag.


Privilege escalation

I downloaded the enumeration script and ran it to see if I could find something interesting to exploit. To my surprise, I found 2 SUID files, both of which can be used in some way to get the root flag.

I used gtfo to search for cp and wget on GTFOBins.

Obviously, we can just copy the flag out of the /root directory.

Method 1

Getting the root flag

  • cd /tmp
  • cp -ir /root .
    • This will ask whether you want to overwrite the files, which reveals the filenames

  • cp /root/proof.txt /dev/tty

Thanks to @theart42 for showing me this method.

Method 2

Copying and editing a new /etc/passwd

Since cp is SUID, we can just use it to copy a new /etc/passwd into place.

  • cd /tmp
  • cat /etc/passwd > passwd
  • echo "toor:sXuCKi7k3Xh/s:0:0::/root:/bin/bash" >> passwd
  • cp passwd /etc/passwd

Method 3

Use Hacking Articles' method, which is similar to Method 2.
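From the defender's side, this privesc path leaves two artefacts on the host: a SUID cp/wget, and an extra UID-0 row (with an inline hash) in /etc/passwd. The following is an added example, not part of the original writeup, that flags both; the SUID scan output and passwd contents are constructed samples, and the never-SUID list is an assumed baseline.

```python
"""Host checks for the two artefacts of this box's privesc path (added example)."""

# Binaries that should never carry the SUID bit on a hardened host. cp and wget
# are the two the writeup found; the rest of the list is an assumed baseline.
NEVER_SUID = {"cp", "wget", "mv", "vim", "python", "perl", "find"}

# Constructed sample of `find / -perm -4000 -type f 2>/dev/null` output.
SUID_SCAN = """/usr/bin/passwd
/usr/bin/sudo
/bin/cp
/usr/bin/wget
"""

# Constructed /etc/passwd; the last row is the one Method 2 appends.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:sXuCKi7k3Xh/s:0:0::/root:/bin/bash
"""

def unexpected_suid(scan_output: str) -> list[str]:
    """Return SUID paths whose basename is on the never-SUID list."""
    hits = []
    for line in scan_output.splitlines():
        path = line.strip()
        if path and path.rsplit("/", 1)[-1] in NEVER_SUID:
            hits.append(path)
    return hits

def suspicious_passwd(passwd_text: str) -> list[tuple[str, str]]:
    """Return (username, reason) pairs for passwd rows that need review.

    Flags a second UID-0 account, an empty password field (login without a
    password), and a password field that is not the shadow placeholder,
    which means a hash was written straight into /etc/passwd.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((user, "extra UID 0 account"))
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in ("x", "*", "!", "!!"):
            findings.append((user, "password hash stored in /etc/passwd"))
    return findings
```

On a live host, feed it the real `find` output and `/etc/passwd` contents instead of the constructed samples.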


This was a beginner level machine with some really good rabbit holes.

Thanks to rajchandel for making this machine.


Thanks for reading. Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”.