The previous article got us the first key. For the second key we needed to move a notch higher into the system. We had a loot.dic, and since the web application was the only thing facing us so far, the best option was to brute-force it.

root@mth3l3m3nt:~# wpscan -u http://192.168.238.101/ -U hacker123 -w ~/loot.dic -t 16

This gives us the password to the web application; we already have the username from when we handled key 1, as shown below:

Bruteforce wordpress using wpscan
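
Seen from the defender's side, a brute force like the one above shows up in the web server's access log. The following is an added example, not part of the original write-up: it flags the burst and whether a guess succeeded, assuming common log format and attempts against wp-login.php, where WordPress answers a failed login with 200 and a successful one with a 302 redirect. The log lines, IPs, and the function name `detect_bruteforce` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, sec, status):
    # Build one constructed access-log line (common log format).
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 512')

# Constructed sample log; the IPs are made up, not taken from the write-up.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, 200) for s in range(8)]   # burst of failed guesses
    + [_line("10.0.0.5", 8, 302)]                    # the guess that worked
    + [_line("10.0.0.9", 20, 200), _line("10.0.0.9", 25, 302)]  # typo, then login
)

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert on IPs with >= threshold failed wp-login POSTs inside window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    totals = defaultdict(int)    # ip -> all failed attempts seen
    alerts = {}                  # ip -> alert record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "200":          # form re-rendered: login failed
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(ip, {"ip": ip, "first_seen": q[0], "success_at": None})
        elif m["status"] == "302" and ip in alerts and alerts[ip]["success_at"] is None:
            alerts[ip]["success_at"] = ts  # redirect: a guess was accepted
    for ip, alert in alerts.items():
        alert["failures"] = totals[ip]
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

An alert with `success_at` set means the account's password should be rotated and the theme and plugin files checked for modification.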

Now that we have the username and password, it becomes easier to pivot into the server itself. WordPress offers a number of avenues for gaining a shell on the system:

  • Edit an existing plugin or theme’s code and insert a minimal shell.
  • Upload a PHP shell via the add new plugin function – access will be in the wp-content/plugins folder.
  • Upload a PHP shell to the media library – access will be in the wp-content/uploads folder.

The first shell is a minimal test to get a feel for the server. I edited the theme to add it, as shown below, using mth3l3m3nt as the controller.

Infect Theme File

Add host to mth3l3m3nt

Check if it works and voila

Needing more persistence, however, it became easier to have a shell that can connect back to Meterpreter. For this we simply generate a shell with msfvenom and set up a listener in Metasploit to receive it.

Generate PHP shell using metasploit venom

Infect wordpress hello plugin with metasploit shell

PHP meterpreter success

The only problem so far is that, after dropping to a shell, we realize we are still the user daemon:

Daemon user can't read key 2 of 3 which is in the home folder

We notice, however, that password-raw.md5 is readable to us, and we get a hash from it. We can crack this easily:

Cracked Chicken's password using hashkiller

After this, the one thing left is to read the file as chicken. In our Meterpreter shell we drop to a native shell, where we are daemon, and run the command below:

su -c "cat /home/chicken/key-2-of-3.txt" -s /bin/sh chicken

Get the second key

Decode the second key

One key takeaway from this was “pay attention to detail”. Missing the permissions difference between the two files in chicken’s folder would leave one unable to predict what is required to complete it. Voila, the second key is:

BrightheartschickenAfricaHackonKey2
