Vulnhub Aragog
Aragog
I started off like I always do and ran nmap and gobuster. We find that port 80 is open from nmap and found /blog from gobuster. upon viewing this we see that its wordpress. seeing this I try wpscan. nothing I ran wordpress_scanner in msfconsole found wp_file_manager v6.0 used CVE found on the internet for this version to exploit. uploaded reverse shell in php.
connection esstablished
found first flag in home folder for user hagrid98 used linpeas to enumerate found this
1
2
define('DB_PASSWORD', 'mySecr3tPass');
define('DB_USER', 'root');
in php files along with a backup.sh file in /opt
logged into database using
1
mysql -u root -pmySecr3tPass wordpress
then looked at what was there with SHOW TABLES; found a wp_users table
1
SHOW * FROM wp_users
and got the hash for the wp_admin hagrid | 1 | hagrid98 | $P$BYdTic1NGSb8hJbpVEMiJaAiNJDHtc. | wp-admin | hagrid98@localhost.local |
the hash was a phpass hash pasword for hagrid98 is : password123
i logged in as hagrid98 uploaded pspy to see if any background processes are running and saw that backup.sh is run by root every so often and as hagrid i can edit it i added a bash reverse shell and once root ran it bam im root and got the 2nd flag in /root