Hackthebox – Paper Walkthrough

As always, we run nmap to see which ports are open and which services are running on those ports.

-sC : run default nmap scripts

-sV : enumerate service versions

The result shows that three ports are open.

  • Port 22 is for the SSH service
  • Ports 80 and 443 are for the HTTP service

We visit the HTTP service in the browser. A default test page is welcoming us.

We run nikto and spot an uncommon header that contains “office.paper”.

We add it into our hosts file.

Run a ffuf scan.

Visit the page and start enumerating.

Nick’s comment gives us a lead: we need to look into Michael’s account, especially his drafts.

Let’s run wpscan to find more information.

The version is 5.2.3.

Let’s google it to find any related vulnerability we can exploit.

https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2

According to the post, we can leak the content by adding “?static=1” to the URL.

We try it and get some disclosure successfully.
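From the defender’s side, the same “?static=1” trick that leaks drafts here is easy to spot in web server access logs. The following is an added example, not part of the original walkthrough: it parses constructed combined-format log lines and reports every request whose query string carries the “static” parameter (the payload the page uses is static=1, but any value is recorded so nothing is missed). The log lines, IPs and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined log format (not taken from the box).
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [01/Mar/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Mar/2022:10:01:09 +0000] "GET /?static=1 HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Mar/2022:10:01:15 +0000] "GET /index.php?static=1&order=asc HTTP/1.1" 200 9821 "-" "curl/7.81.0"
10.10.14.5 - - [01/Mar/2022:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Mar/2022:10:03:00 +0000] "GET /wp-content/themes/x/static.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code of a combined-format line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_static_param(target):
    """True when the request target's query string contains a 'static' parameter.

    Only the query string is inspected, so a path such as /static.css is not a hit.
    """
    query = urlsplit(target).query
    return "static" in parse_qs(query, keep_blank_values=True)


def find_static_disclosure(log_text):
    """Return one record per request that uses the 'static' query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if has_static_param(m["target"]):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "status": m["status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_static_disclosure(SAMPLE_ACCESS_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["target"]} -> {hit["status"]}')
```

A 200 response to such a request on an unpatched site is the signal worth alerting on; the real fix is updating WordPress, since the parameter is a legitimate query variable and cannot simply be blocked without side effects.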

Add the subdomain to the hosts file before navigating to it.

We create an account and login.

So, there is a chatbot that we can interact with by giving it specific commands.

Start chatting in direct message.

Let’s mess things up a bit.

There is a local file inclusion vulnerability. We need to look around the filesystem to find interesting files.

After enumerating the system, we find some credentials in a .env file.
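The chatbot’s file command is a textbook local file inclusion: user input is joined onto a directory the bot is meant to serve, and “..” or an absolute path walks out of it straight to files like the .env above. The block below is an added example, not the bot’s real code: it shows the vulnerable pattern next to a hardened resolver that canonicalises the path (following symlinks and “..”) and then refuses anything that does not sit under the sandbox root. The sandbox directory, file names and contents are constructed for the demo.

```python
import tempfile
from pathlib import Path


def resolve_unchecked(root, requested):
    """Vulnerable pattern: join the user-supplied name onto the root with no containment check.

    '../../etc/passwd' or an absolute path like '/etc/passwd' simply leaves the root.
    """
    return (Path(root) / requested).resolve()


def resolve_in_sandbox(root, requested):
    """Hardened: canonicalise first, then require the result to live strictly under root.

    resolve() follows symlinks and collapses '..', so a symlink inside the sandbox that
    points outside it is rejected as well. The root itself is not a valid file target.
    """
    root = Path(root).resolve()
    candidate = (root / requested).resolve()
    if root not in candidate.parents:
        raise PermissionError(f"refusing path outside sandbox: {requested!r}")
    return candidate


def handle_file_command(root, requested):
    """What a bot 'file <name>' handler should do with the hardened resolver."""
    try:
        path = resolve_in_sandbox(root, requested)
    except PermissionError:
        return "denied"
    if not path.is_file():
        return "not found"
    return path.read_text()


def demo():
    """Build a throwaway sandbox with one file and exercise both resolvers (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sales"
        (root / "reports").mkdir(parents=True)
        (root / "reports" / "q1.txt").write_text("Q1 numbers\n")
        return {
            "legit": handle_file_command(root, "reports/q1.txt"),
            "traversal": handle_file_command(root, "../../../../etc/passwd"),
            "absolute": handle_file_command(root, "/etc/passwd"),
            "missing": handle_file_command(root, "reports/q9.txt"),
            # The unchecked version happily resolves the traversal to a file outside root.
            "unchecked_escapes": str(resolve_unchecked(root, "../../../../etc/passwd")),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The order matters: checking for “..” as a substring before joining is the usual half-fix, and it misses absolute paths, encoded separators and symlinks. Resolving first and comparing the canonical result against the canonical root closes all of those in one check.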

Let’s ssh as user dwight.

Perfect. We are in and get the user flag.

Time to escalate our privileges to the root user. To do so, we need to enumerate the box to gather more information, so we download linpeas.sh.

Give the execution permission and run the script.

The script reveals that the system is vulnerable to CVE-2021-3560.

In other words, this is a flaw in Polkit (PolicyKit) that allows an attacker to create a new user with administrative privileges.
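Because the end result of this Polkit abuse is an ordinary new account that is immediately added to an administrative group and then used with sudo, the host’s own auth log is a good place to catch it. The block below is an added detection example, not part of the walkthrough: it correlates three events in constructed log lines that approximate what useradd, usermod and sudo write to the auth log, and flags any account that was created and made an admin in the same log window. The hostname, timestamps and PIDs are made up; the user name is the exploit script’s default mentioned later on the page.

```python
import re

# Constructed sample lines approximating shadow-utils (useradd/usermod) and sudo
# entries in /var/log/secure or the journal; not captured from the box.
SAMPLE_AUTH_LOG = """\
Mar  1 10:20:01 paper sshd[1201]: Accepted password for dwight from 10.10.14.5 port 50222 ssh2
Mar  1 10:24:37 paper useradd[1450]: new user: name=secnigma, UID=1001, GID=1001, home=/home/secnigma, shell=/bin/bash
Mar  1 10:24:37 paper usermod[1452]: add 'secnigma' to group 'wheel'
Mar  1 10:24:38 paper usermod[1455]: change user 'secnigma' password
Mar  1 10:25:02 paper sudo: secnigma : TTY=pts/0 ; PWD=/home/secnigma ; USER=root ; COMMAND=/bin/bash
"""

# Groups whose membership grants administrative rights on common distributions.
ADMIN_GROUPS = {"wheel", "sudo", "root"}

NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")
ADD_GROUP = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_ROOT = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")


def correlate_privesc(log_text):
    """Flag accounts that were created and made admin within the same log text.

    Returns the set of such accounts and the subset that went on to run a command as root.
    """
    created, elevated, escalated = set(), set(), set()
    for line in log_text.splitlines():
        if m := NEW_USER.search(line):
            created.add(m["user"])
        elif (m := ADD_GROUP.search(line)) and m["group"] in ADMIN_GROUPS:
            elevated.add(m["user"])
        elif m := SUDO_ROOT.search(line):
            escalated.add(m["user"])
    new_admins = created & elevated
    return {
        "new_admin_accounts": sorted(new_admins),
        "new_admin_used_sudo": sorted(new_admins & escalated),
    }


if __name__ == "__main__":
    for key, users in correlate_privesc(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {', '.join(users) or '-'}")
```

A legitimate admin onboarding produces the same two lines, so this is a triage signal rather than a verdict; what makes it stand out here is that the account appears with no corresponding administrator session and starts using sudo within seconds. Patching polkit removes the root cause.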

We will use a script that automates the exploitation written by secnigma.

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation

Download the script.

Changing the username and password in the script is optional, so we leave the defaults.

Run the script.

We see that the execution is successful.

Switch to the secnigma user created by the Polkit exploit and run “sudo bash”, which gives us a root shell.

Finally, get the root flag.

Thank you for your time.