Sunday, August 27, 2023

Remote VulNyx Writeup

Scanning

We scan the open ports with nmap, enabling scripts and software version detection:

Enumeration

We access the web server and find the default Apache Debian page:

Using gobuster with a large dictionary, we find the wordpress directory on the server:

We access the source code and see that the website loads a domain name:

We access WordPress and detect software versions deployed on the server:

We also enumerate the administration panel:


We confirm that the user is "tiago", so we try an automated attack with the WPScan tool, but after several minutes we don't get credentials.

I launch nmap with the http-wordpress-enum script, which shows a plugin called "gwolle-gb 1.5.3" for which exploits exist:



Exploitation

So we set up a PHP file containing a webshell so that we can execute commands from the URL:

We start a netcat listener and run a reverse shell using mkfifo:

We get the database connection credentials:

We reuse the password for the user "tiago" and manage to read the user flag:

Privilege Escalation

We run sudo -l and see that we can run the "rename" binary as the root user:

We look at the binary's help:

We see that it has the "Manual" (-m) option, so we press Enter until it lets us type, then try the classic "!sh". We manage to escalate privileges to the root user and read the flag:
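
A defender-side check for the sudo misconfiguration described in the Privilege Escalation section, as an added example that is not part of the original writeup: it scans sudoers entries for root-runnable programs that can drop into a pager or editor shell escape and lack the NOEXEC tag. The sample entries, the binary paths and the ESCAPE_CAPABLE list are constructed assumptions; the machine's real sudoers line is not shown on the page.

```python
import re

# Assumption: programs that can hand control to a pager or editor with a "!"
# shell escape. "rename" is the binary from this writeup; the rest are examples.
ESCAPE_CAPABLE = {"rename", "less", "more", "man", "vi", "vim"}

RULE = re.compile(r"^(?P<user>\S+)\s+\S+?\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

# Constructed sudoers entries for illustration, not taken from the target machine.
SAMPLE = """\
# constructed sample
tiago  ALL=(root) NOPASSWD: /usr/bin/rename
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
deploy ALL=(www-data) /usr/bin/vim
ops    ALL=(ALL : ALL) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/man
"""

def risky_sudo_rules(sudoers_text):
    """Return (user, command) pairs that run an escape-capable binary as root without NOEXEC."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Defaults and alias definitions are out of scope for this narrow check.
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m:
            continue
        # A missing Runas list means root; only the user part before ":" matters here.
        runas = (m.group("runas") or "root").split(":")[0]
        if not {u.strip() for u in runas.split(",")} & {"root", "ALL"}:
            continue
        noexec = False
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            # Tags (NOPASSWD:, NOEXEC:, ...) prefix a command and carry over to later ones.
            while (tag := TAG.match(spec)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag.group(1), noexec)
                spec = spec[tag.end():]
            binary = spec.split()[0].rsplit("/", 1)[-1] if spec else ""
            if binary in ESCAPE_CAPABLE and not noexec:
                findings.append((m.group("user"), spec))
    return findings

if __name__ == "__main__":
    for user, command in risky_sudo_rules(SAMPLE):
        print(f"{user}: {command} runs as root and can spawn a shell; add NOEXEC: or remove it")
```

The check does not expand aliases or honour a global `Defaults noexec`, so treat an empty result as a starting point rather than a clean bill of health.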