Blogger

Source: Proving Grounds
OS: Linux
Community Rating: Hard (I don't know how, this was really easy)

Enumeration & Reconnaissance

  • I began, as usual, with autorecon, which revealed two open ports:

    • SSH (22)

    • HTTP (80)

Service Analysis

  • A visit to the HTTP service showed a programmer’s personal site, nothing exciting at first. I proceeded with the usual checks (robots.txt, etc.) while letting fuzzers run in the background.

[Screenshot: the "Programmer/Blogger" site]
  • The fuzzers revealed an "assets" folder. Upon checking that folder, I found a WordPress site located under /assets/fonts/blog/

[Screenshot: /assets/fonts directory]
  • While examining the blog, I noticed it referenced the hostname blogger.pg, so I added an entry for it to /etc/hosts so that the name resolved to the target.

  • Running wpscan in its default mode didn’t turn up any plugins; switching to aggressive plugin detection (--plugins-detection aggressive) exposed two plugins.

  • Additionally, two WordPress users were discovered during the scan. I started a password brute-force against those two users while checking the identified plugins for known vulnerabilities.

Gaining Initial Access

  • The vulnerable plugin, wpdiscuz, turned out to be the key.

  • A known CVE in that plugin allowed me to upload a web shell. My first attempts to execute commands through the PoC failed, most likely because of how that PoC sends the command; the file itself had been uploaded fine, though. Using the uploaded shell directly, I obtained a reverse shell on the target.

[Screenshot: PoC shell upload]
[Screenshot: using the uploaded shell]
  • With that foothold, I checked wp-config.php for credentials and found the database user root with the password sup3r_s3cr3t. These credentials didn’t work on any other service I tested.

Privilege Escalation

  • Once I had a foothold, I ran linpeas.sh to check for privilege escalation opportunities. The process was almost too easy.

  • I discovered the user vagrant, which was still using the default password "vagrant". Switching to this account was a no-brainer. Even better, the vagrant user was allowed to run every command through sudo without a password prompt (a NOPASSWD rule in sudoers), so a quick sudo -i landed me straight in a root shell.

[Screenshot: privilege escalation to root]

Lessons Learned

  • Thorough Scanning: Using aggressive detection modes with tools like wpscan can reveal installed plugins, and therefore vulnerabilities, that a default scan misses.

  • Default Credentials: The discovery of the vagrant user with its default password highlights the risks of leaving default credentials in place.

  • Over-Privileged Accounts: A misconfigured sudoers file (here, passwordless sudo for all commands) can turn a low-privilege foothold into a full system compromise.
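A small check for the sudoers half of these lessons, added here as an example and not taken from the write-up or from the lab: it flags rules that grant NOPASSWD on ALL commands (the pattern that made sudo -i free for vagrant) and ignores rules that limit NOPASSWD to specific binaries. The sudoers content it scans in the demo is constructed inline; on a real host point it at /etc/sudoers and /etc/sudoers.d/* as root.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Flags sudoers rules that
# grant NOPASSWD on ALL commands, the misconfiguration that let "sudo -i"
# hand vagrant a root shell. The sample rules below are constructed for the demo.
set -u

# Print every rule in the given sudoers file(s) whose command list contains
# "NOPASSWD: ALL" (user or %group rules). Comments, blank lines, Defaults
# and alias definitions are skipped; a rule that restricts NOPASSWD to
# specific commands is not flagged. Exit status 1 means nothing was flagged.
find_nopasswd_all() {
    grep -hvE '^[[:space:]]*(#|Defaults|(User|Runas|Host|Cmnd)_Alias)|^[[:space:]]*$' "$@" \
        | grep -E 'NOPASSWD:[[:space:]]*ALL[[:space:]]*(,|$)' \
        | sed 's/^[[:space:]]*//'
}

# Constructed sample: the weak rule next to acceptable alternatives.
#   vagrant - passwordless sudo for everything: flagged
#   deploy  - passwordless sudo for one service restart only: not flagged
#   ops     - full sudo, but a password is still required: not flagged
#   %admin  - same weakness as vagrant, granted to a group: flagged
write_sample() {
    cat > "$1" <<'EOF'
# /etc/sudoers.d/vagrant (sample, constructed for this example)
Defaults env_reset
vagrant ALL=(ALL) NOPASSWD: ALL
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app.service
ops ALL=(ALL) ALL
%admin ALL=(ALL) NOPASSWD: ALL
EOF
}

# Demo: scan the sample file. On a real host run (as root):
#   find_nopasswd_all /etc/sudoers /etc/sudoers.d/*
demo() {
    local tmp
    tmp=$(mktemp)
    write_sample "$tmp"
    find_nopasswd_all "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see only the vagrant and %admin lines reported. The fix for a rule it flags is either to drop NOPASSWD (ops style) or to narrow it to the exact commands an automation account needs (deploy style); a default-password account such as vagrant should of course not exist on anything that is not a throwaway VM.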
