Hacker Kayra
  • 📍Introduction Page
  • ⭐Learning Process
    • 🧠Learning Mindset
    • 🖇️Learning Dependencies
    • 🧮Learning Process
  • 🔠Fundamentals
    • 🛜Networking Fundamentals
    • 🐧Linux Fundamentals
    • 🪟Windows Fundamentals
    • 🕵️Active Directory
    • 🕸️Introduction to Web Applications
    • 🗃️Other Useful Concepts
      • Regular Expressions (RegEx)
    • Cyber Security Products
      • Lab Setup
      • ✅Fortigate Firewall
      • MDM Lab
      • IAM Lab
      • PAM Lab
      • DLP Lab
  • 🧰Tools
    • Nmap
    • Nessus
    • Ffuf
    • Hydra
    • John The Ripper
  • ✍️Write Ups
    • 🗃️Hack The Box Machines
      • 🐧Linux
        • Code
    • 🗃️Proving Grounds Boxes
      • 🐧Linux
        • Stapler
        • eLection
        • Loly
        • Blogger
        • Potato
        • Amaterasu
        • Exfiltrated
        • Pelican
        • Astronaut
        • Cockpit
        • Levram
        • Extplorer
        • LaVita
        • pc
        • Scrutiny
        • Zipper
        • Flu
        • Twiggy
        • Codo
        • Crane
        • Hub
        • BlackGate
        • Boolean
        • ClamAV
        • PayDay
        • Snookums
        • Bratarina
        • Nibbles
      • 🪟Windows
        • Algernon
        • AuthBy
        • Craft
        • Kevin
        • Squid
        • Jacko
        • DVR4
        • Hepet
        • Shenzi
        • Nickel
        • Slort
        • MedJed
        • Active Directory
          • Access
          • Vault
    • 🪪Certificates
      • Certified Professional Penetration Tester (eCPPTv3)
      • Web Application Penetration Tester eXtreme (eWPTXv3)
    • 🚩CTF Events
      • Cyber Hub 2025 CTF
  • 📚Study Notes
    • Penetration Tester (HTB CPTS)
      • Penetration Testing Process
      • Reconnaissance, Enumeration & Attack Planning
        • Network Enumeration with Nmap (Continue Here)
        • Footprinting (Just Do Formatting)
        • Vulnerability Scanning (Check)
        • File Transfers
        • Using the Metasploit Framework
        • Web Information Gathering
        • Shells & Payloads
      • Exploitation & Lateral Movement
        • Attacking Common Services (Just Do Formatting)
        • Password Attacks
        • Active Directory Enumeration & Attacks (TBC)
        • Pivoting, Tunneling, and Port Forwarding
      • Web Exploitation
        • Using Web Proxies (Check)
        • Attacking Web Applications With Ffuf (Check)
        • Login Bruteforcing
        • Cross-Site Scripting (XSS)
        • Command Injection
        • SQL Injection
        • File Upload Attacks
        • File Inclusion
        • Web Attacks (Check)
        • Attacking Common Applications (Check)
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation (TBC)
      • Documentation & Reporting
  • 🧑‍💻Other
    • Leet Code
      • Quick Guide: Big-O Notation
      • Problem 01 - Two Sum
    • Data Structure & Algorithms (DSA)
  • 🗄️Archive/Backup/Bin
    • Sysmon Usecases (IBM)
    • 🐧Linux Fundamentals (TryHackMe)
      • Introduction
      • Basic Commands
      • Wildcards & Operators
      • Permissions
      • Common Directories
      • Terminal Text Editors
      • General/Useful Utilities
    • 🪟Windows Fundamentals (TryHackMe)
      • Introduction
      • The File System
      • User Accounts
      • Settings & Control Panel & Task Manager
      • System Configuration
    • Active Directory (TryHackMe)
      • Breaching Active Directory
    • FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
      • Book 2 - Intrusion Analysis
        • Credential Theft
        • Event Log Analysis for Responders and Hunters
    • Certified Threat Hunting Professional (eCTHPv2)
      • Threat Hunting: Hunting the Endpoint & Endpoint Analysis
        • Event IDs, Logging, & SIEMs
    • OSCP
      • Report Writing
      • ✅Passive Information Gathering
      • ✅Active Information Gathering
      • ✅Vulnerability Scanning
      • Introduction to Web Application Attacks
      • Common Web Application Attacks
        • ✅Cross-Site Scripting (XSS)
        • ✅Directory Traversal
        • ✅File Inclusion
        • ✅File Upload Vulnerabilities
        • Command Injection
        • SQL Injection Attacks
        • Client Side Attacks
      • ✅Locating Public Exploits
      • ✅Exploiting Walkthrough
      • Fixing Exploits
      • ✅Antivirus Evasion
      • Password Attacks
      • Windows Privilege Escalation
      • Linux Privilege Escalation
      • Port Redirection and SSH Tunneling
      • Tunneling Through Deep Packet Inspection
      • The Metasploit Framework
      • Active Directory Introduction & Enumeration
      • Attacking Active Directory Authentication
      • Lateral Movement in Active Directory
      • Assembling the Pieces
      • Other General Information
    • ⚡Port Swigger (Web Penetration Testing)
      • ✅Information Disclosure
      • ✅Path Traversal (Directory Traversal)
      • ✅OS Command Injection
      • Business Logic Vulnerabilities
      • ✅Authentication
      • ✅Access Control
    • Certified Bug Bounty Hunter (CBBH)
      • Web Requests
        • HTTP Fundamentals
    • Getting Started
      • Introduction
      • Pentesting Basics
    • Certified Penetration Testing Specialist (CPTS)
      • Introduction
        • ✅Penetration Testing Process
          • Penetration Testing Overview
          • Laws & Regulations
          • Penetration Testing Process
          • Pre-Engagement
          • Information Gathering
          • Vulnerability Assessment
          • Exploitation
          • Post-Exploitation
          • Lateral Movement
          • Proof-of-Concept
          • Post-Engagement
          • Practice
          • Academy Module Layout
        • Getting Started with Hack The Box (HTB)
      • Reconnaissance, Enumeration & Attack Planning
        • ✅Network Enumeration with Nmap
          • Enumeration & Introduction to Nmap
          • Host Discovery
          • Host and Port Scanning
          • Saving The Results
          • Service Enumeration
          • Nmap Scripting Engine
          • Scanning Performance
          • Firewall and IDS/IPS Evasion
        • Footprinting
        • ✅Information Gathering - Web Edition
          • Introduction
          • Passive Information Gathering
          • Active Information Gathering
        • Vulnerability Assessment
        • File Transfers
        • Shells & Payloads
        • Using the Metasploit Framework
      • Exploitation & Lateral Movement
        • Password Attacks
        • Attacking Common Services
        • Pivoting, Tunneling, and Port Forwarding
        • Active Directory Enumeration & Attacks
      • Web Exploitation
        • Using Web Proxies
        • ✅Attacking Web Applications with Ffuf
        • ✅Login Brute Forcing
        • SQL Injection Fundamentals
        • SQLMap Essentials
        • Cross-Site Scripting (XSS)
        • File Inclusion
        • File Upload Attacks
        • Command Injections
        • Web Attacks
        • Attacking Common Applications
      • Post-Exploitation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
      • Reporting & Capstone
        • Documentation & Reporting
        • Attacking Enterprise Networks
    • Old Active Directory
    • Tib3rius Privilege Escalation
      • Linux Privilege Escalation
    • HTB Archived Write-Ups (Check)
      • Irked
      • Nibbles
      • Brainfuck
      • Lame (Check)
    • 📋Cheat Sheets
      • Penetration Testing Cheat Sheet (In Progress)
Powered by GitBook
On this page
  • Enumeration & Reconnaissance
  • Service Analysis
  • Gaining Initial Access
  • Privilege Escalation
  • Lessons Learned
  1. Write Ups
  2. Proving Grounds Boxes
  3. Linux

Loly

PreviouseLectionNextBlogger

Last updated 2 months ago

Source: Proving Grounds OS: Linux Community Rating: Hard

Enumeration & Reconnaissance

  • I started off with autorecon on Loly, which revealed that HTTP (port 80) was the only service up.

Service Analysis

  • With just one open port and it being HTTP, I ran fuzzers in the background while manually checking the site.

  • The robots.txt yielded nothing, and the default nginx page was all I saw at first. I was at a loss for a while untill the fuzzer uncovered a the directory: /wordpress/.

  • After discovering the /wordpress/ path, I started exploring the site.

  • I needed to add the hostname loly.lc to my /etc/hosts as well.

  • I started running wpscan against the target and I found the WordPress user loly.

  • I launched a brute force attack using wpscan, and while it was running, I also searched for vulnerable plugins but that was blocked way.

  • The bruteforce attack eventually revealed the password for the user loly to be fernando.

Gaining Initial Access

  • With the credentials in hand, I logged into the WordPress admin panel. I then began looking for ways to escalate my foothold, specifically any editable PHP files or file upload functionalities that might let me drop a shell.

  • I noticed the adrotate plugin which had a file upload function, it imposed restrictions (accepting only jpg, jpeg, gif, png, svg, html, js, and zip files, with a 512Kb size limit). However, it automatically extracted zip files and removed the original archive. This rendered the file extension validation basically useless.

  • I created a custom payload, zipped it, and uploaded it through adrotate. Once the zip was extracted, I could access my shell via: http://loly.lc/wordpress/wp-content/banners/shell.php

  • I upgraded the shell to an interactive one using Python and then started exploring.

Privilege Escalation

  • Once I had a shell, I ran linpeas.sh to check for privilege escalation vectors. The tool revealed that the kernel version (kernel-4.4.0-31-generic) was vulnerable.

  • I started trying out several known CVEs, but I couldn't compile any of my payloads, I kept getting the error: gcc: error trying to exec 'cc1': execvp: No such file or directory

  • It turned out I had to switch to the OS user loly. The WordPress password (fernando) differed from the operating system’s password. However, the correct OS password matched the database password that's stored in the wp-config file. lolyisabeautifulgirl.

  • I then switched the users and kept experimenting with multiple payloads until the exploit from 45010.c on searchsploit worked, giving me root access.

Lessons Learned

  • Exploiting File Upload Vulnerabilities: The file extension validation was rendered useless because the zip extraction bypasses the placed restrictions.

  • Credential Management: Always check config files and make sure to try found credentials on different services, there will most likely be reuse on different services.

  • Kernel Vulnerabilities: The outdated kernel version was a gateway for privilege escalation.

✍️
🗃️
🐧
Nginx Default
Password Bruteforce