Loly

Swagat
3 min readSep 25, 2021

Initial Foothold

We started service discovery with nmap and got the following output.

So there are not many ports open.

Upon browsing to http://loly.lc:80 we saw an nginx default page.

So we performed directory brute forcing and found a directory called wordpress, which was the WordPress installation directory.

So we quickly ran wpscan to enumerate all the installed plugins, themes and users.

We got to know that this box has a user named loly and a plugin installed called adrotate.

So I thought to brute force the password for loly in the background while I tried to find some CVE related to this adrotate.

adrotate has some SQL injection bugs, but they are authenticated bugs, and the version was also different from the vulnerable version. Meanwhile I got the password for loly.

I logged in and tried to upload a shell to get RCE. But surprisingly, although I was admin, I didn't have any feature enabled to upload a shell: not in themes, not in plugins, nowhere.

So while exploring this adrotate plugin I saw it has a feature to add advertisement banners, and it accepts a list of whitelisted file types, one of which is zip.

So I quickly put my PHP shell in a zip file and uploaded it.

I wasn't much familiar with WordPress sites, so I looked into the adrotate plugin docs to see where the file gets uploaded, and it says wp-content/banners.

So I quickly headed over to the dir and tried to trigger my shell, and sure enough I got the shell back.
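As an added defender-side check, not part of the original writeup or of the adrotate plugin: a banner upload handler can inspect a zip archive before extracting it into wp-content/banners and reject any entry that the web server would execute or that escapes the target directory. The extension list and the sample archives are constructed assumptions for this example.

```python
import io
import zipfile
from typing import Dict, List

# Suffixes a typical PHP-enabled web server would execute if they landed in a
# web-reachable directory such as wp-content/banners (assumed list, extend per server).
EXECUTABLE_SUFFIXES = {
    ".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".inc", ".htaccess",
}


def unsafe_zip_entries(zip_bytes: bytes) -> List[str]:
    """Return the archive entries that should block extraction: server-executable
    files (including double extensions such as shell.php.jpg) and path traversal."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.split("/")
            # Zip Slip: absolute paths or ".." components escape the banners directory.
            if name.startswith("/") or ".." in parts:
                findings.append(f"{name}: path traversal")
                continue
            # Check every suffix of the base name, not just the last one.
            suffixes = ["." + s.lower() for s in parts[-1].split(".")[1:]]
            if any(s in EXECUTABLE_SUFFIXES for s in suffixes):
                findings.append(f"{name}: server-executable file")
    return findings


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a small in-memory archive (constructed sample input, no disk access)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # A legitimate banner bundle: image plus HTML snippet, nothing executable.
    good = build_zip({"banner.jpg": b"\xff\xd8\xff", "banner.html": b"<img src=banner.jpg>"})
    # A bundle smuggling a PHP file next to the image (placeholder body, not a shell).
    bad = build_zip({"banner.jpg": b"\xff\xd8\xff", "cmd.php": b"<?php /* placeholder */ ?>"})
    print("good:", unsafe_zip_entries(good))  # []
    print("bad:", unsafe_zip_entries(bad))    # ['cmd.php: server-executable file']
```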

PrivEsc

I tried running linpeas to see if I could get some easy win, but this box didn't have any misconfiguration or unnecessary privilege that we could exploit to get root. But this box was vulnerable to DirtyCow.

To figure this out I ran Linux Exploit Suggester and then checked the version and the /etc/*release file.

So I downloaded the PoC from Exploit-DB and ran it to get root.

And we got root.


Swagat

A curious person working as FT Security Engineer