Plotted 1 – Medium
- Ports Open: 22 (SSH), 80 (HTTP) and 2222 (SSH)
- Add ‘plotted.thm’ to /etc/hosts
- Web Application – WordPress
- Access to WordPress by bruteforcing
- Reverse shell by modifying theme file in WordPress
- Escalate privilege using SUID `find`
- SSH key for `plot_admin` at 2222, encoded in Base64 and placed in a file under `/var/backups`
- `.notes.zip` file located inside `/opt`
- Crack the hash for `.notes.zip` using `zip2john` and `john`
- Password for `plot_admin` inside the extracted file
- `sudo -l` shows that `plot_admin` can run any command with sudo
- Escalate privileges by using `fdisk -l` to find the host drive, mount it, and read the `/mnt/root/root.txt` file to access the root flag.
- All done 😀
- NMAP and Rustscan show that there are three ports open;
- 22 : SSH
- 80 : HTTP
- 2222 : SSH
- Browsing to the IP address on machine redirects us to “http://plotted.thm”
- Once we add “plotted.thm” to /etc/hosts, we can access the WordPress application: http://plotted.thm
- As we know the running application is WordPress, we run wpscan.
- Additionally, we run GoBuster to enumerate directories.
- wpscan found:
- Theme In-Use: Twenty Twenty One
- WordPress Version: 5.8.1
- Users: plot_admin, plot_actor
- GoBuster doesn’t find anything interesting with the common wordlists.
- As we have multiple usernames for WordPress, we attempt to bruteforce their accounts.
```shell
wpscan --url http://plotted.thm --usernames plot_actor --passwords /usr/share/wordlists/rockyou.txt
```
- We successfully crack the password for the `plot_actor` user:
- Cracking takes approximately 3 minutes using rockyou.txt.
- After logging in to the application, we find that the user is an admin.
- We also try SSH on port 22 and 2222 for password re-use, but no luck.
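The defender's view of the brute-force step above, as an added example that is not part of the original writeup: a small Python detector that reads web-server access logs in combined log format and alerts on any client that POSTs to `wp-login.php` or `xmlrpc.php` a threshold number of times inside a sliding window, then notes whether a 302 (WordPress's answer to a correct password) follows the burst. The log lines, IP addresses, user agents and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints a WordPress password-guessing tool has to hit.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Alert on any client that POSTs to a login endpoint `threshold` times
    within `window_seconds`; afterwards keep counting its attempts and note
    whether a redirect (WordPress's response to a correct password) follows."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    alerts = {}                  # ip -> alert details
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ip not in alerts:
            if len(q) >= threshold:
                alerts[ip] = {"first_seen": q[0], "attempts": len(q),
                              "success_after_burst": False}
        else:
            alerts[ip]["attempts"] += 1
            if ev["status"] in (301, 302):
                alerts[ip]["success_after_burst"] = True
    return alerts


def _line(ip, sec, method, path, status, agent):
    """Build one constructed combined-format log line at 10:00:<sec> on a fixed date."""
    return (f'{ip} - - [12/Oct/2021:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "{agent}"')


# Constructed sample traffic (not from the original page): one ordinary visitor
# who mistypes a password once, and one client hammering wp-login.php.
SAMPLE_LOG = [
    _line("10.0.0.5", 0, "GET", "/", 200, "Mozilla/5.0"),
    _line("10.0.0.5", 1, "POST", "/wp-login.php", 200, "Mozilla/5.0"),
    *[_line("10.0.0.9", 2 + i, "POST", "/wp-login.php", 200, "scanner/1.0") for i in range(11)],
    _line("10.0.0.9", 13, "POST", "/wp-login.php", 302, "scanner/1.0"),  # the guess that landed
    _line("10.0.0.5", 20, "POST", "/wp-login.php", 302, "Mozilla/5.0"),
    _line("10.0.0.9", 25, "GET", "/wp-admin/", 200, "scanner/1.0"),
]

if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['attempts']} login POSTs since {a['first_seen']:%H:%M:%S}, "
              f"success after burst: {a['success_after_burst']}")
```

The window and threshold are deliberately loose so that a person who fat-fingers a password a few times is not flagged; the combination that matters for triage is a burst of 200 responses followed by a 302 from the same client, which is exactly the pattern a wordlist attack leaves when it succeeds.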
- As we are an administrator, we can try to get a reverse shell on the underlying host by modifying one of the theme files.
- In this scenario, we modify the `404.php` file of the Twenty Twenty theme to contain our reverse shell payload.
- We can execute the payload by browsing to the modified page.
- Once the payload has been executed, we get a shell as `www-data`.
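An added example (my code, not the author's) for catching the theme-file modification above after the fact: a file-integrity check that hashes everything under the WordPress install and compares it against a baseline taken from a clean copy. The directory layout, file contents and the edited/added files are constructed in a temporary directory; on a real host the baseline would be built from the unmodified theme package and stored outside the web root.

```python
import hashlib
import pathlib
import tempfile


def build_manifest(root):
    """Map every regular file under `root` (path relative to root, POSIX style)
    to the SHA-256 of its contents."""
    root = pathlib.Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def demo():
    """Build a throw-away theme directory, baseline it, tamper with it, diff it.
    The files and their contents are constructed for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = pathlib.Path(tmp) / "wp-content" / "themes" / "twentytwentyone"
        theme.mkdir(parents=True)
        (theme / "404.php").write_text("<?php get_header(); ?>\n")
        (theme / "style.css").write_text("/* Theme Name: Twenty Twenty-One */\n")
        baseline = build_manifest(tmp)

        # Simulated tampering: the 404 template is edited through the theme
        # editor and an extra PHP file appears that the theme never shipped.
        (theme / "404.php").write_text("<?php /* edited */ get_header(); ?>\n")
        (theme / "wp-cache.php").write_text("<?php /* not part of the theme */ ?>\n")
        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    for kind, files in demo().items():
        for f in files:
            print(f"{kind:8s} {f}")
```

The dashboard theme editor that makes this edit possible can be switched off with `define('DISALLOW_FILE_EDIT', true);` in `wp-config.php`; the integrity diff then still catches changes made by any other route, such as a compromised FTP or deploy account.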
- By looking at the hostname and the contents of the “/” directory, we know that we are inside a docker container.
- Looking inside the `/var/www/html/` directory, we find that there is a file called `ThisFileSeemsInteresting.txt`. This file contains the 1st flag.
- Looking at the home directory, we find that there is a directory for `plot_admin`. Inside `/home/plot_admin`, there is a file called `note.txt`. However, it is owned by root and only accessible by root. Therefore, we need to escalate our privileges.
Privilege Escalation - Container 1
- `sudo -l` gets nothing, as there are no ‘NOPASSWD’ entries for the `www-data` user.
- When looking for SUID binaries, we find that `/usr/bin/find` has SUID set. Therefore, we leverage that to escalate our privileges.
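Finding SUID binaries is the attacker's step; the matching hardening step is to audit them against what the image is supposed to carry. The following is an added example, not from the writeup: it walks a tree, reports setuid regular files, and filters them against an allowlist. The allowlist and the miniature `usr/bin` tree the demo builds in a temporary directory are constructed for the example.

```python
import os
import stat
import tempfile

# Setuid programs the image is expected to carry. Constructed for this example;
# a real list comes from the base image's package manifest.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}


def find_suid(root):
    """Return paths (relative to `root`, with a leading '/') of regular files
    that have the setuid bit set. Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip, keep walking
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append("/" + os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def audit_suid(root, expected=EXPECTED_SUID):
    """Setuid files under `root` that are not on the allowlist."""
    return [p for p in find_suid(root) if p not in expected]


def demo():
    """Lay out a miniature image in a temp dir: one expected setuid binary,
    one unexpected setuid binary, one normal binary. Contents are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("passwd", 0o4755), ("find", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return audit_suid(tmp)


if __name__ == "__main__":
    # On a real host run audit_suid("/") with enough rights to walk the tree;
    # here the constructed miniature tree is used instead.
    print(demo())
```

Running this as part of an image build (and failing the build on a non-empty result) catches a stray setuid `find` before the image ever reaches a host.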
- Now, we can read the note.txt file inside /home/plot_admin
- Here, we find our 2nd flag and reference to /var/backups
- The `/var/backups` directory contains a file of interest.
- Looking at the contents of this file, we can see `plot_admin` and some encoded text.
- We use CyberChef to decode the text and find that it is an SSH key encoded as Base64.
- We try using this key to authenticate as the user `plot_admin` using SSH on port 22, with no luck. However, we can log in over port 2222. This brings us to another Docker container.
Gaining Access - Container 2
- In the home directory of the `plot_admin` user, we find that there is a `flag3.txt` file, but again it is owned by root and only accessible to the owner.
- We run `sudo -l` to see if the current user can run any sudo commands without a password, with no luck.
- Looking through the file system for helpful information, we find a `.notes.zip` file in the `/opt` directory. However, it is encrypted.
- We can use zip2john to extract a crackable hash from the zip file.
```shell
zip2john .notes.zip > notes_hash
```
- We can then crack the hash using john:
```shell
john --wordlist=/usr/share/wordlists/rockyou.txt notes_hash
```
- We can use the password obtained to extract the contents of the zip file.
- Inside the extracted file, we have a string which looks like a secret/password.
Privilege Escalation - Container 2
- We try to use the string found inside `notes.txt` as `plot_admin`'s password, and it works.
- We run `sudo -l` again and find that `plot_admin` can run any command with sudo.
- We use `sudo su` to spawn a root shell.
- Now, we can read the contents of the `flag3.txt` file.
- Since we are still inside a container, we try to escape.
- By running `fdisk -l`, we find that we can see the host disk.
- As we are root, we try to mount it at `/mnt` inside the container.
- Finally, we find that the mount was successful and we can access all the files on the host system.
- We can read the `/mnt/root/root.txt` file to get the root flag.
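Whether a container's root can run `fdisk -l` and mount the host disk is decided by the capabilities the container was started with; `mount(2)` needs `CAP_SYS_ADMIN`, which a default Docker container lacks and a `--privileged` one has. As an added example, not from the writeup, the Python below decodes the `CapEff` line of `/proc/<pid>/status` into capability names and flags the ones that weaken the container boundary. The two `/proc` excerpts are constructed; `00000000a80425fb` is the mask of Docker's default capability set, and `000001ffffffffff` is every capability on a kernel that knows 41 of them (older kernels show fewer bits).

```python
# Linux capability names indexed by bit number (include/uapi/linux/capability.h order).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that let root inside a container reach the host's kernel or
# block devices; sys_admin is the one mount(2) of the host disk needs.
ESCAPE_RELEVANT = {"sys_admin", "sys_rawio", "sys_module", "sys_ptrace"}


def decode_caps(status_text, field="CapEff"):
    """Decode the hex capability mask of `field` (CapEff, CapBnd, ...) from the
    text of /proc/<pid>/status into a set of capability names."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            mask = int(line.split()[1], 16)
            return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}
    raise ValueError(f"no {field} line in status text")


def assess_container(status_text, field="CapEff"):
    """Summarise how thin the container boundary is for the process described."""
    caps = decode_caps(status_text, field)
    return {
        "capability_count": len(caps),
        "risky": sorted(caps & ESCAPE_RELEVANT),
        "can_mount_host_disk": "sys_admin" in caps,
    }


# Constructed /proc/self/status excerpts (only the lines this code reads).
DEFAULT_DOCKER = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
PRIVILEGED = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    import pathlib
    for label, text in (("default", DEFAULT_DOCKER), ("privileged", PRIVILEGED)):
        print(label, assess_container(text))
    proc = pathlib.Path("/proc/self/status")
    if proc.exists():
        print("this process", assess_container(proc.read_text()))
```

Two caveats: `CapEff` is per process, so a non-root shell inside even a privileged container will usually show an empty set (look at `CapBnd`, the bounding set, by passing `field="CapBnd"`); and capabilities are not the only control, since `--privileged` also exposes the host's device nodes and turns off the default seccomp and AppArmor profiles. The fix on the operations side is to never run the container privileged and to start from `--cap-drop ALL`, adding back only what the workload needs.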
Hope you enjoyed reading this writeup. 😀
Posted by: infinity