Introduction
In this video walkthrough, we demonstrated how a vulnerable WordPress plugin can lead to a complete system compromise. We then escalated our privileges by taking advantage of misconfigured permissions. We used the So Simple box from Vulnhub for this walkthrough.
Finding the Vulnerability
First, I started by scanning the target machine’s WordPress installation. The scan flagged two outdated plugins: Social Warfare and Simple Card Solution. I decided to focus on Social Warfare because a quick search revealed a critical remote code execution exploit for a version very close to the one on the target.
Gaining Initial Access
With the exploit in hand, I created a payload file designed to read the /etc/passwd file. I then triggered this payload by visiting a specially crafted URL. Success! The contents of the /etc/passwd file were displayed in my browser.
Next, I modified the payload to establish a reverse shell connection back to my machine. I set up a Netcat listener on my end and, by revisiting the crafted URL, I was able to get a limited shell on the target machine.
Escalating Privileges
Now for the fun part: escalating my privileges.
- From Limited Shell to User “Max”: My initial shell was pretty restricted. I navigated to the /home directory and found two users: “max” and “steven”. After some digging in “max”’s home directory, I found his .ssh directory and, within it, his private key (id_rsa). Using this key, I was able to SSH into the machine as “max”, giving me a much more stable and flexible shell.
- From User “Max” to User “Steven”: As “max”, I checked what commands I could run with sudo. It turned out I could run a service as the user “steven”. By running a specific command, I was able to spawn a shell as “steven”.
- From User “Steven” to Root: One final privilege escalation was needed. As “steven”, I again checked my sudo permissions and found that I could run a script as root without a password. The script didn’t exist, so I created it, gave it execute permissions, and then ran it with sudo. And just like that, I had full root access to the machine! 👑
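Both sudo problems above (a NOPASSWD rule pointing at a script that did not yet exist, and a service rule whose arguments were left unrestricted) are things a defender can audit for before an attacker finds them. The following Python auditor is an added example, not part of the original walkthrough; the sample rules, the /opt/tools/server-health.sh path and the rule regex are constructed assumptions about the box, not its actual sudoers file.

```python
import os
import re
import stat

# Shape of a sudoers rule: user host=(runas) [TAG:...] command [args]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)

# Constructed sample, modelled on the rules the walkthrough abused (assumption).
SAMPLE_SUDOERS = """\
max    ALL=(steven) NOPASSWD: /sbin/service
steven ALL=(root)   NOPASSWD: /opt/tools/server-health.sh
"""

def parse_rule(line):
    """Parse one rule line; None for blank, comment or unparsed lines."""
    line = line.strip()
    if not line or line.startswith("#") or not (m := RULE_RE.match(line)):
        return None
    return {"user": m["user"], "runas": m["runas"], "nopasswd": "NOPASSWD:" in m["tags"],
            "cmd": m["cmd"], "args": m["args"].strip()}

def dir_writable_by_others(path):
    """True if the directory is group- or world-writable; False if it is absent."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_rule(rule, exists=os.path.exists, dir_writable=dir_writable_by_others):
    """Return the findings for one parsed rule (empty list means nothing flagged)."""
    findings, cmd = [], rule["cmd"]
    if not exists(cmd):
        # On the box, server-health.sh was absent, so the sudo user simply created it.
        findings.append("command missing: the sudo user could create it")
    if dir_writable(os.path.dirname(cmd)):
        findings.append("command directory writable by group/others")
    if rule["args"] == "":
        # sudoers semantics: no args listed means ANY args; '""' forbids arguments.
        findings.append('arguments unrestricted (use "" to forbid arguments)')
    return findings

def audit_sudoers(text, **checks):
    """Return [(user, cmd, findings)] for each rule with at least one finding."""
    rules = filter(None, map(parse_rule, text.splitlines()))
    return [(r["user"], r["cmd"], f) for r in rules if (f := audit_rule(r, **checks))]
```

Run `audit_sudoers(SAMPLE_SUDOERS)` on a real host (it defaults to the live filesystem) or pass `exists`/`dir_writable` callables to audit a sudoers dump offline.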
Technical Commands Used
Here are the commands I used in the terminal throughout this process:
ls
cd home
cd max
cat user
ls -la
cd .ssh
cat id_rsa
ssh -i id_rsa max@192.168.1.56
sudo -l
sudo -u steven /sbin/service ../../bin/bash
cd /opt
mkdir tools
cd tools
nano server-health.sh
chmod +x server-health.sh
sudo -u root /opt/tools/server-health.sh