Beloved

We found the IP address of the victim machine using the arp-scan tool and looked for a MAC address starting with 08:... This MAC address is assigned to the virtual machines.

Next, we conducted a scan using NMAP to identify open ports.

As a result, we observed that ports 22 (SSH) and 80 (HTTP) are open. Inside the web, we can see the following:

If we click on any link, we notice that it doesn't load because it's a domain that our local machine is not aware of.

So, we are going to edit the /etc/hosts file and add this domain with its corresponding IP:

sudo nano /etc/hosts

Now, upon entering the victim machine's IP address again in Firefox, we see a website with an improved appearance.

Upon entering 'Hello world!', we encounter a user and a comment.

As we have seen earlier, the website is built with WordPress. So, let's use the wpscan tool to gather more information. Using this tool, we can confirm the existence of the user 'smart_ass'.

Enumerating users:

wpscan --url http://beloved/ -e u

Now, with the following command, we will enumerate the WordPress plugins used by this website:

wpscan --url http://beloved/ --plugins-detection aggressive -t 50 --api-token='YOUR_API'

As a result, we can observe a plugin called wpDiscuz with an old version that is vulnerable.

I go to Metasploit and find that it has an exploit that we can use for Remote Code Execution (RCE).

And we execute it with the run or exploit command, and now we would be inside:

Now we use the 'shell' command to create a shell. And we configure the TTY.

When navigating to the /var/www directory, we can observe the bash_history and see some commands.

Later, upon entering sudo -l, we see that we can execute the nokogiri binary as the beloved user.

So, I decide to copy and execute the command I saw in the bash_history, and an Interactive Ruby (IRB) session opens.

So, we can execute commands with the following structure:

system 'COMAND'

So, I execute a command to create the shell for beloved, and there you go, we are now the beloved user.

system '/bin/bash'

And we obtain the user flag:

For the next privilege escalation, we will use pspy64, which is a program that monitors the processes occurring on the machine.

Now, let's transfer pspy64 from our local machine to the victim machine by creating a web server with Python on port 8080.

We grant permissions with 'chmod +x pspy64' and run it with './pspy64'.

chmod +x pspy64

./pspy64

And we observe that a command is executed every 1 minute:

The chown command is used to change the owner and group of a file or directory. It appears to be applied to everything in the /opt directory. In the /opt directory, we see the root user's id_rsa, and we have write permissions in this directory:

Now, we will exploit chown to change the owner of the root's id_rsa to beloved. Link where it explains how to exploit this vulnerability: exploit chown

We can do it by executing the following commands in /opt:

touch reference

touch -- --reference=reference

And after waiting for 1 minute, we will see that the id_rsa becomes our property. In case the id_rsa is not in that directory but, for example, in /root/.ssh/id_rsa, we should have created a file that is a link to /root/.ssh/id_rsa like this:

ln -s /root/.ssh/id_rsa id_rsa

With this approach, we can obtain any file owned by root without any issues. But since we already have the root's id_rsa, we don't need anything else.

After 1 minute:

We copy the contents of the id_rsa and save it on our local machine. Now, we will grant privileges with: