My School: 1 Vulnhub Walkthrough
Hey guys! Back again with what could possibly be this year’s last documented Vulnhub walkthrough. As usual , the trend has been documenting the OSCP like boxes which might be useful for OSCP aspirants and also in general to keep in touch with my skills acquired from OSCP . This is again a very nice machine from which even I learnt a few useful tips and tricks. Honestly , the box was extremely straightforward and also very real as well! So let’s start !
Full nmap port scan:
Nmap identified some ports open . For me , port 80 and 8080 seem to be the avenues for attack. Let’s see what port 80 is about:
So it seems to be hosting a cmsms install. Having heard of it before, I knew that this cms with the version install was vulnerable to an authenticated RCE. I tried with some default credentials because as of now , I had no idea about the host. In these scenarios atleast from a ctf point of view, cewl works best if any custom data was available. Anyhow, we kept it aside and moved over to port 8080. There we were greeted with this:
This seems to be an incomplete wordpress install to me. It struck me with the idea that maybe we can simply install wordpress which would mean wewould have complete authority over a wordpress server which in turn roughly translates to complete takeover of the server. We hit continue to go along with it. After that we get to the configuration page:
Basically here we have to connect a database to wordpress in order to complete the installation . For that I would have to set up a working database in my machine and link it with the wp install. So let’s setup our mariadb(in built with kali, can be used interchangeably with mysql server) server.
Let’s start up the server and see whether it’s listening in localhost(which is default) only or it can accept connections from other servers as well. Below I have started the server plus checking for it:
So it is still set in default. Let’s change it in the config file. Lets open the file mentioned below to change the setting:
Modify the bind address from 127.0.0.1 to 0.0.0.0:
Save the file and restart the server and check whether the config has changed. As you can see , it has:
Now that the mariadb server will accept connections from the victim machine, let’s set up a separate database and login for it to connect with. Follow are the below commands to set it up:
Once everything is done, you can simply fill up the config file details based on the server you set up:
If you did not set it up carefully or if firewall is creating an issue, you will have to manually fix it using ufw.
After this you’ll be presented with the final page setup, the wplogin details. Fill accordingly:
After this, wordpress will be automatically installed and the user you created would have admin rights.
Now, you can simply fire up metasploit and get a shell using the well known admin shell file upload vulnerability. I know here OSCP fan boys are gonna frown upon me ,but well ,I already passed it 😛 .
And we can read the user flag:
Now for the privilege escalation. I did a lot of recon both manually and with a script to hunt for misconfigurations and ended up empty. Normally after that, I like to check for sensitive files having credentials. Looking into this file as shown below, I found some creds:
I tried this password for the root user and it did not work. But if you remember in the screenshot of the user flag, we were in the directory of another user by the name of armour. I tried to use this password to change into him and I was successful:
Now onto root, here I check for it’s sudo permissions:
So it seems that we can run rclone as root. As the program seemed new to me, I tried to learn about it. Turns out, it is a command line utility usually used in cloud storage. But the main takeaway is that we can use this to run commands as root based on some rules. Here I try to read the help menu of the tool like this:
If you notice, we can run cat and ls commands as root here. To read the root flag , those commands are enough. Run the commands accordingly and read the root flag:
And that was all for now. Hopefully this writeup helps someone preparing for OSCP . Have a good day . Also please checkout arnavtripathy.com if you already haven’t to know more about me 😄.