I spent the weekend at a red teaming class -- when I returned, I jumped up on Vulnhub and I found a new batch of boxes waiting to be exploited.  Needless to say, it's like winning twice in the same week. 

I'm so appreciative of people who are willing to spend the time building these boxes because it allows others in the community to work on their skills -- for free.  Needless to say, I've downloaded a number of boxes from this recent batch and while perusing the list, I randomly picked Web Developer as my first to attack.  

If this box is any indication of how the rest will go, I will be very pleased because the author tossed in a couple of new avenues that I've yet to see.  While not particularly hard, if you have some knowledge with these avenues, this box still makes you think and jump through some hoops.  

Bottom line, this one was clever and a lot of fun!

Kicking off with an Nmap scan:





We see a web server running and we also have an entry for the hosts file. 

In another window, I already had Nikto running:





And in another window, I also had a browser opened:





And in this window, I'd finally added the hosts entry and started using the proper name:





Nothing revealed so far but moving in parallel with separate tools, I'm enumerating with GoBuster:





That is when I discovered the /ipdata directory.  When we hit it with the browser:





We find a capture file which we take over to WireShark:





If my hunch is correct, we're looking for a POST to the WordPress login page:





Which is exactly what we find.  At first, I try to login with what I see but then I realize the password is URL encoded.  I take it over to a decoder:





Yes, I'm lazy.  I used a tool on the web because it's easier than using sed but for the purists, this can be done locally without going to the web:





Same result, we get the password to pair with the username we see in the .cap file. 

Attempting to login to WordPress:





We're in!

Initially, I tried using the Media upload with a reverse shell but I was denied that path. 

The handy standby is to edit the footer:






Removing the footer content and replacing it with Pentest Monkey's PHP reverse shell:





When we hit save, we're greeted with:





Ouch!  Denied again!

Sidebar:  When I first started to learn hacking, I stumbled upon a WordPress site and at the time, I really didn't know much about it.  With few skills, I would use a WordPress plugin which allowed me to insert PHP into a Post or Page and that was my method for getting shells.  I used that method for quite some time until I found other avenues.  

Well, it seems that avenue really isn't such a bad method:





Uploading the plugin:





Success!  





We activate the plugin:





And we're ready to roll. 

This plugin is a little different than the one I've used previously but the concept is still the same.  With this one specifically, we're creating, what they call, a snippet:





And then we're calling the snippet from within the Post:





When we Preview the Post, and our handler setup:





We catch our shell. 

I attempt to clean up the environment with the standard Python pty but Python is not installed.  Moving to our backup plan:





We get the environment cleaned up but we have an echo which we also clean up but we're still left with something wonky going on with the backspace key.  

Checking our environment:





We see that we're running Ubuntu 18.  

Heading over to the wp-config.php file to grab some creds:





As an added bonus, we not only find creds but we also move from www-data to the user account for webdeveloper.

Checking sudo -l :





We see that we can run tcpdump as root. 

A quick search shows us that we can abuse this tool.  To test it, we're going to try to read /etc/shadow through a roundabout way:





That works! 

I try a couple of things for privilege escalation but between ideas that don't work and the backspace issue requiring 100% typing accuracy, I decide to work on my system. 

First a little setuid program in C:





And something to change the owner, change the permissions to execute, and finally, the last command which creates the setuid binary:





Downloading to the victim and executing:





Root!  

Going for the flag:





It probably wasn't as elegant as I would have liked but root is root.  

What a fun box!  My WireShark game is a little weak right now.  It's been a while since I've used it regularly and I seem to recall there being a better way of viewing the credentials.  Perhaps I'm mistaken but I think not.  

As I mentioned above -- a very clever box.  Not particularly hard if you know the tools but still quite fun.  Many thanks to the author!