you can find what you want, which is a vulnerable plugin called wpDiscuz. Now according to that page it has a metasploit module but it’s not loaded by default in my version of Kali anyway. I did load it but it still wouldn’t run so just do it manually with Burp Suite. It’s a pre-auth unrestricted file upload so you can get a shell or whatever.
Note the first time I tried this it wouldn’t work; I had to reinstall the box in VirtualBox and after I’d done that it was all good.
Privesc
There are a few rabbit holes here; at least that’s how it looks. We have a root cron job running a wildcard tar, but in order to exploit it we need to be James. We can get the hash from mysql after we get the creds from wp-config.php, but the hash doesn’t want to crack. The mysql password is not reused for James. And even after I got root and read the shadow file, the system hash for James doesn’t want to crack either. So the tar/cron path appears to be a rabbit hole. We also have a file called /opt/.creds that looks like gibberish:
Maybe I’m supposed to be able to decrypt that; dunno. Anyway we have a user (vagrant) with a weak password (vagrant) who can do anything:
Looking through auth.log and in the home directories:
It seems pretty clear we were supposed to use vagrant and the rest was a distraction.
Hacksudo FOG
We had to brute-force FTP on this box:
The file dict.txt was on the server; but you needed a pretty thorough enumeration to find it. Next, we got some files from the FTP server and did some stego to get back some more creds:
Which was rot23 from ‘zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR’
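For anyone who wants to see the decode worked through rather than eyeballed, here is a small ROT cracker (my own added example, not something from the box or the original writeup). It shifts the quoted string by every possible amount and ranks the results by how many credential-style cribs ("user", "pass", "host", ...) show up; the crib list is my assumption about what a leaked credential string tends to contain.

```python
"""Recover a Caesar/ROT-shifted string by crib scoring.

Added example, not from the original writeup. Applying shift 23 to the
ciphertext (equivalently shifting back by 3) is the decode the text
describes. The crib list is an assumption: substrings one expects to
find in a leaked credential string.
"""
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# Ciphertext exactly as quoted in the writeup.
CIPHERTEXT = "zzzz.orfdokrvw/irj Xvhuqdph=irj:sdvvzrug=kdfnvxgrLVUR"

# Assumed cribs: tokens a dumped credential string is likely to contain.
CRIBS = ("user", "pass", "host", "login", "admin")


def rot(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` places, keeping case; digits and
    punctuation pass through untouched."""
    shift %= 26
    lower = LOWER[shift:] + LOWER[:shift]
    upper = UPPER[shift:] + UPPER[:shift]
    return text.translate(str.maketrans(LOWER + UPPER, lower + upper))


def crib_score(text: str, cribs=CRIBS) -> int:
    """Number of crib substrings present, case-insensitively."""
    low = text.lower()
    return sum(low.count(crib) for crib in cribs)


def crack(ciphertext: str, cribs=CRIBS):
    """Try all 25 non-identity shifts and return (shift, plaintext, score)
    tuples ordered best-first; ties go to the smaller shift."""
    candidates = []
    for shift in range(1, 26):
        plain = rot(ciphertext, shift)
        candidates.append((shift, plain, crib_score(plain, cribs)))
    return sorted(candidates, key=lambda c: (-c[2], c[0]))


if __name__ == "__main__":
    # Print the top three candidates; rot23 should come out on top.
    for shift, plain, score in crack(CIPHERTEXT)[:3]:
        print(f"rot{shift:<2} score={score}  {plain}")
```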
Next we could login to the CMS on the website and get ourselves a shell; nothing too complicated.
On the box, look had the SUID bit so we could read the root flag or shadow file. The hash for isro cracked extremely quickly (qwerty) and isro could do this:
Erm yeah ok. Anyway fog had the cap_setuid capability and running it opened a python shell so that was that:
I probably left out some detail here but whatever. It was good; I’m just a bit weary. And possibly a bit over CTFs at the moment.