Difficulty: Easy
Tested: VMware Workstation 15.x Pro (this works better with VMware than with VirtualBox)
Goal: Get the root shell, i.e. (root@localhost:~#), and then obtain the flag under /root.
Really the only thing on the webserver is a WordPress installation, and we find it easily with gobuster. wpscan reveals only a single user (loly), and easily finds the password:
So I logged in, expecting to perhaps upload a plugin zip file, or edit a theme or something. But, no.
We have several plugins (AdRotate, Hello Dolly and Akismet) - only AdRotate is ‘unusual’. It’s version 5.8.6.2. Searchsploit reveals SQLi vulnerabilities in several older versions - all of them 3.x.
We have several themes, including Feminine Style and Virtue, but these don’t seem to be vulnerable.
We can’t upload a new plugin (the button to do so is missing), and I’m … stuck.
After a while I consult a writeup to see what the move is. It turns out that the AdRotate plugin can be exploited by uploading a shell inside a ZIP file as a ‘banner image’. PHP files are blacklisted but ZIP is okay; the plugin automatically unzips the file and places its contents in the banners directory:
I did the rest of the box by myself, but then I returned to this point. I tried googling for this exploit method, but the only references I found were in Loly writeups! And here’s what they had to say about it:
We found a vulnerable plugin (AdRotate); we upload a shell by compressing our payload into a zip file as a new banners file
I found a way to upload a shell & execute it
Make sure that first, we need to upload the reverse shell in zip format
For this, I saw that we have a plugin named “AdRotate” installed where we can upload a zip file
Huh? None of these say how they knew this plugin was vulnerable, or how to exploit it, or provide a link to a CVE, blog post or anything else. I understand my writeups aren’t always detailed; they aren’t meant to be. But I don’t quite understand how all of the ones I looked at just somehow magically knew that this method was available with AdRotate. Presumably there was an article about it somewhere; maybe my google-fu has failed me.
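The weakness described above is an extension blacklist that is checked against the uploaded file but not against what the archive expands into. As an added illustration (not AdRotate's code, and not from the original post), here is a hypothetical pre-extraction check that rejects an archive if any entry would land as a server-executable file, uses a double extension, or escapes the target directory:

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Extensions the web server would execute if they land in a web-exposed
# directory (assumed list; extend to match the server's handler config).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# What a banner upload is actually allowed to contain.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def entry_is_safe(name: str) -> bool:
    """Accept an archive entry only if it is a plain image at a relative path."""
    # Absolute paths, backslashes and ".." components would let the extractor
    # write outside the banners directory.
    if name.startswith(("/", "\\")) or "\\" in name or ".." in name.split("/"):
        return False
    parts = posixpath.basename(name).lower().split(".")
    if len(parts) < 2:          # no extension at all: not an image
        return False
    exts = parts[1:]            # every extension, so "shell.php.jpg" is caught
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False
    return exts[-1] in IMAGE_EXTS


def check_banner_zip(data: bytes) -> List[str]:
    """Return the offending entry names; an empty list means the archive passes."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not entry_is_safe(info.filename):
                bad.append(info.filename)
    return bad


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory archive (constructed test data, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_zip({"banner.png": b"not inspected"})
    shady = make_zip({"banner.png": b"x", "cmd.php": b"x", "../wp-config.php": b"x"})
    print(check_banner_zip(clean))   # []
    print(check_banner_zip(shady))   # ['cmd.php', '../wp-config.php']
```

This is a defence in depth, not a substitute for serving the upload directory with script execution disabled.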
Loly
Anyway, I’m on as loly.
I run linpeas, find a password, and then su to loly.
Root
Linpeas also says we have an older kernel, which is true.