This is Beloved. It’s Easy rated.
Just SSH and HTTP only.
It’s wordpress, so we need wpscan. Kali hates wpscan for some reason; it used to work but now no dice. Presumably some update killed it:
Yeah well that’s great.
Did that fix it? Lol no. Plan B: purge and then….
Did that fix it? Yes, hooray.
Yeah, that’ll do.
D’oh! Nevermind, the file is still there.
A few slightly different things here. Firstly, nokogiri:
What the hell is that? GTFOBins doesn’t have an entry. It’s a Ruby XML parser, uh yay I guess.
For some reason that I couldn’t be bothered reading about, putting a URL gives you an IRB (interactive Ruby) prompt, so let’s just go with that.
I noticed we owned /opt, so I ran pspy64 in case there was a cron - something funny was going on. Sure enough:
2021/12/22 11:11:01 CMD: UID=0 PID=31493 | /bin/sh -c cd /opt && chown root:root *
I don’t recall doing this before but we can take advantage of this wildcard.
We need a file that gets chowned to root, plus a reference and a symlink. First, we create our empty file (called reference in this case), and wait for the cron to fire:
Now we can create our actual ‘reference’ (the names are slightly poorly chosen here, the first thing probably should’ve been called something else) plus our symlink to /etc/passwd:
Now we can add my old mate root2 and we’re away:
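For the blue-team side of the same trick, here is an added example (mine, not from the room or the original post): a small POSIX sh audit that flags root cron entries feeding an unquoted wildcard to chown/chmod, run over constructed sample crontab lines, plus the hardened command that avoids both the wildcard and symlink-following. The audit_* and hardened_cron_command names are made up for this example.

```shell
# Constructed sample crontab (not from the box). Line 1 is the pattern pspy
# showed above; lines 2 and 3 are safe variants; line 4 is the chmod cousin.
SAMPLE_CRON='* * * * * root cd /opt && chown root:root *
* * * * * root cd /opt && chown root:root -- *
* * * * * root find /opt -mindepth 1 -maxdepth 1 -exec chown -h root:root -- {} +
* * * * * root cd /var/backups && chmod 600 *
0 3 * * * root /usr/local/bin/rotate-logs.sh'

# Print "RISK <line>" when a chown/chmod command gets a bare wildcard as its
# operands with no '--' separator (so a file named --reference=... is parsed
# as an option). Returns 0 if risky, 1 otherwise.
audit_cron_line() {
  case "$1" in
    *chown*' -- '*|*chmod*' -- '*) return 1 ;;   # operands are protected by --
    *chown*'*'*|*chmod*'*'*)                     # wildcard expands into argv
      printf 'RISK %s\n' "$1"; return 0 ;;
  esac
  return 1
}

# Count risky lines in a crontab read from stdin.
audit_crontab() {
  n=0
  while IFS= read -r l; do
    audit_cron_line "$l" >/dev/null && n=$((n + 1))
  done
  echo "$n"
}

# Hardened replacement for "cd DIR && chown root:root *": explicit paths via
# find, '--' so no filename is parsed as an option, and -h so a planted
# symlink has its own ownership changed rather than its target's.
hardened_cron_command() {
  echo "find $1 -mindepth 1 -maxdepth 1 -exec chown -h root:root -- {} +"
}

printf '%s\n' "$SAMPLE_CRON" | audit_crontab
```

Pointing the audit at a real host's /etc/crontab and /etc/cron.d/* will flag exactly the class of job abused here, whether the writable directory is /opt or somewhere else.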
Yes, ‘easy’ but not trivial and a bit left-field so worth making some notes on.