Vulnhub AdmX: 1.0.1 walkthrough
Only port 80 is open, and WordPress is installed on the box. WPScan enumerates the admin user and also finds a valid password for it. Metasploit is used to gain a reverse shell. A user on the box uses the same password, which gives access to that account. That user has sudo rights on the database and can run system commands from the database console as root.
As a first step, use nmap to find all open ports on the box. Only port 80 is open, which is good: we need to focus only on the web.
Service version detection is not really needed, but still.
Dirb found two interesting directories, tools and wordpress. We need to use wpscan to further enumerate WordPress.
Enumerate users, vulnerable themes and vulnerable plugins using wpscan. Wpscan found the admin user.
Used wpscan to brute-force the password for the user admin.
wpscan --url http://192.168.2.10/wordpress -U admin -P /usr/share/wordlists/rockyou.txt -t 25
Found a valid password for the admin user.
Due to some issues with the AdmX box, I am unable to log in through the GUI, so I thought of using msfconsole to get a reverse shell.
Set the options below:
Got the meterpreter shell on the box.
If you are on a system with WordPress installed, always check for wp-config.php.
So now we have the user admin and a couple of passwords: adam14 and Wp_Admin#123.
We have a wpadmin user on the box, so let’s try both of the above passwords to gain access as the user wpadmin. The password is adam14, the same as for WordPress; it is not good practice to use the same password.
The sudo -l command shows that the user wpadmin can run /usr/bin/mysql -u root -D wordpress -p (basically access the wordpress database) as root, with no need for a password.
We can execute shell commands from the MariaDB console; we just need to put the keyword system before the command.
Let’s add another root user to the /etc/passwd file so that we don’t need to use the MariaDB console. For that I used openssl. Any password can be used, but use one without any special characters.
Use the echo command to append the line below to the /etc/passwd file.
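On the defender's side, an /etc/passwd change like the one described above leaves two clear signs: a second account with UID 0 and a password hash stored in the passwd file instead of /etc/shadow. The check below is an added example, not part of the original walkthrough; the sample file contents, the account name backdoor and the hash string are constructed placeholders.

```python
# Added example: audit passwd-format text for root-equivalent or hash-bearing entries.
# SAMPLE_PASSWD is constructed for illustration; "backdoor" and the hash value are
# placeholders, not values taken from the walkthrough.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
wpadmin:x:1001:1001::/home/wpadmin:/bin/bash
backdoor:CONSTRUCTEDHASHPLACEHOLDER:0:0:root:/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (line_no, account, reason) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], "malformed entry"))
            continue
        name, passwd, uid_text = fields[0], fields[1], fields[2]
        try:
            uid = int(uid_text)  # "00" still resolves to UID 0
        except ValueError:
            findings.append((line_no, name, "non-numeric UID"))
            continue
        if uid == 0 and name != "root":
            findings.append((line_no, name, "UID 0 account other than root"))
        if passwd == "":
            findings.append((line_no, name, "empty password field"))
        elif passwd != "x" and passwd[0] not in "*!":
            # "x" means shadowed; a leading "*" or "!" means locked.
            findings.append((line_no, name, "password hash stored in passwd"))
    return findings


if __name__ == "__main__":
    # Pass open("/etc/passwd").read() instead to check a live system.
    for line_no, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {name}: {reason}")
```

Running this from a scheduled job or file-integrity hook, together with removing the passwordless sudo rule for mysql, addresses both the escalation path and the account it was used to create.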
That’s it, hope you like it. Thanks for reading.