Vulnhub Shenron-3 writeup
Hello guys, welcome back to another VulnHub machine write-up. In this write-up I will walk you through the steps to solve another machine, Shenron-3, from the Shenron series. Shubham Mandloi created this CTF.
Let's begin with an nmap scan. Only port 80 is open, and it is running WordPress. Before running anything, I added the IP and the hostname shenron to the /etc/hosts file.
Since WordPress is clearly running on port 80, I used wpscan to enumerate WordPress users, vulnerable themes and plugins. wpscan discovered the “admin” user on WordPress.
I tried brute-forcing the password for the admin user on the WordPress login and found the valid combination.
We now have admin access to WordPress, and with admin access to WordPress it is possible to get a reverse shell. To get the reverse shell, I followed the steps below.
I created a PHP file with the below payload and saved it.
I created a zip of the above file.
I started the netcat listener on port 443 and uploaded the above zip into WordPress. Log in to WordPress and navigate to Plugins → Add New → Upload Plugin.
I clicked on Install Now and got the reverse shell.
We have a couple of passwords, “iloverockyou” and “Wordpress@123”. Let's try to switch user to shenron. The password for the WordPress admin and the shenron user is the same, i.e. “iloverockyou”.
As we can see, the network binary has the SUID bit set, and it runs with root privileges.
Running strings on network shows that it uses the netstat command, and that too without the complete path.
To get root access, I created a file with a reverse shell payload, set read, write and execute permissions on it, and modified the PATH.
I started the netcat listener on port 5555 and got the root shell.
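The root cause of this last step is a SUID program resolving netstat through the caller's PATH. The following C sketch is an added example, not code from the machine or from the original write-up, showing how such a helper can run its command safely: absolute path only, no shell, and an environment that is never inherited. The function names, the /bin/netstat location, the netstat flags, and the assumption that the original binary uses a system()-style call are all hypothetical.

```c
/* Added example: hardened replacement for the pattern behind the SUID
 * "network" helper. The vulnerable form is assumed to be a shell call such
 * as system("netstat ..."), which resolves netstat via the caller's PATH. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only absolute paths with no ".." so nothing is searched on PATH. */
static int is_fixed_path(const char *cmd)
{
    return cmd != NULL && cmd[0] == '/' && strstr(cmd, "..") == NULL;
}

/* Run abs_cmd directly (no shell, no PATH lookup) with a constant
 * environment. Returns the child's exit status, or -1 on refusal/error. */
int run_fixed(const char *abs_cmd, char *const argv[])
{
    /* Environment is built here and never copied from the caller. */
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status;
    pid_t pid;

    if (!is_fixed_path(abs_cmd))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_cmd, argv, envp);  /* execve never consults PATH */
        _exit(127);                   /* reached only if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* /bin/netstat and -nltup are assumptions; use the target's real path. */
    char *const argv[] = { "netstat", "-nltup", NULL };
    int rc = run_fixed("/bin/netstat", argv);
    printf("netstat exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Where the helper does not need root at all, removing the SUID bit is the simpler fix; this pattern is for cases where the privilege is genuinely required.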
The Final Flag:
Thanks for reading. I hope you liked it.