HA Joker CTF - THM

Run your favourite scan; there should be three ports open on this machine. At first, port 80 is the only viable option (the others are SSH and a web server on 8080 that requires a password). If you are a Batman fan, take the time to check out all the quotes, including the ones in the source code. They are pointless CTF-wise, but they are awesome. Find the secret directory using a buster (add common extensions so you are sure not to miss it, as I did). That file gives you a username (two actually, but it's an easy guess). There is no password in sight, so brute forcing must be the way in. Here is a possible command to brute force HTTP basic authentication:

hydra -l <username> -P /usr/share/wordlists/rockyou.txt -s 8080 -f <ip> http-get /
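
Seen from the defender's side, the run above leaves a burst of 401 responses from one client in the web server's access log, followed by a 2xx once a guess lands. The sketch below is an added example, not part of the original write-up: it assumes combined log format, and the window, threshold, IP addresses and the user name `cmsuser` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(seconds=60)  # assumption: look-back window
THRESHOLD = 5                   # assumption: 401s per client within WINDOW

def detect_basic_auth_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, client_ip, user, failures_in_window) tuples."""
    recent = defaultdict(deque)  # client ip -> timestamps of recent 401s
    flagged = set()              # clients currently reported as guessing
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, user, status = m["ip"], m["user"], m["status"]
        fails = recent[ip]
        while fails and ts - fails[0] > window:
            fails.popleft()      # expire failures older than the window
        if status == "401":
            fails.append(ts)
            if len(fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user, len(fails)))
        elif status.startswith("2") and ip in flagged and user != "-":
            # Authenticated 2xx right after a burst: a guess probably worked.
            alerts.append(("success_after_bruteforce", ip, user, len(fails)))
            flagged.discard(ip)
            fails.clear()
    return alerts

def constructed_sample():
    """Constructed lines: a browser's 401-then-200, then 8 failed guesses and a hit."""
    fmt = ('{ip} - {user} [12/Mar/2024:10:05:{s:02d} +0000] '
           '"GET / HTTP/1.1" {st} 512 "-" "-"')
    lines = [fmt.format(ip="198.51.100.7", user="-", s=0, st=401),
             fmt.format(ip="198.51.100.7", user="cmsuser", s=4, st=200)]
    lines += [fmt.format(ip="192.0.2.10", user="cmsuser", s=10 + i, st=401)
              for i in range(8)]
    lines.append(fmt.format(ip="192.0.2.10", user="cmsuser", s=18, st=200))
    return lines

if __name__ == "__main__":
    for alert in detect_basic_auth_bruteforce(constructed_sample()):
        print(alert)
```

The single 401 a browser receives before it sends credentials stays under the threshold, so the legitimate login in the sample raises nothing.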

Once you have the password, log in. The CMS is fairly empty, and you should have no trouble running another bust to find the directories that interest you (one gives you a zip file; the other would allow you to access the management dashboard if you had proper credentials).

Download the zip; it's password protected. You must use zip2john or something similar to crack it.

Restore the database from the file: if it's your first time, the steps are to first create a new database, and then pull the file into it to be able to use it. As always, Google gives you more than enough HOW-TOs to survive on your own. Once you are done, navigate to the "users" table and extract the hash, then crack it.

Once you have access to the administrator dashboard, it's almost the same as the usual WordPress trick. Navigate to a template, select one and write reverse shell code into it. Then, on the website, trigger its activation by navigating to the page you modified.

You should get a reverse shell as a user that is in the lxd group. If it has already happened to you, you might remember that this is going to mean instant root with a few basic steps. If this is the first time you see something like this, check out or search "LXD local privesc" on Google.
