# All in One

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-McewcSZoq1LxWVCGLSU%2Fimage.png?alt=media\&token=979a9c1d-c114-4cb5-9ff4-95834c02a61a)

## Scanning

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.117.119
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-McexNWUsoD2g_ugmzWz%2Fimage.png?alt=media\&token=7371ed36-1817-4cc4-a41b-de2349c91acf)

Detailed Nmap scan:

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.117.119
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-McexQDmnhOIftyzQnqn%2Fimage.png?alt=media\&token=616bd8ab-be09-49e2-b661-123571ee79ed)

## Enumeration

Let's look at FTP, as `anonymous` login is allowed.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-Mcexl-cvQ2hzXDfyf3r%2Fimage.png?alt=media\&token=ea842e97-6196-49c0-8a51-396d2d0590af)

There is nothing on the FTP server, so let's look at the web server.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-MceyW4WHKB0AzrUh9kE%2Fimage.png?alt=media\&token=3455a335-a658-4197-93b6-2546b07a0206)

It's the Apache2 default page, so let's run `gobuster` to look for hidden directories.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-McezL9oQksb3rEcmkqU%2Fimage.png?alt=media\&token=915ffb13-6133-4206-809e-a4673ab50086)

Let's check these directories out, starting with `/wordpress`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-McezhfVNBnkrRN1RWbo%2Fimage.png?alt=media\&token=ebd373ec-dd00-4849-a353-7c6795ea56ff)

It's a WordPress site. We can explore this, but first let's look at the other directory we found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-Mcezx0H9CUnhPCGMPmn%2Fimage.png?alt=media\&token=f7ee444b-a2ae-419b-816b-68debcf27add)

There is nothing interesting on the page itself, so let's look at the source code. Scrolling down, we see something interesting.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-Mcf-OaSOezw6jvx_qdx%2Fimage.png?alt=media\&token=a2a7a412-b368-4ef6-92d6-63c895a0f828)

It looks like a cipher; let's crack it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mceuszphqa9azlyVHXN%2F-Mcf-kH3vvadlh5PnfCH%2Fimage.png?alt=media\&token=1bae5268-d6b7-4a29-a7ab-7e12e4503971)

It looks like a password, but we do not have a username to log in through SSH.

Let's go back to the WordPress site. We have the username `elyana`, but the password is not the right one.

Let's run `wpscan` to gather information about this site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcf0sDQu_qwwFOVPDCR%2F-Mcf1idt9BDLbrSf-lra%2Fimage.png?alt=media\&token=e262dda6-881a-41d5-875d-77bf3da94ab3)

Looking through the output, we see two vulnerabilities:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcf0sDQu_qwwFOVPDCR%2F-Mcf2-o8aHzut9a-ItXp%2Fimage.png?alt=media\&token=371d4aad-4374-4ddf-b2f3-3959d3d63f51)

We have an LFI vulnerability and an Arbitrary File Upload vulnerability. Let's first log in with the credentials we found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcf0sDQu_qwwFOVPDCR%2F-McfA8UH1wJ509lbYlx8%2Fimage.png?alt=media\&token=329b771d-d4b8-4a41-a0d6-17649e0c781e)

Once logged in, we can go to Appearance > Theme Editor, replace the contents of the `404.php` file with a reverse shell, and click update.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfAHTdbrbVxAcBZeNs%2F-McfAvdSoiYPHGvNybYd%2Fimage.png?alt=media\&token=5b0f4a4d-e74b-4928-bbeb-3834c2bc3b13)

Once we have done that, we start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfAHTdbrbVxAcBZeNs%2F-McfB7DrB0MLukgFy2AL%2Fimage.png?alt=media\&token=b2b8d61f-dfc2-44c3-8080-b30f6fb99ca8)

Now we visit this URL to get the reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfAHTdbrbVxAcBZeNs%2F-McfBVBYTNaySXovVHn1%2Fimage.png?alt=media\&token=d9b209dd-bf5f-4562-99e5-1c015b531b38)
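From the defender's side, the sequence just performed (open the theme editor, write PHP into a theme file, then request that file directly) leaves a recognisable trail in the web server's access log. The script below is an added example, not code from the original writeup, that runs that detection over constructed Apache combined-format log lines; the client addresses, theme name (`twentytwenty`) and timestamps are made up for the example.

```python
import re

# Constructed Apache combined-format access log lines (not captured from the
# box). One client opens the theme editor and then fetches a theme PHP file
# directly; a second client fetches a theme PHP file without ever using the
# editor.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [17/Jun/2021:10:05:01 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jun/2021:10:05:09 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jun/2021:10:06:30 +0000] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentytwenty HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jun/2021:10:07:02 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jun/2021:10:07:40 +0000] "GET /wordpress/wp-content/themes/twentytwenty/404.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jun/2021:10:08:00 +0000] "GET /wordpress/wp-content/themes/twentytwenty/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jun/2021:10:08:10 +0000] "GET /wordpress/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
EDITOR_RE = re.compile(r"/wp-admin/theme-editor\.php$")
THEME_PHP_RE = re.compile(r"/wp-content/themes/[^/]+/.*\.php$")


def parse_access_log(text):
    """Parse combined-format lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m.group(1), "ts": m.group(2), "method": m.group(3),
                           "path": m.group(4), "status": int(m.group(5))})
    return events


def detect_theme_editor_abuse(events):
    """Flag theme editor use and direct requests for theme PHP files.

    A theme PHP file is never requested directly during normal browsing, so a
    direct hit is suspicious on its own (low) and much more so when the same
    client opened the theme editor earlier in the log (high).
    """
    alerts = []
    used_editor = set()          # clients that opened the theme editor
    for e in events:
        path = e["path"].split("?", 1)[0]
        if EDITOR_RE.search(path):
            used_editor.add(e["ip"])
            alerts.append((e["ip"], "medium", "theme editor accessed", e["path"]))
        elif THEME_PHP_RE.search(path):
            severity = "high" if e["ip"] in used_editor else "low"
            alerts.append((e["ip"], severity, "direct request to theme PHP file", e["path"]))
    return alerts


if __name__ == "__main__":
    for ip, severity, reason, path in detect_theme_editor_abuse(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"[{severity:>6}] {ip} {reason}: {path}")
```

The cheaper fix is to remove the capability rather than watch for it: WordPress disables the built-in theme and plugin editor when `DISALLOW_FILE_EDIT` is defined as `true` in `wp-config.php`, which is the setting a hardened site should already have. Correlating on the client address is a simplification; a real deployment would key on the logged-in WordPress user and a time window instead.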

Let's stabilize the shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfAHTdbrbVxAcBZeNs%2F-McfBsB8IYOuO8EXuOCE%2Fimage.png?alt=media\&token=22710579-7b1a-485b-85a4-fb49ac075779)

Let's look at the files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfAHTdbrbVxAcBZeNs%2F-McfCKM2QJnTbwQi7DOM%2Fimage.png?alt=media\&token=0544f90f-cb2f-464f-b84b-8d5b868a8a6f)

So the password for the user `elyana` is hidden somewhere on the system.

Let's find all the files that belong to the user `elyana`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfClcsx0BHTtpetSSM%2Fimage.png?alt=media\&token=e84fc6a7-99a7-4c4d-b4e4-647acf25a589)

This is an interesting file; let's read it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfCrXtNLLD1yFSNHj1%2Fimage.png?alt=media\&token=ab756734-1de3-487c-86f5-2604015372cf)

We have the username and password, so let's log in through SSH.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfCzcFOevE8Bq1pza6%2Fimage.png?alt=media\&token=96bc5f3e-7daf-4b8b-8250-4c5c08112f35)

We can now read the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfD63M1Gm_vU_z7dk0%2Fimage.png?alt=media\&token=2c61efed-2071-474b-9578-cf1756591e65)

It looks like it is encoded; let's decode it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfDOSS_8v3XTHeEQTR%2Fimage.png?alt=media\&token=a4c24365-8d14-4891-9471-282208314f64)

## Privilege Escalation

Let's run `sudo -l`:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfDYeLWauFujQdWRsy%2Fimage.png?alt=media\&token=a039067c-6329-497a-8c63-1a53b7d3c289)

It looks like we can run `socat` with sudo, so let's go to [GTFOBins](https://gtfobins.github.io/gtfobins/socat/#sudo) and get the command to escalate privileges to root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfDm420F7dF31_nhoM%2Fimage.png?alt=media\&token=a82725d5-9795-47e8-80d4-496a4f403f06)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfDoK1FkL-ecaw3Die%2Fimage.png?alt=media\&token=9dc327d9-8285-46d0-9b67-4092e39e159c)
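The root cause here is a sudo rule that grants a binary with a documented shell escape. The following audit script is an added example (not code from the original writeup) that parses sudoers-style rules and reports any rule whose command is on a GTFOBins-derived list, rating `NOPASSWD` rules higher because no credential is needed to use them. The rules shown are constructed; only the `elyana` / `socat` line mirrors what `sudo -l` reported above, and whether that rule is `NOPASSWD` on the box is an assumption for the example.

```python
import re
from os.path import basename

# Constructed sudoers-style rules (not the box's real /etc/sudoers). The
# elyana line mirrors the sudo -l result above; NOPASSWD on it is assumed.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
elyana  ALL=(ALL) NOPASSWD: /usr/bin/socat
backup  ALL=(root) /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
"""

# Binaries with a documented sudo shell escape on GTFOBins. Deliberately a
# small subset; extend it from https://gtfobins.github.io/ for a real audit.
SHELL_ESCAPE_BINARIES = {"socat", "vim", "vi", "less", "find", "awk",
                         "perl", "python3", "env", "rsync"}

# user_or_group  host=(runas)  [TAG: ...]  command[, command ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]+)\)\s+"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudoers(text):
    """Expand each sudoers rule into one record per command."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        m = RULE_RE.match(line)
        if not m:
            continue                                # Defaults, aliases, etc.
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(","):
            rules.append({"who": m.group("who"), "runas": m.group("runas"),
                          "nopasswd": "NOPASSWD" in tags, "command": cmd.strip()})
    return rules


def audit_sudoers(rules):
    """Report rules whose command can be turned into a shell as the runas user."""
    findings = []
    for r in rules:
        if r["command"] == "ALL":
            continue                                # blanket grants are reviewed separately
        binary = basename(r["command"].split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append({**r,
                             "severity": "high" if r["nopasswd"] else "medium",
                             "reason": f"{binary} has a sudo shell escape (see GTFOBins)"})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"[{f['severity']:>6}] {f['who']} -> {f['command']}: {f['reason']}")
```

Restricting the arguments in the sudoers rule does not help for tools like `socat`, whose normal arguments already describe a process to run; the fix is to grant a purpose-built wrapper script, or a binary with no escape, instead.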

We are root. We can now read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfDxNT87OKFzik52kw%2Fimage.png?alt=media\&token=068bd8e1-ef7e-4945-97ce-308d7a471ca2)

Let's decode this.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McfCP15WbtBTFAK6iLG%2F-McfE3eaD6dcnJnKzL29%2Fimage.png?alt=media\&token=99ed3d1e-559c-4faf-9437-ecdaf201ee0a)
