KB-VULN: 2 ~ VulnHub – Walk through

Name: KB-VULN: 2
URL: https://www.vulnhub.com/entry/kb-vuln-2,562/
Release Date: 17 Sep 2020
Author:MachineBoy
Difficulty Stated: Medium
Difficulty I found: Beginner
OS used: KaliLinux 2020.2
Things you can learn from this VM: Enumeration, Directory finding, Adding hostname in /etc/hosts, SMB anonymous login, WordPress plugin based shell upload, Privilege Escalation, Reverse shell

As always we will start from NMAP

Next I tried to login Samba as anonymous user and got successful. Found a backup.zip file and downloaded it.

Unzipped the backup.zip and got some credentials.

Next, I ran gobuster to find directories present and found wordpress.
Command -> gobuster dir -w /usr/share/wordlists/dirb/big.txt -x php,txt,zip -u http://192.168.10.6 -t 100

Visited the wordpress website and found its domain was “kb.vuln“, so added this entry in my /etc/hosts file.

I used the credentials admin:MachineBoy141 to login wordpress portal.

I tried editing 404.php file with malicious php script but it failed :-(

So, I uploaded & installed a malicious wordpress plugin. I used the plugin WordPress Plugin ACF Frontend Display 2.0.5 – Arbitrary File Upload

Next, I ran the following command to upload php reverse shell file from my Kali box to kb.vuln.
curl -k -X POST -F “action=upload” -F “files=@php-reverse-shell.php” “http://kb.vuln/wordpress/wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php

Started a netcat listener at my Kali box and accessed the following web location:
http://kb.vuln/wordpress/wp-content/uploads/uigen_2020/php-reverse-shell.php

As a result I got reverse shell as ‘www-data‘ user.

I read the user flag.

Next, I used the same password “MachineBoy141” for switching as user kbadmin user.

Ran “sudo -l” command and found that kbadmin can run any command. as root.

Finally read the root flag.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: