Name: KB-VULN: 2
Release Date: 17 Sep 2020
Difficulty Stated: Medium
Difficulty I found: Beginner
OS used: KaliLinux 2020.2
Things you can learn from this VM: Enumeration, Directory finding, Adding hostname in /etc/hosts, SMB anonymous login, WordPress plugin based shell upload, Privilege Escalation, Reverse shell
As always, we start with an Nmap scan.
Next, I tried logging in to Samba as an anonymous user, which succeeded. I found a backup.zip file on the share and downloaded it.
Unzipping backup.zip yielded some credentials.
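Anonymous SMB access like the one above is usually the result of two smb.conf settings working together: a share with "guest ok = yes" and a global "map to guest" that turns failed logins into guest sessions. The following audit script is an added example, not part of this write-up; it parses a constructed smb.conf (not the VM's real configuration) and flags the shares a defender should review.

```python
"""
Audit a Samba smb.conf for shares that permit anonymous (guest) access.
Added example (not part of the original write-up); the smb.conf text
below is constructed for illustration and does not come from the VM.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
YES_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}}; keys are lower-cased
    and whitespace-normalised so 'guest ok' and 'guest  ok' match."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip().lower()
    return sections


def find_guest_shares(text: str) -> List[str]:
    """Return the names of shares guests can read ('guest ok' or its
    synonym 'public' set to yes), ignoring the [global] section."""
    conf = parse_smb_conf(text)
    flagged = []
    for name, opts in conf.items():
        if name == "global":
            continue
        guest = opts.get("guest ok", opts.get("public", "no"))
        if guest in YES_VALUES:
            flagged.append(name)
    return flagged


def maps_failed_logins_to_guest(text: str) -> bool:
    """'map to guest = bad user' (or bad password / bad uid) turns a failed
    login into a guest session, which is why an 'anonymous' login works."""
    val = parse_smb_conf(text).get("global", {}).get("map to guest", "never")
    return val in {"bad user", "bad password", "bad uid"}


# Constructed sample configuration, not the VM's real smb.conf.
SAMPLE_SMB_CONF = """\
# constructed sample, not the VM's real configuration
[global]
   workgroup = WORKGROUP
   map to guest = bad user

[backups]
   path = /srv/samba/backups
   browseable = yes
   guest ok = yes
   read only = yes

[private]
   path = /srv/samba/private
   guest ok = no
   valid users = kbadmin
"""

if __name__ == "__main__":
    print("guest-readable shares:", find_guest_shares(SAMPLE_SMB_CONF))
    print("failed logins become guest:", maps_failed_logins_to_guest(SAMPLE_SMB_CONF))
```

Run it against a copy of /etc/samba/smb.conf taken from a host you administer; any share it lists is readable without credentials, and "map to guest" set to anything other than "never" is what lets a made-up username in.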
Next, I ran gobuster to enumerate directories and found a WordPress installation.
Command -> gobuster dir -w /usr/share/wordlists/dirb/big.txt -x php,txt,zip -u http://192.168.10.6 -t 100
Visiting the WordPress site showed that its domain was "kb.vuln", so I added an entry for it to my /etc/hosts file.
I used the credentials admin:MachineBoy141 to log in to the WordPress portal.
I tried editing the 404.php file with a malicious PHP script, but it failed :-(
So, I uploaded and installed a vulnerable WordPress plugin instead. I used the plugin from "WordPress Plugin ACF Frontend Display 2.0.5 – Arbitrary File Upload".
Next, I ran the following command to upload a PHP reverse shell from my Kali box to kb.vuln (the upload form field name and the local file name are shown as placeholders):
curl -k -X POST -F "action=upload" -F "<file-field>=@<php-reverse-shell>.php" "http://kb.vuln/wordpress/wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php"
I started a netcat listener on my Kali box and accessed the following web location:
As a result, I got a reverse shell as the 'www-data' user.
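From the defender's side, the whole chain above leaves a clear trail in the web server's access log: a POST to the plugin's bundled upload handler, followed by a GET for a .php file from the directory that handler writes to. The script below is an added example, not part of this write-up. It runs that detection over a few constructed Apache combined-format log lines (the client IP and file name are made up); it assumes, as blueimp's PHP handler does by default, that uploads land in a files/ directory next to index.php.

```python
"""
Detect the plugin-based file upload from this write-up in Apache
combined-format access logs. Added example, not part of the original
write-up; the log lines are constructed for illustration.
Assumption: the blueimp PHP handler stores uploads under 'files/' beside
its index.php, so a .php fetched from there is an uploaded file being run.
"""
import re
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Upload endpoint seen in the write-up: any plugin shipping blueimp's handler.
UPLOAD_ENDPOINT_RE = re.compile(r"/wp-content/plugins/[^/]+/.*/server/php/index\.php$")
# A .php file fetched from the handler's storage directory (assumed 'files/').
PHP_IN_UPLOAD_DIR_RE = re.compile(r"/wp-content/plugins/[^/]+/.*/server/php/files/[^/]+\.php$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, finding, path) tuples. Findings:
    plugin_upload_post - POST to a plugin's upload handler
    php_in_upload_dir  - GET of a .php file from the upload directory
    upload_then_exec   - the same client did both, in that order"""
    findings: List[Tuple[str, str, str]] = []
    uploaders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if method == "POST" and UPLOAD_ENDPOINT_RE.search(path):
            findings.append((ip, "plugin_upload_post", path))
            uploaders.add(ip)
        elif method == "GET" and PHP_IN_UPLOAD_DIR_RE.search(path):
            findings.append((ip, "php_in_upload_dir", path))
            if ip in uploaders:
                findings.append((ip, "upload_then_exec", path))
    return findings


# Constructed sample log; 192.168.10.5 and cmd.php are made up for the example.
SAMPLE_ACCESS_LOG = [
    '192.168.10.5 - - [17/Sep/2020:10:01:02 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '192.168.10.5 - - [17/Sep/2020:10:05:11 +0000] "POST /wordpress/wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php HTTP/1.1" 200 312 "-" "curl/7.72.0"',
    '192.168.10.5 - - [17/Sep/2020:10:05:40 +0000] "GET /wordpress/wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/files/cmd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.10.7 - - [17/Sep/2020:10:06:00 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding, path in detect(SAMPLE_ACCESS_LOG):
        print(f"{finding:20} {ip} {path}")
```

The third finding, upload_then_exec, is the one worth an alert on its own: a single client posting to a plugin's upload handler and then requesting PHP from its storage directory is the upload-and-execute pattern regardless of which plugin is involved. Blocking PHP execution under wp-content/uploads and plugin asset directories (for example with a web server rule) removes the second step entirely.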
I read the user flag.
Next, I reused the same password "MachineBoy141" to switch to the kbadmin user.
Running "sudo -l" showed that kbadmin can run any command as root.
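The sudo -l result above means kbadmin's sudoers entry grants ALL commands, so the password reuse alone was enough for root. The following audit script is an added example, not part of this write-up; it parses a constructed sudoers file (not the VM's real /etc/sudoers) and lists every non-root user or group with an unrestricted ALL entry, noting whether NOPASSWD makes it usable without even the password.

```python
"""
Audit a sudoers file for users or groups that may run ANY command as
root, the condition 'sudo -l' revealed for kbadmin in this write-up.
Added example, not part of the original write-up; the sudoers text is
constructed and is not the VM's real /etc/sudoers.
"""
import re
from typing import Iterator, List, Tuple

# user  host = (runas) [TAG:] command, command ...
USER_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z_]+):\s*")
PER_CMD_RUNAS_RE = re.compile(r"^\([^)]*\)\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "@include", "#")


def _commands(spec: str) -> Iterator[Tuple[str, bool]]:
    """Yield (command, nopasswd) for a comma-separated command list.
    In sudoers a tag such as NOPASSWD: stays in force for the following
    commands in the same list until PASSWD: resets it."""
    nopasswd = False
    for item in spec.split(","):
        item = PER_CMD_RUNAS_RE.sub("", item.strip())
        while True:
            m = TAG_RE.match(item)
            if not m:
                break
            tag = m.group(1)
            if tag == "NOPASSWD":
                nopasswd = True
            elif tag == "PASSWD":
                nopasswd = False
            item = item[m.end():]
        yield item.strip(), nopasswd


def audit_sudoers(text: str) -> List[Tuple[str, bool]]:
    """Return (user_or_group, nopasswd) for every non-root entry whose
    command list contains the keyword ALL, i.e. unrestricted root."""
    findings: List[Tuple[str, bool]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        for cmd, nopasswd in _commands(m.group("cmds")):
            if cmd == "ALL":
                findings.append((m.group("user"), nopasswd))
                break
    return findings


# Constructed sample, not the VM's real sudoers.
SAMPLE_SUDOERS = """\
# constructed sample, not the VM's real sudoers
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
kbadmin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for who, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: may run ALL as root" + (" without a password" if nopasswd else ""))
```

On a real host run it over /etc/sudoers and each file in /etc/sudoers.d. Every entry it lists is a full root grant; the fix is to replace ALL with the specific commands the account actually needs, and the account's password must then be treated as a root-equivalent secret, which is exactly what reusing the WordPress admin password broke here.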
Finally read the root flag.