Date: Apr 2, 2024 → Apr 3, 2024
Tags: Linux, Local privilege escalation, Password Cracking, SQLi
Scan
TCP ports:
22 / ssh
80 / http
80/HTTP
After clicking "no comment", the URL changes, so this may be a chance to use SQLi.
The only way to get more information is to explore the index.html…
We found a parameter called "cat=1"; when we change it to 2,
the site shows a search page, so maybe we can search for something interesting.
Build an SQLi payload.
We can see that ' and " cannot be used, even URL-encoded as %27, so we give up on ' and " and try a pure (quote-free) approach.
We found that this table has 5 columns, and changing cat=1 to cat=2 changes the returned data.
So the payload will be:
Since ' and " cannot be used, there are two ways to get a string into the = comparison without them:
- use hex encoding
- use the database() function
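As an added, defender-side example (not part of the original writeup), the following Python script scans constructed web-server access-log lines for exactly the quote-free SQLi markers used above: UNION SELECT column probing, database(), information_schema lookups and 0x... hex literals, which it decodes back to the table name being enumerated. The combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (assumed combined log format; not from the writeup).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2024:10:01:02 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120
10.0.0.5 - - [02/Apr/2024:10:01:09 +0000] "GET /Hackademic_RTB1/?cat=2 HTTP/1.1" 200 4870
10.0.0.5 - - [02/Apr/2024:10:02:31 +0000] "GET /Hackademic_RTB1/?cat=1%20UNION%20SELECT%201,database(),3,4,5 HTTP/1.1" 200 4900
10.0.0.5 - - [02/Apr/2024:10:03:15 +0000] "GET /Hackademic_RTB1/?cat=1%20UNION%20SELECT%201,group_concat(column_name),3,4,5%20FROM%20information_schema.columns%20WHERE%20table_name=0x77705f63617465676f72696573 HTTP/1.1" 200 5300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Quote-free SQLi markers: UNION SELECT column probing, database(), schema enumeration.
SQL_TOKENS = re.compile(r'\bunion\s+(?:all\s+)?select\b|\bdatabase\(\)|\binformation_schema\b|\bgroup_concat\(', re.I)
# MySQL hex string literals (0x...), the quote bypass described in the writeup.
HEX_LITERAL = re.compile(r'\b0x[0-9a-fA-F]{4,}\b')

def decode_hex_literals(value):
    """Return the ASCII strings hidden in 0x... literals (e.g. the targeted table name)."""
    decoded = []
    for m in HEX_LITERAL.finditer(value):
        try:
            decoded.append(bytes.fromhex(m.group(0)[2:]).decode('ascii'))
        except (ValueError, UnicodeDecodeError):
            decoded.append(m.group(0))  # odd length or non-ASCII: keep the raw literal
    return decoded

def analyze_log(text):
    """Flag requests whose query parameters carry quote-free SQLi markers."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes values, so %20UNION%20SELECT becomes readable text
        params = parse_qs(urlparse(m.group('target')).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                tokens = sorted({re.sub(r'\s+', ' ', t.lower()) for t in SQL_TOKENS.findall(value)})
                hex_strings = decode_hex_literals(value)
                if tokens or hex_strings:
                    findings.append({'ip': m.group('ip'), 'time': m.group('ts'), 'param': name,
                                     'tokens': tokens, 'hex_decoded': hex_strings})
    return findings

if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} tokens={f['tokens']} hex={f['hex_decoded']}")
```

The two benign cat=1 / cat=2 requests produce no finding; the two injection lines are flagged, and the hex literal is decoded to wp_categories so an analyst sees which table was being enumerated.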
For now we have all the WordPress table names; next we look for any data that could help us log in somewhere.
| Table Name | To Hex | Column name | Result SQL |
|---|---|---|---|
| wp_categories | 0x77705f63617465676f72696573 | cat_ID, cat_name, category_nicename, category_description, category_parent | |
| wp_comments | | | |
| wp_linkcategories | | | |
| wp_links | | | |
| wp_options | | | |
| wp_post2cat | | | |
| wp_postmeta | | | |
| wp_posts | | | |
| wp_users | | ID, user_login, user_pass, user_firstname, user_lastname, user_nickname, user_nicename, user_icq, user_email, user_url, user_ip, user_domain, user_browser, user_registered, user_level, user_aim, user_msn, user_yim, user_idmode, user_activation_key, user_status, user_description | |
This looks like the default WordPress schema, so we can try brute-forcing paths again, this time under the URI /Hackademic_RTB1.
We are interested in wp_users, so let's explore it further.
wp_users

| user_login | user_pass | After cracking | Works? |
|---|---|---|---|
| GeorgeMiller | 7cbb3252ba6b7e9c422fac5334d22054 | q1w2e3 | yes (post manager) |
| MaxBucky | 50484c19f1afdaf3841a0d821ed393d2 | kernel | yes |
| NickJames | 21232f297a57a5a743894a0e4a801fc3 | admin | yes |
| JasonKonnors | 8601f6e1028a8e8a966f6c33fcd9aec4 | maxwell | yes |
| TonyBlack | a6e514f9486b83cb53d8d932f9a04292 | napoleon | yes |
| JohnSmith | b986448f0bb9e5e124ca91d3d650f52c | PUPPIES | yes |
We can log in with any of these accounts, but GeorgeMiller is an admin, so that account can do more than the others.
As admin we can edit plugin files (PHP), so we can inject a reverse shell.
And voilà~
We can read passwd but not shadow.
Nothing useful was found with this account, so we look for a kernel vulnerability.
With searchsploit we found 15285.c, which can be used for local privilege escalation. Now we just need to upload this C file to the machine; we found that the "import links" function lets us upload files to /wp-content/*.
Compile the C file, make it executable, and run it.
Root!!!!