nmap
WPScan – enumerate users
WPScan – Plugin Vulnerability (IDOR) found
https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
Following the PoC explained at the URL above, I first tried uploading CV files
Since WordPress saves uploaded files as /wp-content/uploads/{year}/{month}/{file name}
I checked whether the file I uploaded exists, and yes, it's uploaded
Also, in the HTML code of the application page, I observed that the uploaded application name appears
I brute-forced the pages (IDOR vulnerability) and an interesting application name appeared
One can also do the brute force via Burp Intruder
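As an added, defender-side example (not part of the original writeup), the following Python scans web-server access-log lines for the trace the IDOR brute force above leaves behind: one client walking a numeric query parameter through consecutive values. The parameter name application_id, the IP addresses and the log lines are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Apache/nginx combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample: 203.0.113.7 enumerates application_id=1..6,
# 198.51.100.2 makes two ordinary requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "GET /?application_id=%d HTTP/1.1" 200 512' % (i, i)
    for i in range(1, 7)
] + [
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?p=2 HTTP/1.1" 200 4096',
    '198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 900',
]

def parse_line(line):
    """Return (ip, path, query dict, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    url = urlparse(target)
    return ip, url.path, parse_qs(url.query), int(status)

def find_enumeration(lines, min_ids=5, max_gap=3):
    """Flag (ip, path, param) triples where one client requested at least
    min_ids distinct numeric values that mostly lie within max_gap of each
    other, i.e. a sequential ID walk. Returns (ip, path, param, count, lo, hi)."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, qs, _status = parsed
        for param, values in qs.items():
            for v in values:
                if v.isdigit():
                    seen[(ip, path, param)].add(int(v))
    alerts = []
    for (ip, path, param), ids in seen.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        # Count adjacent pairs that are close together; a real walk has many.
        close = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        if close >= min_ids - 1:
            alerts.append((ip, path, param, len(ids), ordered[0], ordered[-1]))
    return alerts
```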
I used the PoC exploit in the blogpost above and modified the exploit a bit as below:
And found a file with the name HackerAccessGranted
I downloaded the jpg file and checked for any hidden information in it using the following tools
strings HackerAccessGranted.jpg | less
exiftool HackerAccessGranted.jpg
binwalk HackerAccessGranted.jpg
steghide --extract -sf HackerAccessGranted.jpg (-sf is the source file option)
Look at the content of the id_rsa file
Since it's encrypted, we need to decrypt it first to use it
Convert the file into a John-crackable form with the sshng2john tool
Then crack the passphrase
Change the permissions of the RSA key file to 600 and log in as the takis user with the cracked passphrase
Priv Esc
So the takis user can run /bin/fuckin as root
The content of the file can be seen below: it takes arguments and executes them
We run sudo /bin/fuckin bash and become root