Vulnhub UA: Literally Vulnerable — Walkthrough
According to the maker, the initial shell is easy and the privesc is intermediate, but I don't think so. The machine was very easy from start to end and took 1 hour and 30 minutes to complete. WordPress is running on port 65535, and it is exploited to get an initial shell as user www-data. After that there is a binary that takes input from an environment variable; exploiting that gave a shell as user john, and finally john's sudo permissions were abused to get root.
Started with an nmap scan, which found 4 open ports.
From nmap we also learned that anonymous login is enabled on port 21 and that there is a readable file there, backupPasswords. I pulled that file to my local machine; it contains a list of passwords for a user Doe, one of which is correct.
These passwords look like the ones WordPress generates, and WordPress is running on port 80, so that is where I went next.
A freshly deployed WordPress: nothing in the posts, and wpscan found nothing other than the user admin. When I clicked on Log In it redirected to
http://literally.vulnerable/wp-login.php ; after adding this domain to
/etc/hosts I could access the login page.
Brute force on the login:
# hydra -l admin -P pass.txt literally.vulnerable http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:F=ERROR'
No passwords found. Directory brute forcing and nikto also turned up nothing interesting...
But then I remembered that there is one more web port (65535) to enumerate.
Its home page is the default Apache page. After directory brute forcing with a few wordlists I found a directory
/phpcms , and inside it another WordPress with a password-protected post and a comment.
From this comment we know that the WordPress password for the user John is in that protected post, but how do we access it?
wpscan found two users, one of them
notadmin . I saved both usernames in a file user.txt and brute forced them with the passwords we got from FTP:
# wpscan --url http://literally.vulnerable:65535/phpcms --usernames user.txt --passwords pass.txt
After logging in I found that this is a simple user and we can't do much with it, but we can view the password-protected post, and from it I got the password for the user notadmin.
Logged in as notadmin and found that it is a WordPress admin user.
Go to the Plugins section, then Add New > Upload Plugin, and upload any PHP shell you prefer. In my case I used php-reverse-shell.php; before uploading, edit the script and put in the IP and port on which you want the reverse connection.
WordPress will show an error that the plugin cannot be installed, but the uploaded PHP shell is still there. Start nc listening on the given port and open the shell in the browser.
To get a proper shell, upgrade to a pty and then, after backgrounding it with Ctrl-Z, fix the terminal on your own machine:
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
# stty raw -echo
Privilege Escalate to User John
There are two users, doe and john. John's home directory contains only user.txt, which we can't read. doe's home directory is a bit more interesting: a message from admin not to delete a sensitive file, a local.txt which is not accessible, and a binary named
itseasy which runs as user john because its setuid bit is set (the s in the permissions below):
-rwsr-xr-x 1 john john 8632 Dec 4 12:26 itseasy
On running this binary it prints the current directory:
Your Path is: /home/doe
Initially I thought it was executing the
pwd command and that we could exploit it the way we did in
pwnlab:init , but that is not the case. After running strings on the binary I found keywords such as
getenv , and what struck me is the environment variable
PWD : the binary must be printing the value of
PWD . So I changed that:
$ export PWD=";/bin/bash"
The semicolon splits that line into two commands, so bash gets executed; running the binary then gave me a shell as user john.
Privilege Escalate to root
In user.txt it is written that
Almost there! Remember to always check permissions! It might not help you here, but somewhere else! ;)
Permissions... I thought the things to look at were sudo and suid. We have no credentials for sudo, so I focused on suid, but after some time found nothing. When I was out of ideas I remembered
https://guif.re/linuxeop , which helped me so much in OSCP.
Going through that page I found the find command for harvesting password files:
$ find . -type f -iname "*password*"
I thought I'd give it a try, and it found a file containing john's password, base64 encoded. I decoded it.
Now we can run
sudo -l to see john's sudo permissions.
Looking at the permissions I thought this is going to be easy, and it really was.
I took another shell as user www-data and created a file in
/var/www/html , then changed its permissions to 777 (anyone can read, write and execute it).
Then from john's shell I executed it with sudo and got root.
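The root step works because john's sudo rule points at a file whose directory and contents any other user (here www-data) can write. The audit below is an added example, not part of the original walkthrough: it parses sudoers user specs, walks each command path up to / and flags every component that a user other than root could edit, replace or create. The sudoers line, the run.sh names and the temp-dir layout are constructed for the demo and are not the VM's real paths.

```python
"""Sudoers command-path audit (constructed example, not the walkthrough's code)."""
import os, re, stat, tempfile

# A sudoers user spec whose command is an absolute path, e.g.
#   john ALL=(ALL) NOPASSWD: /var/www/html/run.sh, /usr/bin/less
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z]+:\s*)*(?P<cmds>/.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers_commands(text):
    """Return [(user, command path)] for each user spec; arguments are dropped."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = None if line.startswith(SKIP) else SPEC_RE.match(line)
        for cmd in (m.group("cmds").split(",") if m else ()):
            found.append((m.group("user"), cmd.strip().split()[0]))
    return found

def path_weaknesses(path, trusted_uid=0):
    """Walk from the command file up to '/' and report every component that a
    user other than trusted_uid could edit, replace or create."""
    findings, component = [], path
    while True:
        try:
            st = os.lstat(component)
            if st.st_uid != trusted_uid:
                findings.append((component, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # /tmp-style sticky dirs count too
                findings.append((component, "group- or world-writable"))
        except FileNotFoundError:  # a writable parent would let anyone create it
            findings.append((component, "missing"))
        parent = os.path.dirname(component)
        if parent == component:
            return findings
        component = parent

def demo():
    """Rebuild both situations under a temp dir (constructed paths, not the VM's): a 0777
    script in a 0777 directory as in the walkthrough, and a 0755 script in a 0755 directory."""
    base, sudoers = tempfile.mkdtemp(), ""
    for name, mode in (("weak", 0o777), ("safe", 0o755)):
        d = os.path.join(base, name); os.mkdir(d)
        script = os.path.join(d, "run.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\nid\n")
        os.chmod(d, mode); os.chmod(script, mode)
        sudoers += f"john ALL=(ALL) NOPASSWD: {script}\n"
    return {os.path.basename(os.path.dirname(p)): path_weaknesses(p, os.getuid())
            for _, p in parse_sudoers_commands(sudoers)}
```

demo() checks against the current uid so it runs unprivileged; on a real host, run path_weaknesses() on the output of parse_sudoers_commands() over /etc/sudoers with the default trusted_uid of 0.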