recon

Vulnerable VM image

CTF VM

This system was set up in a CTF with VirtualBox 6.1.

Download from VulnHub or via magnet link.

Services

nmap shows port 80 open; browsing to it with a web browser shows that WordPress is installed.

wpscan enumerates the authors:

  • recon
  • reconauthor

Footholds

wpscan finds a password:

  • Username: reconauthor, Password: football7

The usual tricks (editing theme files, uploading malicious PHP code) don’t seem to work without effort.

After clicking around, there’s a vulnerable plugin: e-Learning. https://www.exploit-db.com/exploits/46981

Upload a .zip file containing at least one .html file, plus as many .php files as you want, then request them directly:

  • http://$IP/wp-content/uploads/articulate_uploads/…
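The plugin's flaw is that it unpacks an uploaded .zip into the web root without inspecting its members. As an added example (not the page's or the plugin's code), this is the archive validation an upload handler should perform before extraction, run against constructed sample archives; the blocked-extension list is an assumption to tune per server configuration.

```python
import io
import posixpath
import zipfile

# Suffixes a web server might execute or honour if they land under wp-content/uploads.
# Assumed list for this example; tune to the server's handler configuration.
BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".htaccess"}


def archive_violations(zip_bytes: bytes) -> list[str]:
    """Return the reasons an uploaded archive must be rejected (empty list if clean).

    Every member name is checked for server-executable suffixes (double extensions
    such as shell.php.html included) and for paths that escape the extraction directory.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Absolute paths or ".." components would write outside the target directory.
            if name.startswith("/") or ".." in name.split("/"):
                problems.append(f"path escapes extraction directory: {name}")
                continue
            if info.is_dir():
                continue
            base = posixpath.basename(name).lower()
            # Treat every dotted suffix as an extension so shell.php.html is caught too.
            suffixes = {"." + part for part in base.split(".")[1:]}
            hit = suffixes & BLOCKED_EXTENSIONS
            if hit:
                problems.append(f"server-executable member: {name} ({', '.join(sorted(hit))})")
    return problems


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: a legitimate e-learning package and a hostile one.
CLEAN_PACKAGE = build_zip({"story.html": b"<html></html>", "story_content/data.js": b"var x = 1;"})
HOSTILE_PACKAGE = build_zip({
    "story.html": b"<html></html>",
    "shell.php.html": b"placeholder",        # double extension
    "story_content/.htaccess": b"placeholder",  # could re-enable script execution
    "../evil.php": b"placeholder",           # path traversal out of the uploads dir
})
```

Even with this check in place, the uploads directory should be configured so the web server never executes scripts from it.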

Escalation

A quick enumeration shows that the www-data user can run gdb as the offensivehack user via sudo. GTFOBins tells us how to exploit this: https://gtfobins.github.io/gtfobins/gdb/#sudo

sudo -u offensivehack gdb -nx -ex '!sh' -ex quit

Docker is on the box. GTFOBins tells us how to exploit this: https://gtfobins.github.io/gtfobins/docker/ My preferred method is to use Docker to make a small SUID executable that calls /bin/sh, then execute it from the host side.

docker run --rm -i -v $PWD:/opt -w /opt ubuntu