Jack
Introduction
Connect to our network and deploy this machine.
Add jack.thm to /etc/hosts
Enumeration
Let's add jack.thm to /etc/hosts:
We always start by scanning the target IP for open ports with nmap.
Since a WordPress site is running on port 80, we can use wpscan to enumerate users and plugins:
wpscan -e u,ap --url http://jack.thm
We find 3 users:
Let's do a brute force against the 3 users:
wpscan --url http://jack.thm/ -t 3 -P fasttrack.txt -U users.txt
Let's log in; we get in with low privileges:
Exploitation
USER.TXT
If we fire up Burp Suite with FoxyProxy, intercept the profile update request, add &ure_other_roles=administrator and forward the request, we become administrators:
Let's place a reverse shell in the plugins section, start an nc listener, spawn a shell and get the flag:
ROOT.TXT
Let's check what's in reminder.txt and look at the backups; there we find an id_rsa, which we copy over and use as the jack user:
Before we move on, build pspy as follows:
git clone https://github.com/DominicBreuker/pspy.git
cd pspy
sudo apt install golang
go get github.com/dominicbreuker/pspy/cmd
go build
Let's upload pspy to the machine:
We find an interesting file (checker.py) running a /bin/sh -e, which we can use to elevate our privileges:
Then we check jack's id and notice he is in the family group.
We also find that the os.py module is readable and writable by that group, which we can exploit when the cron job runs checker.py again to open a root shell.
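The root cause here is a group-writable module on the interpreter's import path, so an administrator can catch it with a permission audit. The following script is an added example, not part of the original writeup: it lists group- or world-writable .py files (and directories) on each path given, and its demo() builds a constructed fixture with a writable os.py to show what gets flagged.

```python
"""Audit the Python import path for group/world-writable modules.

Added example (not from the original writeup): a root cron job running
checker.py imports modules from sys.path, so any writable .py there (the
group-writable os.py in this box) lets a low-privileged user run code as
root. This lists such files so an admin can fix the permissions.
"""
import os
import stat
import sys
import tempfile


def writable_by_others(mode: int) -> bool:
    """True if the permission bits grant write access to group or world."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_paths(paths):
    """Return (path, mode, uid, gid) for writable .py files or directories.

    Each directory in `paths` is checked itself (a writable directory lets
    someone drop a new module) plus its top-level .py files.
    """
    findings = []
    for base in paths:
        # '' on sys.path means the script's own directory; resolve it.
        base = base or os.getcwd()
        if not os.path.isdir(base):
            continue
        candidates = [base] + [
            os.path.join(base, f) for f in sorted(os.listdir(base)) if f.endswith(".py")
        ]
        for path in candidates:
            try:
                st = os.stat(path)
            except OSError:
                continue
            if writable_by_others(st.st_mode):
                findings.append((path, stat.filemode(st.st_mode), st.st_uid, st.st_gid))
    return findings


def demo():
    """Constructed fixture: one group-writable os.py beside a safe module."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)
        for name, mode in (("os.py", 0o664), ("safe.py", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("# placeholder module\n")
            os.chmod(path, mode)
        return [(os.path.basename(p), m) for p, m, _, _ in audit_paths([tmp])]


if __name__ == "__main__":
    for path, mode, uid, gid in audit_paths(sys.path):
        print(f"{mode} uid={uid} gid={gid} {path}")
```

Run it as the same user the cron job runs as (root) to see exactly the paths that interpreter would import from.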