1.) Target Discovery
‘# netdiscover -i wlan0’
The IP address of the target VM is ‘192.168.1.8’.
2.) Web Enumeration
Since many of these VMs run a web server on port 80, I went straight to the browser, without an nmap scan, to check whether any web service was running on the VM.
And yes, we have a web service running on this VM, but it only shows the default Apache page.
In the page source I found something interesting: a comment pointing towards the ‘/alohomora’ directory.
In ‘/alohomora’ we found a hint for the credentials of the user Draco: ‘The draco’s house’. I didn’t know the name of Draco’s house or who Draco is, but I did know that this VM is based on a “Harry Potter” theme.
So with the help of Google I found the right password for the user Draco, which is slytherin.
At this point I had the user ‘Draco’ and the password ‘slytherin’, but I didn’t have any login form or page where I could use these credentials.
To enumerate the web server further I used gobuster for directory brute-forcing.
In gobuster’s results I found a page, ‘log’.
The log page points towards another directory, ‘/DiagonAlley’.
And in that directory I found a WordPress installation.
3.) Uploading Shell
So I had found a WordPress installation and the right credentials to log in as the user Draco.
For the reverse shell I used Metasploit’s module “exploit/unix/webapp/wp_admin_shell_upload” with the credentials ‘Draco:slytherin’.
And I got a meterpreter session.
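From the defender’s side, the step above leaves a recognisable trail in the web server log: an authenticated login to WordPress, a plugin upload through wp-admin, and then a request for a freshly created PHP file under wp-content/plugins, all from one client within a short window. The following detection is an added example, not code from the original write-up; it assumes Apache combined log format and the standard WordPress paths (wp-login.php, wp-admin/update.php?action=upload-plugin, wp-content/plugins/), and the log lines are constructed, not captured from the VM.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not taken from the VM).
SAMPLE_LOG = """\
192.168.1.5 - - [12/Mar/2021:10:01:02 +0000] "GET /DiagonAlley/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.5 - - [12/Mar/2021:10:01:09 +0000] "POST /DiagonAlley/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.5 - - [12/Mar/2021:10:01:11 +0000] "POST /DiagonAlley/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
192.168.1.5 - - [12/Mar/2021:10:01:13 +0000] "GET /DiagonAlley/wp-content/plugins/XkQwZp/YmVbcd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.9 - - [12/Mar/2021:10:05:00 +0000] "POST /DiagonAlley/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.9 - - [12/Mar/2021:10:05:40 +0000] "GET /DiagonAlley/wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request method, path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Turn raw log lines into (ip, timestamp, method, path, status) tuples; skip unparsable lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))))
    return events


def find_plugin_shell_uploads(lines, window=timedelta(minutes=5)):
    """Return (ip, path) for every client that, within `window` of a successful wp-login.php POST,
    uploaded a plugin via wp-admin/update.php and then requested a .php file under wp-content/plugins.
    A legitimate admin installing a plugin rarely calls a PHP file inside it directly, so this
    sequence is a strong signal for an uploaded web shell."""
    by_ip = {}
    for ev in parse(lines):
        by_ip.setdefault(ev[0], []).append(ev)

    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[1])
        login_ts, uploaded = None, False
        for _, ts, method, path, status in evs:
            if method == "POST" and path.endswith("/wp-login.php") and status in (200, 302):
                login_ts, uploaded = ts, False  # new session: reset the state machine
            elif login_ts is None or ts - login_ts > window:
                continue  # no recent login from this client
            elif method == "POST" and "wp-admin/update.php" in path and "action=upload-plugin" in path:
                uploaded = True
            elif uploaded and "/wp-content/plugins/" in path and path.endswith(".php"):
                hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in find_plugin_shell_uploads(SAMPLE_LOG.splitlines()):
        print(f"possible web shell: {ip} -> {path}")
```

Run it against a real access log with `find_plugin_shell_uploads(open("access.log").readlines())`; the second client in the sample logs in and browses wp-admin normally and is correctly left alone.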
4.) Privilege Escalation
‘$ find / -perm -u=s -type f 2>/dev/null’
I ran the above command to list the binaries that have the SUID bit set.
I found that the ‘find’ binary had the SUID bit set. To exploit this and get a root shell I used the command below.
‘$ find . -exec /bin/sh -p \; -quit’
Because ‘find’ runs with root’s effective UID, the shell it spawns inherits it; the ‘-p’ flag tells the shell not to drop the effective UID back to the real one, which it would otherwise do on startup.
Successfully got root privileges and the ‘proof.txt’ flag.
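The SUID listing above is also the check a defender should run on every image before it ships: any shell-capable binary with the SUID bit set is a misconfiguration, and anything outside the expected set deserves a look. The script below is an added example, not code from the original write-up; it walks the filesystem the way ‘find / -perm -u=s -type f’ does, then rates each hit. The SHELL_CAPABLE and BASELINE sets are constructed assumptions (a non-exhaustive list of binaries that can spawn a shell, and the SUID binaries a stock Debian/Ubuntu host typically carries) and should be regenerated from a known-good host of your own.

```python
import os
import stat

# SUID binaries that can hand the caller an interactive shell or arbitrary command execution
# (the page's 'find -exec' is one instance). Constructed, non-exhaustive list.
SHELL_CAPABLE = {
    "find", "bash", "sh", "dash", "zsh", "vim", "vi", "less", "more", "env",
    "python", "python3", "perl", "awk", "nmap", "cp", "mv", "tar",
}

# SUID binaries a stock Debian/Ubuntu image is expected to carry (assumed baseline; regenerate it
# by running this script on a known-good host and recording what it finds).
BASELINE = {
    "passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "gpasswd",
    "newgrp", "pkexec", "fusermount", "ping",
}

# Virtual filesystems: nothing useful lives there and walking them is slow.
PSEUDO_FS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/"):
    """Walk `root` and return (path, owner_uid) for every regular file with the SUID bit set.
    Equivalent to the page's 'find / -perm -u=s -type f', with pseudo filesystems pruned."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found


def classify(entries):
    """Rate each (path, uid) entry: CRITICAL for shell-capable binaries, 'expected' for the
    baseline, REVIEW for anything else. The owner is kept because root-owned hits matter most."""
    report = []
    for path, uid in entries:
        base = os.path.basename(path)
        if base in SHELL_CAPABLE:
            verdict = "CRITICAL"
        elif base in BASELINE:
            verdict = "expected"
        else:
            verdict = "REVIEW"
        report.append((path, "root" if uid == 0 else f"uid {uid}", verdict))
    return report


if __name__ == "__main__":
    # On the VM in this write-up, /usr/bin/find would show up as CRITICAL root.
    for path, owner, verdict in classify(find_suid("/")):
        print(f"{verdict:9} {owner:9} {path}")
```

The fix for a CRITICAL hit is `chmod u-s` on the binary (or removing it from the image); for REVIEW hits, either add them to the baseline after confirming they need the bit, or strip it.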