Open in app

Sign in

Write

Sign in

So-Simple Walk-through

Sarthak joshi
4 min readAug 16, 2020

--

Hey there ! My name is sarthak joshi and I’m back with another walk through of an amazing vulnhub machine So-Simple. Here is the link you can download it ,link :- https://www.vulnhub.com/entry/so-simple-1,515/

Network scanning and target discovery :-

I prefer nmap for network scanning but you can use what ever tool you want

“# namp -sn 192.168.43.1/24”

Here we got our target’s ip address , which is 192.168.43.52.

Target Scanning with nmap :-

“# nmap -vv -sT -p- 192.168.43.52”

This command of nmap will give the details of the service running on the target machine.

Great here we got two service running 80 For http and 22 for ssh

HTTP Enumeration and Exploitation:-

Let’s move towards http service running on the target machine

So here is image on the web server. Now its time to use “dirb” for directory brute-forcing

“dirb http://192.168.43.52/”

Through “dir” we found a wordpress directory on the web server, It means wordpress site is running on the web server. So without wasting time I fired up “wpscan” tool for wordpress enumeration

Here we found a plugin installed Social-warfare which is vulnerable to a remote code execution. I used “searchsploit” for searching the exploit code for this vulnerability and I found that

Now Let me Explain this exploitation process. In this vulnerable plugin their is vulnerable url where we can run an remote code by placing the url of another webserver

As you can see the vulnerable url, Now the another web server will be our localhost from where we will execute the command

As you can see I created a payload called “pay.txt” which i placed in may “/var/www/html/” directory and I stated my apache web server too.

And Now will will put this payload url to that vulnerable url

See we can run command from here

Now this time with some enumeration we know that their is a user max, So I tried to get its id_rsa ssh key to get the ssh session

So I simply changed the payload text and then

Yeee ,I got max’s ssh private key. With this private key I tried to make a ssh connection

I got a max user ssh connection and I successfully captured the user.txt flag. Now its time for escalation of privileges.

With the help of “sudo” we successfully switched to another user called steven

“# sudo -l”

“# sudo -u steven /user/sbin/services ../../bin/bash”

“# sudo -l”

From steven we again fired sudo -l to obtain the sudo info of steven and I found that I can run a file in /opt/tools/server-health.sh as root

But their is no such file ,So I created it manually and added a code in it

“echo “bash -i ” >server-health.sh”

After running that file with sudo ,We got root shell.

“# sudo /opt/tools/server-health.sh”

We are root now

So I successfully completed this challenge and captured root flag.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

--

--

Sarthak joshi
Sarthak joshi

Written by Sarthak joshi

29 Followers
58 Following

Penetration Tester, CTF player, Full time Learner and Part Time Blogger. Twitter :- https://twitter.com/Exploiter_21, Linked :- https://www.linkedin.com/in/sart

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams