# Proving grounds Play: SunsetMidnight

Proving grounds Play - SunsetMidnight CTF writeup.

### NMAP

```sh
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Did not follow redirect to http://sunset-midnight/
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
```

### Fuzzing

#### Files

```sh
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://sunset-midnight/FUZZ
Total requests: 37050

=====================================================================
ID           Response   Lines    Word       Chars       Payload                     
=====================================================================

000000005:   405        0 L      6 W        42 Ch       "xmlrpc.php"                
000000036:   200        87 L     300 W      4869 Ch     "wp-login.php"              
000000130:   200        97 L     823 W      7278 Ch     "readme.html"               
000000206:   200        384 L    3177 W     19915 Ch    "license.txt"               
000000248:   200        3 L      6 W        67 Ch       "robots.txt"                
000000263:   200        0 L      0 W        0 Ch        "wp-config.php"                            
000000413:   200        0 L      0 W        0 Ch        "wp-cron.php"                             
000000462:   200        11 L     24 W       228 Ch      "wp-links-opml.php"                           
000000838:   200        0 L      0 W        0 Ch        "wp-load.php"               
```

### Brute Forcing MySQL Credentials

![img](/files/UFcybJcXy59kESAlpDtD)

### Logging into the MySQL DB

![img](/files/EoM8mWVChqR56fIBXpcJ)

Get user credentials.

![img](/files/EY79Utdq9HraGodZ7gsS)

Generate an MD5 hash of the new password.

![img](/files/wh6t629unibJy8wnpXeZ)

Update the user's password hash in the database.

![img](/files/YqmIRgFSoAF0YOCbbqOE)

Successfully logged into the WordPress admin portal.
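The password reset above works because WordPress still accepts a raw MD5 value in `wp_users.user_pass` for legacy compatibility and only rehashes it to phpass on the next successful login. From the defender's side that gives two checks: a raw MD5 hash at rest is a sign the row was written outside WordPress (a direct `UPDATE` on `wp_users`), and any hash that differs from a trusted snapshot is a password change worth reconciling against the site's own reset log. The following is an added example, not code from the writeup; the table rows and phpass-shaped strings are constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample of a wp_users table as (user_login, user_pass); not data from the target.
# "admin" carries a raw MD5 digest of the kind written directly into the database above,
# the other rows carry phpass-shaped values as WordPress itself would store them.
SAMPLE_WP_USERS = [
    ("admin", hashlib.md5(b"password").hexdigest()),   # 5f4dcc3b5aa765d61d8327deb882cf99
    ("editor", "$P$BFGH1tHEwHEfO3CvHuQXgWV.LgnkFv1"),   # constructed phpass ($P$ variant)
    ("legacy", "$H$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"),   # constructed phpass ($H$ variant)
]

# Constructed snapshot taken before the incident: admin still had a phpass hash.
PREVIOUS_SNAPSHOT = [
    ("admin", "$P$B1aJbqyoTt0Tz4dcijsGfWkOQfEgVu."),
    ("editor", "$P$BFGH1tHEwHEfO3CvHuQXgWV.LgnkFv1"),
]

RAW_MD5 = re.compile(r"^[0-9a-f]{32}$")
# phpass: "$P$" or "$H$", then 1 cost char + 8 salt chars + 22 hash chars = 31.
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")


def classify_hash(user_pass: str) -> str:
    """Return the storage format of a wp_users.user_pass value."""
    if PHPASS.match(user_pass):
        return "phpass"
    if RAW_MD5.match(user_pass):
        return "md5"
    return "other"


def find_md5_accounts(rows):
    """Usernames whose stored password is a raw MD5 digest.

    WordPress never writes MD5 itself, so such a row was set by something
    else (a direct database UPDATE) and has not been used to log in since,
    because a successful login would have rehashed it.
    """
    return [login for login, user_pass in rows if classify_hash(user_pass) == "md5"]


def changed_password_accounts(snapshot, current):
    """Accounts whose hash differs from the trusted snapshot, or that are new.

    This catches the tampering even after the attacker has logged in and
    WordPress has quietly rehashed the MD5 value to phpass.
    """
    before = dict(snapshot)
    findings = []
    for login, user_pass in current:
        if login not in before:
            findings.append((login, "new_account"))
        elif before[login] != user_pass:
            findings.append((login, "hash_changed"))
    return sorted(findings)


if __name__ == "__main__":
    print("raw MD5 at rest:", find_md5_accounts(SAMPLE_WP_USERS))
    print("changed since snapshot:", changed_password_accounts(PREVIOUS_SNAPSHOT, SAMPLE_WP_USERS))
```

The equivalent point-in-time query on the database is `SELECT user_login FROM wp_users WHERE LENGTH(user_pass) <= 32;`, but because the MD5 value disappears on first login, the snapshot comparison is the check to keep running.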

### Uploading Reverse Shell in themes

Uploading a reverse shell through the themes failed.

![img](/files/LyZ0zhzTyx23bbPgczNS)

#### Generate Malicious wordpress plugin

[GitHub](https://github.com/wetw0rk/malicious-wordpress-plugin)

The Python script builds a reverse shell payload and writes it into a plugin zip file.

![img](/files/7A91h03lgSROfrD2xnkp)

Upload and install the malicious plugin.

![img](/files/bE4SMsRUdoDOGFmF9Rsf)

#### Trigger reverse shell

![img](/files/x7DcPs8K071wcWVYQKyz)

Shell obtained.

![img](/files/lJkMezEvSYCBFTI3tfDT)

![img](/files/Qjwnvdv4PcxeGJGykSsG)

After obtaining the shell, hardcoded user credentials were found in the WordPress config files.

Found credentials for user `jose`.

![img](/files/qaDDBYxaAqNNUaBeOuOO)

**SSH to user jose**

![img](/files/Px3Eggo4zM40MlBXZzsk)

### Privilege Escalation

#### SUIDs

![img](/files/p7TKQ1WcKyB2t5MrSvcZ)

The SUID `status` binary runs services.

* Create a service
* Apply executable permission
* Run `/usr/bin/status` binary

**Service file contents**

```sh
/bin/sh
```

![img](/files/PSIlOdmP4zM0iMutPjtx)

**Root obtained**
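The three steps above (drop a file named after the helper the binary calls, make it executable, run the SUID binary) are the pattern of a privileged program resolving a command by bare name through the caller's environment rather than by absolute path. The defensive checks that catch this host state are a SUID inventory diffed against a known-good baseline, and an audit of `PATH` for entries an unprivileged user controls. The following is an added example, not code from the writeup; the baseline set is constructed and a real one should be captured from a clean build of the same image, and `demo()` builds a throwaway directory tree rather than scanning the real filesystem.

```python
import os
import stat
import tempfile

# Constructed baseline of SUID binaries expected on the host. Capture the real one from a
# known-good build of the same image; this set is only illustrative.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/mount", "/bin/umount"}


def find_suid_files(root):
    """Walk root and return sorted paths of regular files with the setuid bit set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(found, expected=EXPECTED_SUID):
    """SUID files present on the host but absent from the baseline."""
    return sorted(set(found) - set(expected))


def risky_path_entries(path_value):
    """PATH entries that let the caller decide which binary a bare command name resolves to:
    empty entries, '.', any relative directory, and world-writable directories without the
    sticky bit. Entries that do not exist are not flagged (nothing resolves through them)."""
    risky = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            risky.append(entry)
            continue
        if os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                risky.append(entry)
    return risky


def demo():
    """Audit a constructed tree containing one SUID file the baseline does not know about."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        target = os.path.join(bindir, "status")
        with open(target, "w") as fh:
            fh.write("#!/bin/sh\n# placeholder standing in for the unexpected SUID binary\n")
        os.chmod(target, 0o4755)             # setuid on a file we own needs no root
        found = find_suid_files(root)
        # Strip the temp prefix so results read like real paths for the baseline diff.
        return unexpected_suid(p[len(root):] for p in found)


if __name__ == "__main__":
    print("unexpected SUID files:", demo())
    print("risky PATH entries:", risky_path_entries(os.environ.get("PATH", "")))
```

On a live host, `find_suid_files("/")` replaces the constructed tree; run it as the same schedule as the rest of file-integrity monitoring, since a single new SUID file is the whole finding here. The PATH audit matters for the privileged program's own environment rather than the attacker's shell, so the durable fix is in the binary: invoke helpers by absolute path and reset the environment before doing so.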

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).
