Proving Grounds: Loly
Today we are looking at Loly on Proving Grounds. This is an intermediate-rated box that was also rated intermediate by the community. Starting off as usual with a port scan, we can see the following ports are up and running:
Heading over to that page, we can see that it is running nginx:
Running feroxbuster, we find the following:
We now know that WordPress is running; let's run wpscan to see if we can find out more information:
Alright, we now know there is 1 user on the machine; let's see if there are any plugins that may be vulnerable:
At first we do not find any. This does not mean there are no plugins installed; we may have to run an aggressive scan to find them. For now I will move on to brute force:
We find a password! Let's log in and see if we can run a 404.php reverse shell on this WordPress install:
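From the defender's side, the brute force against wp-login.php is the loudest part of this chain in the nginx access log. The following Python is an added example, not part of the original writeup: it runs over constructed combined-format log lines and counts failed versus successful POSTs to /wp-login.php per client, relying on the fact that WordPress answers a failed login with a 200 re-render of the form and a successful one with a 302 redirect. The sample lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed nginx access-log lines in the default "combined" format (not
# taken from the box). 10.0.0.5 hammers wp-login.php, gets eight 200s
# (failed logins re-render the form) and finally a 302 (successful login
# redirects to wp-admin). 10.0.0.9 fails twice and gives up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:20 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we care about, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_outcomes(lines):
    """Count failed (200) and successful (302) POSTs to wp-login.php per client IP."""
    failed, succeeded = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if rec["status"] == "200":
            failed[rec["ip"]] += 1
        elif rec["status"] == "302":
            succeeded[rec["ip"]] += 1
    return failed, succeeded


def flag_bruteforce(lines, threshold=5):
    """Clients with at least `threshold` failed logins, as (ip, failures, successes).

    A success after a run of failures is the case worth paging on: the
    password was guessed, not mistyped.
    """
    failed, succeeded = login_outcomes(lines)
    return [(ip, n, succeeded[ip]) for ip, n in failed.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, fails, wins in flag_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {fails} failed logins, {wins} successful")
```

The status-code heuristic is exactly that: it keys on WordPress's default behaviour and says nothing about which username was tried, so pair it with a per-IP rate limit on wp-login.php and xmlrpc.php at the nginx layer rather than relying on the log alone.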
Let's put loly.lc into our /etc/hosts:
From here we see that we can upload .zip files; let's zip up a shell.php file and try to gain a reverse shell:
Browsing to the following page with a listener up and running, we get a callback:
From here we need to escalate privileges. After looking around a lot, I realize this is most likely going to be a kernel exploit. The kernel is:
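The plugin-upload step works because WordPress, by default, lets an administrator install arbitrary PHP by uploading a zip. As an added example (not from the original writeup), here is a small Python inspector for such uploads, run against two constructed archives: it flags entry names that escape the extraction directory, PHP files at the archive root, and calls to command-execution functions. The archive contents, the function list and the findings format are all assumptions made for this example.

```python
import io
import re
import zipfile

# PHP functions that run OS commands or arbitrary code. A legitimate plugin
# rarely needs them; a dropped web shell almost always does. Heuristic only.
DANGEROUS_CALLS = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)


def inspect_plugin_zip(data: bytes):
    """Return a list of (entry_name, reason) findings for an uploaded archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Entry names that would land outside the extraction directory.
            if name.startswith(("/", "\\")) or ".." in name.split("/"):
                findings.append((name, "path traversal in entry name"))
                continue
            # WordPress expects plugin files inside one top-level directory;
            # a PHP file at the archive root is an odd shape for a plugin.
            if name.lower().endswith(".php") and "/" not in name:
                findings.append((name, "PHP file at archive root"))
            if name.lower().endswith((".php", ".phtml", ".phar")):
                content = zf.read(info).decode("utf-8", errors="replace")
                for m in DANGEROUS_CALLS.finditer(content):
                    func = m.group(0).split("(")[0].strip()
                    findings.append((name, f"calls {func}()"))
    return findings


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used to construct test archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives: a plausible benign plugin, and an upload carrying a
# root-level PHP file that calls shell_exec on a fixed string (constructed for
# the test; it takes no input and is not a working shell) plus a traversal entry.
BENIGN_PLUGIN = build_zip({
    "hello/hello.php": b"<?php\n/* Plugin Name: Hello */\nadd_action('init', 'hello_init');\n",
    "hello/readme.txt": b"=== Hello ===\n",
})
SUSPICIOUS_UPLOAD = build_zip({
    "shell.php": b"<?php shell_exec('id'); ?>\n",
    "../wp-config.php": b"<?php // would overwrite a file outside the plugin dir\n",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PLUGIN), ("suspicious", SUSPICIOUS_UPLOAD)):
        print(label, inspect_plugin_zip(blob) or "no findings")
```

The structural control is `define('DISALLOW_FILE_MODS', true);` in wp-config.php, which removes plugin and theme upload and editing entirely, so a stolen admin password no longer turns into code execution. An inspector like this is a secondary check, and the function-name heuristic will miss obfuscated code.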
Looking up exploits, we see that it is vulnerable to CVE-2017-16995. However, when we try to compile this on the machine it will not work. There is a trick to compile an exploit on your own machine and run it on another machine without getting the glibc version error:
We will compile it with the --static flag:
Now transfer the compiled 45010 binary over to the other machine and make it executable:
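The --static trick is what lets a binary built against one glibc run on a box with another; the same property is what an investigator sees when a fresh, statically linked executable turns up on a host. The following Python is an added example, not part of the original writeup: it reads the ELF program headers and reports a binary as static when it has neither a PT_INTERP segment (the dynamic loader path) nor a PT_DYNAMIC segment, which is the check that `file` makes. The build_fake_elf64 helper constructs a minimal header-only image for testing; it is not a runnable binary.

```python
import struct
import sys

PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def program_header_types(data: bytes):
    """Parse the ELF header and return the p_type of every program header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: 64-byte header, 56-byte program headers
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        fields = struct.unpack_from(endian + "16sHHIQQQIHHHHHH", data, 0)
    elif ei_class == 1:  # ELF32: 52-byte header, 32-byte program headers
        fields = struct.unpack_from(endian + "16sHHIIIIIHHHHHH", data, 0)
    else:
        raise ValueError("unknown ELF class")
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        # p_type is the first 32-bit field in both ELF32 and ELF64 phdrs.
        (p_type,) = struct.unpack_from(endian + "I", data, off)
        types.append(p_type)
    return types


def is_static_elf(data: bytes) -> bool:
    """True when the binary has no interpreter and no dynamic segment,
    i.e. it was linked with -static and carries its own libc."""
    types = program_header_types(data)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def build_fake_elf64(ptypes):
    """Construct a minimal little-endian x86-64 ELF image whose program
    header table has the given p_type values (test fixture only)."""
    phoff = 64
    header = struct.pack(
        "<16sHHIQQQIHHHHHH",
        b"\x7fELF" + bytes([2, 1, 1]) + bytes(9),  # class 64, little-endian, v1
        2, 62, 1, 0x400000, phoff, 0, 0, 64, 56, len(ptypes), 0, 0, 0,
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return header + phdrs


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/bin/sh"
    with open(path, "rb") as fh:
        blob = fh.read()
    print(f"{path}: {'static' if is_static_elf(blob) else 'dynamically linked'}")
```

Pass any ELF path as the first argument to classify it. Static binaries are not suspicious on their own, but one that is new, world-executable and sitting in a temporary directory on a machine whose packages are all dynamically linked is worth a look, and this check needs no toolchain on the host.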
And that is it: we are root. Hopefully you liked the writeup and learned something along the way.