THM Internal - grunt92/IT-Sec-WriteUps GitHub Wiki
Pre-engagement Briefing
I understand the scope of work
No answer needed
Deploy and Engage the Client Environment
User.txt Flag
Use nmap -A -p- IP to gather information on all open ports. Only the http and ssh ports are open. For the http port we run gobuster dir --url http://IP -w /Path/to/wordlist to enumerate directories. You will find a blog built with WordPress. To scan this blog you can use wpscan --url IP/blog to enumerate possible users of the blog. You will learn that there is one user called "admin". To brute-force the admin user run wpscan --url IP/blog -U admin -P /Path/to/wordlist and you'll get the password. The blog does not seem to function correctly until you add an entry for the IP to "/etc/hosts". After visiting the login page you can use the credentials to gain access to the admin dashboard.

In the dashboard navigate to the Theme Editor and edit the 404.php template to include a PHP reverse shell. After you have altered the template you have to request it (IP/blog/wp-content/themes/twentyseventeen/404.php) to establish the initial shell. Upgrade to a more stable shell by running python -c 'import pty; pty.spawn("/bin/bash")'. In the "/opt" directory you can find a file called "wp-save.txt"; run cat /opt/wp-save.txt and you will get the credentials for the user "aubreanna". Run su aubreanna, enter the password and you have access to aubreanna's account. Run cat /home/aubreanna/user.txt to obtain the flag.
Root.txt Flag
As aubreanna you are not able to read the root flag, and aubreanna does not have any sudo rights we could use to escalate. But next to the user flag we also find a file called jenkins.txt informing us that there is an internal service on port 8080. To reach that service we can run ssh -L PORT:172.17.0.2:8080 aubreanna@IP and access Jenkins by visiting "localhost:PORT". Default credentials do not work, so we have to brute-force the login. We can do so by running hydra -l admin -P /Path/to/wordlist -s PORT 127.0.0.1 http-post-form "/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" and use the found credentials to log in. Once logged in to Jenkins you can establish a shell by navigating to the Script Console, entering a Groovy shell script of your choice, starting your listener and running the script. The shell itself does not have any special rights, but in the "/opt" directory there is a "note.txt" file which contains the password for the root user. Switch back to the initial shell and run su root, enter the password and you are root. Run cat /root/root.txt to get the final flag.
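From the defender's side, the two brute-force steps in this writeup (wpscan against the WordPress admin user and hydra against the Jenkins login) leave a distinctive trail: many POSTs to a login endpoint from one source within seconds. The following added example, which is not part of the original writeup, flags that pattern in web-server access logs; it assumes the Apache/nginx combined log format, that WordPress logins hit /blog/wp-login.php and Jenkins logins hit /j_acegi_security_check (the path the hydra command above targets), and runs on constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Login endpoints to watch (assumed paths for this lab's WordPress blog and Jenkins).
LOGIN_PATHS = ("/blog/wp-login.php", "/j_acegi_security_check")
# Combined-log-format prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag (ip, login path) pairs that POST more than `threshold` times within
    any sliding window of `window_seconds`. Returns {(ip, path): peak count}."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        if len(q) > threshold:
            alerts[(ip, path)] = max(alerts.get((ip, path), 0), len(q))
    return alerts

def constructed_sample_log():
    """Constructed sample lines (not real traffic): 12 rapid POSTs from one source
    to the Jenkins login, plus sparse legitimate logins and a page view from another."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST {path} HTTP/1.1" 302 0'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="10.0.0.5", ts=stamp(base + timedelta(seconds=2 * i)),
                        path="/j_acegi_security_check") for i in range(12)]
    lines += [fmt.format(ip="10.0.0.9", ts=stamp(base + timedelta(minutes=5 * i)),
                         path="/blog/wp-login.php") for i in range(3)]
    lines.append('10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /blog/ HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    print(detect_login_bruteforce(constructed_sample_log()))
```

Tune the threshold and window to the site's normal login rate; the same logic applies unchanged to Jenkins logs proxied through the SSH tunnel shown above, since the requests still arrive at the Jenkins host.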