The box starts with an unauthenticated SQL injection on the WordPress website. This vulnerability makes it possible to read the users' password hashes stored in the database. After carrying out a brute-force attack, it is possible to access the WordPress control panel as a manager user. The next step is to exploit a second known vulnerability, an XXE, which allows reading any file as www-data. The juiciest WordPress file (wp-config.php) contains the credentials for the FTP server. Downloading and analyzing the files on the FTP server reveals the credentials to log in via SSH as user jnelson. Finally, for the privilege escalation we have to brute-force the password that protects the GPG private key used by the passpie password manager. Once the private key is cracked, it is possible to access the root password saved by the password manager.
7 December, 2022 00:00 CET