# WalkingCMS Writeup
| Platform | Dockerlabs |
|---|---|
| OS | Linux |
| Difficulty | Easy |
| InitialVector | Wordpress, php |
| Privesc | SUID env |
## Information Gathering
I began by verifying connectivity to the target with a simple ping check. The response returned a TTL of 64, which strongly suggested that the machine was running Linux.
```bash
ping -c 5 172.17.0.2
```
To identify exposed ports and running services, I performed a full TCP scan with service and default script detection enabled.
```bash
nmap -sV -sC -p- --min-rate 5000 172.17.0.2 -n -Pn
```
The scan showed that the target was exposing Apache 2.4.57 on port 80. No additional open ports were identified, so the next step was to focus on web enumeration.
## Web Enumeration
I browsed to the target at http://172.17.0.2 to inspect the default web content. At this stage, the site only displayed the standard Apache default page.
To discover hidden directories and additional web content, I used Gobuster against the web server.
```bash
gobuster dir -u http://172.17.0.2 -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x .php,.txt,.html -r
```
The enumeration revealed only three relevant paths:
- index.html (200)
- wordpress (200)
- server-status (403)
This was a strong indicator that the server was hosting a WordPress instance. Accessing http://172.17.0.2/wordpress confirmed that assumption.
## WordPress Enumeration
Since the target was running WordPress, the next logical step was to enumerate it with WPScan.
```bash
wpscan --url http://172.17.0.2/wordpress --enumerate vp,u,vt,tt
```
WPScan reported the following useful details:
- WordPress version: 6.9.4
- Active theme: twentytwentytwo 1.6
- Valid user discovered: mario
With a valid username identified, I attempted a password brute-force attack using WPScan and the rockyou.txt wordlist.
```bash
wpscan --url http://172.17.0.2/wordpress -U mario -P /usr/share/wordlists/rockyou.txt
```
This successfully revealed the password for the user mario: love.
Using those credentials, I authenticated through the WordPress login portal at http://172.17.0.2/wordpress/wp-login.php.
## Initial Access
Once inside the WordPress admin panel, I navigated to the plugin section and enumerated the installed plugins. The following entries were visible:
- Akismet Anti-spam: Spam Protection
- Hello Dolly
- Theme Editor
Because plugin editing was available, I used the Plugin Code Editor to modify the Hello Dolly plugin and replace its contents with a PHP reverse shell based on Kali's default php-reverse-shell.php located at /usr/share/webshells/php/php-reverse-shell.php.
I selected the Hello Dolly plugin for editing.
To make the uploaded code valid as a WordPress plugin, I added the following plugin header at the top of the file:
```php
/*
Plugin Name: Revershell PentestMonkey
Description: ReverseShell BadPlugin
Version: 1.0
Author: Kuchiki-PentestMonkey
License: GPL2
*/
```
I then edited the reverse shell so that it pointed back to the IP address of my attacking machine and used the port I intended to listen on.
Before activating the plugin, I started a Netcat listener:
```bash
nc -nvlp 3312
```
After saving the changes with Update File, I returned to the plugins section and activated the modified plugin.
As soon as the plugin was enabled, the reverse shell connected back successfully.
To improve shell usability, I spawned a more interactive terminal.
```bash
/bin/bash -i
export TERM=xterm
```
## Privilege Escalation
With a foothold established, I began looking for local privilege escalation vectors. A standard SUID enumeration quickly revealed an interesting binary.
```bash
find / -perm -4000 2>/dev/null
```
Among the results, /usr/bin/env had the SUID bit set. Checking GTFOBins showed that this binary can be abused to spawn a privileged shell when executed with elevated effective privileges.
The relevant technique is:
```bash
env /bin/sh -p
```
Executing that command successfully granted root-level access on the target.
## Conclusion
This machine was compromised by abusing weak WordPress credentials for the user mario, which provided administrative access to the CMS. From there, the built-in plugin editor made it possible to weaponize the Hello Dolly plugin and obtain a reverse shell. Finally, a misconfigured SUID permission on /usr/bin/env allowed straightforward privilege escalation to root.
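Both WordPress stages of this chain (the WPScan password guessing against wp-login.php, then a plugin edited through the built-in editor and activated) leave a clear trail in the Apache access log. The following detection logic is an added example, not part of the original writeup; the log lines are constructed in Apache combined format, and the brute-force threshold and `hello.php` plugin path are assumptions.

```python
"""Flag WordPress login brute force and plugin-editor abuse in Apache combined logs."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def detect(lines, login_threshold=10):
    """Return (ip, reason) alerts, in order of first occurrence."""
    login_posts = defaultdict(int)   # POST /wp-login.php count per client
    editor_ips = set()               # clients that wrote through plugin-editor.php
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
            if login_posts[rec["ip"]] == login_threshold:  # alert once per client
                alerts.append((rec["ip"], "wp-login brute force"))
        elif rec["method"] == "POST" and path.endswith("/wp-admin/plugin-editor.php"):
            editor_ips.add(rec["ip"])
            alerts.append((rec["ip"], "plugin source edited"))
        elif path.endswith("/wp-admin/plugins.php") and "action=activate" in rec["path"]:
            if rec["ip"] in editor_ips:  # activation by the same client that edited a plugin
                alerts.append((rec["ip"], "plugin activated after edit"))
    return alerts


def _line(ip, method, path, ua, status="200"):
    # Constructed sample line; timestamp and size are fixed placeholders.
    return f'{ip} - - [10/May/2025:10:00:01 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: 25 login guesses, a plugin edit, its activation, one benign visit.
SAMPLE_LOG = (
    [_line("172.17.0.1", "POST", "/wordpress/wp-login.php", "WPScan v3.8") for _ in range(25)]
    + [_line("172.17.0.1", "POST", "/wordpress/wp-admin/plugin-editor.php", "Mozilla/5.0", "302"),
       _line("172.17.0.1", "GET", "/wordpress/wp-admin/plugins.php?action=activate&plugin=hello.php", "Mozilla/5.0", "302"),
       _line("10.0.0.5", "GET", "/wordpress/", "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Run against a real log with `detect(open("/var/log/apache2/access.log"))`; the activation alert only fires for a client that previously wrote through the plugin editor, so an ordinary admin enabling a plugin is not flagged.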