
Lab 5: Privilege Escalation with Sudo

In this lab we will exploit a vulnerability in a WordPress website, and then, once we have gained
access to the machine, we will perform privilege escalation with sudo.
The vulnerable machine:
https://download.vulnhub.com/hackerfest/HF2019-Linux.ova

Penetration Testing Methodology

• Network Scanning
  • Nmap port scan
• Enumeration
  • Browsing HTTP Service
  • Scanning WordPress (wpscan)
• Exploiting
  • WordPress Google Maps Plugin SQL Injection
  • Use ssh to gain access to victim machine
• Privilege Escalation
  • Abusing Sudo Rights
Network Scanning
1- The teacher should give you the IP address of the vulnerable machine (you can also find it
with the netdiscover command).
2- Run nmap in aggressive mode >> make sure you use the correct IP address of the victim:
nmap -A 10.0.2.17

We learned from the scan that port 80 is open and is hosting an Apache httpd service, and that
ports 21 and 22 are open as well.

Enumeration
3- Open the website on the browser:

Dr. Sarah Abu Ghazalah


4- This shows a site that looks like a WordPress site, so it is time to run wpscan against
the target machine.
wpscan --url http://10.0.2.17/

5- If we move further down in the wpscan result, we find the WordPress Google Maps
plugin. It is not up to date, so this could help us. Let's try to exploit it.

WordPress Google Maps SQLi Exploit


6- Let us search for this on Metasploit.
7- Open msfconsole
8- Type search wp-google-maps



This module exploits a SQL injection vulnerability in the plugin.
9- So let us use this module as follows:
msf5 > use auxiliary/admin/http/wp_google_maps_sqli

msf5 auxiliary(admin/http/wp_google_maps_sqli) > set rhosts 10.0.2.17

msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit

So we got the username >> webmaster, and the password hash of user webmaster, as follows:
webmaster $P$Bsq0diLTcye6ASlofreys4GzRlRvSrl

10- Now copy the hash into a file called hash, then use the John the Ripper tool to crack
the hashed password.
john --wordlist=rockyou.txt hash

Hint: you must unzip the rockyou file from /usr/share/wordlists and extract it into
/home/kali.
Go to the zip file >> right click and Extract All >> choose /home/kali as the destination.
11- Now we have the username and password: webmaster:kittykat1. Try these credentials on
the ssh port.
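What the $P$ hash from step 9 actually encodes, and why a dictionary password falls to John so quickly, as an added example that is not code from the lab or from WordPress itself: a reimplementation of the WordPress portable (phpass) hash scheme. Only the cost character is read from the hash shown in the handout; the demo salt abcdefgh and the small candidate list are constructed for this example.

```python
import hashlib

# phpass alphabet; the character right after "$P$" indexes into it to give log2(iterations)
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# Hash printed by the Metasploit module in step 9 (value taken from the lab handout)
LAB_HASH = '$P$Bsq0diLTcye6ASlofreys4GzRlRvSrl'


def _encode64(raw, count):
    """phpass's own base-64 variant: 3 input bytes -> 4 output chars, little-endian."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        i += 1
        if i > count:
            break
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        i += 1
        if i > count:
            break
        out.append(ITOA64[(value >> 18) & 0x3f])
        if i >= count:
            break
    return ''.join(out)


def iterations(stored):
    """Number of MD5 rounds the hash was built with ('B' -> 2**13 = 8192)."""
    return 1 << ITOA64.index(stored[3])


def phpass_hash(password, setting):
    """Recompute a portable hash for password under setting = '$P$' + cost char + 8-char salt."""
    if setting[:3] not in ('$P$', '$H$'):
        raise ValueError('not a phpass portable hash')
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError('cost character out of range')
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError('salt must be exactly 8 characters')
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # salted, iterated MD5
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password, stored):
    """True if password reproduces the stored hash exactly (same salt and cost)."""
    return phpass_hash(password, stored[:12]) == stored


def dictionary_hit(stored, candidates):
    """Return the first candidate that verifies, else None.
    This is all a wordlist run does; each guess costs iterations(stored) + 1 MD5 calls,
    which is why a password that appears in rockyou is found in seconds."""
    for candidate in candidates:
        if phpass_verify(candidate, stored):
            return candidate
    return None


# Constructed demo: hash the lab password under a constructed salt, then check it
DEMO_SETTING = '$P$Babcdefgh'
DEMO_HASH = phpass_hash('kittykat1', DEMO_SETTING)
DEMO_WORDLIST = ['password', '123456', 'letmein', 'kittykat1', 'hunter2']  # constructed

if __name__ == '__main__':
    print('lab hash uses', iterations(LAB_HASH), 'MD5 rounds')
    print('demo hash           :', DEMO_HASH)
    print('verify right password:', phpass_verify('kittykat1', DEMO_HASH))
    print('verify wrong password:', phpass_verify('kittykat2', DEMO_HASH))
    print('wordlist hit         :', dictionary_hit(DEMO_HASH, DEMO_WORDLIST))
```

The cost character B means 8192 rounds of MD5, cheap enough that a wordlist of millions of entries is exhausted in minutes on a laptop; the salt only prevents precomputed tables, not guessing. The controls that would have stopped step 10 are a password that is not in any leaked wordlist and a slower password hash than iterated MD5.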



Privilege Escalation
12- After successfully logging in to the victim's machine, execute the command below to see
the sudo rights of the current user.
sudo -l

Here it is shown that the user webmaster has ALL sudo privileges, so we can open a shell through
sudo /bin/bash, which gives us root privileges.

13- Type sudo bash, then to make sure you are root, type id:
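The sudo -l output in step 12 is exactly the misconfiguration an administrator wants to catch before anyone else does. The following is an added example, not part of the lab or of sudo: it parses either a sudoers fragment or the text that sudo -l prints, and grades each grant. The sudoers lines, the host name hf2019 and the deploy and backup users are constructed sample data.

```python
import re

# Constructed sample: a sudoers fragment as an administrator would review it
# (not the real file from the lab machine).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
webmaster       ALL=(ALL) ALL
deploy          ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
backup          ALL=(root) /usr/bin/rsync
"""

# Constructed sample: what `sudo -l` prints for a user with unrestricted rights.
SAMPLE_SUDO_L = """\
Matching Defaults entries for webmaster on hf2019:
    env_reset, mail_badpass

User webmaster may run the following commands on hf2019:
    (ALL : ALL) ALL
"""

# user  hosts=(runas) [TAG:] commands
SUDOERS_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$')
# one command spec line from `sudo -l`: (runas) [TAG:] commands
SPEC_RE = re.compile(r'^\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$')


def _split_spec(spec):
    """Split 'NOPASSWD: /bin/a, /bin/b' into (nopasswd flag, [commands])."""
    nopasswd = 'NOPASSWD:' in spec
    spec = re.sub(r'\b(NOPASSWD|PASSWD|SETENV|NOEXEC):', '', spec)
    return nopasswd, [c.strip() for c in spec.split(',') if c.strip()]


def parse_sudoers(text):
    """Parse user specification lines from sudoers text into rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == '#' or line.startswith('Defaults'):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        nopasswd, cmds = _split_spec(m.group('spec'))
        rules.append({'who': m.group('who'), 'runas': m.group('runas') or 'root',
                      'cmds': cmds, 'nopasswd': nopasswd})
    return rules


def parse_sudo_l(text, user):
    """Parse the command specs that `sudo -l` prints for `user`."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if 'may run the following commands' in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = SPEC_RE.match(line.strip())
        if m:
            nopasswd, cmds = _split_spec(m.group('spec'))
            rules.append({'who': user, 'runas': m.group('runas'),
                          'cmds': cmds, 'nopasswd': nopasswd})
    return rules


def audit(rules):
    """Grade each non-root grant: (who, severity, reason)."""
    findings = []
    for r in rules:
        if r['who'] == 'root':
            continue
        if 'ALL' in r['cmds']:
            findings.append((r['who'], 'HIGH',
                             'may run any command as %s; "sudo bash" is a root shell' % r['runas']))
        elif r['nopasswd']:
            findings.append((r['who'], 'MEDIUM',
                             'passwordless sudo for %s; a hijacked session escalates '
                             'without the user password' % ', '.join(r['cmds'])))
        else:
            findings.append((r['who'], 'INFO', 'limited to ' + ', '.join(r['cmds'])))
    return findings


if __name__ == '__main__':
    for who, sev, why in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print('%-7s %-10s %s' % (sev, who, why))
    for who, sev, why in audit(parse_sudo_l(SAMPLE_SUDO_L, 'webmaster')):
        print('%-7s %-10s %s (from sudo -l)' % (sev, who, why))
```

The fix for the webmaster finding is least privilege: replace the ALL grant with the specific commands the account needs, as the constructed backup line does, and review every remaining NOPASSWD entry since it lets a compromised session escalate without ever knowing the password.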

Activity:
On this machine try to find flag file, open it and show the teacher the flag.
