A freshly squeezed cup of pwnage

Rainy weather can only mean one thing… VulnHub challenge time. Today’s menu @TopHatSec’s Freshly challenge.

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. :)

There are a couple of different ways that you can go with this one. Good luck!

Locate the host:

What ports do we have open:

Let’s browse to port 80 on the webserver and see what we have:


The page source doesn’t show anything too interesting, so we intercept the request with Burp Suite.


Unfortunately, modifying or removing the If-Modified-Since and If-None-Match headers did not present us with any newer or different version of the page. Next stop, wfuzz.

Nothing useful there, apart from a phpmyadmin install that could be hit with a dictionary attack later if needed. Let’s check for any php files:

Login.php… let’s take a look:


The obvious first thing to check is whether we can log in with default credentials such as admin/admin. No luck. It’s PHP, so let’s test for SQLi by entering a username of admin and a password of ‘. The page doesn’t respond with any SQL errors, but it does respond with a 0, so let’s take a closer look at whether an SQLi vulnerability is present. We fire up Burp Suite, intercept the POST, and send it to Intruder to run a sniper attack using wfuzz’s SQL.txt wordlist as the payload.


Sadly, no results. I’m still pretty sure there’s an SQLi vulnerability, so let’s fire up sqlmap and see if it can help us out.

As I suspected, there is an SQLi vuln. The user parameter is injectable with a time-based blind attack, so let’s continue enumerating with sqlmap.

A wordpress8080 database? I quickly browse to port 8080, click on the “Nice Fine!…Proceed” link, and wouldn’t you know it.. a wordpress blog which offers some pretty awesome candy! :)


Usually I would fire up wpscan as soon as I identify a site as running WordPress, but we’ll save that for later if needed, as we’re progressing nicely with our SQLi.

Let’s dump the tables in the wordpress8080 database:

And last but not least, let’s dump the contents of the users table:

Nice… very nice. Let’s log in as admin shall we..


Time to get a shell on this box now that we have admin rights. The easiest way to exploit a WordPress install once you have admin rights is to edit the theme’s PHP files through the built-in editor and add your own code. I’m a big fan of Pentestmonkey’s PHP reverse shell, so I add its code to the first template available; in this case, 404.php.


We start up our netcat listener, navigate to the WordPress site on port 8080 and request the theme’s 404.php; and voila! We have our shell.

Onwards and upwards! Let’s enumerate the box and see what we can/can’t do. I always start with checking the obvious, /etc/passwd and /etc/shadow.

“YOU STOLE MY SECRET FILE!”. um… not yet I haven’t, but thanks for the push.

Next step, let’s push the three users’ hashes through john and see if we have any luck:

I was only lucky enough to get candycane’s password. I pottered around as candycane for quite a while trying to find any vulnerabilities I could exploit, but nothing was jumping out. For shits and giggles I decided to try the same password as the WordPress admin’s on the root account….

Grrrr! I was kicking myself for not trying the SuperSecretPassword first up. I wasted so much time performing a dictionary attack, and my standard process is to always try passwords I already know first, just in case there is a simple password re-use vulnerability. Oh well, serves me right.

Thank you @TopHatSec for the challenge; thoroughly enjoyable.

As always, thank you @vulnhub and @g0tmi1k for hosting these challenges.

Until next time, tight lines and happy hacking.