dpwwn: 2

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/dpwwn-2,343/

Walkthrough

nmap
alt text

default 80
alt text

dirb web enum found wordpress instance
alt text
alt text

wpscan found an lfi vuln
alt text
alt text

testing lfi worked
alt text

with nothing else, looked to other ports. nfs was able to be mounted and written to
alt text

with lfi vuln we’re able to call newly created file
alt text

created reverse shell file, setup listener and we have low priv access
alt text

using known priv esc technique for nfs we setup for root
alt text

technique fails though
alt text

looking at /etc/exports there is a root squash for unknown ip address, but a static has the ability
alt text

set static on host
alt text

update reverse shell and reconnect
alt text

setup nfs for priv esc again
alt text

we have root
alt text

and flag
alt text

Written on September 4, 2019
Share on: