Blocky priv-esc

I’m able to get shell as www-data, however i’m struggling to find a way to get priv-esc.
Anyone have any tips?

www-data is not the intended entry method, although it is possible (just waaaay more effort, and different esc method). I don’t want to spoil, but there is a known exploit that works from www-data (so I’ve been told, haven’t done it myself). Take a look on exploit-db in the privilege escalation category and try a few things.

What @Arrexel said, although without trying to spoil I’m sure you have all the details you need for intended way.

think simple before complicated…

@hahahakebab said:
I’m able to get shell as www-data, however i’m struggling to find a way to get priv-esc.
Anyone have any tips?

I’m in your exact same situation right now. I hope we can get this! Good luck!

this is killing me too

All of you guys are most likely overthinking it.

Well, after many hours of sleep deprivation, I’ve managed to root the box. Alas, not the intended way but rather what @Arrexel said. I’d love to know what I was missing…

Pm on slack :wink:

@Arrexel, @SirenCeol filled me in. My tears have yet to dry ;(

FYI: I believe every time I used this “alternative way”, the system would crash after about two seconds. I ended up tweaking some lines of the priv esc code for it to do by bidding within that timeframe. Ultimately, this method should probably be discouraged.

Folks, need hint on initial way to get into the system. Web app testing is not my strong skill, and after almost 4 days of trying to figure out results of dirb I am throwing a towel and asking for help. Search over web resources for the possible way did not produce anything clear.

@ndabbot said:
Folks, need hint on initial way to get into the system.

Never mind already solved it.

Hi all. Do you mean “Don’t use wordpress to get in as www-data”? I got the shell as www-data and can not progress on root or user txt for 6 days and close to madness.

Use the various Enumeration scripts.However,I think it’s tough as www-data.

I can confirm that PrivEsc through the www-data shell method is quite a bit more challenging.

Can I got root directly from phpmyadmin?

I had a feeling you could get in through www-data… I dropped it and found the intended method. I would love to come back and learn that someday though.

I am sure I will regret this an have probably overlooked the intended method a number of times. Could someone pm me a hint or what the the ■■■■ I am missing? I too am not able to escalate past www-data, with meterpreter and a tty shell

I owned this, but did it the ‘www-data’ shell and ‘2 seconds of root’ priv-esc method. I would love to know the intended path in that i missed. Someone want to pm me?