Question

One of my friends rents a VPS on which he runs around 20 websites, some of them for small businesses. He has been having some security issues and has asked me to help assess the vulnerability of his box (I'm just an undergraduate interested in infosec).

I have managed to gain root on the MariaDB database, and am now attempting to get root on the box itself. From what I see, most of the sites run WordPress, so I figure I can inject some PHP in a page to print the content of /etc/shadow and from there I can crack the passwords.

My question is: is there a better way to pivot from root on the database to root on the box?

Explanation / Answer

Database and web service should be running with their own privilege sets, if configured correctly. So, it might not be possible from a binary point of view. Database access gets you data access, though, which usually means credentials. Mine the database for creds that might point to entry vectors.

This is what I would do: try loading a PHP shell (many to choose from) in the db and see what is possible from there. You might find a misconfiguration, or a vulnerability to exploit in order to escalate your privileges.

Cracking passwords can take a long time. PHP shell to vuln to escalation can be efficient.
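
The answer's point that the database and web service should each run with their own privilege sets can be checked from the defender's side. The following is an added example, not part of the original question or answer: it audits a MariaDB `my.cnf` fragment and `SHOW GRANTS` output for settings that erase that separation. The sample inputs, finding codes and function names are constructed for illustration.

```python
import configparser
import re

# Constructed sample inputs (not from the original post).
SAMPLE_CNF = """[mysqld]
user = root
secure_file_priv =
"""
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`%` WITH GRANT OPTION",
    "GRANT SELECT, INSERT, FILE ON *.* TO `wp_shop`@`localhost`",
    "GRANT ALL PRIVILEGES ON `wp_blog`.* TO `wp_blog`@`localhost`",
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO "
    r"[`'](?P<user>[^`']*)[`']@[`'](?P<host>[^`']*)[`']")
RISKY_GLOBAL = {"ALL PRIVILEGES", "FILE", "SUPER"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_config(cnf_text):
    """Return finding codes for the [mysqld] section of a my.cnf fragment."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return ["NO_MYSQLD_SECTION"]
    # MariaDB accepts '-' and '_' interchangeably in option names.
    opts = {k.replace("-", "_"): (v or "").strip() for k, v in cp["mysqld"].items()}
    findings = []
    if opts.get("user") == "root":
        findings.append("SERVER_RUNS_AS_ROOT")  # daemon shares root's privileges
    if not opts.get("secure_file_priv"):
        findings.append("FILE_IO_UNRESTRICTED")  # unset or empty: no directory limit
    return findings

def audit_grants(grant_lines):
    """Return (account, finding) pairs from SHOW GRANTS output lines."""
    findings = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        account = f"{m['user']}@{m['host']}"
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if m["user"] == "root" and m["host"] not in LOCAL_HOSTS:
            findings.append((account, "ROOT_REMOTE_LOGIN"))
        elif m["scope"] == "*.*" and privs & RISKY_GLOBAL and m["user"] != "root":
            findings.append((account, "APP_ACCOUNT_GLOBAL_PRIVS"))
    return findings
```

An empty result from both functions means each site's account is confined to its own schema and the server process does not share root's privileges.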
