Scanning the host with dirbuster, the host running WordPress:

Now we run wpscan to enumerate users and vulnerable themes and plugs wpscan –url http://192.168.1.2/wordpress -e u

Running dirb with –X .txt found robots.txt


Nothing to see here lol,but ok looks like we have an .html pages too, using dirb again came with this:


Ok searching for API in the source of the home page i found these:

I tried each one as a password for login for phpmyadmin page and for wordpress page and for ssh service but didn’t work, till i gatherd them all as 5F4DCC3B5AA765D61D8327DEB882CF99 and then tried all and the ssh service worked for yash user:


I used the LinEnum.sh script and i got this back:

To become a root with this vulnerability we use this command python -c ‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’
And then we access the root directory:

As you can see after grabbing the root flag i went back and got the other flag from the user haclabs 😀 guess i’ve made a deception but the lab started it first lol.