Vulnhub – Player1.1 Walkthrough

Scanning the host with nmap -A -T4 -p- -vv:

The Apache web page contains these lines, which are different:

Navigating to the address, it turns out it's a WordPress page:

We use wpscan --url -e u to enumerate the usernames on this site:

We got the user wp-local, and when clicking on the link:

OK, trying to log in as wp-local with the password hackNos@9012!! didn't work, so what I did was try this exploit: I copied it and saved it as login.html, then opened it and logged in as administrator:

Unfortunately there isn't much to be done, so let's try another method. I then found this exploit, where we can upload any type of file, so we are going to upload a shell. First copy the code from the exploit page and save it as upload.html, then rename your shell.php to shell.phtml. Now open the page upload.html in your browser, choose the shell and upload it, and you will get this message:

Now to visit our shell we go to this link, where you will find the shell:

Now prepare your listening port and open the shell:

In the home directory we got 3 users: hackNos-boat, hunter, and security. I tried the password hackNos@9012!! and I got to log in as security:

To switch to the other user hackNos-boat we can run this command: sudo -u hackNos-boat /usr/bin/find . -exec /bin/sh \; -quit

And the new user hackNos-boat can run sudo:

The command is sudo -u hunter ruby -e 'exec "/bin/sh"'

And the flag for the user hunter:

And the last user hunter can run sudo:

And the command to become root is sudo -u root gcc -wrapper /bin/sh,-s .

After that we catch the flag from the root directory and we're DONE!!
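Looking at the sudo chain above from the defender's side, here is an added example (not part of the original walkthrough) that audits sudoers rules for the three binaries used here and reports whether a low-privileged account can reach root through them. The sudoers lines, the monitor account and the function names are constructed for illustration; the VM's real sudoers file is not shown on this page.

```python
import re
from collections import deque

# Binaries this walkthrough used to get a shell through sudo (not a complete list).
SHELL_CAPABLE = {"find", "ruby", "gcc"}

# Constructed sample modelled on the chain in the walkthrough.
SAMPLE_SUDOERS = """\
security ALL=(hackNos-boat) NOPASSWD: /usr/bin/find
hackNos-boat ALL=(hunter) NOPASSWD: /usr/bin/ruby
hunter ALL=(ALL) NOPASSWD: /usr/bin/gcc
monitor ALL=(root) NOPASSWD: /usr/bin/uptime
"""

# user host=(run-as list) [NOPASSWD:] command list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(?:NOPASSWD:\s*)?(.+)$")

def risky_edges(text):
    """Return (user, run_as, binary) for each rule granting a shell-capable binary."""
    edges = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith("#"):
            continue
        user, runas, cmds = m.groups()
        targets = [r.strip().split(":")[0] for r in runas.split(",")]
        for cmd in cmds.split(","):
            parts = cmd.split()
            if parts and parts[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                for t in targets:
                    # (ALL) includes root; modelled as root only (simplification).
                    edges.append((user, "root" if t == "ALL" else t, parts[0].rsplit("/", 1)[-1]))
    return edges

def path_to_root(edges, start):
    """Breadth-first search over run-as edges; returns the user chain or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == "root":
            return path
        for user, target, _ in edges:
            if user == path[-1] and target not in seen:
                seen.add(target)
                queue.append(path + [target])
    return None
```

Any rule it flags should be removed or replaced with a narrowly scoped wrapper script, since each of these binaries can run arbitrary commands as the run-as user.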
