Scanning the host with nmap –A –T4 –p- 192.168.1.9 –vv
From nmap we can see it’s a WordPress site, so let’s see dirb http://192.168.1.9
Enumerating WordPress with wpscan –url 192.168.1.9 -e u
Then brute force it with rockyou.txt
wpscan –url 192.168.1.9 –U admin –P /root/pass/rockyou.txt
Guess should have started by testing it lol, anyway the password is admin:admin and we got in, now let’s try to upload a shell to the target
We can install new plugins, so i installed the File Manager plugin:
Then i uploaded a shell.php file to the upload directory:
And just like that we got a shell opening the file or viewing it’s info:
We got the flag of the user ck home directory
We can view the conf file of the WordPress in /var/www/html/wp-config.php
i used the password bla_is_my_password to ssh to the host trying the name bla and it worked:
And the user bla can run sudo:
According to THIS site we can abuse it to upload ssh file from our machine to the target:
And as soon as i ssh to it we got in, and we can see the user bla1 can run sudo as well:
sudo –u ck-00 /bin/rbash
Once again according to THIS site again we can sudo using dd command like this:
echo “ck-00 ALL=(ALL) NOPASSWD: ALL” | sudo dd of=/etc/sudoers
Actually it’s easy as all we do is to append the user ck-00 to the sudores file without any passwords:
