VulnHub – Victim01 Walkthrough

Start by scanning the host with nmap -A -T4 -p- -vv

Visiting the services port by port, we get a page on port 8999 that lists the files and folders of a WordPress site. The site itself is up, but the directory listing exposes its files, including a wireless capture named WPA-01.cap that we can crack with Aircrack-ng:

We ran the command aircrack-ng -a2 -w /root/pass/rockyou.txt /root/Downloads/WPA-01.cap and got back the password, which is p4ssword for the ESSID dlink. Now we can log in using ssh:

The user can run sudo, BUT I guess it's a troll:

I kept searching and finally used find / -writable -type d 2>/dev/null, which found:

Any of these writable folders can be used to host a reverse shell back to our machine:

We copy our shell.php file to /var/www/bolt/public/files and open it in the browser; with our listening port ready, we get a reverse shell as root:
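The root shell on this box comes from a world-writable directory under a web root served by a privileged process. The following audit script is an added example, not part of the original walkthrough: it walks a web root and reports every world-writable directory, using a constructed sample tree whose bolt/public/files layout is assumed from the post.

```python
import os
import stat
import tempfile


def find_world_writable_dirs(root):
    """Walk `root` and return directories that any user can write to.

    A world-writable directory under a web root lets a low-privilege user
    drop a script that the web server then runs with its own privileges.
    Sticky-bit directories are still reported but flagged, since the sticky
    bit only restricts deletion, not creation of new files.
    """
    findings = []
    for dirpath, dirnames, _filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry; nothing to report
            if stat.S_ISLNK(st.st_mode):
                continue  # do not follow symlinks out of the tree
            if st.st_mode & stat.S_IWOTH:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "sticky": bool(st.st_mode & stat.S_ISVTX),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_web_root():
    """Constructed sample tree (hypothetical layout) mirroring the writeup:
    an application's public/files directory left world-writable."""
    root = tempfile.mkdtemp(prefix="webroot-audit-")
    for rel, mode in [
        ("bolt/public", 0o755),
        ("bolt/public/files", 0o777),  # the misconfiguration
        ("bolt/app/cache", 0o1777),    # sticky, but still writable
        ("html", 0o755),
    ]:
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in find_world_writable_dirs(build_sample_web_root()):
        print(finding)
```

Run it against a real web root (for example /var/www) and treat every hit as a candidate for chmod o-w plus a review of which user the web server runs as.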
