All in One
Scanning
Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)
Detailed Nmap Scan :
Enumeration
Lets look at FTP as anonymous
login is allowed
And there is nothing in the FTP server, lets look at the webserver
Its an Apache2 default page, lets run gobuster
to look for hidden directories.
Lets check these directories out, first /wordpress
Its a wordpress site, we can explore this but first lets look at the other directory we found
There is nothing interesting, lets look at the source code, scrolling down we see something interesting
It looks like a cipher, lets crack it
Looks like a password, but we do not have a username to login through ssh.
Lets go back to the wordpress site. We have username elyana
, but the password is not the right one.
Lets run wpscan
to find information about this site.
Looking through the output, we see 2 vulnerabilities
We have a LFI vulnerability and a Arbitrary File Upload vulnerability. Lets first login with the credentials we found.
Once logged in, we can go to Appearance > Theme Editor and replace the 404.php
file with a reverse shell and click update
Once we do that, we have to start a netcat listener.
Now we visit this URL to get the reverse shell.
Lets stabilize the shell.
Lets look at the files
So the password for the user Elyana
is hidden on the system.
Lets find all the files that belong to the user elyana
This is an interesting file, lets read it.
We have the username and password, lets login through ssh
We can now read the user flag.
Looks like it is encoded, lets decode it.
Privilege Escalation
Lets run sudo -l
Looks like we can run socat
as sudo, lets go to GTFOBins and the get the command to privilege escalate to root.
We are root. We can read the root flag
Lets decode this
Last updated