All in One
Last updated
Was this helpful?
Last updated
Was this helpful?
Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)
Detailed Nmap Scan :
Lets look at FTP as anonymous login is allowed
And there is nothing in the FTP server, lets look at the webserver
Its an Apache2 default page, lets run gobuster to look for hidden directories.
Lets check these directories out, first /wordpress
Its a wordpress site, we can explore this but first lets look at the other directory we found
There is nothing interesting, lets look at the source code, scrolling down we see something interesting
It looks like a cipher, lets crack it
Looks like a password, but we do not have a username to login through ssh.
Lets go back to the wordpress site. We have username elyana, but the password is not the right one.
Lets run wpscan to find information about this site.
Looking through the output, we see 2 vulnerabilities
We have a LFI vulnerability and a Arbitrary File Upload vulnerability. Lets first login with the credentials we found.
Once logged in, we can go to Appearance > Theme Editor and replace the 404.php file with a reverse shell and click update
Once we do that, we have to start a netcat listener.
Now we visit this URL to get the reverse shell.
Lets stabilize the shell.
Lets look at the files
So the password for the user Elyana is hidden on the system.
Lets find all the files that belong to the user elyana
This is an interesting file, lets read it.
We have the username and password, lets login through ssh
We can now read the user flag.
Looks like it is encoded, lets decode it.
Lets run sudo -l
We are root. We can read the root flag
Lets decode this
Looks like we can run socat as sudo, lets go to and the get the command to privilege escalate to root.
