Enumeration

Nmap

The initial nmap scan revealed that the HTTP, SSH and FTP ports were open.

00 - nmap

The nmap scan showed that FTP had anonymous sessions enabled, but the FTP server did not have anything in it.

01 - 0 ftp anon

Web Enumeration

The website just showed a GIF file.

01 - web

The robots.txt file revealed a WordPress endpoint.

02 - robots txt

Enumerating the WordPress endpoint with wpscan revealed two valid users.

03 - wp users

Then I brute-forced the users and got a valid credential.

04 - cracked

Exploitation

WordPress Theme Editor

The user was an administrator, so I could simply open the WordPress theme editor and edit the 404.php file into a reverse shell.

05 - wordpress theme editor

Then all I needed to do was set up a reverse shell and visit the /wp-content/themes//404.php endpoint.

06 - visiting

07 - revshell

Then visiting the home page of the btrisk user revealed the user flag.

08 - user flag

Privilege Escalation

WP Config

The wp-config.php file revealed a valid root password for the MySQL database.

09 - wpconfig

I used that password to log in to MySQL with the command ‘mysql -u root -p’, which prompts for the password. Then checking the wp_users table revealed the hashed password of the root user.

10 - found passwords

I used CrackStation to crack the root user's hash.

11 - cracked

Then I tried it with the ‘su root’ command and it worked. I simply got root.

12 - root
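
From the defender's side, both the theme editor step and the wp-config.php step above come down to settings that can be audited in wp-config.php. The following is an added example, not part of the original writeup: `parse_defines`, `truthy`, `audit` and both sample configs are constructed for illustration, while `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS` are WordPress's own constants for turning off the dashboard file editor.

```python
import re

# Keep quoted strings, drop /* */, // and # comments, so that a
# commented-out define() is not mistaken for an active one.
TOKEN_RE = re.compile(r"""('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.DOTALL)
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^)]+?)\s*\)""",
    re.IGNORECASE,
)

def parse_defines(php):
    """Return {constant: value} for every active define() in the PHP text."""
    active = TOKEN_RE.sub(lambda m: m.group(1) or "", php)
    cfg = {}
    for name, value in DEFINE_RE.findall(active):
        if value[:1] in ("'", '"'):
            value = value[1:-1]  # unquote string literals
        cfg[name] = value
    return cfg

def truthy(value):
    return value.strip().lower() in ("true", "1")

def audit(php):
    """List hardening findings for the two weaknesses used in this writeup."""
    cfg = parse_defines(php)
    findings = []
    if cfg.get("DB_USER", "").lower() == "root":
        findings.append("DB_USER is root; use a MySQL account limited to the WordPress database")
    if not (truthy(cfg.get("DISALLOW_FILE_EDIT", "")) or truthy(cfg.get("DISALLOW_FILE_MODS", ""))):
        findings.append("dashboard file editor enabled; add define('DISALLOW_FILE_EDIT', true);")
    return findings

# Constructed sample configs (not taken from the target machine).
WEAK_CONFIG = """<?php
define('DB_USER', 'root');
define('DB_PASSWORD', 'example-password');
// define('DISALLOW_FILE_EDIT', true);
"""
HARDENED_CONFIG = """<?php
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'example-password');
define( 'DISALLOW_FILE_EDIT', true );
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text))
```

The audit cannot see password reuse between a WordPress account and a system account, which is what made the final `su root` step work; that has to be handled by password policy.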

