Sunday, August 27, 2023

Remote VulNyx Writeup

Scanning

We scan the open ports with nmap, using scripts and software version detection:

Enumeration

We access the web server and find an Apache Debian default page:

We run the gobuster tool with a large dictionary and see the wordpress directory on the server:

We access the source code and see that the website loads a domain name:

We access WordPress and detect software versions deployed on the server:

We also enumerate the administration panel:


We confirm that the user is "tiago", so we try an automated attack with the WPScan tool, but after several minutes we don't get credentials.

I launch nmap with the http-wordpress-enum script; it shows a plugin called "gwolle-gb 1.5.3", which has exploits:



Exploitation

So we set up a PHP file with a webshell so that we can execute commands from the URL:

We start a netcat listener and run a reverse shell with mkfifo:

We get the database connection credentials:

We reuse the password for the user "tiago" and manage to read the user flag:

Privilege Escalation

We run sudo -l and see that we can run the "rename" binary as the root user:

We look at the binary's help:

We see that it has the "Manual" (-m) option, so we press Enter until it lets us type, and then we try the classic "!sh". We manage to escalate privileges to the root user and read the flag:
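A defensive check for the sudo rule abused above, as an added example that is not part of the original writeup: it flags sudoers entries that allow a pager-capable binary without the NOEXEC tag, the sudoers option that blocks shell escapes such as "!sh". The sample rules, the binary list and the /usr/bin/rename path are assumptions.

```python
import os
import re

# Assumption: a locally maintained list of binaries that can open a pager or
# editor, and therefore a "!" shell prompt. "rename" is on it because of -m.
PAGER_CAPABLE = {"rename", "man", "less", "more", "vi", "vim"}

SPEC = re.compile(r"^(?P<who>\S+)\s+[^=]+?=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample; the rule for "tiago" mirrors what sudo -l reported,
# with an assumed path for the binary.
SAMPLE = """\
# constructed sudoers fragment
Defaults env_reset
tiago ALL=(root) /usr/bin/rename
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog, /usr/bin/man
deploy ALL=(ALL) /usr/bin/systemctl restart app, EXEC: /usr/bin/vi /etc/app.conf
"""

def audit_sudoers(text):
    """Return (who, runas, command) for pager-capable commands allowed without NOEXEC.

    Handles plain user specifications only; aliases and "Defaults noexec" are not resolved.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPEC.match(line)
        if not m or m.group("who").startswith("Defaults") or m.group("who").endswith("_Alias"):
            continue
        noexec = False  # tags are sticky: they apply to later commands in the list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (tag := TAG.match(cmd)):
                if tag.group(1) in ("NOEXEC", "EXEC"):
                    noexec = tag.group(1) == "NOEXEC"
                cmd = cmd[tag.end():]
            if cmd and os.path.basename(cmd.split()[0]) in PAGER_CAPABLE and not noexec:
                findings.append((m.group("who"), m.group("runas") or "root", cmd))
    return findings

if __name__ == "__main__":
    for who, runas, cmd in audit_sudoers(SAMPLE):
        print(f"{who} may run {cmd!r} as {runas} without NOEXEC")
```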
