1. Do the usual scan to find the DHCP address. Once found, run an nmap scan.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir3-RVk1oADhj-h6FJ_RTm-_UzH3RF_W3OVf8IKk4aB7O2duJLkSnAEWHegFPRj2y3isoFsWdQJyMp0TFFjGafbAakimordZords_OxqNpkB3QU7cbs2QcudzAA008KbzPfWUmvZnmdf2A/s640/screenshot1.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOiheHOykjxEwwajkDfy7sxEsevojgdGueIJTc0pdZ-d_SpkZkfKSWzfFPHN9DJwFhyvf5CjqqfV4XAoM3ASvgRwarDkzX-rHpJNiDICSkk1qmiZjlnL-alMyJ5ijfTU9jU1FbG5tH2X25/s640/screenshot2.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYpmUv88Yy3YL-0mTRHAMlFIHMA5rTaIWxNIbgGgCi-zMuFK-NoBQmj_Xnh-wwTHt47POHT5312IcRHqzZgjIw9rDBXiIAsNHYsm35SDdFLpkOijGFwctJaOMM1eT4ikATfslDwQ8pKU6p/s640/screenshot3.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEAxOuttaT7zJ26aJOmCW_e2t_vjP8-btiZGleUM9W8VIIuWcBAEBoVBKJP0TH4MqggEdWHPwLCXFg94H9bt5yvoFAurwoEDIYyMh7fbCpgp2zZr6TyIO8QG9zzLgLRLSgPVB_d6_ZZiMU/s640/screenshot4.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLgpjFPQAw60-rIGHrdDbAo-t-HJy4nJhXcMwyGElXR-ajd5OrvwTuG3ONItCvFqeiQBBw4F8lj8xZUD3tRR3csU1u0XZon2Ahu7wCewB8RdH36J3ayTc3Hsqzh8YOxw1g4Q7awwKogbPo/s640/screenshot5.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8-lmIjSsDghgKU_Gtr6hyphenhyphen_-kBQN8ZWDoRQovn7jBSGKVPKqH31hKhOqYpVgsYRKLEBgWqzJV4C81Ci7-VgF6Bqv7crKtlpexvSA_BjZfQ9h-bAsSYDHzQiB_ad0XXuQzhogoGhrZMlwSi/s640/screenshot6.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2Pa39Vp5ik7Wh_MYvQIjWocMHKnXo93QRINNWzKzB2JwDdHzmhj2SrRaOQBetz4dpxmAXaOQh-mqV36d3SfjGkaN34wWxCvS9KMAaAyHaLBbovsAgwcCwY4yZeAUcyBHyEEGgKXGUHlYs/s640/screenshot7.png)
3. We see that there is a WordPress installation. We use the wpscan tool to enumerate users, plugins, themes, and versions.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeI62FAkfD8L1_vg3S9gkBZLJ7cNeiTRin-1dHwJBSJkXg9zIIuBOev6RzUI_Cxgy945_EMEWHLuyVOJJciQ1b6zUAMT1V7W66r7BQhUa4W4LDrlL7gPPDJMn_wQRQ7T7_TSAG24R5Zok2/s640/screenshot8.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4YZ_9PqzXdf1rPhtsSTUS5ciW55wicB-0shyphenhyphentC2qW7lNq34wBk2aDxzh_Jky3p9bVw1gsOqjnhIXw_DJl7SVJ63WOL5hPVcU1M2GzIxIytMgu6tmsq68cYxqppQ2wI91WVT08d5uGmnkr/s640/screenshot9.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNxZlp6ERkqZD48PCsZH4f2GK6KSe0avWJPBkudNrvL-ARkQ12nyBp4kYVA0gi2lgr1r0Oan5eqKjqFNe9P5JONDOXs1AXe0Mi3URx32fb3bmRsFSIYe2hPyCrM8e46-92TVzVYeg_xr3m/s640/screenshot10.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhedwIvnsNiC5iU5IJ7C53iJMPJhjPfgg5bebIwUqw89QF-VBk-ayR4Q2Ts5FieUv8co4CLfZQSBNdDSvurXtzGmoEUENsj2JaQaVkdh5qWxOv6NOct0NqRXGKJGQ1yT7QxJOt6Cylg6BTm/s640/screenshot11.png)
4. We have two logins for the WordPress installation (michael and steven). Maybe we can try to test passwords against the login page.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7cKIyxPaFBVKVHOpP-CtXxql1Hd_CKH8VeJf1Dc0_aSFp30KFDnugwa6mq1ezUhDHaYYqJfRKnr1TcK9zs07a7_3WxbyJQOHJ-t1fa8NZTfvFSgilIP5R6jIs7QJD0YNd7azo_JqxG05E/s640/screenshot14.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSozNF75M_vByDMfZSjKLAfcJQgsK65Ixz5fsVNZFoZds21iBGL9GMoxca_vEnf1P5Ygi-B9yCBJ3ncekgDa96Sf7Z2LRCZOZvGxWfvTUrfbgGBakPAhBnuNzKXeHk0rc2nbUq4kLxBA7k/s640/screenshot15.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2y3QT-DXt5_bzzlAUF-ORWDvZhrqo4wlzGAzNt2g6RGroh5yByYFsccKOeeTL9SBnTsrKvpHbSr0njxnC1EvK4qseSJtB9sXtEURK4cm6HJYoQChlxI2qKMEAd_IEdb2hJnji6tQY7bRZ/s640/screenshot16.png)
6. Now that we are in the machine, look around the web folder structure to see if we can find more creds.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdjlLc1DVr5lo_pCQN9sjh1FlBynr6Nx7rC5Yzd8KmbKifScd5Rgsmx-zdy5HqL-iaNCkbN3vzI5yj9090TdqtJxUapxw50IHXjtIfQiVDLzun3hS5Wcpyhpf2dyd9UMNMj68bAoVYwnJn/s640/screenshot17.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizD3IGOVRA9pIDrVsIGbbuLBhJhLwEfjTevklSeBqM_z_CAmIB86WrcadAGOTaklVxltvABzOw4z_F72SbIv5zrN97YU7sx0V3TMeylZxEy4q1Yip3aWD7TCkYqd4YnNbh44iPSL9DKMpe/s640/screenshot18.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE_ZFiRhgKJPJbMMcO27qA7MaQvN2Wy5hLGxCvEkrDl5B-o4RL3njTdnmDqRG1Cnc8DDaSXnSwX3gAfsFqR-G6ZJf2h3EiXJKglV9Z7arwW3PcewVw1O91TGiKK_iEaWWr3lAws5_3DEqK/s640/screenshot19.png)
7. We have the root creds for MySQL. Maybe steven used the same password. Nope. At least we should be able to log into WordPress now.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu5mQbjfbqDvCfEfdzKEgh2JBKl5R76ZAj6v059UfhMKWoqF_MJV-UPh_OD9q2Y1nhRIpsmEeVKhas4mPDbQKUijFmUuSIRXql0GSrIvBas-Cy6xdoyjjJQ0Ni9rlBCRvsBjzCk6hvmqWf/s640/screenshot21.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja1dPjKdWZNxwmk2A0ym9mC2d9gpIFj1v5998YKOVVAa7HM0BNHR3vrHvui5i614ggkieMPheZGWbQLmdqAIczLFq21POHEN3VFxi2GB_KRjNbJdrmsU3xuje1VW2oGztdLX6EcwVwbcLD/s640/screenshot22.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfX4xsl5fVenB12VYJmRG9QxEm027S5oz1kltQM2FJfcJhltaNZk12u4yFFVpBioAieZm1OGMWHExTh_rKhZHMfgRqCR0qqDrdBnwwOjPMpmaoDZM1ffzjqLxMlyryKCJcHJZrDvOV3Ygi/s640/screenshot23.png)
9. We have found hashed passwords in the wp_users table. We can try to find the passwords.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Y4aXB6JXCMSmVX_I0-kbhMi9neUiydEgfDUk3vf3ZiqI4-hqrXpBw76ox41OG9CfiPIp80VLOzjzjVlzC8oNqFulFYRK-EJZ5hEgWlpTGuTJARNUBzVQ7ahlVgjdEIrB-Y83ijjwkmkF/s640/screenshot24.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYgKetZmFI2Somx0VJWV9SERpJCaXlOhj28fyrBMIXr9rA1Kbb4cqp06_xUJr3cTxHsLcvbNg33nNNDO1ip8b4oR3Yp0Y8HbmxioPtLtFdqUj3ealSSTKpSHs_kuAJ32-4-1coxj2tStpt/s640/screenshot26.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgui_XjbrueCoR0juHVthhHd_aWLrYlG2PegtRDuRItdA-QmbeJG8Mca3mfdp3BVBG-OOfBWvDS_v7UGM65aH0ahCp7XHf-8jP2TH16liApnOmDL9TbkbUjgEHEGSQzVW12t9G32dHZuJl0/s640/screenshot27.png)
10. We can use hashcat to find the password. Found it. (Of course I closed the terminal before taking a screenshot.)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPQUYIIs0Qp7N-fzgtxEoO6e_nDZg8ijt6WLfuIj4IMGDJfL-sfKsOIFBX1TE7SRsGdj_NmHhTR71aFXoxXlYeeSjpcKki-vWQxF_2GFTV62IpO25IEGMTxf7-VHXnvfSFVXlcXmGHuwPY/s640/screenshot28.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgncOAwbxIyuBlaVFDrO1vkg21QVJSaUjMurShst537EF7adcf3OU2xqIKX1V4r7ksEj7HpYihUFbcMdjy-NsfVICVwSbeaMkae1iUF9i-qTB-zyujhg1z2_WWmZLyVEsqyF3upJun9WDti/s640/screenshot30.png)
12. Well, it looks like steven can run the python command with sudo. So we can use python to get into a shell.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQA4xfGbulNwwkbtN3OcOIgRGohm26_NqhAWGUIEE0FsfMx-PeHXT0tV0NZ6-a4ThyphenhyphenxS7NdAjKp_0MHapbi_zs6WvqFKkJzINz1Yp-R_RVbA1CERdO8uetPxAC21a9r1TrbRpUKW7EOPEe/s640/screenshot32.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_oB-gUuiBXdZBfX1MI2-YJ7ZmEj1UoBZkOPbH37kyLZPaFE8wHO985cTBkkUt-IgbwxKqk3bYG2iBUo8MDRYt3Gvtemj7Mi2iMMflsZvenN3sVvAJ46ektXsW5JlAJ6YadHTKXjvggCxe/s640/screenshot33.png)
13. That looks like game over. I also wanted to list where I found the other flags.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBqVXJcUEiTDCBvyrxGo3TU5fre6JHBZn59Pz9nPMMhurq2GmXJ6isGluQ8-NRUcrT5g1m_yYFP17om4KCWrRjKjozsSLExUK0jVnA6li0RSbHWO8bjXyG393KPK7-00XZinvr-PLH5y46/s640/flag1.png)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjIX2gQMOy9V-0FeqeeobL3d3wGLD99KCDtxezfw4lR_VEjwFvr-UW03PX9uw0Y_WqmLp1CLWLFfVAVYPRW1JCEiemeGSox8pmpqUtpNMIfYL-kIFeJjb_hSGxsxf_80X20QCUtmvSdeG4/s640/flag2.png)
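The sudo rule from step 12 is the misconfiguration that ends the box, and it is one a defender can audit for. The following is an added example, not part of the original post: a small checker that flags sudoers rules granting `ALL` or a program that can run arbitrary code. The program list, the function name `risky_entries` and the sample rules (including `NOPASSWD` on steven's entry) are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Programs that can run arbitrary code or spawn a shell; illustrative, not exhaustive.
SHELL_CAPABLE = {"python", "perl", "ruby", "php", "lua", "bash", "sh", "dash",
                 "zsh", "vi", "vim", "less", "more", "find", "awk", "env", "gdb"}
SKIP = ("#", "@include", "Defaults", "User_Alias", "Runas_Alias",
        "Host_Alias", "Cmnd_Alias")
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?P<rest>.+)$")
TAGS = re.compile(r"^(?:[A-Z]+:\s*)+")

def risky_entries(sudoers_text):
    """Return (who, command, nopasswd) for rules granting ALL or a shell-capable program."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        spec = SPEC.match(line)
        if not line or line.startswith(SKIP) or not spec:
            continue
        # Drop Runas lists such as (ALL:ALL); aliases and escaped commas are not handled.
        rest = re.sub(r"\([^)]*\)", "", spec["rest"])
        nopasswd = False  # tags carry over to later commands on the same line
        for cmd in (c.strip() for c in rest.split(",")):
            tags = TAGS.match(cmd)
            if tags:
                for tag in re.findall(r"[A-Z]+", tags.group()):
                    nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
                cmd = cmd[tags.end():]
            if not cmd or cmd.startswith("!"):
                continue
            path = cmd.split()[0]
            # python2.7 and python3 should both match "python"
            name = re.sub(r"[\d.]+$", "", PurePosixPath(path).name)
            if path == "ALL" or name in SHELL_CAPABLE:
                findings.append((spec["who"], path, nopasswd))
    return findings

# Constructed sample; the page does not show the target's actual sudoers file.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
steven  ALL=(ALL) NOPASSWD: /usr/bin/python
backup  ALL=(root) /bin/df, NOPASSWD: /usr/bin/find
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for who, cmd, nopasswd in risky_entries(SAMPLE):
        print(f"{who}: {cmd} (NOPASSWD={nopasswd})")
```

Rules that pin a specific command with fixed arguments, like the `deploy` line in the sample, are not flagged; a bare interpreter path is.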