Sunday, November 25, 2018

Raven 1 - Vulnhub CTF Walkthrough


1. Do the usual scan to find the DHCP address. Once found, do an nmap scan.










2. I started to look around the web page with Firefox/Burp Suite while running the dirb command. 





3. We see that there is a WordPress installation. We use the wpscan tool to investigate users, plugins, themes, and versions.









4. We have two logins for the WordPress installation (michael and steven). Maybe we can try to test passwords against the login page.
Also, to make life easier, we add a host record so we can browse using the DNS name raven.local.





5. We do not get far trying to brute-force WordPress using wpscan. I was not going to wait that long anyway. Then I tried SSH using the login names. Success once I used michael:michael.







6. Now that we are in the machine, look around the web folder structure to see if we get more creds.






7. We have creds for root for MySQL. Maybe steven used the same password. Nope. At least we should be able to log into WordPress now.


8. We have an interactive shell so maybe we can use mysql to find more data.






9. We have found hashed passwords in the wp_users table. We can try to find the passwords.







10. We can use hashcat to find the password. Found it. (Of course I closed the terminal before taking a screenshot.)




11. Now, try the found password with the steven login. Is steven a sudo user?

12. Well, it looks like steven can sudo the python command. Well, we can use python to get into a shell.





13. That looks like game over. I also wanted to list where I found the other flags.
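
The sudo rule from step 12 is the kind of grant a defender can catch by auditing sudoers entries for programs that hand out a shell. The script below is an added example, not part of the original walkthrough; the `SHELL_CAPABLE` list, the `audit_sudoers` helper and the sample sudoers text are constructed assumptions.

```python
import os
import re

# Assumption: a short, non-exhaustive list of programs that can spawn a shell
# or run arbitrary code when started through sudo.
SHELL_CAPABLE = {"python", "perl", "ruby", "php", "bash", "sh", "vi", "vim",
                 "less", "awk", "find"}

RULE = re.compile(r"^(?P<who>[%\w.-]+)\s+\S+?\s*=\s*(?P<spec>.+)$")
PREFIX = re.compile(r"^(?:\([^)]*\)\s*|[A-Z_]+:\s*)+")  # (runas) and TAG: parts

# Constructed sample sudoers text, modelled on the finding in step 12.
SAMPLE = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
michael ALL=(root) /usr/sbin/service apache2 restart
steven  ALL=(ALL) NOPASSWD: /usr/bin/python
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/vim /etc/hosts
"""


def audit_sudoers(text):
    """Return (line_no, who, command_path, nopasswd) for each risky grant."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        rule = RULE.match(line)
        if not rule or line.startswith(("#", "Defaults")):
            continue
        nopasswd = False  # a tag applies to later commands in the same rule
        for cmd in rule.group("spec").split(","):
            cmd = cmd.strip()
            prefix = PREFIX.match(cmd)
            if prefix:
                for tag in re.findall(r"([A-Z_]+):\s", prefix.group(0) + " "):
                    nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
                cmd = cmd[prefix.end():]
            if not cmd:
                continue
            path = cmd.split()[0]
            # Treat python2.7 or python3 as python when matching the list.
            name = re.sub(r"[\d.]+$", "", os.path.basename(path))
            if name in SHELL_CAPABLE:
                findings.append((line_no, rule.group("who"), path, nopasswd))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print("line %d: %s may run %s via sudo (NOPASSWD=%s)" % finding)
```

Each finding is a rule to replace with a narrowly scoped wrapper or remove; blanket `ALL` grants are not reported by this check and need their own review.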




