Navigate to the IP address of the box in the browser
Go to /robots.txt to find pages the owner doesn't want crawled
Find key-1-of-3.txt (the first flag) and the fsocity.dic wordlist
Use Gobuster to find what directories exist
Find: sitemap, wp-login, license, intro, readme, robots
Go to wp-login and notice the overly verbose error message "Invalid username", which confirms whether a given username exists
Use Hydra to find valid usernames, using fsocity.dic as a source file
hydra -L fsocity.dic -p test 10.10.85.7 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid Username" -t 30
Find the valid usernames Elliot and elliot
Use Hydra to run a password attack, using fsocity.dic as a source file
hydra -l Elliot -P fsocity.dic 10.10.85.7 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the username" -t 30
Wait forever...
Log in as Elliot with the cracked password (his employee number)
Notice that Elliot has "editor" access, so we can insert a PHP reverse shell
Go to github.com/pentestmonkey/php-reverse-shell/.. and copy a PHP reverse shell script
Paste it into the theme's archive.php file
Add in the listener's IP and port
Save
Navigate to /wp-content/themes/twentyfifteen/archive.php
That activates the reverse shell
Check "whoami" and "hostname"
ls /home to list the users: only "robot"
cd /home/robot
Shows key-2-of-3.txt and password.raw-md5
Cat the key: permission denied
Cat the password md5, get a hash, crack it online to get the password "abcdefghijklmnopqrstuvwxyz"
Run python script to get an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
Change to user robot:
su robot
Enter the password and read key-2-of-3.txt
Next, privilege escalate to root
Run this command to list SUID/SGID binaries (-perm /6000 matches files with either bit set):
find / -perm /6000 2>/dev/null | grep '/bin/'
Find NMAP binary at /usr/local/bin/nmap
Search on GTFObins.github.io for NMAP
See that nmap --interactive gives a shell, and because the binary is SUID root, that shell runs as root
Get dat flag
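The two web-facing steps above, the wp-login brute force and the reverse shell dropped through the theme editor, both leave a clear trace in the web server's access log. As an added example (not part of the original notes), a small Python detector run over constructed combined-format log lines; 10.9.0.5 and 10.9.0.7 are assumed client addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Apache "combined" log format. Regex and sample data below are constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
def parse(line):
    m = LOG_RE.match(line)
    return m and {"ip": m["ip"], "method": m["method"], "path": m["path"].split("?", 1)[0],
                  "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def login_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Sources with more than `threshold` POSTs to wp-login.php inside any sliding `window`."""
    per_ip = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["method"] == "POST" and ev["path"].endswith("/wp-login.php"):
            per_ip[ev["ip"]].append(ev["ts"])
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[ip] = best
    return hits

def theme_edit_then_fetch(lines):
    """Sources that POST to the theme editor, then GET a .php file under the themes tree."""
    edited, flagged = set(), []
    for ev in filter(None, map(parse, lines)):
        if ev["method"] == "POST" and ev["path"].endswith("/wp-admin/theme-editor.php"):
            edited.add(ev["ip"])
        elif (ev["ip"] in edited and ev["method"] == "GET"
              and ev["path"].startswith("/wp-content/themes/") and ev["path"].endswith(".php")):
            flagged.append((ev["ip"], ev["path"]))
    return flagged

def sample_log():
    """Constructed: 25 login POSTs in 25 s from 10.9.0.5, a benign GET, an editor write, a fetch."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{m} {p} HTTP/1.1" {s} 512'
    mk = lambda ip, sec, m, p, s=200: fmt.format(ip=ip, ts=t0 + timedelta(seconds=sec), m=m, p=p, s=s)
    lines = [mk("10.9.0.5", i, "POST", "/wp-login.php") for i in range(25)]
    lines.append(mk("10.9.0.7", 3, "GET", "/wp-login.php"))
    lines.append(mk("10.9.0.5", 40, "POST", "/wp-admin/theme-editor.php", 302))
    lines.append(mk("10.9.0.5", 45, "GET", "/wp-content/themes/twentyfifteen/archive.php"))
    return lines
```

Tune the threshold and window to the site's normal login rate; a single source exceeding it, or any editor write followed by a fetch of a theme .php file, is worth an alert.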