Rustscan
PORT 80
This looks like a wordpress site to ensure this let’s visit /wp-admin
Dirsearch
I started fuzzing for directories using dirsearch and expected to found wp-admin as it is a wordpress site
This gave us a valid username and we can verify it as wordpress allows us to know if the username is correct but the password is invalid
We can bruteforce password for this user account.
WPSCAN
For wordpress it is recommended to run wpscan to enumerate for user names ,plugins and themes installed also it looks for vulnerable plugins
We found a few more users along with hugo so let’s start the bruteforce attack through wpscan
We logged into the wordpress dashboard now goto Appearance -> Editor -> Select 404 Template-> Paste php reverse shell
Now we have to invoke the php reverse shell as setting up a netcat listener to do that we have added our malicious 404.php file now we need to navigate to where it is stored as we have edited theme twentyfiteen it is in wp-content/themes/twentyfifteen/404.php
But we need to escalate our privileges in order read user.txt
We see find as SUID so we abuse it to gain access to root
We can see that our prompt as changed as a root user to get a proper root shell just set SUID bit on /bin/bash and you will get the proper shell with /bin/bash -p
