Site = VulnHub
Creator = KDSAMF
Difficulty = 🍕
Basic Summary:
This machine is pretty easy just http and ssh
running on the usual ports. The webpage is running
wordpress there on the page we have wordpress
password for kira. After logging on the page we check
the media section there’s a wordlist and then by
checking the wp-content upload directory we found
the userlist and then by bruteforcing we found our
intital foothold. There can ssh user kira without
password and then in /opt we have kira’s password
and we can run every thing as root. Boom Done!!
##QUICK LINKS
##RECON
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5eb8ff2dacc7e93c992f3bfcda5ca353 (RSA)
| 256 a8f3819d0adc169a49eebc24e4655ca6 (ECDSA)
|_ 256 4f20c32d19755be81f320175c2709a7e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)##WEB
Visiting the webpage presents a wordpress page.
Interesting…
Well lets do some directory busting.
Well lets try iamjustic3 for logging into wordpress. I was successful in logging in using kira username.
Lets press some buttons!!
BOOM
Notes.txt hmm lets check the upload directory in wp-content
Checking the first directory, we found users.txt and notes.txt
checking both files, look like username list and wordlist we can try to bruteforce ssh
Lets get to Bruteforcin’ Then!!
Well lets log in!
FLAG1 = i think u got the shell , but you wont be able to kill me -kira
HMMM
Theres nothin in our directory
Well we our in kira’s authorized keys. Lets login as kira
Letz goo!!
Lets protect L cz why not, he did stop WWIII at the age of 8 lol.
Well lets try the password for kira.
Well we are R00T
DONE!!!
And yes later i check the /var for misa
but…
Yeaaah!!! 🤫
Thanks for reading! Always waiting for improvement so if theres
something i can do to improve the writeups why note msg!
HAPPY HACKING 😈
