1. Scan reveals tcp 22,80
2. gobuster/dirb shows us a wordpress installation
3. wpscan --url http://$targetIP/wordpress --enumerate u shows us two user names. (Redacted here. Figure it out.)
4. curl http://192.168.233.34/wordpress/robots.txt shows us: allow : /robots.html, which points us to:
5. http://192.168.233.34/wordpress/robots.html, which contains:
6. <html><body>
<p>Please collect all the API tokens available on the home page</p></body></html>
7. curl -s http://192.168.53.34 | grep API yields this:
API old0 : 5F4DCC3B5AA
<!--API old2 : 327DEB -->
<!--API old 1 : 765D61D8 -->
String these back together to get: 5F4DCC3B5AA765D61D8327DEB882CF99
8. SSH with that string as the password plus a username from #3 and you're in; flag 1 is in that user's home directory.
9. username@haclabs:~$ cat /home/username/.systemlogs reveals a long string of characters with a few quoted substrings embedded in it. Keeping only the characters between double quotes (") reduces it to the following. It's weird.
"haclabs"
"A=123456789"
"+A[::-1]" (Python slice syntax that reverses a string.)
haclabs followed by A reversed is => haclabs987654321
10. su to haclabs with the password haclabs987654321 gets us uid 0.
11. cat /root/proof.txt ftw
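A check for the kind of leak behind step 7, as an added example that is not part of the original writeup: it scans a page's HTML for token-like fragments and flags the ones sitting inside HTML comments, which a browser never renders but curl and grep show. SAMPLE_HTML is constructed to mirror the fragments above; the regex, the Fragment type and the "API ... : hex" label convention are assumptions made for this example.

```python
import re
from typing import NamedTuple

class Fragment(NamedTuple):
    label: str        # text before the colon, e.g. "API old0"
    value: str        # the hex-looking value after the colon
    in_comment: bool  # True if it was hidden inside an HTML comment

# Matches <!-- ... --> comments, including multi-line ones.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A label starting with "API", a colon, then a run of hex digits.
# The page's fragments are upper-case hex; matching is case-insensitive
# here so mixed-case leaks are caught too (assumed convention).
TOKEN_RE = re.compile(r"(API[^:<>\n]*?)\s*:\s*([0-9A-Fa-f]{4,})")

def find_token_fragments(html: str) -> list[Fragment]:
    """Return every token-like fragment in document order, marking
    whether it lives inside an HTML comment (invisible in the browser)."""
    comment_spans = [m.span() for m in COMMENT_RE.finditer(html)]
    found = []
    for t in TOKEN_RE.finditer(html):
        hidden = any(s <= t.start() < e for s, e in comment_spans)
        found.append(Fragment(t.group(1).strip(), t.group(2), hidden))
    return found

# Constructed sample page modelled on the fragments found in step 7.
SAMPLE_HTML = """<html><body>
<p>Welcome</p>
API old0 : 5F4DCC3B5AA
<!--API old2 : 327DEB -->
<!--API old 1 : 765D61D8 -->
</body></html>"""

if __name__ == "__main__":
    for f in find_token_fragments(SAMPLE_HTML):
        where = "HTML comment" if f.in_comment else "visible text"
        print(f"{f.label!r} = {f.value} ({where})")
```

Run it against saved copies of your own site's pages before publishing; anything it reports from a comment is content you shipped without ever seeing it rendered.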


Takeaway learning items
1. Look for intel anywhere, as with #7, where you are expected to somehow know to grep for API values and then think to string them together.
2. Some of the tricks here come with experience as a pentester, so keep notes on such practices so you think to employ them later.
3. Be creative in your approach, because some of these situations force you to think outside the proverbial box to proceed.


Greg

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.