ThisIsSoEasy1
Enumeration
Nmap
We can start by enumerating the services after getting the IP address.
nmap -sC -sV 10.10.235.212
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-11 00:32 EST
Nmap scan report for 10.10.235.212
Host is up (0.39s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 May 25 2021 secret
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.4.7.170
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 3234d4a6b96105f8d97718822693dafa (RSA)
| 256 44dcabdd8827335928d945f6af2f1c3c (ECDSA)
|_ 256 6774d81cb61647b7db4d82c4661b5ef3 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.83 seconds
As we can see, a few ports are open: 21 (FTP), 22 (SSH) and 80 (HTTP).
Since port 80 is open, we can first open the IP in the browser.
HTTP

Flight Details page


The WordPress site redirects to a specific domain (thisissoeasy.local), so we add that domain to our /etc/hosts file.

Reload the page and we get this!

FTP
For FTP, we can log in with anonymous login. Inside we find a secret folder, and inside that folder there is a TODO.txt.

cat the TODO.txt

Interesting.
After poking around for some time, I found out that the flightPage is actually a rabbit hole and contains nothing interesting.
WPScan
Moving to the WordPress site, we can use a tool called wpscan to enumerate it.
wpscan --url http://thisissoeasy.local/wordpress/ --enumerate u,ap --plugins-detection aggressive
Options:
u - users
ap - all plugins

From the wpscan output, the users detected are administrator and jane.
We can navigate to /wp-admin and try to brute-force or log in with default credentials.
After some trial and error, helped by the hints from the TODO.txt, we log in to the WordPress admin dashboard with the username administrator and password admin.

We can then navigate to Appearance -> Theme Editor

Navigate to 404 Template

Reverse Shell
We can replace its contents with a PHP reverse shell.
A website that generates various reverse shells: RevShells.

Choose the PHP PentestMonkey reverse shell.
Copy the contents and paste them over the 404 template.

Update the file.
On our own Kali machine, set up a reverse shell listener.

Navigate to this link
http://thisissoeasy.local/wordpress/wp-content/themes/twentytwenty/404.php

Got a reverse shell back!
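The path above (log in as admin, edit the 404 template in the Theme Editor, then request the theme's 404.php directly) leaves a recognisable trace in the web server log. The following script is an added example written from the defender's side, not part of the original writeup: it correlates a POST to wp-admin/theme-editor.php with a later direct request for a theme .php file from the same client. The log lines are constructed for this example in Apache combined format, and the 10-minute window is an assumed threshold.

```python
import re
from datetime import datetime

# Apache combined log format (ip, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
THEME_EDITOR = "/wp-admin/theme-editor.php"
# A theme's template files are normally never requested directly by a browser.
THEME_FILE_RE = re.compile(r"/wp-content/themes/[^/]+/[^?]+\.php")


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_theme_editor_abuse(lines, window_s=600):
    """Return (ip, path) pairs where a client POSTed to the theme editor
    and then requested a theme .php file directly within window_s seconds."""
    last_edit = {}  # ip -> timestamp of its most recent theme-editor POST
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and THEME_EDITOR in rec["path"]:
            last_edit[rec["ip"]] = rec["ts"]
        elif rec["ip"] in last_edit and THEME_FILE_RE.search(rec["path"]):
            if (rec["ts"] - last_edit[rec["ip"]]).total_seconds() <= window_s:
                hits.append((rec["ip"], rec["path"]))
    return hits


# Constructed sample log: one client edits a theme file and then calls it;
# a second client only hits the 404 template without any prior edit.
SAMPLE_LOG = [
    '10.4.7.170 - - [11/Dec/2022:00:40:01 -0500] "GET /wordpress/wp-login.php HTTP/1.1" 200 5234',
    '10.4.7.170 - - [11/Dec/2022:00:40:15 -0500] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '10.4.7.170 - - [11/Dec/2022:00:41:02 -0500] "GET /wordpress/wp-content/themes/twentytwenty/404.php HTTP/1.1" 500 0',
    '10.4.7.99 - - [11/Dec/2022:00:41:30 -0500] "GET /wordpress/wp-content/themes/twentytwenty/404.php HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for ip, path in find_theme_editor_abuse(SAMPLE_LOG):
        print(f"possible theme-editor webshell: {ip} -> {path}")
```

The same trace can be prevented outright by adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php, which removes the Theme Editor from the dashboard even for an administrator account.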
User
Navigate to /var/www and we get the user flag.

Privilege Escalation
The first thing we can do (before running any scripts) is sudo -l.

We can see the user can execute the env command with sudo.
There is a website that lists sudo and SUID privilege escalation techniques for common binaries: GTFOBins.


Got root right away!

Boom, flag! Congratz!