Download machine from here

Start by identifying the victim IP with netdiscover.

Run a nmap scan to look for open ports.

Port 80 and a type ssh port 4512 is open

Head to website and it is run by a wordpress site.

Let’s use wpscan to scan for users.

wpscan –url –enumerate u

3 Users found

Let’s use wpscan again with c0ldd user.

wpscan –url –passwords /usr/share/wordlists/rockyou.txt –usernames c0ldd

password found

Login to the wordpress site and head to the editor section. Upload a php revershell on the header section. Start up netcat too.

Reload the main site again and access is gained.

Look at the wp-config.php file and get user credentials.

Use the python shell exploit to gain and shell and switch user.

Find the first flag.


Sudo -l to find what we can use to exploit.

Head to gtfobins to find the exploit.

sudo vim -c ':!/bin/sh'

Head to the root folder to get the final flag.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s