Funbox: 1,518/


  • Enumeration will lead to a WordPress site
  • Use WPscan to enumerate for users and passwords
  • Same credentials are used for the other services
  • Escape the restricted shell with SSH
  • Find a cronjob script and add a python reverse shell
  • Rabbit hole : Two users are executing the cronjob script including root user.


Run nmap scan to find for open ports.

Run a gobuster scan to find for hidden directories.

Port 80



Used WPscan to enumerate users and bruteforce users.

Found two users with passwords joe:12345 & admin:iubire

Login to WP as admin.

I’m unable to upload any reverse shell plugins. Since I got the user Joe and the password I can check if its the same passwords for the SSH and FTP service.

Looks like its the same for both services.


Joe access gained.

However the shell is restricted. We can use the following method to by the restricted shell.

Found a inbox for joe.

We find another user called funny and the user has a hidden script that runs uploads a backup.

Let’s try to add a python reverses hell into the script and start a netcat listener.

Funny user access gained.

However I couldn’t find any method for privilege escalation.

In Joe’s inbox the first message is from the root user stating the backup script is completed. The root user could potentially run the script too.

Privilege escalation

I tried to run another netcat listener after and we got the root user.

Checked the crontab and indeed the root user runs the backup script.

Found the final flag

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s