Wpwn OffSec Walkthrough

This is a walkthrough of Wpwn from the Offensive Security playground. Let us see how we can compromise this machine. It is available in OffSec Play and VulnHub.

Reconnaissance

We run an nmap scan to see which ports are open and which services are running on them.

[Screenshot: nmap]

We get back the following result showing multiple open ports:

  • Port 22: OpenSSH 7.9p1
  • Port 80: http

Enumeration

  • Port 80: On visiting the website, we are not presented with much information.
  • Let’s use gobuster and see if anything comes up.
  • We found only one directory, and on visiting /wordpress we are presented with the page below.
[Screenshot: web server]
  • After this I ran wpscan and got a vulnerable plugin.
[Screenshots: wpscan; Social Warfare vuln]

Exploitation

[Screenshot: exploit]
  • As suggested in the PoC, I created a file and started a Python HTTP server.
[Screenshots: upload payload; payload]
  • We got a valid user: takis
  • Now we will read the “wp-config.php” file.
[Screenshot: get config]
  • Read the file and we got a potential password: R3&]vzhHmMn9,:-5
  • Tried SSH with user takis and got a user-privilege shell.
[Screenshot: ssh takis]

Privilege Escalation

  • Checked user privileges using the command “sudo -l”.
  • The user can run any command without a password, so we escalate privileges using the command “sudo su” and get a root shell on the target machine.
[Screenshot: root flag]
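
A defender-side check for the misconfiguration used in this step, as an added example that is not part of the original walkthrough: it scans sudoers-format text for rules that grant every command under NOPASSWD. The function names and the sample rules are constructed for illustration; the walkthrough does not show the machine's actual sudoers file.

```shell
# Added example: list sudoers rules that allow every command with no password.
# audit_sudoers reads sudoers-format text on stdin and prints one line,
# "principal<TAB>rule", for each rule granting ALL commands under NOPASSWD.
audit_sudoers() {
    awk '
        # Join continuation lines (trailing backslash) into one logical line.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Skip blanks, comments, Defaults, alias definitions and includes.
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
        line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias|@include)/ { next }
        {
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            split(line, field, /[ \t]+/)      # field[1] is the user or %group
            spec = substr(line, eq + 1)
            gsub(/\([^)]*\)/, "", spec)       # drop the (runas) part
            n = split(spec, cmd, ",")
            nopass = 0                        # a tag carries over to later commands
            for (i = 1; i <= n; i++) {
                c = cmd[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)
                while (match(c, /^[A-Z_]+:[ \t]*/)) {
                    tag = substr(c, 1, index(c, ":") - 1)
                    if (tag == "NOPASSWD") nopass = 1
                    if (tag == "PASSWD") nopass = 0
                    c = substr(c, RLENGTH + 1)
                }
                if (c == "ALL" && nopass) { print field[1] "\t" line; break }
            }
        }
    '
}

# Constructed sample input: the takis rule mirrors what the walkthrough
# describes; the other lines are made up for contrast.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
takis   ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \
        PASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, ALL
EOF
}

sample_sudoers | audit_sudoers
```

On a real host, feed it the contents of /etc/sudoers and the files under /etc/sudoers.d, read as root. Aliases are not expanded, so a rule that reaches ALL only through a Cmnd_Alias is not reported.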

Finally, this lab is solved. See you in the next lab 😉
