Let\u2019s dive in!<\/p>\n\n\n\n
Scanning the Target<\/h2>\n\n\n\n
The first step in any penetration test or CTF is scanning. I ran an Nmap scan<\/strong> to gather information about the machine, checking for open ports, service versions, and other useful information that could hint at potential vulnerabilities.<\/p>\n\n\n\n Here\u2019s what the flags mean:<\/p>\n\n\n\n This showed the following open ports:<\/p>\n\n\n\n This gave me a list of open ports, and I noticed that a web server<\/strong> was running on the target machine. Time to open it in a browser!<\/p>\n\n\n\n The web app was simple, but I immediately started exploring it. It had some JavaScript<\/strong> running, so I decided to dig deeper and see what other parts of the web application I could access. I then ran a Nikto scan<\/strong> to check for any obvious vulnerabilities or misconfigurations.<\/p>\n\n\n\n Nikto discovered several WordPress-related paths<\/strong>, so I followed up with WPScan<\/strong>:<\/p>\n\n\n\n WPScan confirmed the WordPress version and showed an outdated theme, but I couldn’t find any public vulnerabilities tied to it. For a moment, I hit a dead end \u2014 but that\u2019s part of the process. I went back to the Nikto output and examined the following paths manually:<\/p>\n\n\n\n That\u2019s when I thought of checking In normal websites, Sure enough, this A massive wordlist \u2014 perfect for brute-forcing WordPress login, but it would take a long time. So I kept looking for a shortcut. Another common file in WordPress installs is Looks like valid credentials! I used these to log into WordPress as user Once inside, I tried to launch a Meterpreter session using Metasploit:<\/p>\n\n\n\n I ran into an error that said WordPress wasn\u2019t detected. Turns out, this is a known issue \u2014 I bypassed it by running:<\/p>\n\n\n\n Even then, I couldn\u2019t get a shell. So I fell back to the tried-and-true Pentestmonkey reverse shell<\/strong>. I uploaded it to the 404 template<\/strong> in the WordPress theme editor and triggered it in my browser. Boom \u2014 I had a shell.<\/p>\n\n\n\n Exploring the system, I found this in $ nmap 192.168.68.66 -sV -T4 -v -A<\/code><\/pre>\n\n\n\n\n
![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-15-103607-1024x498.png\")
<\/figure>\n\n\n\nWeb Application Discovery<\/h2>\n\n\n\n
$ nikto -host 192.168.68.66<\/code><\/pre>\n\n\n\n$ wpscan --url 192.168.68.66<\/code><\/pre>\n\n\n\n\n
\/index<\/code>: Infinite refresh loop<\/li>\n\n\n\n\/admin\/<\/code>: Same refresh behavior<\/li>\n\n\n\n\/readme\/<\/code>: A short message: \u201cI like where your head is at. However I’m not going to help you.\u201d<\/em><\/li>\n\n\n\n\/image\/<\/code>: Linked to a blog post, but nothing useful there… yet.<\/li>\n<\/ul>\n\n\n\nrobots.txt<\/code>.<\/p>\n\n\n\n![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-15-110012.png\")
<\/figure>\n\n\n\nrobots.txt<\/code> is a file placed at the root of a domain to guide search engine crawlers<\/strong> on what pages to index or ignore. For example, a company might want to hide \/admin<\/code> from being indexed on Google. But in a CTF or pentest, this file can leak sensitive directories or hidden files.<\/p>\n\n\n\nrobots.txt<\/code> contained a wordlist file:<\/p>\n\n\n\n$ file fsocity.dic\nfsocity.dic: ASCII text, with very long lines\n\n$ wc fsocity.dic\n858160 fsocity.dic<\/code><\/pre>\n\n\n\n\/license.txt<\/code>. It typically contains licensing information for the WordPress software \u2014 harmless on real websites. But here, it had a Base64-encoded string<\/strong> that decoded to:<\/p>\n\n\n\n$ echo <string> | base64 -d\nelliot:ER28-0652<\/code><\/pre>\n\n\n\nelliot<\/code><\/strong>, and sure enough, I was in \u2014 with admin access<\/strong>.<\/p>\n\n\n\nGaining Shell Access<\/h2>\n\n\n\n
$ msfconsole\nmsf6<\/span> > use exploit\/unix\/webapp\/wp_admin_shell_upload\nmsf6<\/span> exploit(exploit\/unix\/webapp\/wp_admin_shell_upload) > set password ER28-0652\nmsf6<\/span> exploit(exploit\/unix\/webapp\/wp_admin_shell_upload) > set username elliot\nmsf6<\/span> exploit(exploit\/unix\/webapp\/wp_admin_shell_upload) > set rhosts 192.168.68.66\nmsf6<\/span> exploit(exploit\/unix\/webapp\/wp_admin_shell_upload) > run<\/code><\/pre>\n\n\n\nset wpcheck false<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-15-140057.png\")
<\/figure>\n\n\n\n\/home\/robot\/<\/code>:<\/p>\n\n\n\n$ ls home\/robot\nkey-2-of-3.txt\npassword.raw-md5<\/code><\/pre>\n\n\n\n
![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-15-141820.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-15-143123.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/04\/Schermafbeelding-2025-04-15-151453.png\")
<\/figure>\n\n\n\n