InfoSecPrep Box Proving grounds.
Summary: The article describes a penetration test. An nmap scan reveals the target machine's open ports and running service (WordPress 5.4.2), and wpscan finds the robots.txt file, which leads to a Base64-encoded private key. Decoding it yields an SSH private key that is used to log in to the system. Linpeas.sh is then used to look for privilege escalation methods, and root is obtained through a bash or sudo misconfiguration.

2026-2-26 13:39:7 Author: infosecwriteups.com


Cyb0rgBytes

As with any penetration testing engagement, we start with information gathering. Information gathering is a crucial step in cyber security that should not be skipped, and the same goes for enumeration.

There are many tools that can be used for enumeration or information gathering.

Let's start with an nmap scan:


Nmap Scan Initial Results.

From the nmap scan I can see that there are two open ports: port 80 and SSH!

I can see that the web server is running WordPress version 5.4.2 on port 80, which hints that it may be vulnerable. The perfect next tool to check the WordPress web server is wpscan!

Let's use it in the next steps and see if we can get a foothold on the web server.

From the wpscan shown below I can see that there is a file called robots.txt in the web directories:


Finding the robots.txt.

Next I go to the secrets directory:


Found a Base64 encoded text!

From there I found a Base64-encoded text. I use this command to decode it:

echo "base64 encoded text" | base64 --decode

From the decoded text, I found a Private OpenSSH Key:


Found an OpenSSH Private Key Text.
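
A defender-side check for the exposure found above, as an added example that is not part of the original write-up: it scans web-served text for Base64 blobs that decode to a PEM private key. The function names and the sample file content are constructed for illustration.

```python
import base64
import binascii
import re

# PEM armour that marks private key material once a blob is decoded.
PEM_HEADER = re.compile(rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----")
# A line that is only Base64 and too long to be an ordinary word.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def base64_blobs(text):
    """Yield (first_line_number, blob) for each run of consecutive Base64-only lines."""
    start, parts = None, []
    # The trailing "" flushes a run that reaches the end of the file.
    for number, line in enumerate(text.splitlines() + [""], 1):
        line = line.strip()
        if B64_LINE.match(line):
            start = number if start is None else start
            parts.append(line)
        elif parts:
            yield start, "".join(parts)
            start, parts = None, []


def find_encoded_keys(text):
    """Return [(line_number, key_type)] for blobs that decode to a PEM private key."""
    findings = []
    for number, blob in base64_blobs(text):
        blob = blob[: len(blob) - len(blob) % 4]  # tolerate a dropped short last line
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like Base64 but is not
        match = PEM_HEADER.search(decoded)
        if match:
            findings.append((number, match.group(1).decode()))
    return findings


def sample_page():
    """Constructed sample: a served text file holding a wrapped Base64 blob."""
    fake_key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
    return "notes for the admin\n" + base64.encodebytes(fake_key).decode() + "\nthanks\n"


if __name__ == "__main__":
    print(find_encoded_keys(sample_page()))
```

Run over every file under the web root, any hit means the key should be treated as compromised and rotated, not just deleted from the server.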

Let's set its permissions and try to connect:

First of all, let's add this SSH private key to a file and change the required permissions:

chmod 600 id_rsa

Next:


Gaining Initial Access to the box through SSH.

For this machine the username is known to be OSCP since it's an InfoSec Prep machine, which makes our job much easier when dealing with it!

After gaining a foothold using the SSH private key, the time has come to elevate our privileges. We can start searching for PE vectors using our handy tool Linpeas.sh.

From this screenshot I've found that bash and sudo are possible privilege escalation vectors.


Gaining root successfully.
PWN TO OWN!

I got the information on the privilege escalation method from this website:


gtfobins website.

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

Thanks for reading my write-up and stay tuned for the next info sec write-ups!

Cheers!

Cyb0rgBytes Out!


Article source: https://infosecwriteups.com/offensive-securitys-proving-grounds-infosecprep-lab-walkthrough-23150fb516bb?source=rss----7b722bfd1b8d---4