Mr Robot CTF


Info about Mr Robot CTF

Can you root this Mr. Robot styled machine? This is a virtual machine meant for beginners/intermediate users. There are 3 hidden keys located on the machine, can you find them?
Credit to Leon Johnson for creating this machine. This machine is used here with the explicit permission of the creator <3


Active reconnaissance

Enumerate ports and services

sudo nmap -sV -Pn -A -v 10.10.24.229
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-server-header: Apache
443/tcp open   ssl/http Apache httpd
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=www.example.com
| Issuer: commonName=www.example.com
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2015-09-16T10:45:03
| Not valid after:  2025-09-13T10:45:03
| MD5:   3c163b1987c342ad6634c1c9d0aafb97
|_SHA-1: ef0c5fa5931a09a5687ca2c280c4c79207cef71b
|_http-server-header: Apache

Vulnerability analysis

Port 80

Fuzzing

http://10.10.24.229/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
http://10.10.24.229/key-1-of-3.txt


Exploitation

http://10.10.24.229/fsocity.dic

cat fsocity.dic | sort | uniq -u
ER28-0652
abcdefghijklmno
abcdEfghijklmnop
abcdefghijklmnopq
ABCDEFGHIJKLMNOPQRSTUVWXYZ
c3fcd3d76192e4007dfb496cca67e13b
abcdefghijklmnopqrstuvwxyz
iamalearn
imhack
psychedelic
uHack

http://10.10.24.229/login
http://10.10.24.229/wp-login.php

Credentials

WordPress page
User: Elliot
Passwd: ER28-0652

WordPress 4.3.1

Usernames:

Credentials

mich05654
Elliot

Get access

Package a PHP reverse shell as a plugin for the WP admin console (shell.php -> shell.zip)
Upload, install and activate the plugin
Get a bash shell
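
Seen from the defending side, the upload, activate and call sequence above leaves a recognisable trail in the web server access log. The detection sketch below is an added example, not part of the original write-up: the log lines are constructed, and the plugin directory name "shell" is an assumption taken from the shell.zip archive name. The wp-admin paths are the stock WordPress ones.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (sample data, not from the target).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:02:10 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:02:30 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=shell%2Fshell.php&_wpnonce=abc123 HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 - "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:03:05 +0000] "GET /wp-content/plugins/shell/shell.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_plugin_upload_chains(log_text):
    """Return alerts where one client uploads a plugin archive, activates it,
    then requests a PHP file inside that plugin's directory directly."""
    uploaded = set()   # client IPs that POSTed a plugin archive
    activated = {}     # client IP -> set of plugin directories it activated
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)          # also decodes %2F in plugin=
        action = query.get("action", [""])[0]
        if method == "POST" and url.path == "/wp-admin/update.php" and action == "upload-plugin":
            uploaded.add(ip)
        elif url.path == "/wp-admin/plugins.php" and action == "activate" and ip in uploaded:
            plugin = query.get("plugin", [""])[0]   # e.g. "shell/shell.php"
            activated.setdefault(ip, set()).add(plugin.split("/")[0])
        elif url.path.startswith("/wp-content/plugins/") and url.path.endswith(".php"):
            plugin_dir = url.path.split("/")[3]
            if plugin_dir in activated.get(ip, set()) and status == "200":
                alerts.append({"client": ip, "time": ts, "plugin": plugin_dir, "path": url.path})
    return alerts

if __name__ == "__main__":
    for alert in find_plugin_upload_chains(SAMPLE_LOG):
        print(alert)
```
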


Privilege Escalation

Crack the hash in the file with john

/home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Credentials

robot:abcdefghijklmnopqrstuvwxyz

Get access as robot

su robot
abcdefghijklmnopqrstuvwxyz

Second flag obtained

DirtyCow

linpeas reports the host as vulnerable to CVE-2016-5195 (Dirty COW)

It works and we get flag 3