So we do a normal nmap scan first and we find that first we need to add the IP and apocoalyst.htb

10.10.10.46 apocoalyst.htb

to the /etc/hosts and we will get a live server that is running on wordpress sooo lets use the tool wpscan to enumerate for vulnerabilities and see if we find something.

And while we are doing that lets also start directory busting i prefer dirbuster but you can use any tool like gobuster or dirb.And we can use the wordlist from cewl to make a list or something like that.

cewl <http://10.10.10.46> > directories.txt

And then in the result of this dirbuster we see some intresting directory like Rightiousness where there is ust one image which we can use steghide on totry to find if there is some something like hidden in it or something.And the syntax for that would be →

steghide extract -sf image.jpg

and in the password just leave it blank and press enter and intrestingly enough it gives us a list.txt which has a wordlist for what looks like passwords.

And now that we have passwords lets look around the site and try to find a possible username and if you look around the site and it over every post has an author name which is falaraki in our case now lets use the tool wpscan to brute force the wordpress login.

wpscan --url 10.10.10.46 -U falaraki --passwords list.txt 

And it should show you possible password combination with that username now lets go to wp admin page and login with these credentials and then basically its simple stuff cause all we need to do then is go to Appearance > Editor and then try to edit a page it can e like maybe the 404 page or something and get php reverse shell of github here is the one i used

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

and then lets just use this after changing our IP , port and then start a netcat listener .To use it we basically just have to change the code in the page we selected and paste this reverse shell scriptin there and we do that lets publish it or save it and then traverse to the page where thats stored which is gonna be in the /wp-content/themes/twentyseventeen/404.php in this case and when this runs we should get a listen back on our netcat listener and now we should have the shelll and here lets see what we can do i like to try 3 things on linux boxes for priv esc-

  1. sudo -l → Look for stuff we can run as sudo