This post walks through the solution of the LazySysAdmin VulnHub machine, covering WordPress penetration testing and the exploitation of SMB shares.

Initial Reconnaissance

I started by performing an nmap scan to identify the server’s IP address, which was 192.168.1.147, along with any open ports and services. A more detailed nmap scan then helped me identify specific service versions, including SSH and Samba (on ports 139 and 445). After that, I used nikto to scan for web vulnerabilities, which revealed a WordPress installation and phpMyAdmin.

WordPress Enumeration

Next, I used wpscan to enumerate WordPress vulnerabilities, and during this process, I managed to identify the username “admin.” I attempted to brute-force the admin login, but unfortunately, that didn’t work out.

Samba Exploitation

Since Samba was running, I decided to use smbclient to connect to the server. I discovered shares like “brains” and “IPC.” After some trial and error, I successfully accessed the server and listed its directory contents, where I found WordPress files and a particularly interesting file named “to_do_list.txt.” I downloaded two files from there: wp-config.php and to_do_list.txt.

Credential Discovery & Initial Access Attempts

The wp-config.php file was a goldmine as it contained database credentials (username and password). I tried using these credentials to access the database, but it didn’t lead to any further progress. I then used the same credentials to attempt a login into the WordPress dashboard. I also generated a PHP reverse shell payload using msfvenom and placed it in a WordPress theme template, but this attempt to get a shell failed.

Finding the Key

The to_do_list.txt file proved to be crucial. It contained a note and a password: “12345.” The note explicitly stated that the admin had forgotten to remove this file and password.

Gaining SSH Access & Privilege Escalation

Armed with the “12345” password, I used it with the username “togie” (which I had identified as a user in the WordPress dashboard) to successfully SSH into the server. Finally, I used the command sudo -i to escalate my privileges to root, which completed the challenge.

Here’s a summary of the technical commands I mentioned:

  • nmap
  • nikto
  • wpscan
  • smbclient
  • ls (implied when listing directory contents)
  • msfvenom
  • ssh
  • sudo -i
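From the defender's side, the two files pulled from the Samba share (wp-config.php and to_do_list.txt) are what an audit of exported directories should catch. The following is an added example, not part of the original walkthrough: it parses an smb.conf, lists shares that allow guest access, and flags credential-bearing files under each share path. The share names, paths and file contents are constructed, and guest access to the share is an assumption the walkthrough does not state.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Patterns for the two leaks in the walkthrough: wp-config.php and a text note.
WP_SECRET = re.compile(r"define\(\s*['\"](DB_USER|DB_PASSWORD)['\"]")
NOTE_SECRET = re.compile(r"\bpass(word|wd)?\b", re.IGNORECASE)
TRUE_VALUES = {"yes", "true", "1"}

def guest_shares(conf_text):
    """Return {share: path} for smb.conf shares that allow guest access."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    shares = {}
    for name in cp.sections():
        sec = cp[name]
        guest = sec.get("guest ok", sec.get("public", "no")).strip().lower()
        if name.lower() != "global" and guest in TRUE_VALUES and "path" in sec:
            shares[name] = sec["path"]
    return shares

def audit_path(root):
    """Walk a shared directory and return (relative path, reason) findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        rel = str(path.relative_to(root))
        if path.name == "wp-config.php" and WP_SECRET.search(text):
            findings.append((rel, "WordPress database credentials"))
        elif path.suffix.lower() == ".txt" and NOTE_SECRET.search(text):
            findings.append((rel, "password mentioned in text note"))
    return findings

def demo():
    """Build a constructed share and smb.conf (all values made up), then audit."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-config.php").write_text("define('DB_PASSWORD', 'EXAMPLE-ONLY');\n")
    (root / "to_do_list.txt").write_text("Remove this note. Password: EXAMPLE-ONLY\n")
    (root / "index.php").write_text("<?php // nothing sensitive\n")
    conf = (f"[global]\n  workgroup = LAB\n[webroot]\n  path = {root}\n"
            "  guest ok = yes\n[private]\n  path = /srv/private\n  guest ok = no\n")
    return {share: audit_path(path) for share, path in guest_shares(conf).items()}

if __name__ == "__main__":
    for share, hits in demo().items():
        print(share, hits)
```

On a real host, pass the contents of the server's smb.conf to `guest_shares` and review every finding before the share stays exported.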

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.