Below is the nmap output of the IP: 10.10.10.37
Let’s visit the web page on port 80, as the name itself is Blocky.
On the website they mention something about the plugin and the wiki, and they give a hint not to check other places.
Now we can run gobuster to check whether any directories match plugins and servers.
I checked server-status and it's forbidden.
After that I checked plugins; two jar files are present in the folder.
I downloaded the first one and unzipped it. It looks like compiled Java class files, so I disassembled them and found a password for the root user, as below:
I used the creds on the phpMyAdmin page:
After logging in to phpMyAdmin, I opened the WordPress wp_users table to see which users are present in the system.
It shows that a notch user is present in the system. We have observed that SSH is enabled on the system.
So I tried to SSH into the system with the notch user ID and the password found in the disassembled file, and it worked :-p
The user flag is present right there. After that I ran sudo -l to see notch's permissions; it shows that notch can run all commands, so I ran sudo su to elevate privileges to superuser.
And that’s it: we got the root flag and root privileges!