I was able to log in to FTP with anonymous login. However, no files were listed and I was unable to upload anything. Moving on to port 80, the default page takes us to a GIF:
Running dirsearch.py against the target machine reveals robots.txt, which lists the WordPress directory as allowed.
WPScan against the target soon reveals two users of which one is admin.
WPScan reports that the credentials admin:admin are valid. Heading over to /wordpress/wp-admin we can sign in with these credentials to access the WordPress dashboard.
We now head over to Appearance > Editor and select the index.php. From here we can remove the PHP contents and replace it with a PHP reverse shell.
Once updated we can set a netcat listener and then reload the main page on: http://192.168.120.50/wordpress/index.php. This should hang the page and we should then receive a reverse shell.
I then transferred linpeas over to the target machine, and soon after running it linpeas identifies database credentials in /var/www/html/wordpress/wp-config.php.
From here we can connect to MySQL and then enter the WordPress database. We can then extract user information from the table wp_users as shown below.
I was unable to crack the root MD5 hash so I ran it against some online databases and got a hit on crackstation.net.
We now have the credentials root:roottoor. We can su to the root user for a root shell.
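
Two steps in this chain map to settings an administrator can audit: the dashboard editor under Appearance > Editor, and the MD5 hash in wp_users that an online lookup resolved. The following is an added example, not part of the original walkthrough. It checks the text of a wp-config.php for the WordPress constants DISALLOW_FILE_EDIT / DISALLOW_FILE_MODS and flags bare MD5 values in exported wp_users rows. The function names and all sample data are constructed for illustration.

```python
import hashlib
import re

# define('NAME', true) with either quote style; PHP treats true/TRUE alike.
DEFINE_TRUE = r"""define\(\s*['"]%s['"]\s*,\s*(?i:true)\s*\)"""

def editor_disabled(config_text):
    """True if wp-config.php turns off the dashboard file editor."""
    # Drop block comments and whole-line // or # comments so a
    # commented-out define() is not counted as active.
    code = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)
    code = re.sub(r"(?m)^\s*(//|#).*$", "", code)
    # DISALLOW_FILE_MODS also removes the editor (plus installs/updates).
    return any(re.search(DEFINE_TRUE % name, code)
               for name in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"))

def weak_hashes(rows):
    """rows: (user_login, user_pass) pairs exported from wp_users."""
    findings = []
    for login, user_pass in rows:
        # 32 hex characters is a bare unsalted MD5, resolvable by lookup tables.
        if re.fullmatch(r"[0-9a-fA-F]{32}", user_pass):
            issue = "bare unsalted MD5"
            if hashlib.md5(login.encode()).hexdigest() == user_pass.lower():
                issue += ", password equals username"
            findings.append((login, issue))
    return findings

# Constructed sample input, not taken from the target in this writeup.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
// define('DISALLOW_FILE_EDIT', true);
"""
HARDENED_CONFIG = SAMPLE_CONFIG + "define( 'DISALLOW_FILE_EDIT', TRUE );\n"
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"alice").hexdigest()),         # login == password
    ("bob", hashlib.md5(b"constructed-pw").hexdigest()),  # bare MD5
    ("carol", "$P$B" + "x" * 30),                         # salted phpass format
]

if __name__ == "__main__":
    print("editor disabled:", editor_disabled(SAMPLE_CONFIG))
    for login, issue in weak_hashes(SAMPLE_ROWS):
        print(f"{login}: {issue}")
```

With the editor constant set, dashboard access alone no longer allows editing theme PHP files; the hash check only reports storage format and does not attempt to recover passwords.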