First up, checking FTP, we have anonymous access to what appears to be a WordPress directory. We can grab wp-config.php first, as this will likely contain credentials we can use.
Reading the contents of wp-config.php shows some credentials we can use later. The credentials are:
Running dirsearch.py against port 80 reveals the directory /phpmyadmin.
I then tried to log in with simple credentials such as root:root and was informed by the web server that we cannot use root as a login.
I tried the database credentials from earlier and was permitted access:
Opening up the WordPress database we find a password hash for the user webmaster.
This hash was cracked with hashcat on Windows.
We have the credentials: webmaster:kittykat1
We can then browse to http://192.168.152.32/wp-admin/ and log in with the credentials above.
Once logged in we notice we are working in a language other than English. Follow the image below to change this back to English if required.
After doing so, we can head over to Appearance > Theme Editor and replace the contents of index.php with a PHP reverse shell.
Once completed, start a netcat listener, then browse to the main index.php page to execute the shell.
From here the path to root is super simple. As the user webmaster exists on this machine, we can simply su into the user with the credentials we obtained earlier. Check sudo -l and then run /bin/bash using sudo.
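Seen from the defender's side, two steps above hinge on wp-config.php: it was readable by an unauthenticated FTP user, and nothing in it disabled the dashboard Theme Editor. The Python check below is an added example, not part of the original walkthrough; its function names and sample config are constructed for illustration, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are real WordPress constants, and it assumes a world-readable file mode is a fair proxy for "readable by a service account such as FTP".

```python
import os
import re
import stat

# Both are real WordPress constants; either one disables the dashboard editors.
EDIT_LOCKS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def parse_defines(php):
    """Return {constant: raw value} for every active define() in the text."""
    # Drop block comments and whole-line comments so disabled lines don't count.
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    php = re.sub(r"^\s*(//|#).*$", "", php, flags=re.MULTILINE)
    return {name: value for name, value in DEFINE_RE.findall(php)}


def audit_wp_config(path):
    """Return a list of findings for the wp-config.php at `path`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        defines = parse_defines(fh.read())
    findings = []
    # Simplification: only a literal true/1 is treated as "enabled".
    if not any(defines.get(k, "").lower() in ("true", "1") for k in EDIT_LOCKS):
        findings.append("theme/plugin editor enabled: define DISALLOW_FILE_EDIT as true")
    # Assumption: the "other" read bit means service accounts (e.g. FTP) can read it.
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH and "DB_PASSWORD" in defines:
        findings.append("DB_PASSWORD readable by every local account: restrict file mode")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample config; the credentials are placeholders.
    sample = """<?php
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'example-placeholder' );
// define( 'DISALLOW_FILE_EDIT', true );
"""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o644)
    for finding in audit_wp_config(tmp.name):
        print(finding)
    os.remove(tmp.name)
```

Neither check covers the password reuse between the WordPress account and the system account, which has to be handled through separate credentials for each.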