EVM machine — Walkthrough

Hi guys, this is the eleventh day and eleventh box (11D-11B for my personal reference). I will be trying to complete at least one box per day (if could two or more) so I could gain my confidence, learn new knowledge, and prepare for OSCP.

Wish me luck!

So, today I would like to work on EVM machine, which is from VulnHub. Let’s get started!

################################################################ — — — — — — — — — Please read to the end! Thank you! — — — — — — — — —
################################################################

Enumeration

Nmap

There are a few ports opened, such as 22, 53, 80, 110, 139, 143, and 445.

Port 80 — HTTP

There is a comment left there.

Trying gobuster on /wordpress/.

/wordpress/wp-includes

There is a ton of file here

Using Wpscan, we can scan the wordpress.

/uploads/

Nothing useful found here.

After few trial and error, I found something useful with “-e u” arguments with wpscan.

There is a user with c0rrupt3d_brain as username. We can use wpscan to brute force the password.

Then we can make use of msfconsole to login to it, as wp-login is unable to be loaded.

Use 5, and input the following:

Then we can exploit it.

METERPRETER TIME!

Now try to find some juicy files so we can escalate further. On root3r, we can see there is a root password ssh text file which gives us willy26.

Now, create a shell and upgrade it. Then, we can switch user to root with the password we obtained just now.

Then the PROOF.TXT.

Voila! Another room done, and SO MANY new things learned in this room!

Thank you for reading my write-up. I would like to improve my write-up skills in the future and can reach me through Twitter or comments. Any sponsors also welcomed.

Twitter: https://twitter.com/curse_jk

Buy me coffee:http://buymeacoffee.com/Cursemagic

Other medium write-ups: https://cursemagic.medium.com