LemonSqueezy machine — Walkthrough
Hi guys, Happy New Year! Hope you guys have a great year!
This is the twelfth day and twelfth box (12D-12B for my personal reference). I will be trying to complete at least one box per day (two or more if I can) so I can gain confidence, learn new things, and prepare for OSCP.
Wish me luck!
So, today I would like to work on the LemonSqueezy machine, which is from VulnHub. Let’s get started!
Please read to the end! Thank you!
Enumeration
Nmap
It looks like it has only one port open and it will be our main focus.
Gobuster
/wordpress
This looks weird; it looks like an unarranged site.
It looks like we will need to add this to the /etc/hosts file. So, open /etc/hosts and add the target IP to it with the hostname lemonsqueezy.
Wpscan
wpscan --url http://<target_ip>/wordpress/ -e ap,at -e u
After the scan, there are two usernames found.
Then we can run wpscan for the usernames found to obtain the passwords.
orange:ginger
We can try it on http://lemonsqueezy/wordpress/wp-login.php.
And yes.
Now we explore a bit and we found something interesting here.
And we get this string, which is most likely a password! n0t1n@w0rdl1st!
Tried on wp-login.php and it works!
And we get here.
And we can press “Database” on the top navigation, then press “wordpress” on the left side and choose “wp-users”. After that, we can see there is a userpass section where the passwords are listed.
Then, we can change the password for the user lemon. To do so, we can copy the hash for user orange and paste it on user lemon.
Then, we can log in as lemon on WordPress using the same password as user orange.
And, we are in.
Then, we can go plugins -> add new -> upload plugins.
Tried to create a payload using msfvenom and upload it but it failed.
Try it, and it works!
Then, place a reverse shell on it.
And we get reverse connection.
Exploring!
From there, I can see there is a wp-config.php. These credentials were obtained previously.
After checking for a while, the user.txt is located at /var/www.
Then, time to escalate.
To admin!
Now I download linpeas to the machine and run it.
After checking the results, it looks like we have something interesting running here.
Now we look at the file content.
We can edit the file and we will get the root access!
Then we get the shell as root!
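The escalation above works because a file that runs with root privileges can be edited by a lower-privileged user. The following defender-side check is an added example, not part of the original write-up; it assumes the file is launched from a system crontab (the write-up does not say how it runs), and the script names and crontab lines are constructed samples.

```python
import os, stat, tempfile

def root_cron_commands(crontab_text):
    """Yield absolute command paths that a system crontab runs as root."""
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment, or VAR=value assignment
        # "@reboot user cmd" has 1 schedule field, "m h dom mon dow user cmd" has 5
        skip = 1 if fields[0].startswith("@") else 5
        if len(fields) > skip + 1 and fields[skip] == "root" and fields[skip + 1].startswith("/"):
            yield fields[skip + 1]

def weak_spots(path, trusted_uids=(0,)):
    """Return reasons why a non-root user could change what `path` executes."""
    reasons = []
    for target in (path, os.path.dirname(path)):
        try:
            st = os.stat(target)  # follows symlinks, so the real file is checked
        except OSError:
            continue
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            reasons.append(f"{target}: group/other-writable ({stat.S_IMODE(st.st_mode):04o})")
        if st.st_uid not in trusted_uids:
            reasons.append(f"{target}: owned by uid {st.st_uid}")
    return reasons

def audit(crontab_text, trusted_uids=(0,)):
    """Map each root-run command to its findings; an empty dict means nothing was flagged."""
    report = {}
    for cmd in root_cron_commands(crontab_text):
        found = weak_spots(cmd, trusted_uids)
        if found:
            report[cmd] = found
    return report

def demo():
    """Constructed sample: two scripts in a temp dir and a crontab that runs both as root."""
    base = tempfile.mkdtemp()
    for name, mode in (("rotate.sh", 0o777), ("backup.sh", 0o755)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = f"SHELL=/bin/sh\n# constructed\n*/2 * * * * root {base}/rotate.sh\n@daily root {base}/backup.sh\n"
    return base, audit(crontab, trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    print(demo()[1])
```

On a real host, pass the contents of /etc/crontab to audit() and leave trusted_uids at its default so that only root-owned files and directories count as trusted.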
And it's done!
Thank you for reading my write-up. I would like to improve my write-up skills in the future, and you can reach me through Twitter or the comments. Any sponsors are also welcome.
Twitter: https://twitter.com/curse_jk
Buy me coffee: http://buymeacoffee.com/Cursemagic
Other medium write-ups: https://cursemagic.medium.com