Extplorer 🔸

Enumeration

The web server hosts a brand-new WordPress install without any configuration. Using feroxbuster, we find /filemanager/index.php

Testing admin:admin, we get in

We find a user dora

And the version

Initial Access

Upload a PHP reverse shell to /wordpress

And we are in as www-data

Privilege Escalation

Looking through the files, we find

And using hashcat

So we can pivot to dora

Then the flag

dora belongs to the disk group

So we can read root files using debugfs

Getting shadow and passwd

Using

And john

We have the password: explorer
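
Seen from the defender's side, the root cause of this escalation is a non-root account (dora) holding the disk group, which permits raw filesystem reads with debugfs. The audit below is an added example, not part of the original write-up: it lists every non-root account that has the disk group as a supplementary or primary group. The function name `disk_group_members` and the sample group/passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts that can read raw block devices via the disk group.
# Usage: disk_group_members GROUP_FILE PASSWD_FILE   (e.g. /etc/group /etc/passwd)
disk_group_members() {
    group_file=$1
    passwd_file=$2
    awk -F: -v gf="$group_file" '
        # Group file: remember the disk GID and its supplementary members.
        FILENAME == gf {
            if ($1 == "disk") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") seen[m[i]] = "supplementary"
            }
            next
        }
        # Passwd file: accounts whose primary GID is the disk GID.
        gid != "" && $4 == gid && !($1 in seen) { seen[$1] = "primary" }
        END {
            # root already has full access, so only other accounts are findings.
            for (u in seen) if (u != "root") print u ":" seen[u]
        }
    ' "$group_file" "$passwd_file" | sort
}

# Demo on constructed sample data (not taken from the target machine).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'disk:x:6:dora,root' 'www-data:x:33:' > "$d/group"
    printf '%s\n' \
        'root:x:0:0::/root:/bin/bash' \
        'dora:x:1000:1000::/home/dora:/bin/bash' \
        'backup:x:34:6::/var/backups:/usr/sbin/nologin' \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' > "$d/passwd"
    disk_group_members "$d/group" "$d/passwd"
    rm -rf "$d"
}
demo
```

Any account this reports should be removed from the disk group unless it genuinely needs raw device access, since that membership is effectively equivalent to reading every file as root.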

Post Exploitation