Extplorer 🔸

Enumeration

The web server hosts a brand new WordPress install that has not been configured. Content discovery with feroxbuster finds /filemanager/index.php.

Trying admin:admin logs us in.

We find a user dora.

And the version.

Initial Access

Upload a PHP reverse shell to /wordpress.

And we are in as www-data.

Privilege Escalation

Looking at the files, we find:

And using hashcat:

So we can pivot to dora.

Then the flag.

dora belongs to the disk group.

Members of disk can read the raw block devices directly, so debugfs lets us read root-owned files regardless of their file permissions.

Getting shadow and passwd.

Using:

And john:

We have the password: explorer.
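From the defender's side, the disk group membership used above is the finding to audit for: any account in that group can read every file on the filesystem, /etc/shadow included. The following check is an added example, not part of the original write-up; the function names and the sample group and passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original write-up).
# Lists every account that is in the "disk" group, either as a supplementary
# member in the group database or through its primary GID in passwd.

disk_group_members() {
    # $1 = group database (e.g. /etc/group), $2 = passwd database
    gid=$(awk -F: '$1 == "disk" { print $3; exit }' "$1")
    [ -n "$gid" ] || return 0          # no disk group defined: nothing to report
    {
        # Supplementary members: 4th field of the disk entry, comma separated.
        awk -F: '$1 == "disk" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
        # Accounts whose primary group is disk.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

make_sample() {
    # Constructed sample databases, written to a temporary directory.
    d=$(mktemp -d) || return 1
    cat > "$d/group" <<'EOF'
root:x:0:
disk:x:6:dora
www-data:x:33:
dora:x:1000:
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:6:backup:/var/backups:/usr/sbin/nologin
dora:x:1000:1000::/home/dora:/bin/bash
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
echo "Accounts with disk group access (constructed sample):"
disk_group_members "$sample/group" "$sample/passwd"
# On a live host: disk_group_members /etc/group /etc/passwd
```

Any account this reports should be treated as having root-equivalent read access and removed from the group unless that access is intended.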

Post Exploitation