PINKY’S PALACE: V2 Walkthrough

Description: A realistic Boot2Root. Gain access to the system and read the /root/root.txt.

Note From VulnHub: Wordpress will not render correctly. You will need to alter your host file with the IP shown on the console: echo 192.168.x.x pinkydb | sudo tee -a /etc/hosts

Enumeration

Let’s enumerate, 4655 7654 31337

Nothing from those ports.

More Enumeration…

whatweb http://192.168.103.172
Apache[2.4.25], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[192.168.103.172], JQuery[1.12.4], MetaGenerator[WordPress 4.9.4], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[Pinky's Blog – Just another WordPress site], UncommonHeaders[link], WordPress[4.9.4]

  1. Manual Exploration

Nothing critical

2. Nikto

  • /wp-links-opml.php
  • /wp-login.php

3. Gobuster

Some thing is given here 🤔

Let’s Enumerate Wordpress,

📌 Found a user: pinky1337

and No critical plugin or theme.

Finding Point Of Intrusion (POI)

let’s brute-force the username we got.

  1. cewl http://pinkydb -w pass.txt -> to generate the password

wpscan — url http://pinkydb -U pinky1337 -P pass.txt

  • No password found

2. Rockyou

wpscan — url http://pinkydb -U pinky1337 -P /usr/share/wordlists/rockyou.txt

  • Not found in few mins….

Let’s try port knocking,

7000 666 8890 worked!!!
Ports been opened

There is a login page on 7654,

Lets brute force….

john — rules — wordlist=pass.txt — stdout | tee wordlist.txt

Credentials: pinky:Passione

python ssh2john.py id_rsa > id_rsajohn

john — wordlist=/usr/share/wordlists/rockyou.txt id_rsajohn

Stefano:secretz101

What could be more fun than breaking stuffs!!!