This turns up site. I add site.wekor.thm to /etc/hosts along with wekor.thm.
On the main wekor.thm, robots.txt is mostly trolling apart from /comingreallysoon, which directs us to /it-next. This is a page with lots of stuff on it; the SQLi is on /it-next/it_cart.php with the parameters coupon_code=asdsadsadasd&apply_coupon=Apply+Coupon. I use sqlmap and enumerate the databases; we have WordPress so I dump the contents with:
With this we get some user:password combinations, with a little help from John.
WordPress is at site.wekor.thm/wordpress and using the credentials we gained from the SQLi we can log in. One of our users is a WP admin, and I upload a plugin zipfile for a reverse shell.
On the box
We’re told to look for internal services and LinPEAS finds memcache running on port 11211. I use telnet:
Now I can su Orka.
Privesc
A quick explanation. bitcoin was a binary that called a Python script called transfer.py. Neither was writable, both were owned by root. I couldn’t delete or rename either of them. Initially I tried messing with the things they were calling like the Python modules being imported, but that wasn’t working. So I just renamed the entire Desktop directory, made another one and created my own bitcoin file. Face-palmingly simple in the end.
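The rename worked because the root-owned files sat inside a directory the unprivileged user controlled, so protecting the files alone was not enough. The following is an added example, not part of the original write-up: an audit that walks every component of a privileged program's path and reports any that an untrusted account could rename or replace. The function name `weak_components`, the `trusted_uids` parameter and the demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def weak_components(path, trusted_uids=(0,)):
    """Return [(component, reason)] for each part of `path` that an
    account outside `trusted_uids` could rename or replace."""
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.lstat(current)
        if st.st_uid not in trusted_uids:
            # The owner of a directory can rename or recreate it and its entries.
            findings.append((current, f"owned by uid {st.st_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # A sticky directory (like /tmp) stops users renaming entries
            # they do not own, so it is not reported here.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if not sticky_dir:
                findings.append((current, "group/other-writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Constructed tree mirroring the write-up: read-only files in a Desktop
    # directory that belongs to whoever runs this demo.
    base = tempfile.mkdtemp()
    desktop = os.path.join(base, "Desktop")
    os.mkdir(desktop)
    target = os.path.join(desktop, "bitcoin")
    open(target, "w").close()
    os.chmod(target, 0o555)
    # With only root trusted, a non-root run reports Desktop and its parents
    # even though the file itself is read-only.
    for component, reason in weak_components(target):
        print(f"{component}: {reason}")
```

A clean result requires every directory from the target up to `/` to be owned by a trusted account and not writable by others, which is the condition to meet before allowing a path through sudo.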