This is SHENRON: 2 from VulnHub. It says difficulty is ‘beginner’. It took me about an hour.
SSH on 22, plus HTTP on ports 80 and 8080 - hey, that’s a lot like the last one!
Looks to be a pretty basic template page with nothing juicy. Moving on…
WordPress. I add shenron to /etc/hosts and run wpscan; trivial password, hmmm.
Okay well that was easy, now what? We can’t upload a plugin (can’t copy it to the destination directory), and we can’t edit the templates (all set as non-writeable). There are several non-standard plugins installed, being:
Checking out searchsploit reveals issues with Site Editor and Elementor, but for the version we have it’s only Site Editor, which has an LFI vulnerability. I check /etc/passwd first and then look for SSH keys, nope. Can’t read any logs, no /proc/self/environ, can’t read wp-config. I run Turbo Intruder with a nice big list of files and get plenty of hits but nothing that will leverage into RCE. Now what - this was supposed to be beginner level?
Well, we’ve got two users - Jenny and Shenron. Surely we can’t just SSH in with the username as the password?
Oh wait, yes we can. Not sure how I feel about this. Anyway…
Well, there’s nothing useful in wp-config.php anyway. LinPEAS doesn’t highlight it, but it does find a non-standard SUID binary: