This is SHENRON: 2 from VulnHub. It says difficulty is ‘beginner’. It took me about an hour.
Ports
SSH on 22, plus HTTP on ports 80 and 8080 - hey, that’s a lot like the last one!
HTTP/80
Looks to be a pretty basic template page with nothing juicy. Moving on…
HTTP/8080
WordPress. I add shenron to /etc/hosts and run wpscan; trivial password hmmm.
Okay well that was easy, now what? We can’t upload a plugin (can’t copy it to the destination directory), and we can’t edit the templates (all set as non-writeable). There are several non-standard plugins installed, being:
Classic Editor
Elementor, and
Site Editor
Checking out searchsploit reveals issues with Site Editor and Elementor, but for the version we have it’s only Site Editor, which has an LFI vulnerability. I check /etc/passwd first and then look for SSH keys, nope. Can’t read any logs, no /proc/self/environ, can’t read wp-config. I run Turbo Intruder with a nice big list of files and get plenty of hits but nothing that will leverage into RCE. Now what - this was supposed to be beginner level?
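From the defender's side, a wordlist-driven LFI run like the one above stands out in the web server's access log as one client requesting many distinct file paths through a single parameter. The following is an added detection sketch, not code from the original post; the plugin path, the `path` parameter name, the IPs and the log lines are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines. The plugin path, the "path" parameter, the IPs
# and the /home/jenny location are placeholders, not values from the write-up.
P = "/wp-content/plugins/example-plugin/load.php"
SAMPLE_LOG = "\n".join(
    f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {url} HTTP/1.1" 200 512 "-" "-"'
    for ip, url in [
        ("10.0.0.5", P + "?path=/etc/passwd"),
        ("10.0.0.5", P + "?path=/home/jenny/.ssh/id_rsa"),
        ("10.0.0.5", P + "?path=/proc/self/environ"),
        ("10.0.0.5", P + "?path=..%2F..%2Fwp-config.php"),
        ("10.0.0.7", P + "?path=%252e%252e%252fetc%252fpasswd"),
        ("10.0.0.9", "/?s=hello+world"),
        ("10.0.0.9", "/wp-login.php"),
    ])

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} ')
# Parameter values that look like a filesystem path or stream wrapper.
SUSPICIOUS_RE = re.compile(r'\.\./|\.\.\\|^/(?:etc|proc|var|home|root)/|^(?:php|file)://', re.I)

def decode(value, rounds=3):
    """Undo nested URL encoding (e.g. %252e%252e) before pattern matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def lfi_hits(log_text):
    """Map each client IP to the set of file-like parameter values it sent."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = decode(value)  # parse_qsl has already decoded one layer
            if SUSPICIOUS_RE.search(value):
                hits[ip].add(value)
    return dict(hits)

def enumerating_clients(log_text, threshold=3):
    """Clients that probed at least `threshold` distinct files (enumeration)."""
    return sorted(ip for ip, files in lfi_hits(log_text).items() if len(files) >= threshold)
```

The threshold separates a single stray probe from systematic enumeration; tune it against the site's normal traffic before alerting on it.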
Well, we’ve got two users - Jenny and Shenron. Surely we can’t just SSH in with the username as the password?
Oh wait yes we can. Not sure how I feel about this. Anyway….
Shenron
Well, there’s nothing useful in wp-config.php anyway. LinPEAS doesn’t highlight it, but it does find a non-standard SUID binary: