Room - tryhackme.com/r/room/smol
00:00:00 - Fixing network issue
00:05:18 - Basic enumeration
00:09:15 - WordPress Enumeration
00:20:25 - WordPress Plugin enumeration
00:29:00 - WordPress Admin BruteForce
00:43:00 - Looking up vulnerabilities
00:54:20 - Exploring wysija source code
00:53:00 - Looking up wysija vulnerabilities
00:56:33 - BuddyPress vulnerabilities
00:58:40 - Further wysija exploring
01:37:20 - Further WordPress Panel BruteForcing
01:49:07 - Enumerating "all" plugins(Almost)
01:51:10 - Looking up jsmol2wp vulnerabilities
01:54:35 - Exploiting LFI vulnerability
02:03:50 - Gaining MySQL DataBase credentials
02:07:00 - Checking port 3306(MySQL) and high ports
02:08:30 - Attempt to find even more plugins
02:21:13 - Attempt to exploit Wysija Unauthenticated file upload
02:28:30 - Looking up akismet again
02:31:15 - Further attempt to find plugins
02:47:40 - All Plugins enumeration with WPScan. (speed X4200)
02:50:00 - Further exploring akismet
02:58:20 - Further attempt to find even more holes in jsmol2wp
03:39:20 - DB credentials turned out to be WP creds as well
03:43:00 - Trying to upload a shell
03:46:08 - Finding interesting TO-DO notes
03:47:25 - Exploring Hello Dolly plugin
03:50:20 - Checking Hello-Dolly backdoored source code on target machine
03:55:12 - Exploiting RCE in hello.php
04:10:30 - Gaining reverse shell
04:11:35 - Executing linpeas.sh, manual checks
04:24:00 - Checking mysql backup to find users password hashes
04:33:50 - Cracking password hashes
04:36:56 - Escalating privileges to diego
04:38:35 - FLAG user.txt
04:39:00 - Further privilege escalation
04:40:20 - Finding interesting wordpress.old.zip
04:41:13 - Finding SSH private key of think
04:44:50 - think's SSH shell
04:50:55 - Unexpected flow in pam.d/su allowing to access gege with no password
04:52:00 - wordpress.old.zip is encrypted
04:55:30 - Cracking wordpress.old.zip
04:57:35 - Exploring wordpress.old
05:02:40 - Finding xavi credentials
05:03:30 - Root Shell
05:03:45 - FLAG root.txt