Whale

Nmap Scan Result

A WordPress site is running on port 80. The vhost (bluewhale.net) was seen in the nmap scan and added to the /etc/hosts file.

One of the blog posts, shown below, describes the implementation of an HTML-to-PDF feature.

Playing around with this feature, it was seen that DOMPDF is used for the conversion. The plugin location was also visible in the page source.

Navigating to the plugin location shows that the exact plugin name is "post-pdf-export". A few minutes of Google searching turned up a well-known LFI vulnerability: https://wpscan.com/vulnerability/1d64d0cb-6b71-47bb-8807-7c8350922582/

Using this exploit, I was able to dump the /etc/passwd file in base64 form via the PHP filter wrapper and decode it with the base64 Linux tool.

The same method was used to obtain the wp-config file, which contains the WordPress login credentials.
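Both file reads above (the php://filter base64 dump of /etc/passwd and the traversal to wp-config.php) leave a recognisable trace in the web server access log. As an added example that is not part of the original write-up, the following Python detector normalises and flags such requests over constructed log lines; the script name `export.php` and the `file` parameter in the sample are placeholders, not the plugin's real endpoint.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (not from the original write-up).
# The "export.php" script and "file" parameter are placeholder names.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-content/plugins/post-pdf-export/export.php?file=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 1832
10.0.0.5 - - [10/Mar/2024:12:00:09 +0000] "GET /wp-content/plugins/post-pdf-export/export.php?file=php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2410
10.0.0.7 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120
10.0.0.5 - - [10/Mar/2024:12:02:00 +0000] "GET /wp-content/plugins/post-pdf-export/export.php?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1670
"""

# Common/combined log format: ip ident user [time] "method uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Files an LFI attempt against a WordPress host typically targets.
SENSITIVE = ("/etc/passwd", "wp-config.php", "/etc/shadow", "id_rsa")

def normalise(uri: str, rounds: int = 3) -> str:
    """URL-decode until stable (defeats double encoding), then lowercase."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def detect_lfi(uri: str) -> list:
    """Return the reasons a request URI looks like an LFI / wrapper-abuse attempt."""
    u = normalise(uri)
    reasons = []
    if "php://filter" in u:
        reasons.append("php_filter_wrapper")
    if "../" in u or "..\\" in u:
        reasons.append("path_traversal")
    for target in SENSITIVE:
        if target in u:
            reasons.append("sensitive_path:" + target)
    return reasons

def scan_log(text: str) -> list:
    """Parse each access-log line and keep those with at least one LFI indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = detect_lfi(m["uri"])
        if reasons:
            hits.append({"ip": m["ip"], "status": int(m["status"]), "uri": m["uri"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reasons"])
```

A 200 status on a flagged request, as in the sample, is the signal worth alerting on: it indicates the wrapper or traversal was actually served rather than rejected.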

The broken image below hinted at the web app installation path.

With valid credentials, I was able to log in to MySQL and change the user's password.

After changing the password, I was able to log in and get a reverse shell using the well-known pentest-monkey PHP reverse shell script.

Using linpeas.sh, we see that the whale user's backed-up SSH private key is readable. Running linpeas again as whale shows the privilege escalation vector to be Docker.