Whale
Nmap Scan Result
WordPress site running on port 80. The vhost (bluewhale.net) was seen in the nmap scan and added to the /etc/hosts file.
One of the catchy blog posts, seen below, is the implementation of an HTML to PDF feature.
Playing around with this feature, it was seen that DOMPDF was used for the conversion. The plugin location was also observed in the page source.
Navigating to the plugin location, we learn that the exact plugin name is "post-pdf-export". A few minutes of Google searching turned up a well-known LFI vulnerability: https://wpscan.com/vulnerability/1d64d0cb-6b71-47bb-8807-7c8350922582/
Using this exploit, I was able to dump the /etc/passwd file in base64 format using the PHP filter wrapper and decode it using the base64 Linux tool.
The same method was used to obtain the wp-config file, which contains the WordPress login credentials.
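From the defender's side, the two file reads above leave a recognisable trail in the web server access log: a php://filter wrapper, directory traversal, or a sensitive file name inside the plugin request. The script below is an added example (not part of this writeup) that scans Apache-style log lines for those indicators after URL-decoding them; the log lines, the script name export.php and the query parameter doc are all constructed for the example and are not the plugin's real ones.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access-log lines. The script name (export.php) and
# query parameter (doc) are made up for this example, not the plugin's real ones.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /?p=12 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2023:10:02:14 +0000] "GET /wp-content/plugins/post-pdf-export/export.php?doc=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 1802
10.0.0.9 - - [12/Mar/2023:10:02:40 +0000] "GET /wp-content/plugins/post-pdf-export/export.php?doc=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D..%2F..%2Fwp-config.php HTTP/1.1" 200 2210
10.0.0.9 - - [12/Mar/2023:10:03:01 +0000] "GET /wp-content/plugins/post-pdf-export/export.php?doc=../../../../etc/passwd HTTP/1.1" 200 1450
10.0.0.7 - - [12/Mar/2023:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Common log format: ip ident user [time] "METHOD target HTTP/x" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Each indicator is matched against the fully URL-decoded request target.
INDICATORS = {
    "php_filter_wrapper": re.compile(r"php://filter", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
    "sensitive_file": re.compile(r"(/etc/passwd|wp-config\.php)", re.I),
}

def decode_target(target: str) -> str:
    """Percent-decode twice so double-encoded payloads are not missed."""
    return unquote(unquote(target))

def scan_access_log(log_text: str) -> list[dict]:
    """Return one record per request that trips at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_target(m["target"])
        reasons = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if reasons:
            # A 200 status on a flagged request means the read likely succeeded.
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": decoded, "reasons": reasons})
    return hits

def offenders(hits: list[dict]) -> Counter:
    """Count flagged requests per source IP, useful for alert thresholds."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], ",".join(h["reasons"]), h["target"])
    print(offenders(found))
```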
The broken image below hinted at the web app installation path.
With valid credentials, I was able to log in to MySQL and change the user password.
After changing the password, I was able to log in and get a reverse shell using the well-known pentest-monkey PHP reverse shell script.
Using linpeas.sh, we see that the whale user's SSH backup private key is readable. Running linpeas again as whale, we see that the privilege escalation vector is Docker.