The nmap scan shows that the SSH and HTTP services are open.

This is the web page.

From the post, we can get the username Takis.

wpscan reports what seems to be a vulnerability in the job-manager plugin.

This blog post explains how to trigger the vulnerability.

I tried to upload a php file, but it didn’t work.

I found that I can access different posts with different ids. I used a shell script to get some posts' titles.
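
Seen from the server side, that kind of ID walk leaves a distinctive trail in the access log. The following is an added defensive example, not code from the original writeup: it flags clients that request a long run of consecutive numeric IDs. The `/item/<id>/` route, the IP addresses and the log lines are constructed placeholders.

```python
import re
from collections import defaultdict

def _line(ip, obj_id, status=200):
    # Builds one constructed line in combined log format.
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET /item/{obj_id}/ HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one client sweeps ids 1..14 (some missing -> 404),
# another browses a few unrelated posts.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", i, 404 if i in (2, 6) else 200) for i in range(1, 15)]
    + [_line("203.0.113.20", i) for i in (3, 13, 4, 13)]
)

# Assumed route shape: a numeric object id in the path. Adjust to the real route.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /item/(\d+)/? HTTP/')

def longest_run(ids):
    """Length of the longest run of consecutive integers among the ids."""
    ids = set(ids)
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumerators(log_text, min_run=5):
    """Return {client_ip: (longest_run, distinct_ids)} for clients walking ids.

    Every status code counts: a sweep hits missing ids (404) as well as
    existing ones, and both belong to the same pattern.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {ip: (longest_run(ids), len(ids))
            for ip, ids in seen.items() if longest_run(ids) >= min_run}

if __name__ == "__main__":
    for ip, (run, total) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive ids, {total} distinct ids requested")
```

`min_run` is a tuning knob: set it above what normal pagination or "next post" browsing produces on the site being monitored.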

No. 13, HackerAccessGranted, is quite weird, so I used the CVE Python script to look for its CV.

This is a .jpg file. With steghide and John the Ripper, I got id_rsa and its passphrase, superpassword.

I SSH'd to the server as takis and got a shell as root through a sudo permission on a special binary.
