External Entity Injection to read passwd file and grab id_rsa keys.
Root user logs into the application with plaintext credentials, modifying the wp-login.php page to dump passwords to disk reveals a root password.
This is a strange request so build a post request to /hosts and test for external entity injection and you will find it is vulnerable to lfi
Found the user.txt
Can't bruteforce ssh as it does not allow password authentication.
Grab the ssh key file
Download and chmod 400 the file and login via ssh as florian who we found in the /etc/passwd file.
Mysql password located in wp-config file
This password gives you access to the mysql database
Found admin hash
Also found a comment from cliff to florian:
Now we need to access the webpage so map it locally with ssh -L and access it (add 10.10.10.78 aragog to your hosts file).
Now you can visit the wordpress application
We know from the database that the username is administrator so lets see if there are any wordpress exploits.
WPscan doesn't bring anything back and ultimately there is no way into the application.
Checking running processes every few seconds shows cliff running a python script called wp-login.py.
We can assume from this that he may be logging into the application.
We can modify wp-login.php so add the following lines under the submit button.
Wait around 1 minute and you will see that loginData.txt has appeared in the /var/www/html dir
Cat the file and you will have some credentials
Run su root to get a root shell with the password disclosed.
Vulnerable programs/ scripts: