Find with your eyes.
Really nice box, as always I seem to have an issue with release arena boxes when connecting via release arena OpenVPN. The website on 80 does not load. It only seems to work with pwnbox which is what I used. (Seems to be an issue that others are facing as well, based on some of the comments above)
Initially spent a lot of time brute forcing, since the thing that I needed to do did not show when I used the common scanner for this type of site. Play around with what you can do on the site and then google that function for any potential issues. From there it's finding more site issues to get more information to take user.
Root was interesting as I haven't seen that before.
Any hint for root?
I'm still trying to get a foothold… I've managed to make it up to using the blind *** injection to get files off the server… but not really sure where to go from there? I've found a user from /etc/passwd and that's about it.
Am I looking for a config file somewhere?
EDIT: Nevermind, got root XD
Nice easy box! DM me on discord (n3hal#1527) if you need a hint!
If you use the scan tool WPScan for wordpress but found nothing to use, you could check for vulnerable plugins only with some parameters.
Nice box! Now I have to submit the flags but it's not working for both.
Hello. I can read some files on server (ex. /etc/passwd). But I can't read id_rsa or any flag… What do I need for a reverse shell?
I'm stuck in the same place
PM me if you wish, good luck!
PM me for help if you wish, good luck!
Finally got root. Excellent machine!
A few hints:
USER:
- Look at the installed plugins. Maybe in some kind there is sqli.
- When you get into the admin panel, look at your capabilities. Maybe you can download something like XXE. Check the versions for CVE.
- What is the juiciest file in wordpress?
ROOT:
- Take a close look at the directories of the available user. You will need the skill of using encryption utilities and even john. It's easy and interesting.
I also want to say thank you @PwnerSec for his patience despite the time difference.
Got arbitrary file read via XXE but FTP kinda doesn't allow to write data while logged as metapress.htb, and I'm kinda stuck because of that, any hints?
Edit: Nvm this mailer is configured
The hints on this forum are not helpful at all. I can tell you that burpsuite allowed me to connect to the website. Editing the hosts file did not do anything for me. If you use burpsuite and intercept the request, you might find something useful.
got root
Need help? pm me
So as this is a Wordpress website, by instinct I checked to see if there was an admin dashboard. There is, and so I suspect this will be the foothold, but from here I'm a bit stuck. dirb reveals many subdirectories but they all need authentication, a few others on here have mentioned searching for vulnerable plugins, but I don't know how to find what plugins the web server is using.
Any advice?
Maybe there's some utility that will scan wordpress?
Try using WPScan or look at request interception in Burp - it also becomes clear which plugins work there.
I am trying to understand my current working directory to get the juicy WP file and then potentially get access to the MySQL DB. However, I am legit stuck in this step and I have no clue how to go forward.