What an adventure… the foothold drove me crazy. I still can’t believe I missed it for so long.
The privesc part was cool, I figured out pretty quickly how to get the flag but getting an actual shell took me a bit longer.
Cool box overall, thanks @egre55
@AbuQasem said:
I spent hours trying to get a revshell and still can’t get a connection back!
Tried php, msfconsole, bash and even made my own pl**n but can’t get a shell!!!
Make sure you’ve set the URI in msfconsole to the right path!
Rooted. Fairly easy box as marked. Enough hints on here to get you through.
@umar0x01 said:
@AbuQasem said:
I spent hours trying to get a revshell and still can’t get a connection back!
Tried php, msfconsole, bash and even made my own pl**n but can’t get a shell!!!
Make sure you’ve set the URI in msfconsole to the right path!
Must admit I had the same problem with the usual methods of rev shell with WordPress. Both template and plugin methods wouldn’t connect, but had no problem with the msf way.
@foalma321 said:
@umar0x01 said:
@AbuQasem said:
I spent hours trying to get a revshell and still can’t get a connection back!
Tried php, msfconsole, bash and even made my own pl**n but can’t get a shell!!!
Make sure you’ve set the URI in msfconsole to the right path!
Must admit I had the same problem with the usual methods of rev shell with WordPress. Both template and plugin methods wouldn’t connect, but had no problem with the msf way.
I used a script from Github for this task since I couldn’t get my usual way either. While I am not chasing OSCP, I wanted to bring it up since I know there’s people here that are and using MSF, while it’s an amazing tool, is limited in OSCP.
Spoiler Removed
Okay, so got the initial foothold at midnight and wasn’t able to escalate privileges to the first user to get the flag.
Slept and woke up with a fresh mind and with some hints from the thread and from @ShreKy, started looking at everything from the very beginning.
Initial foothold: Look out for almost all the files, if not the files, their source?
User: This took me some time. Remember to check all system dirs!
Root: Easiest one, just modify some files and run some scripts and you’re gtg
Foothold: Basic Enumeration, the user might be different from what you think.
User: That was new to me, took some time to find the right “thing”
Root: Simple LPE, do your default playbook and you should quickly find where to start.
Thanks for the good machine to the author
Thx for the box. If anyone needs a hint, just PM me.
Rooted this box after a good while… big shout out to @ShreKy for the help!
@dutchinho said:
got root, nice box. Has someone done it without ***?
Please pm me if you have…
Do you mean getting foothold with it?
Done and Dusted!!!
This was a fun box… thnx @egre55
Done the OSCP way … a.k.a No MSF
- Foothold
We all know how 2020 was a shitty year… same here! So maybe try going back a year or three (your preference)… once there, nothing works!.. yes! You can see the “id”, look around and that’s about it… don’t be heartbroken… As the saying goes… all roads lead to Rome… just think out of the box… probably you could use a “Trojan Horse Technique” (if you watched Troy, you know what I’m talking about)… and that’s it… and it starts raining shells
- User
Don’t waste your time on the enum scripts… basic enumerations will suffice. The path is unusual, so once you spot it, your spider instincts will automatically kick in
- Root
See what you can do… it might be your first time experiencing it (just like me)… go and read about it… learn how it works and where its config files reside… from there, it’s a piece of cake.
Hope nothing is too revealing… tried to keep it as cryptic and fun as possible … Hope it helps those in search for a nudge or two…
I have rooted the box but interested to know if anyone got initial shell without using metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.
@foalma321 said:
I have rooted the box but interested to know if anyone got initial shell without using metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.
I got my shell without using MSF. I couldn’t get my usual attempts to get a shell to work either. I found an interesting script on GitHub to generate a plugin and start a listener and that worked.
@foalma321 said:
I have rooted the box but interested to know if anyone got initial shell without using metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.
I did it without MSF using one of the ways you used. It works
@seiyathesinx said:
@foalma321 said:
I have rooted the box but interested to know if anyone got initial shell without using metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.
I did it without MSF using one of the ways you used. It works
UPDATE found a workable script on Github.
@foalma321 said:
@seiyathesinx said:
@foalma321 said:
I have rooted the box but interested to know if anyone got initial shell without using metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.
I did it without MSF using one of the ways you used. It works
UPDATE found a workable script on Github.
There is an easier way using one kind of jewel… found in the sea
@foalma321 said:
@seiyathesinx said:
@foalma321 said:
I have rooted the box but interested to know if anyone got initial shell without using metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.
I did it without MSF using one of the ways you used. It works
UPDATE found a workable script on Github.
I did it raw, the hard way I guess.
worked like a charm
spectra ~ #
root
uid=0(root) gid=0(root) groups=0(root)
@sicario1337 said:
@foalma321 said:
@seiyathesinx said:
@foalma321 said:
I have rooted the box but interested to know if anyone got initial shell without using metasploit? I found my usual ways of shelling WordPress (theme template editing or uploading plugin) failed.
I did it without MSF using one of the ways you used. It works
UPDATE found a workable script on Github.
There is an easier way using one kind of jewel… found in the sea
Have managed it 3 ways now but your cryptic clue has me stumped