Hi All. Lets break CK:00… literally …. 
When i lunched machine it immediately give me ip address. SO that time no masscan.
I lunch nmap,,,
and dirb right after that. I thinking to switch to different tools to give some “feel” for different tools…
From screenshot I can see this site is using wordpress. Let quickly enumerate this site. I always enumerate for users and there was one…admin . I decide to try use rockyou wordlist..
Got hit. I remembered that there is a metasploit exploit for wordpress if you are admin. Let give it try..
I got shell. Look for home folders of all users and found first flag
After poking around i decided to look for some config files. Wp-config has this password as password for database blah_is_my_password.
Try use this password to log in as one of users….
I was in… when i runned sudo -l i was able to lunch scp with bla1 privilege. I used few tricks from gtfobins but that did not work for me. Them i decide to upload my ssh key to blah1 folder under authorized keys.
I was in. Did some command and not rbash what there. I never heard of rbash before.. Well everyday you will learn something new right?
I was able to login but few commands did not work. One of them was cd. Well i log out move my bla1 user to tmp folder and sudo as ck00. Now this user is in tmp folder where he can work. Used ck00 has access to dd as root. After some reading i end up on some manual where user create password with openssl and insert it to /etc/passwd file and use dd to overwrite it.
For create hash for your login i used this command:
openssl passwd -1 -salt <username> <password>
them i copied /etc/passwd to my current folder
cp /etc/passwd passwd
and them i used nano to append my username there
<username>:<your_hash_from_openssl>:0:0:root:/root/:/bin/bash
them i used cat and dd to moved this file pack
cat passed | sudo dd of=/etc/passwd
Now you all screamed at me that i have typo above. Well yes i did this… Now have a minute and think what this command did. Well passed doesn’t exit so there is nothing in descriptor and that is moved to dd to write it into /etc/passwd. As result…you will have empty passwd file. From that point i had to start from scratch as this machine was dead. Learning tips: be careful with dd and make sure you have notes.
And when I typed everything correctly… I was in
Thanks and i hope you like it…