In this guide I’ll show you how to get the 3 flags for this VM.

You can download the VM here:,515/ load the .ova to VirtualBox and once it boots it greets us with the IP:

An awesome ASCII tux

Running NMAP on it will reveal port 80 and 22:

We don’t have much info for SSH so I’ll go after 80 first:

A very discrete message with nothing else

To speed things up I fire up openVAS (It might seem as overkill but I had it open when I started working on this VM) and scan the site, this gives me that there is a wordpress instance set up in a folder:

If OpenVAS is too much, you can use dirb and reach the same point

We run wpscan to get a first pass:

The Social-Warfare plugin is outdated:

And exploit-db has an exploit for that version ( |

If you read through the script (I like seeing how things are done…) you’ll notice it is crafting a url like this:

where .151 is the victims url and .102 is the attackers IP, so I set up a local webserver and used the payload from the example to see all users:

We have max and steven as users

Running ls will reveal that we’re inside /wordpress/wp-admin, so I’ll have it download p0wny-shell to that folder.

Once that is up, we can look around the server:

I love p0wnyShell …

the wordpress base folder contains secretkey.txt:

Digging through the “max” user’s folder:

That won’t work
That’s a flag!

If we go into the .ssh folder we can extract his RSA key and use it to authenticate via SSH:

LinEnum didn’t reveal much so we check sudo permissions with sudo -l and max can run service as steven, so we use that to launch bash:

Following the same pattern, we see that steven can run a .sh as root:

We setup a netcat listener and run a python reverse shell:

we have now managed to get to root:

And we got the flag!

And the final flag for this challenge!

Thank you for reading!