I navigate to it in my browser and find a wordpress installation present.
I immediately go to the admin login and get through with "admin/admin" credentials. The description did say this was a very easy VM after all.
After logging in I navigated to "plugins > editor" and selected the "Mail Masta" plugin (since it was already active) and added a php reverse shell to one of the files. Simply clicking "update" gave me a shell.
I immediately noticed a "wpadmin" user in the /etc/passwd/ file and found the password to be "wpadmin" so I decided to ssh to that user for a more stable shell and I found the first flag.
Going through a file in the "/upload/" directory of the web root, I found a "config.php" file containing root credentials for the MySQL server.
Going along with the "very easy" theme, I tried logging into root with these credentials and was successful!
According to the VM description on VulnHub there is a post exploitation flag on the VM, however I have not been able to find it. I went through the MySQL database and searched through the file system for anything resembling a flag and had no luck. Other than that, this was a very easy VM that was still somewhat satisfying in a weird way. I will be sure to make time for the other two, more difficult hackfest VMs.
