# BTRSys2.1

## Nmap

```
sudo nmap 192.168.120.50 -p- -sS -sV

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

I was able to log in to FTP with anonymous login. However, no files are listed and I was unable to upload anything. Moving on to port 80, the default page takes us to a GIF:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4f013b221f1da92032cf5542f33753ad755b9698%2Fimage.png?alt=media)

Running `dirsearch.py` against the target machine reveals robots.txt:

```
python3 dirsearch.py -u http://192.168.120.50/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -r -t 60 --full-url 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ae075a809473a1dc10570c150e7613aa43448dc2%2Fimage.png?alt=media)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e0e4fb0d8c36b7ebd4fe7b2403e919ac5c5c55d0%2Fimage.png?alt=media)

The robots.txt lists the WordPress directory as an allowed path.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7c17bfc946eae05201c5378fd595f5f7e32e508d%2Fimage.png?alt=media)

Running `WPScan` against the target soon reveals two users, one of which is admin.

```
wpscan --url http://192.168.120.50/wordpress/ -t 40 -e u1-1000 --passwords /usr/share/wordlists/rockyou.txt --force
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-db5405541e88966cbbe8b18520781167cca36356%2Fimage.png?alt=media)

`WPScan` reports that the credentials `admin:admin` are valid. Heading over to /wordpress/wp-admin, we can sign in with these credentials to access the WordPress dashboard.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2732bc45f0093e4a3b2b87472dd9af09b8fa335c%2Fimage.png?alt=media)

We now head over to Appearance > Editor and select index.php. From here we can remove the PHP contents and replace them with a [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-80f3c28223a544fac205cf4cafb665c0c6002688%2Fimage.png?alt=media)

Once updated, we can start a `netcat` listener and then reload the main page at [http://192.168.120.50/wordpress/index.php](http://192.168.120.50/wordpress/). The page should hang and we should then receive a reverse shell.
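On the defensive side, both of the steps above leave a clear trace in the web server's access log: WPScan's password attack is a burst of POSTs to wp-login.php from a single address, and using the theme editor produces requests to wp-admin/theme-editor.php. The script below is an added example, not part of the original writeup and not code from WPScan or WordPress. It assumes Apache's combined log format (Apache 2.4's default), treats a 302 response to a wp-login.php POST as a successful login (WordPress redirects into wp-admin on success and re-serves the form with a 200 on failure), and runs over a few constructed log lines embedded inline. The thresholds and the `10.0.0.x` addresses are constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Strip the query string so path checks work on the script name alone.
    rec["script"] = rec["path"].split("?", 1)[0]
    return rec


def find_login_bruteforce(records, threshold=20, window_seconds=60):
    """Flag IPs that POST to wp-login.php at least `threshold` times inside any
    `window_seconds` window (the shape of WPScan's password attack). For each
    flagged IP also report whether any of its POSTs got a 302, i.e. a successful login."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["script"].endswith("/wp-login.php"):
            by_ip[r["ip"]].append((r["ts"], r["status"]))
    hits = {}
    for ip, posts in by_ip.items():
        posts.sort()
        times = [t for t, _ in posts]
        best, lo = 0, 0
        for hi in range(len(times)):           # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[ip] = {"attempts": best, "succeeded": any(s == 302 for _, s in posts)}
    return hits


def find_theme_editor_use(records):
    """Return (ip, method, path) for every request to the theme editor.
    A GET means someone opened the editor; a POST means a file was saved through it."""
    return [(r["ip"], r["method"], r["path"]) for r in records
            if r["script"].endswith("/wp-admin/theme-editor.php")]


def audit(lines):
    """Run both detections over raw log lines, skipping lines that do not parse."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return {"bruteforce": find_login_bruteforce(records),
            "theme_editor": find_theme_editor_use(records)}


# --- constructed sample log (not taken from the target) ---------------------
def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    [_line("10.0.0.5", "12/Mar/2024:10:00:00 +0000", "GET", "/wordpress/", 200)]
    # 25 failed logins (200) in 25 seconds, then one success (302) from the same address
    + [_line("10.0.0.9", f"12/Mar/2024:10:01:{i:02d} +0000", "POST",
             "/wordpress/wp-login.php", 200) for i in range(25)]
    + [_line("10.0.0.9", "12/Mar/2024:10:01:30 +0000", "POST", "/wordpress/wp-login.php", 302),
       _line("10.0.0.9", "12/Mar/2024:10:05:00 +0000", "GET",
             "/wordpress/wp-admin/theme-editor.php?file=index.php&theme=twentysixteen", 200),
       _line("10.0.0.9", "12/Mar/2024:10:05:40 +0000", "POST",
             "/wordpress/wp-admin/theme-editor.php", 302)]
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

Two caveats for real deployments. First, since WordPress 4.9 the editor saves files through wp-admin/admin-ajax.php with the action name in the POST body, so the save itself is not distinguishable in the access log path; on those versions the GET that opens theme-editor.php is the usable indicator, which is why the function reports both methods. Second, the cleaner fix is to remove the editor entirely by adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php, after which a stolen admin password no longer turns directly into PHP execution on the server.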

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c0a34c64884ec94409932af4467d79f3e1daac1f%2Fimage.png?alt=media)

I then transferred `linpeas` to the target machine; soon after running it, linpeas identifies database credentials in /var/www/html/wordpress/wp-config.php.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f1531b988ba527d547f0f856cc57b79ccd1fc9e1%2Fimage.png?alt=media)

From here we can connect to MySQL and switch to the WordPress database. We can then extract user information from the wp\_users table as shown below.

```bash
# Connect to MySQL as root (the password is entered at the prompt)
mysql -u root -p
rootpassword!

# Inside the MySQL shell: list databases, switch to the WordPress database
# and dump the wp_users table
show databases;
use wordpress;
select * from wp_users;
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-adc193318d55e71659d34d2851c497c0268cbb53%2Fimage.png?alt=media)

I was unable to crack the root MD5 hash, so I ran it against some online databases and got a hit on [crackstation.net](https://crackstation.net).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0af4727fdd0744d6a2662da6b7c769675e0e8a87%2Fimage.png?alt=media)

We now have the credentials `root:roottoor`. We can `su` to the root user for a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c3c36a0cf9fea2f35200203437aef970a3bb123c%2Fimage.png?alt=media)
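The two findings in this last stage, an unsalted MD5 in wp\_users and a root password that is just the login name followed by its reverse, are both things an administrator can audit straight from the table without any cracking service. The script below is an added example, not from the writeup and not WordPress code. It classifies each `user_pass` value by scheme (WordPress's default phpass `$P$` hashes, bcrypt, argon2, or a bare 32-hex MD5, which WordPress still accepts for legacy accounts and only rehashes once that user logs in) and, for the legacy MD5 entries only, compares the hash against a handful of login-derived guesses. The rows are constructed; the root row's hash is computed from the page's own `roottoor` so the check can be seen firing, and the other hash strings are made up.

```python
import hashlib
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(user_pass):
    """Name the hashing scheme of a wp_users.user_pass value."""
    if user_pass.startswith(("$P$", "$H$")):
        return "phpass"        # WordPress default: salted, iterated MD5 (portable phpass)
    if user_pass.startswith(("$2y$", "$2a$")):
        return "bcrypt"
    if user_pass.startswith("$argon2"):
        return "argon2"
    if MD5_HEX.match(user_pass):
        return "md5-legacy"    # bare MD5, no salt: accepted by WordPress for old accounts
    return "unknown"


def weak_candidates(login):
    """Trivial guesses derived from the login name plus a tiny constructed list.
    This is an audit for the most obvious failures, not a cracking wordlist."""
    rev = login[::-1]
    return {login, rev, login + rev, login + "123", "password", "admin"}


def audit_wp_users(rows):
    """rows: iterable of (user_login, user_pass). Returns one finding dict per user:
    the scheme, whether a legacy MD5 matched a trivial guess, and which guess."""
    findings = []
    for login, user_pass in rows:
        scheme = classify_hash(user_pass)
        finding = {"login": login, "scheme": scheme, "weak": False, "guessed": None}
        if scheme == "md5-legacy":
            for cand in weak_candidates(login):
                if hashlib.md5(cand.encode()).hexdigest() == user_pass:
                    finding["weak"] = True
                    finding["guessed"] = cand
                    break
        findings.append(finding)
    return findings


# --- constructed sample export of `select user_login, user_pass from wp_users;` ---
SAMPLE_ROWS = [
    ("admin", "$P$BsampleSaltSampleHashValue0123456"),        # made-up phpass string
    ("root", hashlib.md5(b"roottoor").hexdigest()),            # page's root password, MD5'd
    ("editor", "$2y$10$" + "x" * 53),                          # made-up bcrypt string
    ("guest", "d41d8cd98f00b204e9800998ecf8427e"),             # MD5 of the empty string
]

if __name__ == "__main__":
    for f in audit_wp_users(SAMPLE_ROWS):
        flag = f" WEAK (guess: {f['guessed']})" if f["weak"] else ""
        print(f"{f['login']:8} {f['scheme']}{flag}")
```

Any `md5-legacy` entry should be rotated regardless of whether a guess matched, since an unsalted MD5 of a short password is trivially looked up, as the crackstation hit above shows. Separately, the fact that the same `roottoor` works for `su` means the database and OS root accounts share a password; the audit cannot see that from the table, so the operational check is simply that the MySQL root password in wp-config.php differs from every system account's.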
