BTRSys2.1
I was able to log in to FTP with anonymous login. However, no files are listed and I was unable to upload anything. Moving on to port 80, the default page takes us to a GIF:
Running dirsearch.py against the target machine reveals robots.txt, which lists the WordPress directory as allowed.
Running WPScan against the target soon reveals two users, one of which is admin. WPScan reports that the credentials admin:admin are valid. Heading over to /wordpress/wp-admin, we can sign in with these credentials to access the WordPress dashboard.
I then transferred linpeas over to the target machine, and soon after running, linpeas identifies database credentials in /var/www/html/wordpress/wp-config.php.
From here we can connect to MySQL and then enter the WordPress database. We can then extract user information from the wp_users table as shown below.
We now have the credentials root:roottoor. We can su to the root user for a root shell.
We now head over to Appearance > Editor and select the index.php. From here we can remove the PHP contents and replace it with a .
Once updated, we can set a netcat listener and then reload the main page on:. This should hang the page and we should then receive a reverse shell.
I was unable to crack the root MD5 hash, so I ran it against some online databases and got a hit on .
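
A defender-side check for two weaknesses this walkthrough relies on, the dashboard file editor and the unsalted MD5 value in wp_users, as an added example that is not part of the original write-up. The function names, sample config and sample rows are constructed for illustration; DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are the WordPress constants that turn the editor off.

```python
import hashlib
import re

# define('NAME', value); at the start of a line, so // or # commented-out lines are skipped.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
RAW_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def audit_wp_config(config_text):
    """Report whether the dashboard file editor (Appearance > Editor) is still enabled."""
    defs = {k: v.strip("'\"").lower() for k, v in DEFINE_RE.findall(config_text)}
    if any(defs.get(k) == "true" for k in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")):
        return []
    return ["file editor enabled: any admin login can rewrite theme PHP files"]

def audit_users(rows):
    """rows: (user_login, user_pass) pairs exported from wp_users."""
    findings = []
    for login, pw_hash in rows:
        if not RAW_MD5_RE.match(pw_hash):
            continue  # salted formats carry a $...$ prefix and are not checked here
        findings.append(f"{login}: unsalted MD5 hash")
        if hashlib.md5(login.encode()).hexdigest() == pw_hash.lower():
            findings.append(f"{login}: password equals username")
    return findings

# Constructed sample input (not taken from the target in the write-up).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
// define('DISALLOW_FILE_EDIT', true);
"""
HARDENED_CONFIG = SAMPLE_CONFIG + "define( 'DISALLOW_FILE_EDIT', true );\n"
SAMPLE_ROWS = [
    ("admin", hashlib.md5(b"admin").hexdigest()),           # password == username
    ("editor", hashlib.md5(b"constructed-value").hexdigest()),
    ("author", "$P$B" + "x" * 30),                          # placeholder salted hash
]

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG) + audit_users(SAMPLE_ROWS):
        print("FINDING:", finding)
```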