search
GitHubPsMapExec

BTRSys2.1

hashtag
Nmap

sudo nmap 192.168.120.50 -p- -sS -sV

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

I was able to login with FTP on anonymous login. However, no files are listed and was unable to upload anything. Moving onto port 80 the default page take us to a GIF:

Running dirsearch.py against the the target machine reveals robots.txt

Which advises on the Wordpress directory as being allowed.

Running WPScan against the target soon reveals two users of which one is admin.

WPScan reports the credentials admin:admin are valid. Heaving over to /wordpress/wp-admin we can sign in with these credentials to access the Wordpress dashboard.

We now head over to Appearance > Editor and select the index.php. From here we can remove the PHP contents and replace it with a PHP reverse shellarrow-up-right.

Once updated we can set a netcat listener and then reload the main page on: http://192.168.120.50/wordpress/index.phparrow-up-right. This should hang the page and we should then receive a reverse shell.

I then transferred over linpeas to the target machine and soon after running linpeas identifies database credentials in /var/www/html/wordpress/wp-config.php.

From here we can connect to MYSQL and then enter the Wordpress database. We can then extract users information from the table wp_users as shown below.

I was unable to crack the root MD5 hash so run I it against some online databases and got a hit on crackstation.netarrow-up-right.

We now have the credentials root:roottoor. We can su to the root user for a root shell.

Last updated