> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/hackerfest2019.md).

# HackerFest2019

## Nmap

```
sudo nmap   192.168.152.32 -p- -sS -sV

PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
10000/tcp open  ssl/http MiniServ 1.890 (Webmin httpd)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

First up checking FTP we have anonymous access. In what appears to be a Wordpress directory. First we can grab the wp-config.php as this will likely contain credentials we can use.

![](/files/-MXT2Gp0m3v1_02UJ4k9)

Reading the contents of wp-config.php shows some credentials we can use later. The credentials are: `wordpress:nvwtlRqkD0E1jBXu`

![](/files/-MXT2UWgEOv08dysLBPu)

Running `dirsearch.py` against port 80 reveals the directory /phpmyadmin

```
python3 dirsearch.py -u http://192.168.152.32  -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url
```

![](/files/-MXT8kuZkpUL9GgwAKry)

I then tried to login with simple credentials such as `root:root` and was informed by the web server we cannot use root as a login.

![](/files/-MXT8y6hTTYI_l-BuexI)

I tried the database credentials from earlier and was permitted access: `wordpress:nvwtlRqkD0E1jBXu`

![](/files/-MXT9Gv1p39rnp-OarlP)

Opening up the Wordpress database we find a password hash for the user webmaster.

![](/files/-MXT9onWbJd8mJPaGIgI)

This hash was cracked with `hashcat` on Windows.

![](/files/-MXT9xC005SPdfr3Bx5E)

We have the credentials: `webmaster:kittykat1` We can then browse to <http://192.168.152.32/wp-admin/> and login with the credentials above.

Once logged in we notice we are working in a language other than English. Follow the image below to change this back to English if required.

![](/files/-MXTBMhZ0pMHsf4gz9yt)

After doing so we can head over to Appearance > Theme Editor and replace the contents of index.php with a [PHP Reverse shell](https://github.com/pentestmonkey/php-reverse-shell).

![](/files/-MXTBy6A7bkmNQXj7gNP)

Once completed start a `netcat` listener then browse to the main index.php page to execute the shell.

![](/files/-MXTCOHZtzW9_fdtGcvw)

From here the path to root is super simple. As the user webmaster exists on this machine we can simply `su` into the user with the credentials we obtained earlier. Check `sudo -l` and then run /bin/bash using sudo.

```
su webmaster
sudo -l
sudo /bin/bash
```

![](/files/-MXTIlbFVezBmC-R3Bs9)
