# HackerFest2019

## Nmap

```
sudo nmap 192.168.152.32 -p- -sS -sV

PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
10000/tcp open  ssl/http MiniServ 1.890 (Webmin httpd)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Checking FTP first, we have anonymous access to what appears to be a WordPress directory. We can grab wp-config.php, as it will likely contain credentials we can use.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d624acb458a0196f96ba9b2340d2becea0305f07%2Fimage.png?alt=media)

Reading the contents of wp-config.php shows some credentials we can use later. The credentials are: `wordpress:nvwtlRqkD0E1jBXu`

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-de9dfb13f05ec5bde6862bcf7ce6e34336ff04c3%2Fimage.png?alt=media)

Running `dirsearch.py` against port 80 reveals the directory `/phpmyadmin`.

```
python3 dirsearch.py -u http://192.168.152.32 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6c6d7467c65e78ee7a099a5e15b276b7009c2db5%2Fimage.png?alt=media)

I then tried to log in with simple credentials such as `root:root` and was informed by the web server that we cannot use root as a login.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-555d9cc23c6f660f593f46987b2d2411af26b090%2Fimage.png?alt=media)

I tried the database credentials from earlier and was permitted access: `wordpress:nvwtlRqkD0E1jBXu`

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7c6a26e9832952b121029506a6426044b9800686%2Fimage.png?alt=media)

Opening up the WordPress database, we find a password hash for the user webmaster.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-16cad0f8e86cdfcd53ede27a505f92fb0303187a%2Fimage.png?alt=media)

This hash was cracked with `hashcat` on Windows.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ce72a508e1a2262396bb3debacfb29b85a45e8c7%2Fimage.png?alt=media)

We have the credentials: `webmaster:kittykat1`. We can then browse to <http://192.168.152.32/wp-admin/> and log in with the credentials above.

Once logged in we notice we are working in a language other than English. Follow the image below to change this back to English if required.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a0d89fa2187461da367fdb75d7151f8a02125855%2Fimage.png?alt=media)

After doing so we can head over to Appearance > Theme Editor and replace the contents of index.php with a [PHP Reverse shell](https://github.com/pentestmonkey/php-reverse-shell).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c53b5d6dbbd331c95be390abf913ad587ec51383%2Fimage.png?alt=media)

Once completed, start a `netcat` listener, then browse to the main index.php page to execute the shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3ddf00aa1427fd59b85d5e4797feeadb1d7c2211%2Fimage.png?alt=media)

From here the path to root is super simple. As the user webmaster exists on this machine we can simply `su` into the user with the credentials we obtained earlier. Check `sudo -l` and then run /bin/bash using sudo.

```
su webmaster
sudo -l
sudo /bin/bash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-85653538cb15d0d935a46525a99bd9dd9bbc2466%2Fimage.png?alt=media)
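
The three weaknesses this walkthrough chains (anonymous FTP rooted in the web directory, the WordPress theme editor left enabled, and a sudo rule that permits a shell) can all be checked from configuration files. The Python audit below is an added example, not part of the original writeup; the sample configs, the finding IDs and the `/var/www/html` docroot are constructed assumptions, and the sudoers parsing is deliberately simplified.

```python
import re
from pathlib import PurePosixPath

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh"}

# Constructed sample configs (not the lab machine's real files).
SAMPLE_VSFTPD = "listen=YES\nanonymous_enable=YES\nanon_root=/var/www/html/wordpress\n"
SAMPLE_WP = "<?php\ndefine('DB_USER', 'wordpress');\ndefine('WP_DEBUG', false);\n"
SAMPLE_SUDOERS = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\nwebmaster ALL=(ALL:ALL) ALL\n"

def vsftpd_options(text):
    """Parse vsftpd.conf key=value lines, skipping comments and blanks."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(vsftpd_conf, wp_config, sudoers, docroot="/var/www/html"):
    """Return finding IDs for the three weaknesses the walkthrough chains."""
    findings = []
    opts = vsftpd_options(vsftpd_conf)
    # vsftpd.conf(5): anonymous_enable defaults to YES when unset.
    anon_on = opts.get("anonymous_enable", "YES").upper() == "YES"
    if anon_on and opts.get("anon_root"):
        root, web = PurePosixPath(opts["anon_root"]), PurePosixPath(docroot)
        # Flag when the anonymous FTP root and the web root overlap.
        if root == web or web in root.parents or root in web.parents:
            findings.append("ftp-anon-webroot")
    # The dashboard file editor stays on unless DISALLOW_FILE_EDIT is true.
    # (PHP comments are not stripped, so a commented-out define is missed.)
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
                     wp_config, re.I):
        findings.append("wp-file-edit-enabled")
    # Simplified sudoers scan (no aliases/includes): flag non-root rules
    # whose command list is ALL or a shell binary.
    rule = re.compile(r"^\s*([%\w.-]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*(.+)$")
    for line in sudoers.splitlines():
        m = rule.match(line)
        if not m or m.group(1) in ("root", "Defaults"):
            continue
        cmds = {c.split()[0] for c in m.group(2).split(",") if c.strip()}
        if "ALL" in cmds or cmds & SHELLS:
            findings.append("sudo-shell:" + m.group(1))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_VSFTPD, SAMPLE_WP, SAMPLE_SUDOERS):
        print(finding)
```

Credential reuse between the database, WordPress and the system account, which the walkthrough also relies on, is not visible in these files and needs a separate password policy check.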
