HackerFest2019
Nmap
First up checking FTP we have anonymous access. In what appears to be a Wordpress directory. First we can grab the wp-config.php as this will likely contain credentials we can use.
Reading the contents of wp-config.php shows some credentials we can use later. The credentials are: wordpress:nvwtlRqkD0E1jBXu
Running dirsearch.py
against port 80 reveals the directory /phpmyadmin
I then tried to login with simple credentials such as root:root
and was informed by the web server we cannot use root as a login.
I tried the database credentials from earlier and was permitted access: wordpress:nvwtlRqkD0E1jBXu
Opening up the Wordpress database we find a password hash for the user webmaster.
This hash was cracked with hashcat
on Windows.
We have the credentials: webmaster:kittykat1
We can then browse to http://192.168.152.32/wp-admin/ and login with the credentials above.
Once logged in we notice we are working in a language other than English. Follow the image below to change this back to English if required.
After doing so we can head over to Appearance > Theme Editor and replace the contents of index.php with a PHP Reverse shell.
Once completed start a netcat
listener then browse to the main index.php page to execute the shell.
From here the path to root is super simple. As the user webmaster exists on this machine we can simply su
into the user with the credentials we obtained earlier. Check sudo -l
and then run /bin/bash using sudo.
Last updated