pg-btrsys2.1-play

BTRSys2.1

Nmap
sudo nmap 192.168.120.50 -p- -sS -sV
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

I was able to login with FTP on anonymous login. However, no files are listed and was unable to upload anything. Moving onto port 80 the default page take us to a GIF:

Running dirsearch.py against the the target machine reveals robots.txt

python3 dirsearch.py -u http://192.168.120.50/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -r -t 60 –full-url

Which advises on the WordPress directory as being allowed.

Running WPScan against the target soon reveals two users of which one is admin.

wpscan –url http://192.168.120.50/wordpress/ -t 40 -e u1-1000 –passwords /usr/share/wordlists/rockyou.txt –force

WPScan reports the credentials admin:admin are valid. Heaving over to /wordpress/wp-admin we can sign in with these credentials to access the WordPress dashboard.

We now head over to Appearance > Editor and select the index.php. From here we can remove the PHP contents and replace it with a PHP reverse shell.

Once updated we can set a netcat listener and then reload the main page on: http://192.168.120.50/wordpress/index.php. This should hang the page and we should then receive a reverse shell.

I then transferred over linpeas to the target machine and soon after running linpeas identifies database credentials in /var/www/html/wordpress/wp-config.php.

From here we can connect to MYSQL and then enter the WordPress database. We can then extract users information from the table wp_users as shown below.

# Connect to mysql
mysql -u root -p
rootpassword!
# Extract user information from WordPress
show databases;
select wordpress;
select * from wp_users;

I was unable to crack the root MD5 hash so run I it against some online databases and got a hit on crackstation.net.

We now have the credentials root:roottoor. We can su to the root user for a root shell.

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *