pg-hackerfest2019-play

HackerFest2019

Nmap
sudo nmap 192.168.152.32 -p- -sS -sV
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsftpd 3.0.3
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
10000/tcp open  ssl/http MiniServ 1.890 (Webmin httpd)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

First up, checking FTP, we have anonymous access to what appears to be a WordPress directory. First we can grab wp-config.php, as this will likely contain credentials we can use.

Reading the contents of wp-config.php shows some credentials we can use later. The credentials are: wordpress:nvwtlRqkD0E1jBXu

Running dirsearch.py against port 80 reveals the directory /phpmyadmin

python3 dirsearch.py -u http://192.168.152.32 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 60 --full-url

I then tried to log in with simple credentials such as root:root and was informed by the web server that we cannot use root as a login.

I tried the database credentials from earlier and was permitted access: wordpress:nvwtlRqkD0E1jBXu

Opening up the WordPress database we find a password hash for the user webmaster.

This hash was cracked with hashcat on Windows.

We have the credentials: webmaster:kittykat1. We can then browse to http://192.168.152.32/wp-admin/ and log in with the credentials above.

Once logged in we notice we are working in a language other than English. Follow the image below to change this back to English if required.

After doing so we can head over to Appearance > Theme Editor and replace the contents of index.php with a PHP reverse shell.

Once completed, start a netcat listener, then browse to the main index.php page to execute the shell.

From here the path to root is super simple. As the user webmaster exists on this machine, we can simply su to that user with the credentials we obtained earlier (the same password is reused for the OS account). Check sudo -l and then run /bin/bash using sudo.

su webmaster
sudo -l
sudo /bin/bash
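From the defender's side, the chain above depended on two things: a wp-config.php readable by an anonymous FTP user, and the dashboard theme editor being enabled so an admin login could turn into PHP execution. The checks below are an added example, not part of the original walkthrough; the wp-config.php excerpt and access-log lines are constructed, and the database password is a placeholder, not the one from the box.

```python
import re

# Constructed wp-config.php excerpt with a placeholder password (not the box's real one).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'placeholder-db-password' );
define( 'DB_HOST', 'localhost' );
"""

# Constructed Apache access-log lines showing a login, a theme-editor save, then a hit on index.php.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2020:10:00:20 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2020:10:00:25 +0000] "GET /index.php HTTP/1.1" 200 0',
]

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(true|false|'[^']*')\s*\)")


def parse_defines(text):
    """Return the define() constants in a wp-config.php as a dict (strings or bools)."""
    consts = {}
    for key, val in DEFINE_RE.findall(text):
        consts[key] = val.strip("'") if val.startswith("'") else (val == "true")
    return consts


def audit_wp_config(text, mode):
    """Return findings for the two weaknesses this walkthrough relied on.

    mode is the file's permission bits (e.g. 0o644), as os.stat().st_mode & 0o777 would give.
    """
    findings = []
    if parse_defines(text).get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not true: dashboard admins can edit theme PHP")
    if mode & 0o004:
        findings.append("wp-config.php is world-readable: DB_PASSWORD exposed to any local/FTP user")
    return findings


def theme_editor_posts(lines):
    """Return client IPs that POSTed to theme-editor.php, i.e. saved a theme file."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*"POST /wp-admin/theme-editor\.php', line)
        if m:
            hits.append(m.group(1))
    return hits
```

Setting DISALLOW_FILE_EDIT to true and tightening the file mode clears both findings, and a theme-editor POST is a high-signal event worth alerting on whether or not it is legitimate.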