VULNHUB MACHINE: HACKER FEST: 2019
- I’ll start again with netdiscover to see what the machine’s IP address is: 192.168.178.81
- With an nmap scan I view the open ports and the software versions:
nmap -sV -sC -A -p- 192.168.178.81
- I see that port 80 is open so I first check what is running on it:
- A wordpress site 🙂 so I run wpscan right away:
wpscan --url http://192.168.178.81/wp-admin -e u,vp
- The scan does not indicate much exciting. The scan does retrieve 1 user: webmaster. The scan also indicates a metasploit module to perform a dictionary attack on this wordpress installation.
- I run this module for the user “webmaster” and the rockyou.txt wordlist.
- After half an hour, the password is cracked: User: webmaster Password: kittykat1
- At the same time I log in to the ftp with anonymous access and download wp-config.php. It says DB_USER: wordpress and DB_PASSWORD: nvwtlRqkD0E1jBXu
- I try to crack this hashed password with John:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
- Now that I have the user webmaster and the password, I log in to the wordpress site. That works!
Then I adjust the language setting and then go to the only active plugin: akismet.
- I grab a php reverse shell.php, adjust the IP address and port, and paste the code into akismet.php:
- I set up a netcat listener:
nc -lnvp 1234
- I open the modified wordpress page and I get a shell.
- I can open /etc/passwd and see that the user webmaster exists there:
- Now, as webmaster, I can try to set up an SSH session with the password kittykat1.
- That works! And there I also find the user flag: 83cad236438ff0c0dbce55d7f0034aee18f5c39e
- And now the root flag is nearby, because as webmaster I can do anything, and with
sudo bash
I am root!
Root flag: 3dcdf93d2976321d7a8c47a6bb2d48837d330624
- P.S. Meanwhile John is still trying to crack the password (already 2 hours). I canceled this one 😉
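
Seen from the defender's side, the sequence above (a long run of failed logins, one accepted password, then a visit to the plugin editor) stands out in the web server's access log. The detector below is an added example, not part of the original walkthrough. It assumes combined log format and that the dictionary attack posts to wp-login.php (the write-up does not say which endpoint the module uses); the threshold, window, addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format prefix: ip, timestamp, method, path, status.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Map client IP -> findings; threshold and window are illustrative values."""
    recent = defaultdict(deque)   # ip -> failed-login timestamps still inside the window
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"].split("?")[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen = findings.get(ip, set())
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            if m["status"] == "200":      # failed login: WordPress re-renders the form
                q = recent[ip]
                q.append(ts)
                while ts - q[0] > window:
                    q.popleft()
                if len(q) >= threshold:
                    findings[ip].add("bruteforce")
            elif m["status"] == "302" and "bruteforce" in seen:
                findings[ip].add("login-after-bruteforce")   # redirect = accepted password
        elif path.endswith("/wp-admin/plugin-editor.php") and "login-after-bruteforce" in seen:
            findings[ip].add("plugin-editor-after-bruteforce")
    return dict(findings)

# Constructed sample log, not taken from the target machine.
def _line(ip, hms, request, status):
    return f'{ip} - - [10/Oct/2019:{hms} +0000] "{request} HTTP/1.1" {status} 1234 "-" "-"'

SAMPLE = (
    [_line("203.0.113.7", f"13:55:{s:02d}", "POST /wp-login.php", 200) for s in range(6)]
    + [_line("203.0.113.7", "13:56:10", "POST /wp-login.php", 302),
       _line("203.0.113.7", "13:57:00", "GET /wp-admin/plugin-editor.php?file=akismet.php", 200),
       # An admin who mistypes once and then edits a plugin must not be flagged.
       _line("198.51.100.20", "14:00:00", "POST /wp-login.php", 200),
       _line("198.51.100.20", "14:00:09", "POST /wp-login.php", 302),
       _line("198.51.100.20", "14:01:00", "GET /wp-admin/plugin-editor.php", 200)]
)

if __name__ == "__main__":
    for ip, found in detect(SAMPLE).items():
        print(ip, sorted(found))
```
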