HackerFest 2019 Walkthrough

Tushar Kulkarni
3 min readNov 19, 2019

--

Box Name : Hackerfest 2019

Source : VulnHub

Difficulty : Easy

Recon

First I ran the following command :

nmap -sV -sC -oA -F 192.168.0.110

Here 192.168.0.110 was the ip of the box hosted in the VM.After scanning we get the following result

Fig.1 Nmap Scan

I saw an http service is running on port 80.Tried visiting the page and got a webpage hosted as follows:

Fig.2 Website Homepage

A quick view at the page source revealed that it is a wordpress site.Now the real point is the wordpress site might be having a lot of plugins.Most of which are vulnerable.

I ran a “wpscan ”on the host , didn’t get much that could be exploited or maybe it was a rabbit hole .The other information that I got from the recon is that the ftp service is running on port 21.

I didn’t really have to try and access because as soon as I entered the address with ftp protocol prefix(ftp://).I got to know it was an unauthenticated one.

BOOM!!

Fig.3 Wordpress Files through FTP

After some search I learnt I should go for wp-config.php file ,which consists the credentials used to make a DB connection Ofcourse maximum sites need a DB or Should I say:

“ Vulnerable sites need a DB ”

Think about it :-P

Fig.4 wp-config.php source

I logged in through /phpmyadmin portal and went to the users table and found one user.But the password was a hash (A WP I guess).

Fig.5 PHPMyAdmin Portal

Cracking

So I used JTR(John the Ripper) to crack it through existing rockyou.txt password list and got the password to the user of the Wordpress.

Fig.6 John The Ripper

Now ,there is an auxiliary exploit available in Metasploit which lets to gain a meterpreter shell through Wordpress credentials by uploading a shell on its own.

Fig.7 Metasploit Console

After gaining Meterpreter shell we escalate privileges

meterpreter>python -c ‘import pty;pty.spawn(“/bin/bash”)’

You can find alternative methods here : https://guif.re/linuxeop

Thats it.Read the /root/flag.txt

Thanks for reading!

--

--