Box Name : Hackerfest 2019
Source : VulnHub
Difficulty : Easy
First I ran the following command:
nmap -sV -sC -F -oA scan 192.168.0.110
Here 192.168.0.110 was the IP of the box hosted in the VM. After scanning we get the following result:
I saw an HTTP service running on port 80. I tried visiting the page and got a webpage hosted as follows:
A quick look at the page source revealed that it is a WordPress site. Now the real point is that the WordPress site might have a lot of plugins, most of which are vulnerable.
I ran “wpscan” on the host but didn’t get much that could be exploited, or maybe it was a rabbit hole. The other information that I got from the recon is that the FTP service is running on port 21.
I didn’t really have to try to access it, because as soon as I entered the address with the FTP protocol prefix (ftp://), I got to know it was an unauthenticated one.
After some searching I learnt I should go for the wp-config.php file, which contains the credentials used to make a DB connection. Of course, most sites need a DB, or should I say:
“Vulnerable sites need a DB”
Think about it :-P
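The exposure described above, a wp-config.php sitting inside a directory that the FTP service serves without authentication, can be checked for from the defender's side. The following is an added example, not part of the original write-up; the function names, the directory layout and the sample config are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches define('DB_USER', 'value') with either quote style.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def audit_ftp_root(ftp_root):
    """Return one finding per wp-config.php reachable under ftp_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(ftp_root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8", errors="replace") as fh:
            keys = dict(DEFINE_RE.findall(fh.read()))
        findings.append({
            "path": os.path.relpath(path, ftp_root),
            "world_readable": bool(mode & stat.S_IROTH),
            # Report which secrets are exposed, never their values.
            "exposed_keys": sorted(k for k in keys if keys[k]),
            "db_user": keys.get("DB_USER"),  # account whose password must be rotated
        })
    return findings

def demo():
    """Build a constructed FTP root in a temp directory and audit it."""
    sample = (
        "<?php\n"
        "define( 'DB_NAME', 'wordpress' );\n"
        "define( 'DB_USER', 'wp_example' );\n"
        "define( 'DB_PASSWORD', 'constructed-secret' );\n"
        "define( 'DB_HOST', 'localhost' );\n"
    )
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "html")
        os.makedirs(site)
        cfg = os.path.join(site, "wp-config.php")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(cfg, 0o644)
        return audit_ftp_root(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding means the database credentials should be treated as disclosed: rotate them, move the web root out of the anonymous FTP tree or disable anonymous access, and restrict who can reach /phpmyadmin.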
I logged in through the /phpmyadmin portal, went to the users table and found one user. But the password was a hash (a WP one, I guess).
So I used JTR (John the Ripper) to crack it with the existing rockyou.txt password list and got the password for the WordPress user.
Now, there is an auxiliary exploit available in Metasploit which lets you gain a Meterpreter shell through WordPress credentials by uploading a shell on its own.
After gaining a Meterpreter shell we escalate privileges:
meterpreter> python -c 'import pty;pty.spawn("/bin/bash")'
You can find alternative methods here: https://guif.re/linuxeop
That’s it. Read the /root/flag.txt
Thanks for reading!