HackerFest 2019 Walkthrough

Box Name : Hackerfest 2019

Source : VulnHub

Difficulty : Easy

Recon

nmap -sV -sC -F -oA scan 192.168.0.110

Here 192.168.0.110 was the IP of the box hosted in the VM. After scanning we get the following result:

Fig.1 Nmap Scan

I saw that an HTTP service was running on port 80. I tried visiting the page and got the following webpage:

Fig.2 Website Homepage

A quick look at the page source revealed that it is a WordPress site. Now the real point is that the WordPress site might have a lot of plugins, most of which are vulnerable.

I ran "wpscan" on the host but didn't get much that could be exploited, or maybe it was a rabbit hole. The other information that I got from the recon is that the FTP service is running on port 21.

I didn't really have to try to access it, because as soon as I entered the address with the FTP protocol prefix (ftp://), I got to know it was an unauthenticated one.

BOOM!!

Fig.3 Wordpress Files through FTP

After some searching I learnt I should go for the wp-config.php file, which contains the credentials used to make a DB connection. Of course, most sites need a DB, or should I say:

"Vulnerable sites need a DB"

Think about it :-P

Fig.4 wp-config.php source
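
From the defender's side, the anonymous FTP download of wp-config.php described above leaves a clear trace in the transfer log. The following is an added example, not part of the original walkthrough: it assumes the FTP server writes the standard xferlog transfer-log format (the page does not say which FTP daemon or log format the box uses), and the sample log lines and the SENSITIVE file list are constructed for illustration.

```python
import posixpath

# File names that hold WordPress secrets or backups of them (illustrative list).
SENSITIVE = ("wp-config.php", "wp-config.php.bak", ".htpasswd")

# Constructed sample lines in xferlog format (not taken from the box).
SAMPLE_LOG = """\
Mon Oct 14 10:12:01 2019 1 192.168.0.105 3021 /var/www/html/wp-config.php b _ o a anon@ ftp 0 * c
Mon Oct 14 10:12:09 2019 1 192.168.0.105 418 /var/www/html/index.php b _ o a anon@ ftp 0 * c
Mon Oct 14 10:15:40 2019 2 192.168.0.20 3021 /var/www/html/wp-config.php b _ o r deploy ftp 0 * c
Mon Oct 14 10:16:02 2019 1 192.168.0.105 3021 /var/www/html/wp-config.php b _ o a anon@ ftp 0 * i
truncated line
"""

def parse_xferlog(line):
    """Return a dict for one xferlog line, or None if it is malformed."""
    tok = line.split()
    if len(tok) < 18:          # 5 date + 3 + filename + 9 trailing fields
        return None
    tail = tok[-9:]
    return {
        "time": " ".join(tok[:5]),
        "host": tok[6],
        "size": tok[7],
        "path": " ".join(tok[8:-9]),   # tolerate spaces in the file name
        "direction": tail[2],          # o = download, i = upload, d = delete
        "access": tail[3],             # a = anonymous, g = guest, r = real user
        "user": tail[4],
        "status": tail[8],             # c = complete, i = incomplete
    }

def anonymous_secret_downloads(log_text, sensitive=SENSITIVE):
    """Anonymous, outgoing transfers of sensitive files (complete or not)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None:
            continue
        name = posixpath.basename(rec["path"]).lower()
        if rec["access"] == "a" and rec["direction"] == "o" and name in sensitive:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in anonymous_secret_downloads(SAMPLE_LOG):
        print(h["time"], h["host"], h["path"], "status=" + h["status"])
```

Any hit means the database credentials in that file should be treated as exposed and rotated, and the anonymous FTP root should be moved out of the web root or anonymous access disabled.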

I logged in through the /phpmyadmin portal, went to the users table and found one user. But the password was a hash (a WP one, I guess).

Fig.5 PHPMyAdmin Portal

Cracking

Fig.6 John The Ripper

Now, there is an auxiliary exploit available in Metasploit which lets you gain a Meterpreter shell through WordPress credentials by uploading a shell on its own.

Fig.7 Metasploit Console

After gaining a Meterpreter shell, we escalate privileges:

meterpreter> python -c 'import pty;pty.spawn("/bin/bash")'

You can find alternative methods here: https://guif.re/linuxeop

That's it. Read /root/flag.txt

Thanks for reading!

Security Enthusiast | A Web App Developer Sometimes
