Sunday, October 29, 2017

Vulnhub Walkthrough: BTRSys v2.1


uid=0(root) gid=0(root) groups=0(root)

The initial nmap scan reveals open ports 21, 22, and 80

Nothing special on web page or in the source

robots.txt reveals a WordPress instance

Crude implementation of WordPress and nothing special after some enumeration

Throwing it at wpscan reveals an older version with lots of vulns, but I suspect it's a ruse

Enumerating users, we find btrisk and admin

Brute forcing admin using wpscan reveals that the password is admin as well

We're able to log in to WordPress

First thing is to get our PHP reverse shell into footer.php and haha! Someone already left one on the style.css page. Not sure if this was intentional or not...

After prepping netcat, we pull up the WordPress instance and we have a reverse shell and confirm username btrisk

Couldn't find much on enumeration, so I grab the MySQL root password from wp-config.php

Next we dump the WordPress database using mysql one-liners, revealing usernames and passwords

We throw the hash for btrisk at findmyhash and a password is revealed

We're able to ssh using the username btrisk and the found password

A simple sudo -i elevates us to root
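Seen from the defender's side, the wpscan password guessing against admin shows up in the web server access log: WordPress answers a failed login POST to wp-login.php with a 200 (the form is rendered again) and a successful one with a 302 redirect. The following is an added example, not part of the original walkthrough; the /wordpress/ path, the IP addresses, the log lines and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined/common log format: ip, ident, user, [timestamp], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_login_bruteforce(log_text, threshold=5):
    """Return {ip: {"failed": n, "succeeded_after": bool}} for sources with
    at least `threshold` failed wp-login.php POSTs (threshold is an assumption)."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded_after": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        entry = stats[m["ip"]]
        if m["status"] == "200":
            # Failed login: WordPress re-renders the form with HTTP 200.
            entry["failed"] += 1
        elif m["status"] == "302" and entry["failed"] >= threshold:
            # Redirect after a run of failures: a guess probably worked.
            entry["succeeded_after"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

# Constructed sample log: one noisy source, one ordinary user with a typo.
LOGIN = '"POST /wordpress/wp-login.php HTTP/1.1"'
SAMPLE_LOG = "\n".join(
    [f"192.0.2.10 - - [29/Oct/2017:10:00:{i:02d} +0000] {LOGIN} 200 3120"
     for i in range(6)]
    + [f"192.0.2.10 - - [29/Oct/2017:10:00:06 +0000] {LOGIN} 302 0",
       f"198.51.100.7 - - [29/Oct/2017:10:05:00 +0000] {LOGIN} 200 3120",
       f"198.51.100.7 - - [29/Oct/2017:10:05:09 +0000] {LOGIN} 302 0",
       '198.51.100.7 - - [29/Oct/2017:10:05:10 +0000] '
       '"GET /wordpress/wp-admin/ HTTP/1.1" 200 9000']
)

if __name__ == "__main__":
    for ip, s in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, s)
```

A hit with succeeded_after set is the case to escalate first, since it matches the sequence in this walkthrough: repeated failures followed by a working login.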

