Friday, October 11, 2019

Hacker Fest 2019



The machine was part of Martin Haller's workshop for Hacker Fest 2019 in Prague. There are two ways to exploit it.

Download : https://www.vulnhub.com/entry/hacker-fest-2019,378/
Difficulty : Beginners
Format : OVA (VirtualBox)

Find the IP address of the box on the network by running nmap.

s1_001.png

Further scan all ports of the box.

s1_002.png

Solution #1

Webmin is running on port 10000 with SSL. The version is 1.890. This version contains a backdoor that allows remote command execution as root (http://www.webmin.com/exploit.html).

s1_003.png
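A small triage helper, added here and not part of the original post, that parses `nmap -sV` output and flags the Webmin version named above. The scan output below is constructed, and the banner format is assumed to be the "MiniServ <version> (Webmin httpd)" string nmap reports for Webmin.

```python
import re

# Versions this walkthrough reports as vulnerable; no other versions are assumed.
#  - Webmin 1.890 (MiniServ banner): backdoor giving remote command execution
#    as root, see http://www.webmin.com/exploit.html
KNOWN_BAD = {
    "MiniServ": {"1.890": "Webmin backdoor: remote command execution as root"},
}

# Constructed sample of `nmap -sV` output shaped like the box in the post.
# Only the 10000/tcp line reflects the page; the other banners are made up.
SAMPLE_NMAP = """\
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.4p1 Debian (protocol 2.0)
80/tcp    open  http     Apache httpd 2.4.25 ((Debian))
10000/tcp open  http     MiniServ 1.890 (Webmin httpd)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")


def parse_services(nmap_text):
    """Return (port, service, version_banner) for each open-port line."""
    services = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return services


def flag_known_bad(nmap_text):
    """List (port, product, version, note) for banners matching KNOWN_BAD."""
    findings = []
    for port, _service, banner in parse_services(nmap_text):
        for product, versions in KNOWN_BAD.items():
            # Product name followed by a space or slash, optional 'v', then the version.
            m = re.search(rf"\b{re.escape(product)}[ /]v?(\d[\w.]*)", banner)
            if m and m.group(1) in versions:
                findings.append((port, product, m.group(1), versions[m.group(1)]))
    return findings


if __name__ == "__main__":
    for port, product, version, note in flag_known_bad(SAMPLE_NMAP):
        print(f"{port}/tcp {product} {version}: {note}")
```

Run it against a real `nmap -sV` save file to confirm whether the Webmin build on a host is the one this post exploits.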

Launch Metasploit.

s1_004.png

Select "exploit/unix/webapp/webmin_backdoor".

s1_005.png

s1_006.png

Run "exploit" and get root.

s1_007.png

However, you cannot move to other directories from this session.

s1_008.png

Run "shell" to get an interactive shell.

s1_009.png

Go to "/root" and get "flag.txt". Root is dancing!

s1_010.png

s1_011.png

Solution #2

A WordPress site is running on port 80.

s2_001.png

Run "wpscan" to check. Since I do not have an API token, the vulnerabilities cannot be shown.

s2_002.png

It reports that the "wp-google-maps" plugin is out of date. The version may be 7.10.02, as "wpscan" is not sure. This plugin may be vulnerable to SQL injection, CVE-2019-10692 (https://www.cybersecurity-help.cz/vdb/SB2019040604?affChecked=1).

s2_004.png

Launch Metasploit.

s2_005.png

Select "auxiliary/admin/http/wp_google_maps_sqli".

s2_006.png

Run "run" and get the password hash of the "webmaster" account.

s2_007.png

Brute force the password of "webmaster" with "john" and "rockyou.txt" to get the password.

s2_008.png

Then log in to the box with "ssh" using the obtained username and password. Escalate privileges with "sudo" and get "flag.txt". Root is dancing!

s2_009.png

Afterthought

It is a real-case scenario without the tricks of a Capture The Flag (CTF). Recommended.

Samiux
OSCE OSCP OSWP
October 11, 2019, China, Hong Kong