Walkthru
1. https://w01fier00t.com/2018/01/01/btrsys2-walkthrough/ [priv escalation by looking through the wp-config.php file. Got DB/user/pwd. Log in to the MySQL DB to get the root pwd hash, which will need to be unhashed]
2. http://www.hackingarticles.in/hack-btrsys-v2-1-vm-boot2root-challenge/ [wpscan; use msfvenom to create the shell; use wpscan -u http://1.2.3.4/wordpress -eu to perform username enumeration. -e [option(s)]: enumeration; option u is for usernames. Source: https://wpscan.org/]
1. Ran scans
a. Shows robot.txt and wordpress dir
b. Login to WordPress with default user/pwd
c. Added PHP reverse shell
d. With this and a little help from the PentestMonkey PHP reverse shell, I edited the 404.php with this shell.
e. Next we set up a listener.
nc -nvlp 1234 [Re-pasting the shell helped. It wasn't giving any error but just wasn't working. When going to the 404 page, it would show a white page but didn't give us a shell]
f. Now browse to
http://192.168.0.29/wordpress/wp-content/themes/twentyfourteen/404.php
Admin link: http://192.168.0.29/wordpress/wp-admin/theme-editor.php
g. Looked at kernel vulnerabilities. Tried to copy the first exploit and found out that gcc isn't present; python is also not present, so couldn't run the priv checker. Tried to compile the exploit on Kali and copied it over and got a system mismatch error. Tried https://www.exploit-db.com/exploits/41458/, compiled it on Kali, uploaded and ran it and got the prompt. Also checked searchsploit and the same exploit was there too. VM appears to be losing connection after getting root access: at the root prompt and getting no response from the host now.
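A defender-side check for steps d to f, as an added example that is not part of the original notes: it scans web access logs for a client that saves a file through theme-editor.php and then requests a theme .php file directly. The log lines, client IPs and function name are constructed for illustration, and it assumes an older WordPress where the editor saves by POSTing to theme-editor.php.

```python
import re

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
EDITOR = "/wp-admin/theme-editor.php"
# Theme templates are normally loaded through index.php, so a direct
# request for a .php file inside a theme directory is unusual.
THEME_PHP = re.compile(r"^/wp-content/themes/[^/]+/.+\.php$")

def find_theme_edit_abuse(lines, prefix="/wordpress"):
    """Flag clients that POST to the theme editor and later request a
    theme .php file directly. `prefix` is the WordPress install path."""
    edited_at = {}   # client ip -> timestamp of first accepted editor POST
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip malformed lines
        path = m["path"].split("?", 1)[0]     # drop the query string
        if not path.startswith(prefix):
            continue
        path, ip = path[len(prefix):], m["ip"]
        # Assumption: a 2xx/3xx answer means the editor accepted the save.
        if m["method"] == "POST" and path == EDITOR and m["status"][0] in "23":
            edited_at.setdefault(ip, m["ts"])
        elif ip in edited_at and THEME_PHP.match(path):
            findings.append({"ip": ip, "edited": edited_at[ip],
                             "requested": path, "at": m["ts"]})
    return findings

SAMPLE = [  # constructed log lines, not captured from the VM
    '10.0.0.5 - - [01/Jan/2018:10:00:01 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 2310',
    '10.0.0.9 - - [01/Jan/2018:10:01:00 +0000] "GET /wordpress/wp-content/themes/twentyfourteen/404.php HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2018:10:02:10 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 -',
    '10.0.0.5 - - [01/Jan/2018:10:03:00 +0000] "GET /wordpress/wp-content/themes/twentyfourteen/404.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in find_theme_edit_abuse(SAMPLE):
        print(f"{f['ip']} edited a theme at {f['edited']} then requested {f['requested']}")
```

Setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the theme editor that step d relies on.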