BTRSys v2: CTF walkthrough
As usual, we use arp-scan to retrieve the IP address of the target system on the same local network.
Then we use nmap to scan for open ports, in order to find which services are publicly accessible.
Like the first machine, the FTP service is useless. Only ports 80 and 22 will be used.
WordPress admin panel
On the home page there is a weird GIF that links us to another GIF. If we read the robots.txt file, the real website appears.
The first thing I did was try to log into the WordPress admin panel, and surprisingly the good old admin:admin works.
We configure our Metasploit handler.
We change the content of the header.php file.
Finally, we have a low privilege reverse shell.
Once again, the config files are rich in information.
Now we can play with MySQL, especially the wp_users table of the wordpress database.
Let's see if we can find passwords in the wp_users table.
Nice, we found MD5 password hashes. We can easily crack them with the hashkiller website.
We have the password of the root user, so we need to try it.
Note that since we don't have a real shell, we can't use the su command, but SSH can be used.
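The weak point exploited above is that wp_users still held unsalted MD5 hashes and a default admin login. As an added defender-side check (not part of the original walkthrough), the audit below takes rows in the shape of `SELECT user_login, user_pass FROM wp_users`, classifies each hash format (legacy MD5 versus WordPress's phpass and bcrypt formats) and flags accounts that need a forced password reset or a rename; the sample rows are constructed, not taken from the machine.

```python
import re

# Hash formats found in wp_users.user_pass: legacy unsalted MD5 (pre-2.5 or
# manually inserted), phpass portable hashes ($P$/$H$) and bcrypt ($2y$, with
# the "$wp" prefix used by newer WordPress releases).
HASH_KINDS = (
    ("bcrypt", re.compile(r"^(\$wp)?\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("phpass", re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")),
    ("legacy-md5", re.compile(r"^[0-9a-fA-F]{32}$")),
)

# Login names an attacker will guess first; assumption: list is site policy.
DEFAULT_LOGINS = frozenset({"admin", "administrator", "root", "test"})

# Constructed sample rows (not real credentials) in the shape of
# SELECT user_login, user_pass FROM wp_users
SAMPLE_WP_USERS = [
    ("admin", "0123456789abcdef0123456789abcdef"),                  # legacy MD5
    ("editor", "$P$BabcdefghABCDEFGHIJKLMNOPQRSTUV"),               # phpass
    ("alice", "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),  # bcrypt
]


def classify_hash(user_pass):
    """Return the hash family of a wp_users.user_pass value."""
    for kind, pattern in HASH_KINDS:
        if pattern.match(user_pass):
            return kind
    return "unknown"


def audit_wp_users(rows):
    """Flag accounts whose stored hash or login name weakens the install."""
    findings = []
    for login, user_pass in rows:
        kind = classify_hash(user_pass)
        issues = []
        if kind == "legacy-md5":
            issues.append("unsalted MD5: force a reset so WordPress re-hashes it")
        elif kind == "unknown":
            issues.append("unrecognised hash format: inspect manually")
        if login.lower() in DEFAULT_LOGINS:
            issues.append("default login name: rename the account")
        findings.append({"login": login, "kind": kind, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_wp_users(SAMPLE_WP_USERS):
        print(finding["login"], finding["kind"], "; ".join(finding["issues"]) or "ok")
```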