Thursday 7 July 2016

Hackademic: RTB1 challenge

Hi all,
This is the first realistic hackademic challenge (root this box) by mr.pr0n

Scanning








Situation is not complicated, only one open port - HTTP. So, let's examine the web application.



















Hmm, let's click on target link




















OK, we know what is our goal. We know also NickJames username. Let's check a source code of the web page.










We can see that the web page utilize Wordpress CMS - in particular 1.5.1.1 version. AS far as I know, this version has several vulnerabilities and maybe we could find some exploit.
BINGO! I found SQL Injection epxloit and


























We see that this method works but we don't know the database structure. I used a sqlmap tool and we have got list of databases.






Good, let's penetrate this deeper.


















Excellent! I logged in as NickJames, but he has not special privileges to do something useful for us. Bingo! GeorgeMiller has privilege to add PHP script!















Great! We can write into the file our PHP backdoor. I did that and let's execute it








Wow! We have got limited shell! I examined Linux Kernel version and I have found effective exploit to escalate our privileges.



















Game over!