BTRSys: v2.1

[ vulnhub  boot2root  walkthrough  ]

Goal

uid=0(root) gid=0(root) groups=0(root)

Download

https://www.vulnhub.com/entry/btrsys-v21,196/

Walkthrough

Initial nmap scan reveals open ports 21, 22, and 80

Nothing special on the web page or in its source

robots.txt reveals a WordPress instance

Crude implementation of WordPress and nothing special after some enumeration

Throwing it at wpscan reveals an older version with lots of vulns, but I suspect it’s a ruse

Enumerating users we find btrisk and admin

Brute forcing admin using wpscan reveals admin is the password as well

We’re able to log in to WordPress

First thing is to get our PHP reverse shell into footer.php and haha! Someone already left one on the style.css page. Not sure if this was intentional or not…

After prepping netcat, we pull up the WordPress instance and we have a reverse shell and confirm username btrisk

Couldn’t find much on enumeration so I grab the MySQL root password from wp-config.php

Next we dump the WordPress database using mysql one-liners, revealing usernames and passwords

We throw the hash for btrisk at findmyhash and a password is revealed

We’re able to ssh using the username btrisk and the found password

Simple sudo -i elevates us to root
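
The chain above turns on two weak credentials: admin/admin, and a btrisk hash that a lookup service could reverse. As an added example (not part of the original post), this audits a wp_users export for both conditions; it assumes the looked-up hash was unsalted MD5, and the sample rows and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed rows shaped like wp_users (user_login, user_pass).
# Hashes are generated here; none come from the walkthrough.
SAMPLE_ROWS = [
    ("admin", hashlib.md5(b"admin").hexdigest()),
    ("editor", hashlib.md5(b"constructed-Example-Pass-1").hexdigest()),
    ("author", "$P$B" + "x" * 30),  # phpass-shaped placeholder
]

RAW_MD5 = re.compile(r"[0-9a-f]{32}", re.IGNORECASE)


def classify(stored):
    """Name the storage scheme of one user_pass value."""
    if RAW_MD5.fullmatch(stored):
        return "raw-md5"
    if stored.startswith(("$P$", "$H$")):
        return "phpass"
    return "other"


def audit(rows, extra_guesses=()):
    """Return (login, scheme, issues) for every row."""
    findings = []
    for login, stored in rows:
        scheme = classify(stored)
        issues = []
        if scheme == "raw-md5":
            # Unsalted MD5 is what public hash lookup services index.
            issues.append("unsalted MD5, reversible by hash lookup")
            guesses = {login, login.lower(), *extra_guesses}
            if any(hashlib.md5(g.encode()).hexdigest() == stored.lower()
                   for g in guesses):
                issues.append("password equals username or a listed guess")
        findings.append((login, scheme, issues))
    return findings


if __name__ == "__main__":
    for login, scheme, issues in audit(SAMPLE_ROWS):
        print(f"{login:8} {scheme:8} {'; '.join(issues) or 'ok'}")
```

Any account flagged here should get a forced reset, and the same password must not be valid for the host's SSH or sudo, since that reuse is what carried the database dump to root.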

Written on October 29, 2017