Hacker Fest 2019
The machine was part of Martin Haller's workshop for Hacker Fest 2019 in Prague. There are two ways to exploit it.
Download : https://www.vulnhub.com/entry/hacker-fest-2019,378/
Difficulty : Beginners
Format : OVA (VirtualBox)
Find the IP address of the box on the network by running nmap.
Then scan all ports of the box.
Solution #1
There is a Webmin instance running on port 10000 with SSL. The version is 1.890. This version is vulnerable to remote command execution as root via a backdoor (http://www.webmin.com/exploit.html).
Launch Metasploit.
Select "exploit/unix/webapp/webmin_backdoor".
Run "exploit" and you get root.
However, you cannot change to other directories.
Run "shell" to get an interactive shell.
Go to "/root" and get "flag.txt". Root is dancing!
Solution #2
It is running a WordPress site on port 80.
Run "wpscan" to check. Since I do not have an API token, the vulnerabilities cannot be shown.
It reports that the "wp-google-maps" plugin is out of date. The version may be 7.10.02, as "wpscan" is not sure. This plugin may be vulnerable to SQL injection, CVE-2019-10692 (https://www.cybersecurity-help.cz/vdb/SB2019040604?affChecked=1).
Launch Metasploit.
Select "auxiliary/admin/http/wp_google_maps_sqli".
Run "run" and get the hash of the "webmaster" account.
Brute force the password of "webmaster" with "john" and "rockyou.txt" to get the password.
Then log in to the box with "ssh" using the obtained username and password. Escalate privileges with "sudo" and get "flag.txt". Root is dancing!
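Both solutions start from an outdated component (Webmin 1.890, wp-google-maps 7.10.02). The following is an added defender-side example, not code from the original post, that audits a constructed service inventory against per-product fix versions; the fix cut-offs in FIXED_IN are assumptions of this example, not values stated above, and the ordering pitfall it avoids is that string comparison ranks "7.9.0" above "7.11.18".

```python
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "1.890" or "7.10.02" into an int tuple for numeric ordering.

    Strings compare character by character ("7.9.0" > "7.11.18") and a float
    cannot hold three components, so each dotted part becomes an int.
    Trailing non-numeric noise such as "-1" is ignored.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


# Assumption for this example: every release older than the listed version
# is treated as affected. These cut-offs are placeholders, not values from
# the write-up; take the real ones from the vendor advisory.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "webmin": parse_version("1.930"),
    "wp-google-maps": parse_version("7.11.18"),
}


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is older than the assumed fix."""
    fixed = FIXED_IN.get(product.lower())
    if fixed is None:
        return False  # no advisory data for this product
    return parse_version(version) < fixed


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return "host product version" for every affected inventory entry."""
    return [f"{host} {product} {version}"
            for host, product, version in inventory
            if is_affected(product, version)]


# Constructed inventory mirroring the two findings in the write-up.
INVENTORY = [
    ("10.0.0.5:10000", "webmin", "1.890"),
    ("10.0.0.5:80", "wp-google-maps", "7.10.02"),
    ("10.0.0.9:10000", "webmin", "1.930"),
    ("10.0.0.9:80", "wp-google-maps", "7.11.18"),
]
```

Running audit(INVENTORY) lists only the two hosts still on the old versions; the version strings themselves usually come from the nmap banner or the wpscan plugin report.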
After thought
It is a realistic scenario without the trickiness of a Capture The Flag (CTF). Recommended.
Samiux
OSCE OSCP OSWP
October 11, 2019, China, Hong Kong