Hacker Fest 2019 — Vulnhub.com

Andrew Hilton
Nov 2 · 7 min read

I had a few hours free this morning so thought I would take a look on Vulnhub for a nice VM to try and complete over my coffee.

I found this one, Hacker Fest 2019, created by Martin Haller. It is the first VM in the Hacker Fest series; it was designed for a CTF and is rated as VERY EASY. So let’s dive straight in and see how long it’ll take us to root it.

The VM isn’t showing us its IP address on the logon screen; we can run netdiscover to find it though.

Awesome, so now that we have the IP address we can move on to the initial first step in all of these CTF challenges and fire up Nmap against the box to see what ports/services etc. it is running.

Nice and easy, those first 3 ports are the “basic” ports to have open when you’re building an easy CTF.

Let’s just start at the top of the list and try to connect first to the FTP server and then move on from there.

We can try to connect to the FTP server using the “anonymous” user.

Perfect, it has allowed us to connect to the server. Now we can take a look around and see if we can find the next piece of the puzzle.

So we can see the website (that’s probably on port 80) is running WordPress. Whilst we are taking a look around the FTP server we can spin up WPScan and see if it can help us get into the admin console.

We’ll come back to this in a few minutes. Whilst we are on the FTP server we can grab the wp-config.php file, as that usually has some admin creds in it.

After trying these creds on the WP login page and the ssh service on the box and failing (which I didn’t expect from an easy box), let’s make a note of them and move on for now. We should try to find any other hidden dirs on the webserver. Let’s check back in on our WPScan results before moving on to dirb.

What is going on!! This is starting to feel weird now. But fair enough, I love a challenge so let’s move on.

Another “dead end”. Something doesn’t feel right with this.

Let’s go back to the FTP server and see if we can upload files; maybe we can get lucky and upload a rev shell or ssh keys and just log onto the box that way.

I can see we have access to the mkdir and put cmds on the FTP server but I am just getting errors when trying to run them. I am going to reset the box and see if that helps.

So that didn’t help and I was still seeing all the same issues as before.
It was at this stage that I headed over to Google to see what was up, and I decided to start with WPScan. After a couple of minutes reading a few blog posts I came across this one, https://blog.wpscan.org/wpvulndb/2019/07/12/lots-of-wpvulndb-changes.html, which explains why I was not having any luck up to this point.

Essentially WPScan has been updated and no longer shows you the vulnerabilities it has detected unless you submit your registered user API token. So I signed up, got my token and now we can rescan it and see if the results are different than the first time.

The results were indeed better this time around. These look interesting. Quickly scanning down the highlighted vulnerabilities, and considering we currently have no access to the site, the “WP Google Maps 7.11.00–7.11.17 — Unauthenticated SQL Injection” one looks the most promising. Let’s do a bit of research on the exploit to see if we can indeed use it to gain access to the box.
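From the defender's side, the same finding can be checked on the server without a scanner by reading the installed plugin's version header and comparing it with the range quoted above. This is an added example, not part of the original post; the plugin directory name `wp-google-maps`, the file name `main.php` and the version 7.11.15 in the demo tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Affected range exactly as quoted in the post: WP Google Maps 7.11.00-7.11.17.
AFFECTED_LOW, AFFECTED_HIGH = (7, 11, 0), (7, 11, 17)

# WordPress reads plugin metadata from a comment header near the top of a PHP file.
VERSION_HEADER = re.compile(
    rb"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if absent."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]       # the header sits in the first 8 KiB
        if b"Plugin Name:" in head:
            match = VERSION_HEADER.search(head)
            if match:
                return match.group(1).decode()
    return None

def in_affected_range(version):
    """Compare numerically so '7.11.00' and '7.11.0' are the same release."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))         # pad '7.11' to (7, 11, 0)
    # Only the first three components are compared, which errs on the safe side.
    return AFFECTED_LOW <= parts[:3] <= AFFECTED_HIGH

def audit(plugins_root, slug="wp-google-maps"):  # slug is an assumption
    version = installed_version(Path(plugins_root) / slug)
    if version is None:
        return "not installed"
    state = "AFFECTED" if in_affected_range(version) else "outside range"
    return f"{version} {state}"

def demo():
    """Audit a constructed plugin tree (file name and version are made up)."""
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root) / "wp-google-maps"
        plugin.mkdir()
        (plugin / "main.php").write_text(
            "<?php\n/*\nPlugin Name: WP Google Maps\nVersion: 7.11.15\n*/\n")
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, point `audit()` at the site's `wp-content/plugins` directory.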

If we look up the CVE number of the exploit it talks us through the attack, but more interestingly it links to a Rapid7 blog post about it, https://www.rapid7.com/db/modules/auxiliary/admin/http/wp_google_maps_sqli. The very interesting thing about Rapid7 is that they are the makers of Metasploit and this vulnerability actually has a Metasploit module available for it. So let’s fire it up and get some access.

We can just use the default settings and see what happens.

Nice, so it seems like we have some creds that have been saved in a .bin file. Let’s cat the file and see what we have.

The module was actually super helpful as it told us these creds in the output already.

webmaster $P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1

So we have a username and a password hash. Let’s use JOHN to crack the hash. After letting JOHN run for ages with the default wordlist and getting nothing, I tried again with the rockyou list and got a hit instantly.

There we have it, after all that we have ended up with the creds:

webmaster:kittykat1

Let’s see if we can use them to log in to the WP panel or maybe even better the SSH service.

We’re in, not so straightforward as this CTF was designed for a Polish audience, but we have Google Translate so we can still make use of it, and hopefully we won’t be in here too long. I’m thinking we upload a rev shell and then jump straight into the box itself. Just before we do this let’s just try the SSH service with the same creds before moving on.

And that’s why it’s always worth trying!! We’re in. We can forget about the WP panel and switch to enumerating the box; for this we have some trusty enum scripts that we can upload now we have access.

Sweet, whilst this doesn’t exactly scream out ROOT at us (unless you know what you’re looking for) this is really promising. We can slightly expand on this by running the cmd

sudo -l

That is exactly the news we wanted, it seems like webmaster can run ALL the cmds they want!! So at this point the easiest and quickest way to root is with the cmd

sudo su
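The grant that ends the box here is something an administrator can audit for ahead of time. The following is an added example, not part of the original post: it parses the output of `sudo -l -U <user>` and flags rules that give an account unrestricted or passwordless root. Both sample outputs, the host name `ctf-host` and the `backup` account are constructed for illustration.

```python
import re

# Constructed `sudo -l -U <user>` output; host name and "backup" are made up.
SAMPLE_WEBMASTER = """\
Matching Defaults entries for webmaster on ctf-host:
    env_reset, mail_badpass

User webmaster may run the following commands on ctf-host:
    (ALL : ALL) ALL
"""
SAMPLE_BACKUP = """\
User backup may run the following commands on ctf-host:
    (root) NOPASSWD: /usr/bin/rsync, /usr/bin/systemctl restart nginx
    (www-data) /usr/bin/php
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def parse_sudo_list(text):
    """Return (user, rules) parsed from `sudo -l` output."""
    user, rules = None, []
    for line in text.splitlines():
        header = re.match(r"User (\S+) may run the following commands", line)
        if header:
            user = header.group(1)
        rule = RULE.match(line) if user else None   # skip the Defaults section
        if not rule:
            continue
        rest, tags = rule.group("rest"), []
        while (tag := TAG.match(rest)):             # NOPASSWD:, SETENV:, ...
            tags.append(tag.group(1))
            rest = rest[tag.end():]
        runas = [u.strip() for u in rule.group("runas").split(":")[0].split(",")]
        commands = [c.strip() for c in re.split(r"(?<!\\),", rest)]
        rules.append({"runas": runas, "tags": tags, "commands": commands})
    return user, rules

def findings(text):
    """Flag rules that hand the account root, fully or without a password."""
    user, rules = parse_sudo_list(text)
    out = []
    for r in rules:
        if not {"ALL", "root"} & set(r["runas"]):
            continue                                # not a path to root
        if "ALL" in r["commands"]:
            out.append(f"{user}: unrestricted root via sudo (any command)")
        elif "NOPASSWD" in r["tags"]:
            out.append(f"{user}: passwordless root for {', '.join(r['commands'])}")
    return out
```

Running `findings()` over the output for every service and web account shows which ones turn a single reused password into root.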

That’s Game Over for this VM. Let’s grab the flags and we’re done.

That started out WAY harder than it needed to be due to the update to WPScan which stopped us from seeing the vulnerable path, but once we gave it our API token it was all easy from there.

It turned out to be a really fun little CTF, thanks to Martin Haller for creating it, and as always thanks to Vulnhub for hosting the VM and all the others on their site.


If you found this article helpful, please give it some 👏 and share it with anyone who you think might find it helpful! + Feedback and coffees are always welcome! 😄

Take care and hopefully I’ll see you back here soon for more content and walkthroughs.
