Solving Hackademicrtb1
After downloading and importing Hackademic.RTB1 into VirtualBox, I changed the network
adapter to "Host Only" and started nmap:
Further enumeration yielded no open ports. SSH is closed, so off to the web server it is. Scanning
with nikto.pl gave some info, but not a whole lot.
I briefly looked into XST, but this did not seem to get me anywhere. Back to the website itself
then. DirBuster came up with http://192.168.56.101/Hackademic_RTB1/, which is a WordPress
1.5.1.1 installation. A Google search showed me that it is susceptible to SQL injection. I could
not get that SQL exploit to work in a browser. I was, however, able to replicate some SQL
injection from here. It allowed me to view at least /etc/passwd:
Pretty cool and useful for future challenges!
The main blog had a few links that contained parameters, so I chose the one in the exploit
(category) and ran sqlmap:
$ ./sqlmap.py -u "http://192.168.56.101/Hackademic_RTB1/?cat=1"
This quickly retrieved logins and password hashes, which sqlmap politely offered to crack. Go
ahead! It spewed out wp_users.csv, including cracked passwords. At this point I fell for the decoy:
I tried logging in as the first user, thinking he was admin because his password was admin...
d'oh. I realized my mistake after a while, as I wasn't able to post anything. I looked at the csv file
again and found GeorgeMiller is admin (user_level = 10), so I logged in using his credentials.
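Seen from the defender's side, injection attempts against the cat parameter and sqlmap's default User-Agent both show up in the web server's access log. The following is an added example, not part of the original write-up: it assumes Apache combined log format, the log lines are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
192.168.56.1 - - [01/Jan/2024:10:00:00 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [01/Jan/2024:10:00:05 +0000] "GET /Hackademic_RTB1/?cat=1%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.56.1 - - [01/Jan/2024:10:01:00 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0 (https://sqlmap.org)"
192.168.56.1 - - [01/Jan/2024:10:01:01 +0000] "GET /Hackademic_RTB1/?cat=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0 (https://sqlmap.org)"
192.168.56.1 - - [01/Jan/2024:10:02:00 +0000] "GET /Hackademic_RTB1/?p=9 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def suspicious_cat_requests(log_text):
    """Return one finding per request with a non-integer cat value or a sqlmap User-Agent."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        reasons = []
        # parse_qs percent-decodes, so encoded quotes and spaces are compared in clear
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in params.get("cat", []):
            # a category id is an integer; anything else is worth a look
            if not re.fullmatch(r"[0-9]+", value):
                reasons.append("non-numeric-cat")
        # sqlmap identifies itself in the User-Agent unless told otherwise
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap-user-agent")
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_cat_requests(SAMPLE_LOG):
        print(f["ip"], f["target"], ",".join(f["reasons"]))
```

The same integer check, applied in the application before the value reaches the query, is what closes the injection; the log rule only tells you someone tried.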
After looking around, enabling uploads and hoping to upload a custom php file, I noticed that I
could change the source of plugins located on the WordPress server.
From there, it was easy. The box is running a vulnerable kernel (2.6.31), so after transferring,
compiling and running linux-rds-exploit, I had a root shell. I transferred the .c file by running
$ python -m SimpleHTTPServer on my box and getting the file with wget on the target. Compiling
and running it gave a blinking cursor, but lo and behold: