Solving Hackademic #1

After downloading and importing Hackademic.RTB1 into VirtualBox, I changed the network
adapter to "Host Only" and started nmap:

Starting Nmap 5.21 ( http://nmap.org ) at 2013-12-14 19:49 CET
Nmap scan report for 192.168.56.101
Host is up (0.62s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
|_html-title: Hackademic.RTB1
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.41 seconds

Further enumeration turned up no additional open ports. SSH is closed, so off to the web server
it is. Scanning with nikto.pl gave some info, but not a whole lot.

$ perl nikto.pl -host http://192.168.56.101

- ***** SSL support not available (see docs for SSL install) *****
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:       192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port:     80
+ Start Time:      2013-12-14 19:50:57 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ Server leaks inodes via ETags, header found with file /, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
+ End Time:        2013-12-14 19:51:04 (GMT1) (7 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
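The "leaks inodes via ETags" line is worth understanding rather than just noting. With Apache 2.2's default FileETag setting (INode MTime Size) the ETag is the file's inode number, size and modification time, each hex-encoded and joined with dashes, so anyone who fetches a page learns inode numbers on the server. The decoder below is an added example, not code from the write-up or from nikto; the ETag string it parses is constructed to match the values nikto printed for / (inode 12748, size 1475, mtime 0x4996d177f5c3b), since the raw header itself is not in the write-up. The second sample shows what a server hardened with FileETag MTime Size (or FileETag None) would send instead.

```python
"""Decode an Apache "inode-size-mtime" ETag (added example, not from the write-up)."""
import re
from datetime import datetime, timezone

# Constructed header, consistent with the inode/size/mtime nikto decoded for /.
SAMPLE_ETAG = '"31cc-5c3-4996d177f5c3b"'

# Three hex fields separated by dashes; optional quotes and weak-validator prefix.
ETAG_RE = re.compile(r'^(?:W/)?"?([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"?$')


def parse_apache_etag(etag):
    """Return (inode, size, mtime) for an INode/Size/MTime ETag, else None.

    Apache encodes the inode and size as plain hex and the mtime as hex
    microseconds since the epoch (apr_time_t). A server configured with
    FileETag MTime Size or FileETag None emits fewer fields and does not
    match, which is exactly the fix for this finding.
    """
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None
    inode, size, mtime_us = (int(field, 16) for field in m.groups())
    mtime = datetime.fromtimestamp(mtime_us / 1_000_000, tz=timezone.utc)
    return inode, size, mtime


def leaks_inode(etag):
    """True when the ETag exposes the file's inode number."""
    return parse_apache_etag(etag) is not None


if __name__ == "__main__":
    print(parse_apache_etag(SAMPLE_ETAG))
    # Hardened server: only size and mtime are present, so nothing to leak.
    print(leaks_inode('"5c3-4996d177f5c3b"'))
```

The inode value is informational on its own, but it is the kind of detail that helps attacks which need to guess server-side identifiers (NFS file handles, for instance), and it is trivial to switch off, which is why nikto flags it.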

I briefly looked into XST, but this did not seem to get me anywhere. Back to the website itself
then. DirBuster came up with http://192.168.56.101/Hackademic_RTB1/, which is a WordPress
1.5.1.1 installation. A Google search showed me that it is susceptible to SQL injection. I could
not get that SQL exploit to work in a browser. I was, however, able to replicate some SQL
injection from here. It allowed me to view at least /etc/passwd:
Pretty cool and useful for future challenges!

The main blog had a few links that contained parameters, so I chose the one used in the exploit
(cat, the category id) and ran sqlmap:

$ ./sqlmap.py -u http://192.168.56.101/Hackademic_RTB1/?cat=1

$ ./sqlmap.py -u http://192.168.56.101/Hackademic_RTB1/?cat=1 -t cat -a

This quickly retrieved logins and password hashes, which sqlmap politely offered to crack. Go
ahead! It spat out wp_users.csv, including the cracked passwords. At this point I fell for the
decoy: I tried logging in as the first user, thinking he was admin because his password was
admin... d'oh. I realized my mistake after a while, as I wasn't able to post anything. I looked at
the csv file again and found that GeorgeMiller is the admin (user_level = 10), so I logged in with
his credentials. After looking around, enabling uploads and hoping to upload a custom php file, I
noticed that I could edit the source of the plugins stored on the WordPress server.

That's mighty nice of you. I changed the plugin located at
http://192.168.56.101/Hackademic_RTB1/wp-content/plugins/hello.php into a small php script that
allowed command execution.
Nice, but I wasn't able to read key.txt or spawn a reverse shell that way. Instead, I replaced the
contents of hello.php with pentestmonkey's reverse php shell. This beautiful script did the
heavy lifting and soon I had shell access.

From there, it was easy. The box is running a vulnerable kernel (2.6.31), so after transferring,
compiling and running linux-rds-exploit, I had a root shell. I transferred the .c file by running
python -m SimpleHTTPServer on my box and fetching the file with wget on the target. Compiling
and running it gave a blinking cursor, but lo and behold:

Final step is to read /root/key.txt.


Game over! This was a nice and short challenge. Let's see if I can solve #2...
