grotesque: hackmyvm | vulnhub

fast-paced walkthrough from the machine maker



i started with nmapautomator as usual: nmapautomator.sh grotesqueip all. open ports: 80 and 66. the rest of the scan is not interesting.

looks like there's nothing on port 80.

dirbuster scan returns nothing. for now...

port 66 welcomes me with a project, vvmlist. nothing interesting in the source code, and running dirbuster is futile. there's a download link for the project, which does not appear in the original vvmlist, so i downloaded and unzipped the project locally.

there are a lot of files to inspect. sshpasswd.png looks promising because no ssh port is open.

just a little prank by gigachad. let's go back one step. there are a lot of files, but most of them were last edited on jan 16 while some of them were last edited on jan 18. so, why shouldn't i start with the latest ones?

cat assets/* | sort | uniq >>> nothing
cat index.md >>> nothing

the command cat _vvmlist/* | sort | uniq reveals the secret location on port 80.
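the "start with the latest ones" idea above can be scripted instead of eyeballed: pick out files with a newer mtime than a cutoff date, then dedupe only their contents. this is an added example, not part of the original walkthrough; the directory layout, file contents and the year in the dates are all constructed (the post only gives jan 16 / jan 18).

```shell
#!/bin/sh
# added example: isolate recently modified files in an unzipped project and
# print their unique lines. uses GNU find/touch (-newermt, -d); the sample
# tree below is constructed and only mimics the project's structure.

# newer_files DIR DATE -> sorted paths of regular files modified after DATE
newer_files() {
  find "$1" -type f -newermt "$2" | sort
}

# unique_lines_of_newer DIR DATE -> deduplicated lines of just those files
unique_lines_of_newer() {
  newer_files "$1" "$2" | while read -r f; do
    cat "$f"
  done | sort -u
}

# make_sample_tree DIR -> constructed mock of the project with two mtimes:
# most files "jan 16", one file under _vvmlist "jan 18" (year 2021 assumed)
make_sample_tree() {
  mkdir -p "$1/assets" "$1/_vvmlist"
  printf 'old note\n' > "$1/assets/a.txt"
  printf 'old note\n' > "$1/index.md"
  printf 'hidden path marker\nhidden path marker\n' > "$1/_vvmlist/entry.md"
  touch -d '2021-01-16 12:00' "$1/assets/a.txt" "$1/index.md"
  touch -d '2021-01-18 12:00' "$1/_vvmlist/entry.md"
}

# stand-alone run: build the tree in a temp dir and show what changed after jan 17
if [ -z "${NO_DEMO:-}" ]; then
  demo=$(mktemp -d)
  make_sample_tree "$demo"
  echo "files newer than 2021-01-17:"
  newer_files "$demo" '2021-01-17'
  echo "unique lines in them:"
  unique_lines_of_newer "$demo" '2021-01-17'
  rm -rf "$demo"
fi
```

the cutoff date is whatever splits the bulk of the files from the handful edited later; on a real unzipped archive, check first that the zip preserved mtimes, otherwise every file shows the extraction time and the filter is useless.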

http://grotesqueip/lyricsblog looks like it's just a song-lyrics wordpress blog.

inspecting the page source gives a png image location.

http://grotesqueip/lyricsblog/yesman.png welcomes me with gigachad again. but this time it doesn't look like a prank, because one of the lyrics is by hakan taşıyan.

since i don't want to be pranked by gigachad again, i ran wpscan: wpscan --url http://grotesqueip/lyricsblog -e ap,cb,dbe,u1-999 --plugin-detection aggressive --plugins-version-detection aggressive. there's nothing, so moving back to hakan taşıyan would be good. yes, bruteforce is futile again.

the page looks quite ordinary. this point exactly reflects the machine's name, grotesque, and i have one shot. so what if i just copy the hakan taşıyan - doktor lyrics to a file and then md5sum it? remember, it's not a real-world scenario and there's no shame in creating wacky machines.

copying from wordpress adds blank lines and i removed them.

md5sum'd the text file.

there's a text on wp-login page that says "password should be uppercase".

easy, just uppercase it.
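the three steps above (strip the blank lines the copy-paste introduced, md5sum the file, uppercase the digest) as one small shell pipeline. this is an added example, not code from the original walkthrough; the input text is constructed, not the lyrics, and treating whitespace-only lines as blank is my assumption.

```shell
#!/bin/sh
# added example: reproduce the password-derivation steps from the walkthrough.
# the text file you feed in is whatever you copied; the sample used in the
# stand-alone run below is constructed filler, not the real lyrics.

# strip_blank FILE -> FILE contents without empty or whitespace-only lines
# (assumption: the blank lines wordpress added are empty or spaces only)
strip_blank() {
  grep -v '^[[:space:]]*$' "$1"
}

# derive_pass FILE -> md5 hex digest of the blank-stripped text, uppercased,
# matching the "password should be uppercase" hint on the login page
derive_pass() {
  strip_blank "$1" | md5sum | cut -d' ' -f1 | tr 'abcdef' 'ABCDEF'
}

# stand-alone run: show that the blank lines do not change the result
if [ -z "${NO_DEMO:-}" ]; then
  pasted=$(mktemp)
  clean=$(mktemp)
  printf 'line one\n\nline two\n\n' > "$pasted"   # constructed, with blank lines
  printf 'line one\nline two\n' > "$clean"        # same text, blanks removed
  echo "from pasted copy: $(derive_pass "$pasted")"
  echo "from clean copy:  $(derive_pass "$clean")"
  rm -f "$pasted" "$clean"
fi
```

the takeaway for anyone building (or auditing) a box: a credential that is a deterministic function of public text is only as secret as the guess that someone will try that function, which is exactly the one-shot "grotesque" leap the post describes.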

i finally logged in to wordpress.

everyone knows this part but.. appearance > edit theme > 404.php (my favorite) > paste phpreverseshell.php > get reverse shell as www-data.

i always check wp-config.php on boxes with wordpress installed. db credentials are written there. i also check whether these credentials double as user credentials. so su raphael, enter the password, and i'm now in a user shell.

ls -la in the home folder finds two .kdbx files. pulling them to my local machine is a good way to inspect them.
note: i forgot to remove chad.kdbx before submitting the machine. both are the same file, but the intended one is .chadroot.kdbx because it's semi-hidden.

chadroot.kdbx is a keepass db file, which can be confirmed with the file chadroot.kdbx command. i need its password, so bruteforcing with john is going to work. john offers keepass2john to make it crackable by john: keepass2john chadroot.kdbx > chadjohn

password cracked by john with rockyou.txt.

i'm using app.keeweb.info for keepass files i encounter in boxes. upload chadroot.kdbx and enter the password. four entries in the db; i copied them all.

su root > try passwords > root.

if you have questions: contact