
BTRSys2.1 Medium box on Offensive Security Proving Grounds - OSCP Preparation.

Hello,

We are going to exploit one of the OffSec Proving Grounds Medium machines, called BTRSys2.1. This post is not a fully detailed walkthrough; I will just go through the important points of the exploitation process.

Enumeration:

  • Nmap: [screenshot: nmap scan]

Getting Shell:

  1. WordPress is running on port 80; you can log in with the credentials:
    • User: admin
    • Pass: admin
  2. Edit the theme and add your payload to any writable PHP file: [screenshot: wp-shell]

  3. Access the shell: [screenshot: rce]

Privilege Escalation:

  • MySQL credentials, found in the wp-config.php of the WordPress install:

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
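As an added example (not from the post or the box itself), a small Python audit of a wp-config.php that flags the three conditions chained on this machine: a root database account, a database password that embeds the username, and the theme editor left enabled (WordPress disables it with the real DISALLOW_FILE_EDIT constant). The two config fragments are constructed for the example, and the account name wp_btrsys is hypothetical.

```python
import re

# Constructed wp-config.php fragment mirroring the two defines found on the box.
WEAK_WP_CONFIG = """<?php
/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
"""

# Constructed hardened variant: least-privilege account, unrelated password,
# and the built-in theme/plugin editor switched off.
HARDENED_WP_CONFIG = """<?php
define('DB_USER', 'wp_btrsys');
define('DB_PASSWORD', 'Qk9b!vR2#xLm7pZs');
define('DISALLOW_FILE_EDIT', true);
"""

# Matches define('KEY', 'value'); as well as define('KEY', true); and numeric values.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>\w+)['"]\s*,\s*(?P<val>'[^']*'|"[^"]*"|true|false|\d+)\s*\)"""
)


def parse_defines(php_source: str) -> dict:
    """Return the define() constants of a wp-config.php as {name: str|bool}."""
    out = {}
    for m in DEFINE_RE.finditer(php_source):
        raw = m.group("val")
        out[m.group("key")] = raw == "true" if raw in ("true", "false") else raw.strip("'\"")
    return out


def audit_wp_config(php_source: str) -> list:
    """Return human-readable findings for the misconfigurations this box relied on."""
    cfg = parse_defines(php_source)
    user = str(cfg.get("DB_USER", ""))
    password = str(cfg.get("DB_PASSWORD", ""))
    findings = []
    if user == "root":
        findings.append("DB_USER is root: WordPress should use a least-privilege database account")
    if user and user.lower() in password.lower():
        findings.append("DB_PASSWORD contains the database username")
    if cfg.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: the theme editor can write PHP to the webroot")
    return findings
```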

Enumerating MySQL:

  • Databases:

    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | deneme             |
    | mysql              |
    | performance_schema |
    | phpmyadmin         |
    | sys                |
    | wordpress          |
    +--------------------+

  • Explore the wordpress DB:

    mysql> use wordpress;
    mysql> show tables;
    +----------------------------+
    | Tables_in_wordpress        |
    +----------------------------+
    | wp_abtest_experiments      |
    .
    .
    .
    | wp_usermeta                |
    | wp_users                   |
    +----------------------------+

  • Getting the password for the btrisk user, then getting root: [screenshot: root]

Happy Hacking!

This post is licensed under CC BY 4.0 by the author.
