Open in app

Sign in

Write

Sign in

Hackacademic.RTB-1: Vulnhub Solution

Russell Murad
4 min readFeb 7, 2021

Hello Guys! It’s me, Russell Murad, working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).

In this writeup, we’ll solve a vulnerable box called “Hackacademic.RTB-1”.

It’s a beginner-level box.

You can download it from here.

I’ve configured both the Vulnhub machine and my kali machine on the VMWare Workstation NAT connection.

So, let’s begin –

  1. First, we’ll use arp-scan to check our victim machine’s IP address. Command –
arp-scan -l

2. After that we need to find some open port and service enumeration. So, we’ll use Nmap for that. Command –

nmap -sC -sV -A -O -p- -T4 --script http-enum 192.168.136.157

Here, we can see that we’ve got only one open port — 80, which is HTTP.

3. Now enumerating server vulnerability, we’ll use Nikto.

nikto -h 192.1nikto -h 192.168.136.15768.136.157

4. Now let’s use wpscan for enumerating the WordPress site.

wpscan --url http://192.168.0.153 --api-token <token>

wpscan has detected 16 vulnerabilities so far!

One of them is SQL Injection.

Let’s exploit this vulnerability manually.

5. We’ll go to the site and check the vulnerable parameter. In this case, it is “cat=1”.

6. For making the work easier, we’ll fire up the burp and send the request to the repeater. When we put a single quote (‘) to the request, it’ll show the error message into the request.

7. Now, we’ll use “order by” clause to find out column numbers.

8. After that, we’ll retrieve the table’s information.

9. Here, we can find out the database version, username if we like.

10. Now we’ll retrieve user_id, user_pass from the wp_user table.

11. Let’s decrypt those encrypted passwords from the website called “hashes.com”.

12. We’ve found those password for each respected users–

NickJames:adminJohnSmith:kernelGeorgeMiller:q1w2e3TonyBlack:maxwellJasonKonnor:napoleonMaxBucky:PUPPIES

13. Only two of those will work. Except for those two, every user : pass combination will produce either username error or password error.

14. Now, if we log in with user GeorgeMiller, then we’ll find out the file section. Let’s place there our reverse shell.

15. If we open up netcat with port 4444, then we’ll find a response.

16. After getting a shell, I’ve searched for exploit online, most of them didn’t work. But here is an exploit found in security focus that will work for our version.

17. Let’s compile with gcc and run it. Command –

gcc RDS.c -o exploit

And here you can see, we’ve just gained our root privilege and find the key.txt file!!!

So, guys, that’s it for today.
Thank you for reading this writeup. Cheers!

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Vulnhub

Russell Murad
Russell Murad

Written by Russell Murad

27 Followers
523 Following

No responses yet

Write a response

What are your thoughts?

More from Russell Murad

See all from Russell Murad

Recommended from Medium

Lists

Staff picks

826 stories1649 saves

Stories to Help You Level-Up at Work

19 stories948 saves

Self-Improvement 101

20 stories3355 saves

Productivity 101

20 stories2818 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams