Exploiting Pippin - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
Recon
Open services
- SSH
- HTTP
- FTP
FTP
The FTP server was left open to anonymous access and vulnerable. I was able to gain leverage on the system by uploading the simple-backdoor.php script via the anonymous FTP server and calling this script via HTTP. Using this combination, I was able to reveal the contents of /etc/passwd.
MySQL
The settings are located in /var/www/html/LocalSettings.php. This gives us the root password for MySQL.
After logging into MySQL, new databases will be available.
Use the following commands:
- USE mediawiki;
- SELECT * FROM user; # user is the name of the table in the mediawiki database. SELECT * means select every column
This should reveal the user hash. This is due to the system administrator leaving the MySQL server unsecured.
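The two misconfigurations behind the FTP and MySQL findings above can be checked for on a host you administer. The script below is an added example, not part of the original write-up. It assumes the FTP daemon is vsftpd (the page does not name it) and uses constructed sample config text; `$wgDBuser` is the standard MediaWiki database-user setting.

```python
import re

# Assumption: vsftpd; these are its upstream defaults per the vsftpd.conf man page.
VSFTPD_DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
                   "anon_upload_enable": "NO", "anon_root": ""}
WEB_ROOT = "/var/www/html"  # web root named on this page

def parse_vsftpd(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    conf = dict(VSFTPD_DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_ftp(text, web_root=WEB_ROOT):
    """Flag anonymous login, anonymous upload, and uploads served over HTTP."""
    conf = parse_vsftpd(text)
    findings = []
    anon = conf["anonymous_enable"].upper() == "YES"
    upload = (conf["write_enable"].upper() == "YES"
              and conf["anon_upload_enable"].upper() == "YES")
    if anon:
        findings.append("anonymous FTP login enabled")
    if anon and upload:
        findings.append("anonymous users can upload files")
        root = conf["anon_root"].rstrip("/")
        if root == web_root or root.startswith(web_root + "/"):
            findings.append("anonymous uploads land inside the web root")
    return findings

def audit_localsettings(text):
    """Flag a MediaWiki config that connects to MySQL as root."""
    m = re.search(r"""^\s*\$wgDBuser\s*=\s*["']([^"']*)["']\s*;""", text, re.M)
    if m and m.group(1) == "root":
        return ["$wgDBuser is root: wiki compromise exposes every database"]
    return []

# Constructed sample inputs (not taken from the target system).
SAMPLE_FTP = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nanon_root=/var/www/html/\n"
SAMPLE_WIKI = '<?php\n$wgDBname = "mediawiki";\n$wgDBuser = "root";\n$wgDBpassword = "REDACTED";\n'

if __name__ == "__main__":
    for finding in audit_ftp(SAMPLE_FTP) + audit_localsettings(SAMPLE_WIKI):
        print("FINDING:", finding)
```

Any finding from `audit_ftp` is fixed in the FTP daemon's config; the `audit_localsettings` finding is fixed by giving the wiki a dedicated MySQL account with privileges on the `mediawiki` database only.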