SEC335 Exploiting Nancurunir - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Recon

One of the earliest stages of any pen test is recon. This involves gathering all available, relevant information that could help you compromise a system.

Service Enumeration

Service enumeration is the part of recon where the attacker probes the target to determine which services are running and which ports are open, and which of those may be useful, interesting, or relevant. This may also involve IP addresses, ports,

Services

nslookup to determine the IP address of the target, an nmap scan to determine the running services, and ping to check connectivity.


Among the running services were http (port 80) and ssh (port 22); these were the ones I was interested in.
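To make the service-enumeration step repeatable rather than read off a screenshot, the following added example (not from the original journal) parses nmap's grepable (-oG) output and pulls out the open ports whose service name is worth a closer look. The scan text is constructed to mirror the result above (ssh/22 and http/80 open); the host name, IP address and version strings are placeholders, not the lab's real values.

```python
"""Parse nmap grepable (-oG) output and pick out the services worth a closer look.

Added example, not from the original journal. The scan output below is
constructed to mirror the page's result (ssh/22 and http/80 open); the host
name, IP and version strings are placeholders, not the lab's real values.
"""

# Constructed sample of `nmap -sV -oG - <target>` output (not real scan data).
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - nancurunir.example
Host: 10.0.0.10 (nancurunir.example)\tStatus: Up
Host: 10.0.0.10 (nancurunir.example)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//Apache httpd 2.4.38/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Services that usually give a foothold or leak data; extend to taste.
INTERESTING = {"ssh", "http", "https", "mysql"}


def parse_grepable(text):
    """Return {ip: [(port, proto, state, service, version), ...]}.

    In -oG output each "Ports:" entry has the fixed form
    port/state/proto/owner/service/rpcinfo/version/ (seven slash-separated
    fields), entries are comma-separated, and the major fields of a Host line
    are tab-separated.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and the bare "Status: Up" line carry no ports
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for raw in ports_field.split(","):
            raw = raw.strip()
            if not raw:
                continue
            fields = raw.split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append((int(port), proto, state, service, version))
        hosts.setdefault(ip, []).extend(entries)
    return hosts


def open_interesting(hosts):
    """Open ports whose service name is on the INTERESTING list, sorted."""
    out = []
    for ip, entries in hosts.items():
        for port, proto, state, service, version in entries:
            if state == "open" and service in INTERESTING:
                out.append((ip, port, service, version))
    return sorted(out)


if __name__ == "__main__":
    for ip, port, service, version in open_interesting(parse_grepable(SAMPLE_NMAP_GREPABLE)):
        print(f"{ip}:{port}\t{service}\t{version}")
```

Filtered ports (here the constructed 3306/mysql entry) are deliberately left out of the shortlist: they tell you a firewall is in the path, not that a service is reachable, so they belong in the notes rather than in the attack surface.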


HTTP web site of nancurunir

Next, I ran dirb, a Kali-native tool used to uncover hidden web pages, against the target web server and uncovered a phpmyadmin page. This was how I gained a foothold.

The output of dirb made me aware of the existence of a phpmyadmin page. After browsing to this page, I found that it required credentials to log in. I took a wild guess and set the user to Gandalf, and I used the web page to provide clues as to what the password could be. In previous labs, the password was hidden on the website and needed to be mangled to find the correct variation of it. I took inspiration from that and used the many distinctive words on the web page to guess the password. I eventually found the right combination: Gandalf:shallnotpass.
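The guessing described above was done by hand; the following added example (not code from the original journal) shows the same idea as a small, repeatable procedure: pull the distinctive words off the target page, join runs of adjacent words, apply the usual mangling rules (capitalisation, leetspeak, digit and symbol suffixes), and try the candidates against a login check. The page text, the stopword list, the `fake_login` stand-in for the phpMyAdmin form and the suffix list are all constructed for the demo, not taken from the real nancurunir site.

```python
"""Build a candidate password list from words scraped off a target web page,
the way the foothold above was found by hand.

Added example, not from the original journal. PAGE_TEXT is constructed, not
the real nancurunir site; fake_login stands in for the phpMyAdmin login form.
"""
import re

# Constructed sample of text scraped from the target site (not the real page).
PAGE_TEXT = """
Welcome to Nancurunir, seat of the Wise.
You shall not pass! Speak, friend, and enter.
"""

# Filler words that are never worth a guess on their own (assumed list).
STOPWORDS = {"to", "of", "the", "and", "you"}

# Single-character substitutions for a basic leetspeak variant.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Suffixes users commonly bolt onto a word (assumed list).
SUFFIXES = ("1", "123", "!", "2023")


def page_words(text):
    """Unique alphabetic words, lowercased, in order of appearance, with
    stopwords dropped. Order matters: adjacent words form phrases below."""
    seen = []
    for w in re.findall(r"[A-Za-z]+", text):
        w = w.lower()
        if w not in STOPWORDS and w not in seen:
            seen.append(w)
    return seen


def phrases(words, max_len=3):
    """Runs of up to max_len consecutive words joined without spaces
    ('shall', 'not', 'pass' -> 'shallnotpass'), plus the single words."""
    out = []
    for n in range(1, max_len + 1):
        for i in range(len(words) - n + 1):
            out.append("".join(words[i:i + n]))
    return out


def mangle(base):
    """Common variations of one base string."""
    variants = {base, base.capitalize(), base.upper(), base.translate(LEET)}
    for suffix in SUFFIXES:
        variants.add(base + suffix)
        variants.add(base.capitalize() + suffix)
    return variants


def candidates(text):
    """All candidates, deduplicated, shortest first so cheap guesses go first."""
    cands = set()
    for base in phrases(page_words(text)):
        cands.update(mangle(base))
    return sorted(cands, key=lambda c: (len(c), c))


def guess(oracle, text, usernames):
    """Try every (username, candidate) pair against oracle(user, pw) -> bool.
    Returns the first working pair, or None. Against a real form, oracle()
    would be the HTTP POST plus a check of the response; mind lockout policy."""
    cands = candidates(text)
    for user in usernames:
        for pw in cands:
            if oracle(user, pw):
                return user, pw
    return None


def fake_login(user, pw):
    """Stand-in for the login form: accepts only the constructed credentials."""
    return (user, pw) == ("Gandalf", "shallnotpass")


if __name__ == "__main__":
    print(len(candidates(PAGE_TEXT)), "candidates generated")
    print("found:", guess(fake_login, PAGE_TEXT, ["gandalf", "Gandalf"]))
```

Against a real target the oracle is the slow part, so the candidate order matters: short, unmangled phrases first, then the mangled forms, so that a guess like shallnotpass is tried before its leetspeak and suffixed variants.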

The phpmyadmin page contained information about users within one of the mysql databases. From this user table, I was able to determine a named user on the target system: Gandalf.


What I found especially interesting was the information associated with the Gandalf user.


Within the user's record was the hashed password! I submitted it to an online hash cracker, which returned a result instantly.
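An online cracker works, but it also hands a client's password hash to a third party, which is rarely acceptable on a real engagement. The following added example (not from the original journal) does the same job offline against a wordlist: it guesses the unsalted hash format from its shape and checks each candidate. The page does not say which format the table used, so the example covers the common unsalted ones (MD5, SHA-1, SHA-256, and MySQL's mysql_native_password, which is `*` followed by SHA1(SHA1(pw)) in upper-case hex); the user rows and wordlist are constructed, and the sample hashes are generated in the block so it runs on its own.

```python
"""Crack a password hash pulled from a database table offline, instead of
pasting it into an online cracker.

Added example, not from the original journal. The page does not say which
hash format the users table used, so the format is guessed from its shape;
the rows and wordlist below are constructed, and the sample hashes are
generated here so the block is self-contained.
"""
import hashlib


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def sha256_hex(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


def mysql_native(pw):
    """mysql_native_password / PASSWORD(): '*' + SHA1(SHA1(pw)) in upper hex."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# (name, hashing function, normaliser used before comparing) keyed by hex length.
HEX_FORMATS = {
    32: ("md5", md5_hex, str.lower),
    40: ("sha1", sha1_hex, str.lower),
    64: ("sha256", sha256_hex, str.lower),
}


def identify(h):
    """Guess an unsalted hash type from length and prefix.

    Returns (name, hash_fn, normaliser) or None for anything unrecognised
    (salted schemes such as bcrypt need a proper cracker, not this loop).
    """
    if h.startswith("*") and len(h) == 41:
        return "mysql_native", mysql_native, str.upper
    if h and set(h) <= set("0123456789abcdefABCDEF"):
        return HEX_FORMATS.get(len(h))
    return None


def crack(h, wordlist):
    """Return (hash_type, plaintext) on success, (hash_type, None) if the
    wordlist is exhausted, or (None, None) if the format is unrecognised."""
    ident = identify(h)
    if ident is None:
        return None, None
    name, fn, norm = ident
    target = norm(h)
    for pw in wordlist:
        if norm(fn(pw)) == target:
            return name, pw
    return name, None


def crack_rows(rows, wordlist):
    """rows: iterable of (username, hash) as dumped from a users table."""
    return {user: crack(h, wordlist) for user, h in rows}


# Constructed users-table dump (not real data). The third row imitates a
# bcrypt-style string to show the unrecognised-format path.
SAMPLE_ROWS = [
    ("Gandalf", mysql_native("shallnotpass")),
    ("Saruman", md5_hex("orthanc")),
    ("Frodo", "$2y$10$notARealBcryptHashJustAPlaceholder"),
]
WORDLIST = ["password", "mellon", "shallnotpass", "orthanc", "gandalf"]


if __name__ == "__main__":
    for user, (kind, pw) in crack_rows(SAMPLE_ROWS, WORDLIST).items():
        print(f"{user}: type={kind} plaintext={pw}")
```

For anything beyond a few thousand candidates, or for salted formats, hand the dump to hashcat or John the Ripper instead; the point of the loop is that the hash never leaves your machine, and the page's own word-derived candidates are a good first wordlist.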

Using my newly found credentials, I attempted to use the other interesting service I had found, ssh.

I was unable to SSH directly to nancurunir; however, I did have access to other boxes on the same network, and SSHing from one of those was successful. I was able to log in using the credentials I had just found.


This next part is probably the most rewarding part of the entire assignment.


After SSHing into the target and doing my regular deliverables, running the id command showed me that the user I had found actually had sudo privileges! I was able to find the user flag, elevate to root, and then get the root flag, all from a single user compromised through an unsecured mysql server.