Pippin exploit - Robertsegee/SEC335 GitHub Wiki

In this lab, we broke into a box called Pippin using various methods, such as exploiting FTP, file uploading and transferring, hashcat, and MariaDB abuse.


Active Recon


The first step of this lab was to do some active reconnaissance to gain information about the system. This was done by using the tool nmap along with its associated flags -sS and -sV. The purpose of this was to identify the services running on the system and their versions. From this I was able to identify various services such as HTTP and SSH. The next step I took was to test how the IP responded when opened in the browser. After that I identified potential services that could be exploited in order to gain access to the box.


Remote Code Execution


For this, I wanted to test if I was able to remotely execute code on the machine. This was done by using FTP (File Transfer Protocol). Once I logged in to the machine's FTP service as anonymous, I uploaded my own PHP script which, when navigated to from the browser, would allow me to view /etc/passwd in order to gain information about accounts on the system. Some interesting information I found was that MariaDB and MySQL were on the machine, as well as a user account on the system. While in FTP I pulled a file from their system to my own box called LocalSettings. This file gave me valuable information about default passwords for accounts on the system.
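The weakness used above is an FTP service that lets anonymous users write files into a directory the web server also serves. The following is an added example, not code from the original write-up: a small audit script that reads a vsftpd-style configuration and reports that combination. It assumes the FTP server is vsftpd (the page does not name the server) and uses the real vsftpd directive names anonymous_enable, write_enable, anon_upload_enable, anon_mkdir_write_enable and anon_root; the weak and hardened configurations embedded below are constructed for the example.

```python
"""Audit a vsftpd-style config for the anonymous-upload-into-webroot weakness.

Added example (not from the original write-up). Assumes vsftpd directive
names and vsftpd's documented defaults: anonymous_enable defaults to YES,
write_enable / anon_upload_enable / anon_mkdir_write_enable default to NO.
"""

# Constructed weak configuration: anonymous users may upload, and their
# FTP root sits inside the web root, so an uploaded .php file is reachable
# from the browser.
WEAK_CONFIG = """
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/ftp   # served by the web server too
"""

# Constructed hardened configuration: anonymous access is off entirely,
# authenticated local users keep their upload ability.
HARDENED_CONFIG = """
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
"""


def parse_config(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_yes(settings: dict, key: str, default: str = "NO") -> bool:
    """vsftpd booleans are YES/NO; fall back to the directive's default."""
    return settings.get(key, default).upper() == "YES"


def audit(config_text: str, web_roots=("/var/www",)) -> list:
    """Return a list of (severity, message) findings for the given config."""
    s = parse_config(config_text)
    findings = []

    anon = is_yes(s, "anonymous_enable", default="YES")  # vsftpd default is YES
    anon_write = is_yes(s, "write_enable") and (
        is_yes(s, "anon_upload_enable") or is_yes(s, "anon_mkdir_write_enable")
    )
    if anon and anon_write:
        findings.append(("HIGH", "anonymous FTP users can write files"))

    anon_root = s.get("anon_root", "")
    if anon and anon_root and any(
        anon_root == w or anon_root.startswith(w.rstrip("/") + "/") for w in web_roots
    ):
        findings.append(("HIGH", f"anonymous FTP root {anon_root} is inside a web root"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it as-is to see two HIGH findings for the weak configuration and none for the hardened one; point `audit` at the text of a real vsftpd.conf and adjust `web_roots` to the document roots the web server actually uses.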


Gaining Root Access


Once I was logged in as the user account with limited permissions, I accessed MariaDB on the system because it could hold some valuable information about elevated users. Once in MariaDB I was able to navigate to a table where I could see both user_name and user_password. There were many other fields, such as real name and email, which could provide valuable information if this was not a simulated scenario. In the user_name and user_password columns, I was provided the Admin account and the associated hash and encryption method. I copied the information back to my home virtual box so that I could crack the hash. One challenge I was presented with was the format of the hash. I needed to set the hash mode of hashcat to 12100 along with editing the hash to be in the correct format, or else it would just return errors. The correct format, in this case, was achieved by removing everything before the sha512 and also removing the 64 after it. The next challenge I faced was how intensive hashcat would be along with how long it would take. In order to speed the process up so it could be done in a reasonable amount of time, I moved it onto a home box with better hardware and also edited my password list. I used the rockyou password list, but with prior information that was provided in the lab I was able to narrow the password list down to only entries that began with a lowercase p. This was done by using grep to find all lines that began with p and then outputting them to a new text file. Once I had that I was ready to run hashcat with the following syntax:

sudo hashcat -m 12100 -a 0 loot.txt rockp.txt

(loot.txt is where the hash was stored; rockp.txt is the filtered rockyou list)

After waiting for about an hour for it to finish, I ran the same command with --show at the end, which returned to me the password for the root account. After gaining the password I was able to SSH into the box as root.
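Hashcat mode 12100 is PBKDF2-HMAC-SHA512, so the fields the write-up trims from the stored string are the parameters of that scheme: the "sha512" is the underlying hash, the number after it is the iteration count, and the "64" that gets dropped is the derived-key length in bytes. The following is an added example, not code from the original write-up or the application on the box: it builds and verifies a password hash in a ":pbkdf2:sha512:<iterations>:<dklen>:<base64 salt>:<base64 key>" layout (an assumption about the stored format based on the trimming step the text describes) using only the Python standard library. The salt and passwords are constructed for the example. From the defender's side, the iteration count is the knob that made the crack take an hour: the `verify` function pays that cost once per login, while a guesser pays it once per candidate.

```python
"""PBKDF2-HMAC-SHA512 password hashing and verification.

Added example, not from the original write-up. Assumes the stored layout
":pbkdf2:sha512:<iterations>:<dklen>:<base64 salt>:<base64 key>" (hashcat
mode 12100 is PBKDF2-HMAC-SHA512). Salts and passwords below are
constructed for the example.
"""
import base64
import hashlib
import hmac
import os

DKLEN = 64  # derived-key length in bytes: the "64" field in the stored string


def hash_password(password: str, iterations: int = 30000, salt: bytes = None) -> str:
    """Return a stored string; a fresh 16-byte random salt is used unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    fields = [
        "",            # leading ":" so the string starts with the scheme tag
        "pbkdf2",
        "sha512",
        str(iterations),
        str(DKLEN),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ]
    return ":".join(fields)


def parse_stored(stored: str) -> dict:
    """Split the stored string into its parameters; ValueError on a malformed layout."""
    parts = stored.split(":")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "pbkdf2":
        raise ValueError("unexpected stored-hash layout")
    return {
        "algo": parts[2],                     # hashlib digest name, e.g. "sha512"
        "iterations": int(parts[3]),
        "dklen": int(parts[4]),
        "salt": base64.b64decode(parts[5]),
        "key": base64.b64decode(parts[6]),
    }


def verify(stored: str, candidate: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    h = parse_stored(stored)
    key = hashlib.pbkdf2_hmac(
        h["algo"], candidate.encode("utf-8"), h["salt"], h["iterations"], dklen=h["dklen"]
    )
    # compare_digest avoids leaking where the first differing byte is
    return hmac.compare_digest(key, h["key"])


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print(stored)
    print(verify(stored, "correct horse battery"))   # True
    print(verify(stored, "Correct horse battery"))   # False
```

Because the iteration count and salt travel inside the stored string, `verify` keeps working when the count is raised for new accounts, and old entries can be re-hashed on the user's next successful login.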