Lab 7.1 - Zacham17/my-tech-journal GitHub Wiki
Lab 7.1: Exploiting Pippin
Active Recon on Pippin Host
- The IP address of the Pippin host is 10.0.5.25
- A command that I used for recon on the Pippin host was
sudo nmap -A -sV -O -p 1-6000 10.0.5.25
- The command revealed that the FTP is running on port 21, SSH on port 22 and HTTP on port 80.
- The command also revealed that the FTP server allowed anonymous login and listed some files and directories that are accessible to the anonymous user.
- I also browsed to the IP address of the server in a browser to view the web page.
- I dug a little deeper into FTP on the host using the command
sudo nmap -Pn -sV -p 21 --script=ftp-anon 10.0.5.25
which revealed even more files and directories that are accessible to an anonymous user. Some notable files and directories were the LocalSettings.php file and the "upload" directory.
- Lastly, I was able to use the command
ftp -i 10.0.5.25
to log into the FTP server from the terminal as an anonymous user. I used "anonymous" as the username and "password" as the password to keep it simple.
Remote Code Execution
- I created a simple text file called zmor.txt to upload as a test of file uploading to the FTP server.
- I logged in anonymously to the FTP server, navigated to the "upload" directory using
cd upload
and used the command
put zmor.txt
to add the file to the FTP server.
- Then, in a browser, I navigated to
http://10.0.5.25/upload/zmor.txt
to verify that the file was uploaded. This was confirmed when I saw the contents of the file in the browser.
- Back in the terminal, I copied /usr/share/webshells/php/simple-backdoor.php into a file that I called zmor.php.
- More on the simple-backdoor.php file and webshells can be found in Assignment 7.1.
- I then used the same strategy that I used for zmor.txt to upload zmor.php into the uploads directory on the FTP server.
- Using zmor.php, I could now execute commands on the FTP server from the browser through the URL.
- I was able to use the URL "10.0.5.25/upload/zmor.php?cmd=cat+/etc/passwd" to show the contents of the /etc/passwd file on the Pippin host.
- In this file, I noticed the peregrin.took user, which I gained access to later on.
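As a defender-side counterpart to the upload-then-execute chain above, here is an added Python example (not part of the lab write-up or its hint videos) that correlates anonymous FTP uploads of script files with later web requests that execute them. The log lines are constructed, and the xferlog field layout is assumed to be the standard 18-token format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample logs (not captured from the lab host): an Apache
# combined-format access log and a wu-ftpd/vsftpd-style xferlog. Field
# positions in the xferlog follow the standard 18-token layout (assumed).
ACCESS_LOG = """\
10.0.5.2 - - [01/Mar/2024:10:01:02 -0500] "GET /upload/zmor.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.5.2 - - [01/Mar/2024:10:04:15 -0500] "GET /upload/zmor.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
10.0.5.2 - - [01/Mar/2024:10:05:40 -0500] "GET /index.php?title=Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
XFERLOG = """\
Fri Mar  1 10:00:30 2024 1 10.0.5.2 13 /upload/zmor.txt a _ i a anonymous ftp 0 * c
Fri Mar  1 10:03:50 2024 1 10.0.5.2 328 /upload/zmor.php a _ i a anonymous ftp 0 * c
"""

SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def anonymous_script_uploads(xferlog):
    """Paths that an anonymous user (access-mode 'a') uploaded (direction 'i')
    and that end in a server-side script extension."""
    hits = set()
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        path, direction, access = f[8], f[11], f[12]
        if direction == "i" and access == "a" and path.lower().endswith(SCRIPT_EXT):
            hits.add(path)
    return hits

def webshell_hits(access_log, uploaded_scripts):
    """HTTP requests that hit one of the uploaded scripts, with the decoded
    'cmd' query parameter (None if absent). Returns a list of
    (client, path, cmd) tuples."""
    findings = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path not in uploaded_scripts:
            continue
        cmd = parse_qs(parts.query).get("cmd", [None])[0]
        findings.append((client, parts.path, cmd))
    return findings
```

Running `webshell_hits(ACCESS_LOG, anonymous_script_uploads(XFERLOG))` flags only the zmor.php request, with the `cmd` value decoded to `cat /etc/passwd`; the harmless zmor.txt test upload and the normal wiki page view are not reported.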
Accessing the Database
- The Pippin host is also running a MySQL database.
- In the LocalSettings.php file discovered earlier, the root database credentials can be found.
- Using SSH, I logged into the host with the peregrin.took user and the password found in the LocalSettings.php file. I then used the command
mysql -u root -p
and entered the password when prompted to log into the database as the root user.
- In the database, I found a table that has information regarding the username and password of the admin user on the FTP server. The username is Pippin and the password was hashed.
Cracking Pippin's Password
- Before attempting to crack the hashed password for Pippin, I had to edit the hash. I removed everything before the "sha512" in the hash and I removed the ":64:", which left me with a hash that I could use with hashcat to crack the password, which I saved in a file called new_hash.txt.
- Using a wordlist called passlist.txt, which I created from all the words beginning with a lowercase "p" in rockyou.txt, I used the command
sudo hashcat -m12100 new_hash.txt -w4 -a0 passlist.txt
to crack the password.
- I was able to crack the password for the Pippin user and log into the FTP server in the browser using the credentials I found.
- I was also able to log in as root via SSH on the host using the password I cracked.
Reflection
Pippin’s administrators made crucial mistakes, which I was able to exploit in this lab. For one, anonymous FTP users were able to see and access too much on the system, and they could even upload files and executable scripts, which I was able to exploit to remotely execute commands through URLs in the browser. By doing this, I was able to view the /etc/passwd file. I was also able to find database root user credentials as an anonymous user using FTP, which led to me eventually gaining root access to the database, which ended up with me reaching root access on the system after cracking a password in the database. The system administrators for the Pippin host should have put more restrictions in place for anonymous users, and they should have been using better passwords, since I was able to crack the one they set.
For this lab, I used the hint videos mostly to check my work and see if there was anything that I missed. I also used the video to progress when it came to navigation of the database. I mostly wanted to make sure that I was viewing the correct tables in the database. I did have some difficulty in this lab when it came to cracking the hashed password for the Pippin (admin) user. I knew to edit the original hash, which I did, but I accidentally left the “:64:” in the hash, so the hashcat command didn’t accept it as an input. After having a classmate proofread the hash, they noticed my mistake and pointed it out to me. I was then able to fully finish the lab.