Lab7.1 Overview - jwells24/Tech-Journal GitHub Wiki

Lab 7.1 - Walkthrough

  • In the lab for this week, we tackled exploiting a new system from no access all the way to root privileges. The system we were exploiting this week was called "Pippin".

Recon

  • The first stage of the lab was reconnaissance. The first objective was to find any open ports that we would be able to exploit, as well as service versions. I did this using the nmap command below, and from this scan we were able to find three open ports running OpenSSH, ftpd, and Apache respectively.

[image: nmap scan output]

  • The next step of reconnaissance was to explore these three ports and understand how they could be exploited. The Apache server was running MediaWiki and serving a web page for the wiki. SSH was locked, but the FTP port was running an anonymous FTP server. This was our point of entry into the system and a source of a lot more information.

Initial Exploitation

  • Using the FTP server as our initial vector of exploitation, we were able to read and upload files on the FTP server. This allowed me to create a script containing a backdoor and upload it to the /upload directory of the web server. Once the script was there, we were able to access it from the web page and read the /etc/passwd file. This file contained useful information such as usernames and other hidden services.

  • Once we had a valid username and some services from the /etc/passwd file, we were able to go back to the FTP server and look for a password. In this specific lab, we were able to download the LocalSettings.php for the MySQL database and find a password and user. This password, combined with a username from /etc/passwd, allowed us to gain initial access into Pippin. However, we didn't have root access quite yet.

Gaining root access

  • Now that we have access to the system, the goal is to find more passwords to try and gain access to the root user, which gives us full access to the system. In order to do that, we examine the hidden services, which in this case means MySQL. We are able to log into the MySQL database using the login information we found in LocalSettings.php. Once inside MySQL, we can look for unique information and databases such as the mediawiki database. Inside the mediawiki database, we can search through tables to find information that might be of use to us, such as usernames and passwords. By selecting the user table in the mediawiki database, we find three usernames with three different hashes for their passwords. Now, our job is to crack these password hashes and try to use them to gain root access.

  • We used hashcat in this lab to crack the password hash, which we knew came from the rockyou wordlist. Here is a link to the page I created on using hashcat: https://github.com/jwells24/Tech-Journal/wiki/Hashcat. Once we cracked the password, we were able to SSH into the machine as the root user and successfully gain root access to Pippin.

Reflection

  • The first mistake made by Pippin's administrator was allowing public access to the files located on the FTP server. With such sensitive information there, not just anyone should have been able to download and upload files. Allowing anyone to upload files to all of the directories located in the /var/www/html directory allowed us to create a webshell and gain a lot more information. I think that another mistake the administrator made was making the root password the same as the MySQL password for Pippin. Root passwords should be unique and complicated, and none of the passwords in this lab were complicated. I used a hint video for the MySQL database portion of the lab because I got stuck on where to look, and needed help navigating to the hashes located in the mediawiki database. Besides that, I was able to use the FTP server to my advantage and utilize hashcat to crack the password hash.
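As an added example (not part of the original lab write-up), here is a small defender-side audit for the web root mistake described above: it walks a web root such as /var/www/html and flags directories that anyone can write into, plus PHP scripts sitting inside a directory named "upload". The script suffix list, the "upload" directory name and the sample tree it builds are my own assumptions for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: these are the suffixes Apache would hand to the PHP handler.
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar"}
UPLOAD_DIR_NAME = "upload"  # assumption: the drop directory is named "upload"


def audit_webroot(root):
    """Walk a web root and return sorted (finding, relative_path) tuples.

    Findings:
      world-writable-dir   -- any user on the box (or an FTP anonymous
                              account mapped to one) can drop files here
      script-in-upload-dir -- a server-side script is in an upload directory,
                              which is exactly how a webshell gets executed
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = () if rel == "." else tuple(rel.split(os.sep))
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", rel))
        if UPLOAD_DIR_NAME in parts:
            for name in filenames:
                if Path(name).suffix.lower() in SCRIPT_SUFFIXES:
                    findings.append(("script-in-upload-dir",
                                     os.path.join(rel, name)))
    return sorted(findings)


def build_sample_webroot(base):
    """Constructed sample tree: a harmless index page, a world-writable
    upload directory, an image in it, and a PHP file dropped beside it."""
    Path(base, "index.php").write_text("<?php echo 'wiki'; ?>\n")
    upload = Path(base, UPLOAD_DIR_NAME)
    upload.mkdir()
    os.chmod(upload, 0o777)  # the misconfiguration: anyone can write here
    Path(upload, "photo.png").write_bytes(b"\x89PNG")
    Path(upload, "dropped.php").write_text("<?php /* placeholder */ ?>\n")
    return str(upload)


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample_webroot(root)
    for kind, path in audit_webroot(root):
        print(f"{kind}: {path}")
```

Run against a real web root as the web server's user (or root) and treat every finding as something to fix: upload directories should be writable only by the service that needs them and should never be executable by the PHP handler.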