Exploiting Gloin - morgan-hanrahan/Tech-Journal GitHub Wiki

Target IP Address

I first ran my dns-resolver.sh script that I created in week three using the command sh ./dns-resolver.sh 10.0.5 10.0.5.22. From here I was able to identify that the target gloin.shire.org has the IP address 10.0.5.31.

Open Ports

The next thing I did was check for open ports on the target IP. I did this using the command sudo nmap -sV 10.0.5.31. I found that ports 22, 443, and 3389 were open and running ssh, http, and ms-wbt-server. This allowed me to see that 10.0.5.31 should have a website.

Vulnerability Discovered

I navigated to https://10.0.5.31/ and was redirected to http://10.0.5.31/entrance_exam/login.php. This could potentially be vulnerable to SQL injection.

Achieving a Foothold

To test whether the site was vulnerable to SQLi, I entered 1' OR 1=1 -- in the reference box. This is a basic SQL injection that I learned in my web application and security class. It told me that the login was successful, signed me in as a user named John D Smith, and redirected me to https://10.0.5.31/entrance_exam/.

Achieving Root/Administrative Level Compromise

Using dirbuster, a Kali tool I have used in the past, I scanned the web server to find all of its directories, using sudo dirbuster -l /usr/share/wordlists/dirb/common.txt -u https://10.0.5.31:443/. This allowed me to find potential directories that I could gain root access through. I navigated to the admin directory I had found, https://10.0.5.31/entrance_exam/admin, and found a PHP file in this directory titled view_enrollee.php.

Using a UNION SQL injection, https://10.0.5.31/entrance_exam/admin/view_enrollee.php?id=1%27+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list; I was able to gain access to a page that contained sensitive information about the administrator, including a hashed password.

Now that I had a password hash, I used hashcat to crack it. The command I used was hashcat -a 0 -m 0 gloinHash.txt /usr/share/wordlists/rockyou.txt. I was able to successfully crack the password hash and found that the password was: Moria2Featon6.

-a: specifies attack mode. 0 = straight
-m: specifies hash type. 0 = MD5
gloinHash.txt: file containing the password hash
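
The reason this step took a single wordlist run is the storage scheme, not the tool: hashcat -m 0 means the admin_list table held unsalted MD5, which maps each candidate password to one fixed value. The following is an added example (not code from this journal or from the Gloin lab) showing the storage a defender should use instead: salted PBKDF2-HMAC-SHA256 with a work factor, constant-time verification, and a legacy-MD5 detector so that existing rows can be rehashed on the next successful login rather than left in place. The iteration count, salt size, format string and the sample password in the usage block are assumptions.

```python
"""Password storage hardening: replace unsalted MD5 with salted PBKDF2 and
migrate legacy rows at login time. Added example, not from the journal."""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune so one hash takes ~250 ms on the server
SALT_BYTES = 16               # assumed per-user salt length
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def legacy_md5(password: str) -> str:
    """The weak scheme the admin table used: bare MD5, no salt, no work factor.
    Kept only so old rows can be verified once before they are upgraded."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy_md5(stored: str) -> bool:
    """A 32-hex-character value with no scheme prefix is treated as legacy MD5."""
    return bool(MD5_HEX.match(stored))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: scheme$iterations$salt_hex$dk_hex.
    A fresh random salt per user defeats precomputed and shared-wordlist work."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login-time migration. Returns (authenticated, value_to_write_back).
    A correct password against a legacy MD5 row yields a new PBKDF2 string that
    the caller must persist; a wrong password leaves the row untouched."""
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored.lower())
        return ok, (hash_password(password) if ok else stored)
    return verify_password(password, stored), stored


if __name__ == "__main__":
    # Constructed sample: an admin row still stored as unsalted MD5.
    sample_password = "example-admin-password"   # assumption, not the lab's value
    row = legacy_md5(sample_password)
    print("legacy row:", row, "legacy?", is_legacy_md5(row))
    ok, upgraded = verify_and_upgrade(sample_password, row)
    print("login ok:", ok, "rewrite row as:", upgraded[:40] + "...")
    print("verifies afterwards:", verify_password(sample_password, upgraded))
```

The migration pattern matters because a dump of the table is only as strong as its weakest row; until every legacy hash has been replaced, the detector lets the application report how many MD5 rows remain and force a reset for accounts that never log in.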

Root Flag

Because the password hash I found earlier was in an admin directory, my first guess was that the password would belong to an admin user. I tried the password attempting to ssh in as admin; however, it didn't work, so I then tried the password using ssh [email protected], and the password worked for this user. All I had to do from here was ls and cat root-flag.txt.

User Flag

Once I had access to the admin account, all I had to do was cd C:\Users\gloin, ls, and cat user-flag.txt in order to view the user flag.

Mitigating Vulnerabilities

System administrators and developers should make it so SQLi commands can't be run. They must also modify the application so that user inputs are validated before they can interact with the database. Finally, they might make specific characters invalid, preventing common SQLi statements from working.
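
Both injections in this journal (the 1' OR 1=1 -- login bypass in the reference box and the UNION on the id parameter of view_enrollee.php) come from the same defect: user input concatenated into the SQL string. The following is an added example, not code from this journal or from the entrance_exam application, that reproduces both against an in-memory SQLite database and places each vulnerable query beside its fixed form. The fix that actually closes the hole is parameterized queries; validating the id as an integer is a second layer, and blacklisting characters on its own is not reliable (the UNION payload above uses only characters a normal form would accept). Table and column names (enrollee, admin_list, reference, username, password), the sample rows and the placeholder hash are assumptions that mirror the payloads on the page; the UNION payload is scaled down to three columns to match the sample table.

```python
"""SQL injection: vulnerable string-built queries beside parameterized ones.
Added example, not from the journal; runs offline against in-memory SQLite."""
import sqlite3
from typing import List, Optional, Tuple

# Payloads from the journal, adapted to the three-column sample table and to
# SQLite's '--' comment syntax.
LOGIN_PAYLOAD = "1' OR 1=1 --"
UNION_PAYLOAD = "1' UNION SELECT id, username, password FROM admin_list --"


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one enrollee and one admin row (names assumed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE enrollee (id INTEGER PRIMARY KEY, reference TEXT, name TEXT);
        INSERT INTO enrollee VALUES (1, 'REF-1001', 'John D Smith');
        CREATE TABLE admin_list (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admin_list VALUES (1, 'admin', 'MD5_HASH_PLACEHOLDER');
    """)
    return con


# --- login.php pattern -------------------------------------------------------

def login_vulnerable(con: sqlite3.Connection, reference: str) -> Optional[str]:
    """Input spliced into the query: the quote closes the literal and
    OR 1=1 makes the WHERE clause true for every row."""
    sql = f"SELECT name FROM enrollee WHERE reference = '{reference}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, reference: str) -> Optional[str]:
    """Parameterized: the driver sends the value separately, so the quote and
    the OR are just characters compared against the reference column."""
    row = con.execute("SELECT name FROM enrollee WHERE reference = ?", (reference,)).fetchone()
    return row[0] if row else None


# --- admin/view_enrollee.php?id= pattern --------------------------------------

def view_enrollee_vulnerable(con: sqlite3.Connection, enrollee_id: str) -> List[Tuple]:
    """Same splice on the id parameter; UNION appends rows from another table
    as long as the column counts line up."""
    sql = f"SELECT id, reference, name FROM enrollee WHERE id = '{enrollee_id}'"
    return con.execute(sql).fetchall()


def view_enrollee_safe(con: sqlite3.Connection, enrollee_id: str) -> List[Tuple]:
    """Validate the type first (an id is a decimal integer, nothing else),
    then bind it as a parameter."""
    if not enrollee_id.isdigit():
        raise ValueError("id must be a decimal integer")
    return con.execute("SELECT id, reference, name FROM enrollee WHERE id = ?",
                       (int(enrollee_id),)).fetchall()


def demo() -> dict:
    """Run every case once and return the outcomes so they can be checked."""
    con = build_db()
    results = {
        "vuln_login_bypassed": login_vulnerable(con, LOGIN_PAYLOAD),
        "safe_login_bypassed": login_safe(con, LOGIN_PAYLOAD),
        "safe_login_valid": login_safe(con, "REF-1001"),
        "vuln_union_leak": view_enrollee_vulnerable(con, UNION_PAYLOAD),
        "safe_union_rejected": None,
        "safe_view_valid": view_enrollee_safe(con, "1"),
    }
    try:
        view_enrollee_safe(con, UNION_PAYLOAD)
    except ValueError as exc:
        results["safe_union_rejected"] = str(exc)
    con.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it directly to see the contrast: the vulnerable login returns John D Smith for the bypass string, the vulnerable enrollee view returns the admin row alongside the enrollee, and the parameterized versions return no row for the bypass and reject the UNION string before it reaches the database.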

Reflection

This lab was rather simple for me. When it comes to obtaining the admin password hash, I ran across some difficulties. I tried a few things before getting the union SQLi to work, but they were primarily syntax mistakes. I was also unaware at first that I could simply change the directory to gloin from Admin without needing to login.