Exploiting Nancurunir - samuel-richardson/Sam-Tech-Journal GitHub Wiki
Exploiting nancurnir
Refer to the saved report. No new methods were used on this system.
Reflection
The first thing I had issues with was trying to guess the password of the phpmyadmin user. Using hydra or fuzz was not working even though I had the right password. Further research indicated that phpmyadmin uses tokens to validate logins. Further research found a Python script made by a GitHub user that saved the token from the request so authentication would be successful. Using this script, I guessed the password using the wordlist created by cewl. Mangling the list was not necessary. I also wasted some time while trying to gain a reverse shell, as bash was not working. I eventually tried a PHP reverse shell, which gave me an interactive console. The next section that took some time was trying to get root access. I started by looking for files that I might be able to exploit permissions on, but I didn't find any. I didn't have any success with this, so I figured I would poke around with the phpmyadmin to see if I could find anything. I eventually found the user's table and root MySQL password. After finding this, I was able to complete the lab.