Exploiting Pippin - samuel-richardson/Sam-Tech-Journal GitHub Wiki

Active Recon

  • Ran an nmap scan on the target: nmap -sV -A --top-ports 100 10.0.5.25
  • This revealed three open ports and services:
    • FTP on port 21
    • SSH on port 22
    • HTTP on port 80
  • The web server was hosting a MediaWiki site with a login page and a create-account page.
  • The FTP server allowed anonymous logon, which can be exploited.

FTP

  • Exploiting FTP
  • I was able to log in to the FTP server with the username anonymous and no password.
  • The upload folder's permissions allow 'other' to write to it and use it.
  • I initially uploaded a test file to it and was able to add the file.

Reverse shell PHP

  • At first, I tried to upload a bash reverse shell but I could not give it execute permissions.
  • After noticing some PHP files in the parent directory, I then thought to try a PHP reverse shell.
  • I uploaded the cmd PHP reverse shell from revshells.com to the upload folder.
  • By accessing it through the browser on HTTP://10.0.5.25/upload/revshell.php I was able to remotely execute commands and dump the /etc/passwd file.

Reverse shell bash

  • In favor of a more interactive terminal I set up a reverse bash shell.
  • I set up a netcat listener on port 6669 and then, using my PHP reverse shell, created a bash reverse shell so I could work with the target more interactively.

Sensitive information

  • Using my reverse shell I searched through the directories and files I had access to.
  • I searched through the httpd config before finding critical information in the LocalSettings.php file.
  • This file contained the connection details for the MySQL database used by the web page, including the root password and database name.
  • The password specified here worked for the peregrin.took account listed in the /etc/passwd file.
  • Using this password I ssh'ed into the peregrin.took account.

Root compromise

  • Using my ssh access to peregrin.took I started looking for ways to compromise root.
  • I thought if the root password for the SQL db worked for a user perhaps the db might have other saved passwords I could use to login.

Getting hashes from DB

  • Log in to the database: mysql -u root -p
  • Select the MediaWiki database: use mediawiki;
  • Get the user names and password hashes: select user_name,user_password from user;
  • This gives the username and password hash of the MediaWiki users.
  • I copied this to my machine for hash cracking.

Cracking hashes with hashcat

  • To crack the hashes with hashcat the hashes had to be modified.
  • This was done using the format provided here, where some fields were removed and shortened to work with hashcat.
  • To crack: hashcat -m 12100 -a 0 -o cracked.txt dump-mod.txt rockyou.txt
  • This needed to be done with a GPU due to the size of the hash.
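The rows pulled from the user table above are MediaWiki's PBKDF2 strings, which is why they map to hashcat mode 12100 (PBKDF2-HMAC-SHA512) and why every guess costs a full run of 30000 HMAC-SHA512 rounds. The script below is an added example, not part of this write-up and not MediaWiki's code: it parses the stored format as understood here (the exact field layout is an assumption), checks one candidate password the way a login would, and flags the rows an administrator should care about, that is legacy MD5 schemes or a reduced iteration count. Every row, user name and password in it is constructed for the demo.

```python
"""Audit MediaWiki user_password rows for weak storage and verify a candidate password.

Added example for this write-up; it is neither the author's code nor MediaWiki's.
Assumed row layouts (MediaWiki's PasswordFactory formats, as understood here):
  :pbkdf2:<algo>:<iterations>:<length>:<base64 salt>:<base64 hash>   current default
  :B:<salt>:<md5 hex>   legacy salted MD5, md5(salt + '-' + md5(password))
  :A:<md5 hex>          legacy unsalted MD5
Every sample row below is constructed locally from a made-up password.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Default cost for pbkdf2/sha512 in recent MediaWiki releases; lower values are cheaper to attack.
MIN_ITERATIONS = 30000


def pbkdf2_row(password: str, iterations: int = MIN_ITERATIONS, algo: str = "sha512",
               length: int = 64, salt: Optional[bytes] = None) -> str:
    """Build a ':pbkdf2:' row in the assumed MediaWiki layout (used here to make sample data)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations, length)
    return ":pbkdf2:{}:{}:{}:{}:{}".format(
        algo, iterations, length,
        base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def scheme_of(row: str) -> str:
    """The scheme tag between the first two colons ('pbkdf2', 'A', 'B', ...)."""
    return row.split(":")[1]


def verify(row: str, password: str) -> bool:
    """Check one candidate password against a stored row; constant-time compare on the digest."""
    parts = row.split(":")
    scheme = parts[1]
    if scheme == "pbkdf2":
        _, _, algo, iterations, length, salt_b64, hash_b64 = parts
        dk = hashlib.pbkdf2_hmac(algo, password.encode(), base64.b64decode(salt_b64),
                                 int(iterations), int(length))
        return hmac.compare_digest(dk, base64.b64decode(hash_b64))
    if scheme == "B":
        _, _, salt, digest = parts
        inner = hashlib.md5(password.encode()).hexdigest()
        outer = hashlib.md5(f"{salt}-{inner}".encode()).hexdigest()
        return hmac.compare_digest(outer, digest)
    if scheme == "A":
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), parts[2])
    raise ValueError(f"unsupported scheme {scheme!r}")


def audit(rows: dict) -> dict:
    """Map user_name -> 'ok', 'weak-iterations', 'legacy-md5' or 'unknown-scheme'."""
    verdicts = {}
    for user, row in rows.items():
        scheme = scheme_of(row)
        if scheme in ("A", "B"):
            verdicts[user] = "legacy-md5"          # should be rehashed on next login
        elif scheme != "pbkdf2":
            verdicts[user] = "unknown-scheme"
        elif int(row.split(":")[3]) < MIN_ITERATIONS:
            verdicts[user] = "weak-iterations"
        else:
            verdicts[user] = "ok"
    return verdicts


# Constructed sample rows; the names and passwords are made up for the demo.
SAMPLE_ROWS = {
    "Frodo": pbkdf2_row("correct horse", salt=b"\x00" * 16),
    "Merry": pbkdf2_row("battery staple", iterations=1000, salt=b"\x01" * 16),
    "Bilbo": ":B:3f2a:" + hashlib.md5(("3f2a-" + hashlib.md5(b"old-pass").hexdigest()).encode()).hexdigest(),
    "Gollum": ":A:" + hashlib.md5(b"precious").hexdigest(),
}

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_ROWS).items():
        print(f"{user:8} {scheme_of(SAMPLE_ROWS[user]):7} {verdict}")
    print("Frodo / 'correct horse' ->", verify(SAMPLE_ROWS["Frodo"], "correct horse"))
```

Run it as a script to see the four verdicts; feed `audit()` the output of the `select user_name,user_password from user;` query to get the same report for a real wiki. The point for the defender is the third verdict: any row that is not "ok" is either a legacy scheme that MediaWiki only upgrades when that user next logs in, or a site-local iteration count that makes guesses far cheaper than the default.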

Login as root

  • After the crack finished, the cracked password could be used to log in to the root account on pippin.
  • Using ssh as root I retrieved the flag.

Reflection

  • The administrator should disable anonymous logon for the FTP server, preventing easy access to the system.
  • The administrator should check for and handle PHP code execution to prevent access to the system that way.
  • The administrator should move the LocalSettings.php file to somewhere it cannot be seen and change the peregrin.took password to be different from the database password. Additionally, the web server should have its own account to access the database.
  • The administrator should not use the same passwords for root and peregrin.took in the database or MediaWiki.
  • The administrator should also disable root logon to prevent logging on directly as root.
  • Making the above changes should drastically increase security.
  • During this assignment I asked if I had the right hashes to crack, because cracking them on the VM would have taken days.
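The items above come down to a handful of file-level checks that an administrator can run before and after hardening. The script below is an added example, not the author's tooling: the paths are assumed for a Debian-style install, the sample tree is constructed in a temporary directory in both the "as found" and the hardened state, and the upload-folder check only models the mod_php "php_flag engine off" directive (a php-fpm deployment would need a handler-based check that is not shown).

```python
"""Spot-check the hardening items from the Reflection section on a MediaWiki host.

Added example for this write-up, not the author's tooling. It reads ordinary
config files and file modes, so it runs against any directory tree; the layout
in build_sample_tree() is a constructed stand-in for a Debian-style install,
and both the weak and the hardened variants are generated locally.
"""
import os
import re
import stat
import tempfile
from pathlib import Path


def _setting(text: str, key: str):
    """Value of `key` in a 'key=value' or 'key value' config, ignoring comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(rf"^{re.escape(key)}\s*=?\s*(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def ftp_anonymous_disabled(vsftpd_conf: Path) -> bool:
    """vsftpd's upstream default for anonymous_enable is YES, so a missing line counts as enabled."""
    return (_setting(vsftpd_conf.read_text(), "anonymous_enable") or "YES").upper() == "NO"


def root_ssh_disabled(sshd_config: Path) -> bool:
    """Only an explicit 'PermitRootLogin no' counts; OpenSSH's default still allows key-based root login."""
    return (_setting(sshd_config.read_text(), "PermitRootLogin") or "").lower() == "no"


def localsettings_private(local_settings: Path) -> bool:
    """LocalSettings.php holds the DB credentials; it must not be readable by 'other'."""
    return not (local_settings.stat().st_mode & stat.S_IROTH)


def upload_dir_inert(upload_dir: Path) -> bool:
    """Uploads must not run as PHP: require an .htaccess that turns the PHP engine off
    (mod_php only; assumes AllowOverride permits it) and no PHP files already present."""
    htaccess = upload_dir / ".htaccess"
    engine_off = htaccess.is_file() and bool(
        re.search(r"php_(admin_)?flag\s+engine\s+off", htaccess.read_text(), re.IGNORECASE))
    php_present = any(p.suffix.lower() in {".php", ".phtml", ".phar"} for p in upload_dir.iterdir())
    return engine_off and not php_present


def run_checks(root: Path) -> dict:
    """Run all four checks against a tree rooted at `root`; paths mirror a Debian-style layout."""
    return {
        "ftp_anonymous_disabled": ftp_anonymous_disabled(root / "etc/vsftpd.conf"),
        "root_ssh_disabled": root_ssh_disabled(root / "etc/ssh/sshd_config"),
        "localsettings_private": localsettings_private(root / "var/www/html/LocalSettings.php"),
        "upload_dir_inert": upload_dir_inert(root / "var/www/html/upload"),
    }


def build_sample_tree(root: Path, hardened: bool) -> Path:
    """Create a constructed sample tree, either in the weak state the write-up found
    or in the hardened state the Reflection section asks for."""
    (root / "etc/ssh").mkdir(parents=True)
    upload = root / "var/www/html/upload"
    upload.mkdir(parents=True)
    (root / "etc/vsftpd.conf").write_text(
        "listen=YES\nanonymous_enable=%s\nwrite_enable=YES\n" % ("NO" if hardened else "YES"))
    (root / "etc/ssh/sshd_config").write_text(
        "Port 22\nPermitRootLogin %s\n" % ("no" if hardened else "yes"))
    local_settings = root / "var/www/html/LocalSettings.php"
    local_settings.write_text("<?php\n$wgDBuser = 'wikiuser';\n$wgDBpassword = 'PLACEHOLDER';\n")
    os.chmod(local_settings, 0o640 if hardened else 0o644)   # 0o644 leaves the DB password world-readable
    if hardened:
        (upload / ".htaccess").write_text("php_flag engine off\nOptions -Indexes\n")
    else:
        (upload / "revshell.php").write_text("<?php /* placeholder for an uploaded script */ ?>\n")
    return root


def demo(hardened: bool) -> dict:
    """Build a throwaway sample tree in a temp dir and return the check results for it."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_checks(build_sample_tree(Path(tmp), hardened))


if __name__ == "__main__":
    for state in (False, True):
        print("hardened" if state else "as found", demo(state))
```

Pointing `run_checks(Path("/"))` at a live host gives the same four booleans for the real files; the "as found" state of the sample tree reproduces every weakness this write-up used, and the hardened state flips all four checks to True.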