Module 9 - skyleroriordan/my-tech-journal GitHub Wiki

Lab 9.2 - Exploiting Gloin

Target IP Address

To find the IP, I used the dnslookup.sh script that I created in a previous lab.


This showed that the IP of gloin.shire.org is 10.0.5.31.

Open Ports

Doing an nmap scan revealed that ports 22 (ssh), 433 (https), and 3389 (ms-wbt-server) are open.


Discovered Vulnerability

Went to https://10.0.5.31 and found this webpage with a box to enter a reference code.

Used searchsploit and found 4 possible exploits.


How you achieved a foothold

Decided to try out exploit 50390.

Going to https://10.0.5.31/entrance_exam/admin/login.php gives the option to log in as admin. If admin' or '1'='1 is entered as the username, then it logs in as admin.

This got me into the system, but I still didn't have the root password.

How you achieved root/Administrative level compromise

Exploit 50398 should give out the admin password.

Using the SQL injection https://10.0.5.31/entrance_exam/admin/view_enrollee.php?id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list; displayed the hashed admin password.

The hash looked like MD5. Ran hash-identifier to check.

Used hashcat to decrypt the password, using -m 0 to indicate MD5.

The output showed the password was Moria2Featon6'.


User Flag


Root Flag


How might the vulnerabilities be mitigated by the systems administrator and developer?

First, the admin password should be much more complex and not an easily crackable default one. The site should also make use of prepared statements.
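As an added illustration (not code from the lab or from the target site, which is written in PHP), here is the admin login query written both ways in Python over an in-memory SQLite table, next to the salted, slow password hash a developer would store instead of a bare MD5. The admin_list table, the admin account and its "correct horse" password are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the site's admin_list table, storing the
    # password as a bare MD5 the way the lab found it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_list (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin_list VALUES (?, ?)",
                 ("admin", hashlib.md5(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: a quote inside the username ends the literal
    # early, and the rest of the input becomes part of the WHERE clause.
    md5 = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT COUNT(*) FROM admin_list WHERE username = '" + username
           + "' AND password = '" + md5 + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Prepared statement: the username is bound as a single value, so it is
    # only ever compared with the column and never parsed as SQL.
    md5 = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM admin_list WHERE username = ? AND password = ?",
        (username, md5)).fetchone()
    return row[0] > 0


def hash_password(password: str) -> str:
    # Replacement for the unsalted MD5: random salt plus a slow KDF, so a
    # leaked hash cannot be looked up in a table or cracked at MD5 speeds.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The same bypass username from the lab succeeds against login_vulnerable and fails against login_prepared, which is the whole difference prepared statements make.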

Reflection

The biggest trouble I encountered was figuring out where to start after doing the Nmap scan. After I got rolling and searching for exploits, I didn't have too much trouble.