Vulnhub virtual machine. On the path to OSCP, this box offered enumeration of services with enum4linux and credential extraction via SQL injection. The main escalation occurs from within MySQL by abusing the sys_exec user-defined function. This was a well-rounded, well-crafted box.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Locate the VM on the network.
Of note: the standard SSH port is open, an Apache web server on HTTP with PHP/5.2.4, Samba over NetBIOS leaking the workgroup name WORKGROUP, and nmap script results hinting at potential doorways into the network.
Searchsploit: performing a quick search for vulnerabilities based on the information from nmap.
Nothing quite usable.
A few interesting finds for Samba.
Investigate the HTTP server: navigate to 192.168.56.106.
Interesting login page.
Discovered that the application uses a ‘checklogin.php’ page to validate credentials.
admin' OR '1=1--
Returned “wrong username”… there might be content filtering occurring.
Perform enumeration of Samba with enum4linux.
The Samba version has no public vulnerabilities, but we did discover users.
Brute-force SSH (hydra): added the list of discovered users to a file named ‘users’.
Hydra was not able to break in through the front door. Time to head back to the HTTP server.
Noticing that during the web login it prompted that I was not the correct user with my SQL injection. Let's try to repeat with the usernames discovered.
SQL injection, part deux
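From the defender's side, the hydra run above leaves a very recognisable trail in the SSH daemon's syslog output: a burst of "Failed password" lines from one source, spread over several usernames, sometimes followed by an "Accepted" login from the same address once a valid credential turns up elsewhere. The script below is an added example, not part of the write-up; the auth.log lines are constructed samples in the standard OpenSSH syslog format, and the host name, IP addresses and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not captured from the box): one source
# sprays four usernames, then later logs in successfully; a second source
# has a single failure and should not be flagged.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 vm sshd[2101]: Failed password for invalid user alice from 192.168.56.1 port 50110 ssh2
Jan 10 12:00:02 vm sshd[2103]: Failed password for bob from 192.168.56.1 port 50112 ssh2
Jan 10 12:00:02 vm sshd[2105]: Failed password for invalid user carol from 192.168.56.1 port 50114 ssh2
Jan 10 12:00:03 vm sshd[2107]: Failed password for bob from 192.168.56.1 port 50116 ssh2
Jan 10 12:00:03 vm sshd[2109]: Failed password for john from 192.168.56.1 port 50118 ssh2
Jan 10 12:00:04 vm sshd[2111]: Failed password for john from 192.168.56.1 port 50120 ssh2
Jan 10 12:05:00 vm sshd[2130]: Accepted password for john from 192.168.56.1 port 50200 ssh2
Jan 10 12:07:00 vm sshd[2140]: Failed password for john from 10.0.0.5 port 41000 ssh2
"""

# "invalid user" appears only when the account does not exist; the optional
# group lets one pattern cover both shapes of the failure line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")


def summarize(log_text):
    """Count failures per source IP, the distinct usernames each one tried,
    and every accepted login as (user, ip)."""
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    return failures_by_ip, users_by_ip, accepted


def find_spraying_sources(log_text, min_failures=5, min_users=3):
    """Flag sources whose failure count and username spread both exceed the
    (assumed) thresholds, noting whether the same IP later got in."""
    failures, users, accepted = summarize(log_text)
    accepted_ips = {ip for _, ip in accepted}
    alerts = []
    for ip, n in failures.items():
        if n >= min_failures and len(users[ip]) >= min_users:
            alerts.append({
                "ip": ip,
                "failures": n,
                "users": sorted(users[ip]),
                "later_success": ip in accepted_ips,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_spraying_sources(SAMPLE_AUTH_LOG):
        print(alert)
```

The "later_success" flag is the one worth paging on: a source that failed across many accounts and then authenticated is exactly the sequence this box produces once the database gives up a working password. Rate limiting (fail2ban or sshd's MaxAuthTries) keeps the burst small; it does not make the eventual valid login go away, so the correlation still matters.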
' or 1=1 --
Well, that's an improvement: a logout button.
' or 1=1 --
Bingo-bango! We have a username and password.
Quickly, to SSH.
Let the enumeration begin.
Well, that escalated quickly…
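The reason ' or 1=1 -- works against checklogin.php is that the page pastes the submitted fields straight into the SQL text, so the quote closes the string, 1=1 makes the WHERE clause true for every row, and -- comments out the rest. The following is an added example, not code from the write-up or from the box: it reproduces that broken pattern in Python against an in-memory SQLite table (the real MySQL table name, columns and credentials are assumptions) and places the parameterized form beside it, so the same input can be run through both.

```python
import sqlite3

# Constructed sample accounts; the box's real schema and credentials are not
# shown on the page, so this table is an assumption.
SAMPLE_USERS = [("admin", "correct-horse"), ("john", "battery-staple")]


def make_db():
    """In-memory SQLite stand-in for the MySQL database behind checklogin.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: user input is concatenated into the SQL text.
    With username = "' or 1=1 --" the clause becomes
    username='' or 1=1 --' AND password='...', true for every row."""
    sql = ("SELECT username FROM members "
           "WHERE username='%s' AND password='%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL,
    so quotes and comment markers in the input have no syntactic effect."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run one input through both versions; report which user each logs in."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    # The page's successful payload, placed in the username field.
    print(compare("' or 1=1 --", "anything"))
    # A legitimate login behaves the same in both versions.
    print(compare("john", "battery-staple"))
```

Note that the vulnerable version does not merely accept the login; it returns the first row in the table, which is why such a bypass tends to land on the administrative account. Parameterization closes the injection; the fact that the query can compare a plaintext password at all is a separate weakness, and a real application should store a salted hash and verify against that instead.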
Escaping the restricted shell
Let's see what's on this web server.
You know what I want
We discovered MySQL database usernames and passwords. Not impressed by this administrator's choice of passwords.
MySQL server enumeration
Acquired another password for john.
MySQL running as root
Just the avenue we can use to priv-esc.
Using MySQL to give us a nice entryway to root.
Bring me the root!
MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux - link
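The escalation above works because a user-defined function loaded with CREATE FUNCTION ... SONAME runs inside the mysqld process, so sys_exec executes commands as whatever OS user mysqld runs as; on this box that user is root. Each step of the chain (writing a shared library into the plugin directory, registering the UDF, calling it) is a distinct SQL statement, and with the general query log enabled (general_log=ON; it is off by default) all three are recorded. The script below is an added example, not part of the write-up: it parses constructed MySQL general-log lines in the tab-separated Time/Id/Command/Argument format MySQL 5.7 and later write, flags each step, and reports connections that performed the whole chain. The paths, connection ids and queries are made-up samples.

```python
import re

# Constructed MySQL general query log lines (not captured from the box).
# Connection 8 performs the full UDF chain; connection 9 is ordinary traffic.
SAMPLE_GENERAL_LOG = "\n".join([
    "2024-01-10T12:09:50.000000Z\t    8 Connect\troot@localhost on  using Socket",
    "2024-01-10T12:09:51.000000Z\t    8 Query\tSELECT @@plugin_dir",
    "2024-01-10T12:09:52.000000Z\t    8 Query\tSELECT @lib INTO DUMPFILE "
    "'/usr/lib/mysql/plugin/lib_mysqludf_sys.so'",
    "2024-01-10T12:09:53.000000Z\t    8 Query\tCREATE FUNCTION sys_exec "
    "RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'",
    "2024-01-10T12:09:54.000000Z\t    8 Query\tSELECT sys_exec('whoami')",
    "2024-01-10T12:10:00.000000Z\t    9 Connect\tapp@localhost on webapp using TCP/IP",
    "2024-01-10T12:10:01.000000Z\t    9 Query\tSELECT * FROM members WHERE username='john'",
])

# Time, then tab, then a right-aligned connection id, a space, the command
# word, a tab, and the argument (the SQL text for Query events).
LINE_RE = re.compile(r"^(?P<time>\S+)\t\s*(?P<id>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Each rule names one step of the UDF escalation chain.
RULES = [
    ("file_written_to_plugin_dir",
     re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'[^']*plugin[^']*'", re.I)),
    ("udf_created",
     re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I)),
    ("udf_command_executed",
     re.compile(r"\bsys_(?:exec|eval)\s*\(", re.I)),
]


def parse_general_log(text):
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect_udf_abuse(text):
    """Return an alert for every Query event that matches one of RULES."""
    alerts = []
    for ev in parse_general_log(text):
        if ev["cmd"] != "Query":
            continue
        for name, rx in RULES:
            if rx.search(ev["arg"]):
                alerts.append({
                    "time": ev["time"],
                    "connection": int(ev["id"]),
                    "rule": name,
                    "query": ev["arg"],
                })
    return alerts


def connections_with_full_chain(alerts):
    """Connection ids that hit all three rules: library write, UDF creation
    and UDF execution. A single rule alone may be legitimate DBA work."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["connection"], set()).add(a["rule"])
    needed = {name for name, _ in RULES}
    return sorted(conn for conn, rules in seen.items() if needed <= rules)


if __name__ == "__main__":
    found = detect_udf_abuse(SAMPLE_GENERAL_LOG)
    for a in found:
        print(a["time"], a["connection"], a["rule"])
    print("full chain on connections:", connections_with_full_chain(found))
```

Detection is the fallback; the configuration fixes are what actually remove this path: run mysqld as an unprivileged service account (then sys_exec only yields that account, not root), set secure_file_priv so INTO DUMPFILE cannot target the plugin directory, keep the FILE privilege off application accounts, and do not reuse the database root password in web configuration files, which is how this box hands it over.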