Vulnhub virtual machine. On the path to OSCP, this box offered enumeration of services with enum4linux and credential extraction via SQL injection. The main escalation occurs from within MySQL through the sys_exec user-defined function. This was a well-rounded, well-crafted box.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use this information at your own risk.
By continued reading, you acknowledge the aforementioned user risk/responsibilities.
Locate VM on network
Enumeration
Nmap Scan
Of note: the standard SSH port is open, an Apache web server on HTTP with PHP/5.2.4, and Samba on NetBIOS leaking the workgroup WORKGROUP, with script results yielding potential doorways into the network.
Searchsploit
Performing a quick search of vulnerabilities based on the information from nmap.
Nothing quite usable.
A few interesting finds for Samba.
Investigate the HTTP server: navigate to 192.168.56.106
Interesting login page
Checking the source:
Discovered the application is using a ‘checklogin.php’ page to validate credentials.
Perform SQL-injection
Entered username: admin' OR '1=1--
Returned “wrong username”… there might be content filtering occurring.
Perform enumeration of samba with enum4linux
The Samba version has no public vulnerabilities, but we did discover users: nobody, robert, root, john, and loneferret.
Brute-force SSH (hydra): added the list of users to a file named ‘users’.
Hydra was not able to break into the front door. Time to head back to the HTTP server.
During the web login, my SQL injection attempt was answered with a message that the user was not correct. Let's try to repeat it with the usernames discovered.
SQL-injection Part deux
Username: john
Password: ' or 1=1 --
Well, that's an improvement: a logout button.
Username: robert
Password: ' or 1=1 --
Bingo-bango! We have a username and password.
| Username | robert |
|---|---|
| Password | ADGAdsafdfwt4gadfga== |
Quickly, to SSH.
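To show why the password-field payload above works, here is an added example (not the box's own checklogin.php, whose source is not reproduced on this page): a constructed SQLite stand-in for the members table, with the string-built login query next to its parameterized form. The table name, schema and plaintext password comparison are assumptions.

```python
import sqlite3

# Constructed stand-in for the box's members table (assumed schema and
# sample rows; the credentials are the ones recovered in the walkthrough).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")])
    return conn

def login_vulnerable(conn, username, password):
    """Query built by string formatting, the pattern behind the bypass.
    Returns the sorted usernames the WHERE clause matched."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    # With password = "' or 1=1 --" the clause becomes
    #   username='robert' AND password='' or 1=1 --'
    # AND binds tighter than OR, so "OR 1=1" is true for every row and the
    # trailing quote is commented out; every member "authenticates".
    return sorted(r[0] for r in conn.execute(sql).fetchall())

def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so quotes and '--'
    in the input are compared as data and never change the SQL."""
    rows = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password)).fetchall()
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "robert", "' or 1=1 --"))   # every row matches
    print(login_safe(db, "robert", "' or 1=1 --"))         # no row matches
```

The same parameter binding applies to PHP's mysqli/PDO prepared statements; the comparison of stored plaintext passwords is a separate weakness the walkthrough also notes.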
Remote Access/SSH
Let the enumeration begin
Well, that escalated quickly…
Escaping the restricted shell
Escaped!
Let's see what's on this web server.
You know what I want
We discovered MySQL database usernames and passwords. Not impressed by this administrator's choice of passwords.
MySQL server enumeration
Investigating
Acquired another password for john.
| Username | Password |
|---|---|
| john | MyNameIsJohn |
| robert | ADGAdsafdfwt4gadfga== |
MySQL is running as root: just the avenue we can use to priv-esc.
Priv-Esc
Using MySQL to give us a nice entryway to root.
Root
Bring me the root!
-exec
Further Reading/Sources:
MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux - link