I set up this VM using VMware, creating a LAN segment and putting both my Kali box and the vulnerable VM on it. I then issued “ifconfig eth0 10.10.10.125 netmask 255.255.255.0” on Kali.
I then ran an nmap scan
nmap -sV -Pn -vv -T4 -A -p- 10.10.10.100 --script=auth,brute,discovery,exploit,vuln -oN 10.10.10.100nmap.scan
The scan found SSH, a webserver, and some sites to check out
There wasn’t much more, so I browsed to the webserver and found a webapp.
I clicked through the pages, and got to a login site, so I tried some basic sqli “' or 1=1-- ” and it seemed to log me in!
Since the site was vulnerable to sqli, I intercepted a request in burp, saved it to a file “login4real” and ran a sqlmap dump
Sqlmap was able to identify an injection point!
It found some usernames and passwords, but I wasn’t able to do much about cracking the hashes
I wasn’t able to do much with this info, so I moved away from mysql (I suppose I could have attempted to create a php reverse listener via “into dumpfile”… )
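The login bypass above works because the blog builds its SQL query by pasting the submitted username straight into the statement. The following is an added example (not code from the write-up or from Simple PHP Blog) that reproduces the flaw against a constructed in-memory SQLite table and shows the parameterised fix side by side; the table schema, the `admin` account and the password hashing are assumptions made for the demo.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 only to keep the demo short; a hash meant for storing
    # passwords should be a slow, salted one (bcrypt, scrypt or argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the blog's database
    (assumed schema: username and password-hash columns, not the VM's real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _hash("correct-horse")))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: whatever the user typed becomes part of the SQL text.
    With the username ' or 1=1--  the WHERE clause becomes
        username = '' or 1=1 -- ' AND pw_hash = '...'
    i.e. a tautology, and the password check is commented out."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes the values separately from the SQL
    text, so the same input is compared literally and simply fails to match."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1-- "
    print("vulnerable login with payload:", login_vulnerable(db, payload, "x"))  # True
    print("parameterised login with payload:", login_safe(db, payload, "x"))    # False
    print("parameterised login with real creds:", login_safe(db, "admin", "correct-horse"))
```

The fix is purely the switch from string formatting to placeholders; no input filtering is involved, which is why it also holds against payloads the demo does not show. The same rule applies to the `INTO DUMPFILE` route mentioned above: a parameterised query never lets user input add clauses to the statement, so there is no way to reach that construct from a login form.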
I enumerated the website more by running dirbuster, which found some interesting pages
I checked a couple of the sites, then landed on what seemed like another webapp, /blog/
I clicked around on the site and tried some basic passwords on the login page, but no go…
I then decided to run a nikto scan, which found some additional pages
as well as a potential config file 🙂
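Every step so far (the login injection, the sqlmap run, the DirBuster and Nikto scans) leaves obvious traces in the web server's access log. As an added example from the defender's side, not something from the write-up, here is a small Python triage script that parses Apache combined-log lines and flags the four patterns this walkthrough has produced: scanner user agents, injection syntax in the request, a burst of 404s from one source, and a `.php` file being requested from the blog's image directory (the next stage of the write-up). The log lines are constructed for the demo; the paths and user-agent strings are assumptions, not captures from the VM.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log sample (not from the VM) mirroring the
# write-up: a manual injection, sqlmap, DirBuster, Nikto, and a PHP file
# requested from the blog's image directory.
SAMPLE_LOG = """\
10.10.10.125 - - [01/Jan/2020:10:00:01 +0000] "GET /login.php?user=%27%20or%201%3D1--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.10.125 - - [01/Jan/2020:10:00:02 +0000] "GET /login.php?user=admin%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.4"
10.10.10.125 - - [01/Jan/2020:10:00:03 +0000] "GET /admin HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.10.10.125 - - [01/Jan/2020:10:00:03 +0000] "GET /backup HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"
10.10.10.125 - - [01/Jan/2020:10:00:04 +0000] "GET /blog/config.txt HTTP/1.1" 200 300 "-" "Mozilla/5.00 (Nikto/2.1.6)"
10.10.10.125 - - [01/Jan/2020:10:00:05 +0000] "GET /blog/images/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2020:10:00:06 +0000] "GET /blog/images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|nikto|dirbuster", re.I)
# quote followed by a boolean tautology, or a quote closed off with a SQL comment
SQLI = re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+|'\s*--", re.I)
PHP_IN_IMAGES = re.compile(r"^/blog/images/[^?]*\.php", re.I)


def analyse(log_text: str, notfound_threshold: int = 2) -> list[tuple[int, str]]:
    """Return (line number, rule) findings; line 0 is used for per-source summaries."""
    findings: list[tuple[int, str]] = []
    notfound: Counter[str] = Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable"))
            continue
        path = unquote(m["path"])  # decode %27 etc. before pattern matching
        if SCANNER_UA.search(m["ua"]):
            findings.append((lineno, "scanner-user-agent"))
        if SQLI.search(path):
            findings.append((lineno, "sqli-pattern"))
        if PHP_IN_IMAGES.match(path):
            findings.append((lineno, "php-under-images"))
        if m["status"] == "404":
            notfound[m["ip"]] += 1
    for ip, n in notfound.items():
        if n >= notfound_threshold:
            findings.append((0, f"404-burst:{ip}:{n}"))
    return findings


if __name__ == "__main__":
    for lineno, rule in analyse(SAMPLE_LOG):
        print(f"line {lineno}: {rule}")
```

The user-agent rule only catches tools left at their defaults (the agent string is trivially changed); the request-path and 404-burst rules are the ones that survive that. The 404 threshold is set to 2 so the short sample trips it; on a real log it would be tuned to a per-minute rate. The `php-under-images` rule is the one worth paging on: a 200 for a `.php` file in an upload directory means the server both accepted and executed it.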
I browsed to the config.txt site and found some files of interest
I wasn’t sure how to use the config file, and I tried cracking the password with various tools to no avail. I looked more closely at the new web app to determine what was running on the backend. I selected “view page info” in Firefox and found it was running Simple PHP Blog 0.4.0
I looked up associated exploits
And downloaded the first, a Perl script, to the file “simplephp.pl”
I started with -e 1, this created a cmd.php file which should have allowed me to enter commands
The file even uploads to the dir mentioned in the exploit
Although the file uploaded, I couldn’t get the page to work. I then used the exploit to create a new user on the site, and was then able to login!
I noticed an upload image link, so I clicked it, maybe I could upload a reverse shell with some workarounds
I started with the php reverse shell from pentestmonkey with no modifications to the extension or contents. Surprisingly the file uploaded! I browsed to /blog/images to confirm
I opened a netcat listener on my Kali box, and clicked on the php-reverse-shell.php link to get a shell!
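The upload worked because the image form accepted a `.php` file unmodified and the `/blog/images` directory then served it as a script. As an added example (my own, not code from the write-up or from Simple PHP Blog), here is the kind of server-side validation that stops that: an allowlist of image extensions, a check that the file content actually starts with that format's magic bytes, and a normalised filename that cannot carry a second extension or path components. The allowlist and name rules are assumptions chosen for the demo.

```python
import os
import re

# Allowlist of image types: extension -> bytes the file must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Stem of the stored name: letters, digits, dash, underscore; no dots, so a
# name like shell.php.png cannot survive to disk.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, detail). On success detail is the name to store under."""
    base = os.path.basename(filename)  # drop any directory components
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist"
    if not SAFE_STEM.match(stem):
        return False, "filename stem contains dots or unsafe characters"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match the declared image type"
    return True, f"{stem}{ext}"


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    png = ALLOWED[".png"] + b"\x00" * 16
    php = b"<?php system($_GET['c']); ?>"
    for name, data in [
        ("php-reverse-shell.php", php),
        ("logo.png", png),
        ("shell.php.png", png),
        ("cat.png", php),
        ("../../cat.png", png),
    ]:
        print(name, "->", validate_upload(name, data))
```

Validation is only the first layer. The upload directory should also be served with script execution disabled (for Apache, `php_admin_flag engine off` or a handler override for that directory), or better, live outside the document root and be served through a handler that only returns image content types; then even a file that slips past the checks is never run.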
I was user “www-data” so I had to look for a way to escalate privileges. I tried to check vulnerabilities with the kernel, but nothing jumped out at me.. I looked at folder/file permissions, but again nothing was a good target at first glance. I looked around the file system and found some mysql files in the /var dir
I also found another similar file in the /var/www/ dir
I knew these were mysql usernames and passwords, but it’s all I had at the time. I tried the two different passwords for the root user..
And we got root! It looks like the admin reused his mysql password for the local root password. Something that’s far too typical…