gmack
Blockchain Consensus Architect
LEVEL 1
300 XP
Today we are going to take a new challenge Library1 which is a first lab of the series Library. The credit for making this VM machine goes to âAvraham Cohenâ and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
Walkthrough:
Scanning:
Letâs start off with the scanning process. This target VM took the IP address of 192.168.1.103 automatically from our local Wi-Fi network.
We used our favourite tool Nmap for port scanning. We found that port 21 and 80 are open.
Enumeration:
As we can see port 80 is open, we opened the IP address in our browser, but we didnât find anything useful on the webpage.
Firstly, we tried dirb in default mode but didnât find any directory. Then we looked with .php extension and got one directory /library.php
After accessing the URL http://192.168.1.103/library.php we got a webpage listing the name of few countries.
We thought of capturing the request using burpsuite and there is a lastviewed parameter in the cookie section. And if you remember the creator has given a hint to look for the countries history.
Keeping that in mind we decoded the contents of âlastviewedâ parameter using the decoder tab of burpsuite.
Exploitation:
The cookie parameter might be vulnerable to SQL injection, so we put a â* in the captured request and saved the file as file.txt.
Then we used sqlmap on the file.txt to look for any databases and got a database named library.
Further enumerating the library database for usernames and passwords.
We found a username globus and password AroundTheWorld for the ftp service.
We connected to the target system through ftp but couldnât find something useful for us and we were also not able to cat the library.php file.
So what we did is we grabbed a php-reverse-shell from /usr/share/webshells/php and modified the listener IP as ours and named it as shell.php.
Then we uploaded the shell in the target system using the put command and gave it executable permissions.
Now we executed the shell by just browsing to the URL http://192.168.1.103/shell.php and at the same time started a netcat listener on our Kali machine.
Privilege Escalation:
We successfully got the netcat session with a limited user privilege. Had a look inside the library.php file using cat and got the database credentials.
We checked for the password reuse of password for user root and were successfully able to login as root.
Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here
Security Level: Beginner
Penetrating Methodology:
- Scanning
- Netdiscover
- NMAP
- Enumeration
- Web Directory Search
- Burpsuite
- Exploitation
- Sqlmap
- FTP
- Shell Upload
- Netcat
- Privilege Escalation
- Password reuse for root
Walkthrough:
Scanning:
Letâs start off with the scanning process. This target VM took the IP address of 192.168.1.103 automatically from our local Wi-Fi network.
We used our favourite tool Nmap for port scanning. We found that port 21 and 80 are open.
Code:
nmap -A 192.168.1.103Enumeration:
As we can see port 80 is open, we opened the IP address in our browser, but we didnât find anything useful on the webpage.
Firstly, we tried dirb in default mode but didnât find any directory. Then we looked with .php extension and got one directory /library.php
Code:
dirb http://192.168.1.103 -X .phpAfter accessing the URL http://192.168.1.103/library.php we got a webpage listing the name of few countries.
We thought of capturing the request using burpsuite and there is a lastviewed parameter in the cookie section. And if you remember the creator has given a hint to look for the countries history.
Keeping that in mind we decoded the contents of âlastviewedâ parameter using the decoder tab of burpsuite.
Exploitation:
The cookie parameter might be vulnerable to SQL injection, so we put a â* in the captured request and saved the file as file.txt.
Then we used sqlmap on the file.txt to look for any databases and got a database named library.
Code:
sqlmap -r file.txt --dbs âbatch --risk 3 --level 5Further enumerating the library database for usernames and passwords.
Code:
sqlmap -r file.txt -D library --dump-all --batchWe found a username globus and password AroundTheWorld for the ftp service.
We connected to the target system through ftp but couldnât find something useful for us and we were also not able to cat the library.php file.
Code:
ftp 192.168.1.103
cd /var/www/html
lsSo what we did is we grabbed a php-reverse-shell from /usr/share/webshells/php and modified the listener IP as ours and named it as shell.php.
Then we uploaded the shell in the target system using the put command and gave it executable permissions.
Code:
put shell.php
chmod 777 shell.phpNow we executed the shell by just browsing to the URL http://192.168.1.103/shell.php and at the same time started a netcat listener on our Kali machine.
Privilege Escalation:
We successfully got the netcat session with a limited user privilege. Had a look inside the library.php file using cat and got the database credentials.
Code:
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
cd /var/www/html
cat library.phpWe checked for the password reuse of password for user root and were successfully able to login as root.
Code:
su root
idAuthor: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here