Objective

This lab covers enumeration, web enumeration and SQL injection exploitation to identify vulnerabilities, followed by password cracking and privilege escalation to extend the initial access. It is designed to exercise vulnerability-exploitation skills end to end.

Enumeration

Nmap

Initially, I conducted an Nmap scan on the target host, which revealed that several common services were accessible, including HTTP, SSH and FTP services.

000 - nmap

FTP Anonymous

I discovered that the FTP service allows login with the anonymous user account. However, this access did not lead to any further avenues for exploitation or sensitive data disclosure.

001 - ftp anon

Directory Brute Force

After performing directory brute-forcing, I discovered several accessible pages, including phpMyAdmin, webmail, monitoring, and news interfaces.

PHPMyAdmin

I was able to identify a valid username for phpMyAdmin; however, the account only had access to the information_schema database, which did not provide any useful or exploitable information.

002 - pma sql

003 - pma_null login

News

The news page disclosed a username, otis, which could potentially be used for further enumeration or authentication attempts.

004 - otis

Using the previously discovered otis username, I conducted a brute-force attack and successfully obtained valid login credentials.

005 - brute force otis

006 - webmail otis login

007 - monitoring otis login

Exploitation

After logging into the monitoring page, I discovered that submitting a name for a health check triggered an email notification if the system failed to resolve the associated IP address. By examining the contents of these email notifications, I inferred that the input was being passed into a backend database query. After multiple attempts, I confirmed the presence of a SQL injection vulnerability. Notably, the injection syntax that worked was " or 1=1 # (double quote, hash comment) rather than the more common ' OR 1=1 --

008 - sqli0
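As an added illustration (not part of the original post or the lab), the following MySQL snippet shows why the quote context decides which payload works, and how a prepared statement closes the hole. The monitored_hosts table and the query shape are assumptions; the lab's real schema and query are not shown.

```sql
-- Constructed table standing in for whatever backs the health-check form.
CREATE TABLE monitored_hosts (
    id   INT PRIMARY KEY,
    name VARCHAR(64),
    ip   VARCHAR(45)
);
INSERT INTO monitored_hosts VALUES (1, 'web01', '10.0.0.5'), (2, 'mail01', '10.0.0.6');

-- Hypothetical vulnerable query: the submitted name is concatenated into a
-- DOUBLE-quoted literal (MySQL treats "..." as a string unless ANSI_QUOTES is set).
-- Intended use, input web01:
SELECT ip FROM monitored_hosts WHERE name = "web01";

-- Input ' OR 1=1 -- never leaves the double-quoted literal. It is just a host
-- name that does not exist, so nothing matches and the page reports a failed
-- lookup. No injection here, which is why the "common" payload failed.
SELECT ip FROM monitored_hosts WHERE name = "' OR 1=1 -- ";

-- Input " or 1=1 # closes the literal, adds an always-true condition, and the
-- # comment swallows the trailing quote. Every row is returned.
-- (The application sends this without a terminator; in the mysql client the
-- ; must go on the next line because # comments out the rest of this one.)
SELECT ip FROM monitored_hosts WHERE name = "" or 1=1 #"
;

-- Mitigation: bind the value instead of splicing it into SQL. The same
-- payload is now compared as a literal host name and matches no row.
PREPARE lookup FROM 'SELECT ip FROM monitored_hosts WHERE name = ?';
SET @host = '" or 1=1 #';
EXECUTE lookup USING @host;
DEALLOCATE PREPARE lookup;
```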

Through further exploitation of the SQL injection vulnerability, I was able to enumerate database tables and extract usernames along with their corresponding hashed passwords.

008 - sqli4

One of the extracted password hashes was weak and easily cracked, which provided valid SSH credentials. Using these, I successfully gained SSH access to the target system.

009 - hash cracks

010 - ssh

Privilege Escalation

Within the SSH session, I found a .mozilla directory in the user’s home folder.

011 - mozilla

011 - mozilla json

The target system did not have Python installed, so I could not run a Firefox credential-decryption tool locally. To work around this, I transferred the entire .mozilla directory from the target to my own machine and ran the decryption tool there. This revealed the root user's password stored in the profile, allowing me to escalate privileges and gain full system access.

012 - moved all files

012 - decrypt

012 - flag
