Proving Grounds "BANZAI" - Walkthrough

In this blog, we are going to learn about an SSH brute force attack and MySQL exploitation to gain root access.

Foothold:

  • An initial network scan reveals that our target has a list of open ports. Enumerating the services accessible via port 8080, the pages all return a 403 Forbidden status message.
  • When port 5432 is tested, the "BANZAI" home page is displayed, but there is not much information to be gathered from the source code or the home page content.
  • Enumerating the directories using "dirb" also returns no clues.
  • A working FTP service is visible. By brute-forcing the FTP service, I was able to gain legitimate credentials.

  • We found valid creds: "uname:admin" and "passwd:admin". The login attempt was successful.

  • We can see from the output above that this is the home directory for any active web services on port 5432.
  • We can attempt to trigger a reverse shell by uploading a PHP reverse shell to this folder.
  • We copy the php-reverse-shell to the current directory and alter the IP address and port to our own.

  • After uploading the PHP code to the home directory, try to execute the PHP file through the website to gain the reverse shell.
  • By opening the file from the directory on the online service, we obtain a reverse shell.

Privilege Escalation:

  • Transferring the file from the local machine to the target machine using wget will not work due to some configuration. Let's use the same FTP service to upload the "linpeas" script to enumerate privilege escalation paths.
  • I notice an interesting config.php file in /var/www that contains root's database credentials.

  • We use those credentials to list the databases. There aren't any interesting databases or tables here. We could try to track down a privilege escalation vulnerability for it.

  • The version number is 5.7.30. The "MySQL 4.x/5.x (Linux) - UDF Dynamic Library (2)" exploit looks suitable for the exploitation.

  • And this article was quite useful. I did as instructed to gain root access.

  • Once the exploit was successfully compiled, we should upload the exploit to the target machine using the same FTP service.

  • To create a new table with the path of the shared object, load the exploit object file, and construct a "do_system" function, use the MySQL commands listed below.

  • Copy the same file to /usr/lib/mysql/plugin.

  • In this manner, it functions properly when inserted into MySQL. 
  • Let's start gaining root using this exploit object.
  • I wrote the function and changed the permissions of /etc/passwd.

  • Now we can add our own user in there and get root access. If someone has trouble adding a new root user into /etc/passwd, refer

  • Now we have root.
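
A defender-side check for the end state of this chain, as an added example that is not part of the original walkthrough: it flags extra UID 0 accounts and password hashes in passwd-format text, and loose write permissions on the file. The sample entries and the function names `audit_passwd` and `mode_findings` are constructed for illustration.

```python
import os
import stat

# Constructed sample: passwd-format text with one injected entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
webuser:x:1000:1000:,,,:/home/webuser:/bin/bash
svc2:$1$constructed$notARealHashValue0000:0:0::/root:/bin/bash
"""


def audit_passwd(text):
    """Return (line_no, user, reason) findings for passwd-format text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((no, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], int(fields[2])
        if uid == 0 and user != "root":
            findings.append((no, user, "UID 0 account other than root"))
        if pw == "":
            findings.append((no, user, "empty password field"))
        elif pw != "x" and pw[0] not in "!*":
            # Hashes belong in /etc/shadow; one here bypasses shadow entirely.
            findings.append((no, user, "password hash stored in passwd"))
    return findings


def mode_findings(path, mode):
    """Flag write bits that let non-root users edit the file."""
    checks = ((stat.S_IWOTH, "world-writable"), (stat.S_IWGRP, "group-writable"))
    return [(path, label) for bit, label in checks if mode & bit]


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", finding)
    target = "/etc/passwd"  # also worth checking: the MySQL plugin directory
    if os.path.exists(target):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        print("mode:", oct(mode), mode_findings(target, mode))
```
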

Note: Only for educational purposes. Happy Hacking!!!
