Break into Billu Box


Hello All

Once again I am back with one more walkthrough of a new vulnerable lab challenge, “Billu Box”, where the attacker needs to escalate privileges to gain root access. You can download it from here.
Once I had downloaded the box and ascertained its IP, I launched nmap to detect the ports and services available on the box. A simple nmap command reveals port 22 and port 80 on the box.


Launching the application URL in the browser presented the box's web page to me.

 


Now, as the box says it is based on an SQLi challenge, I tried a basic SQLi payload to bypass the authentication presented before me, but to no avail…

So I thought to look at the problem another way, by enumerating more about the application.



So the application is based on PHP, and phpMyAdmin is installed on the box as well.
Launching the URL http://192.168.0.104/phpmy/ presented the phpMyAdmin panel to me.

So if we somehow break into the panel, then we can have all the details of the databases and other details from here. But the question still remains: how???

I started checking all the file paths which I had enumerated, one by one, and I stumbled upon the file path:
Accessing the page threw an error, “file parameter is empty”, which is itself a hint that it needs a parameter named file.


So I fired two requests, with methods GET and POST:
File=
The response to the above page is given below (GET didn't work).

POST yielded a result, and it shows that there is an LFI in the application.


So I included “index.php” to see the content of the file, which exposes two files:
1. c.php
2. head.php
The content of c.php exposes the database configuration, which exposes the password, username and database name.
· billu & b0x_billu


Using the credentials I tried to log in to the phpMyAdmin panel shown above, which exposes the login credentials of the authentication page shown above.


But the challenge still remains: how to get root privilege on the box? So I explored the file structure of phpMyAdmin installed on my system to find the files which contain the password for root. Quickly exploring the files, I got the file I wanted.


It's time to access this config.inc.php using the LFI exploited above, so I fired the request once again to dump the file shown above.

Username: root
Password: roottoor
I SSHed into the box using the credentials. There we go!!!
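
The whole chain above rests on one page reading whatever path arrives in the POSTed file parameter, which is how c.php and config.inc.php came back as source. As an added example (not the box's own code, which this post does not show), here is an assumed vulnerable handler beside a hardened form; the handler shape, DOWNLOAD_DIR and ALLOWED_EXT are assumptions made for illustration:

```php
<?php
// Added example. The box's real source is not shown in the post; this shape is assumed.

// Assumed vulnerable pattern: the POSTed "file" value goes straight to readfile(),
// so any file the web server user can read is returned, PHP source included.
function serve_file_vulnerable(string $requested): void
{
    readfile($requested);
}

// Hardened form: serve only files that resolve inside one download directory
// and carry an allowlisted extension.
const DOWNLOAD_DIR = '/var/www/downloads';   // hypothetical path
const ALLOWED_EXT  = ['png', 'jpg', 'pdf'];  // hypothetical allowlist

function resolve_download(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                          // base directory missing
    }
    // basename() drops any directory part, so "../c.php" becomes "c.php".
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($candidate === false || !is_file($candidate)) {
        return null;                          // no such file in the directory
    }
    // realpath() has followed symlinks; the result must still sit under the base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $candidate : null;
}

// Request handling: POST only, and a non-string "file" value is rejected.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw  = $_POST['file'] ?? '';
    $path = is_string($raw) ? resolve_download($raw) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}
```

With the hardened form, a request for c.php or a path to config.inc.php resolves to nothing inside the download directory and gets a 404 instead of the file's source.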


