Billu_b0x Walkthrough

Hi Guys,
So this Friday I thought of solving a machine to kill time and got Billu-B0x from Vulnhub by Manish Kishan Tanwar. I immediately downloaded it and started to explore it.

The machine's description said that I had to break into the machine through the web application and then escalate privileges to root.

As soon as I booted the machine I ran nmap and found only 2 ports open.


Since I saw port 80 was open, I tried to access it through a web browser and found a login page. I had to perform SQL injection.


I tried all the tricks in the book, but this authentication system didn't let me in, so I knew I had to try something else. I didn't know what to do. I ran dirb on the site.



I also ran dirb with big.txt as the wordlist, and it gave a lot of information: it showed that the phpmyadmin setup files were saved on the server.


Using this information I tried to access the phpmyadmin page, but this also needed a password to log in. I tried the default username and password.
username = root
password = <blank>
It didn't work.


Back to square 1. I reached out to Martijn Weterings for help. He helped me and guided me from here on. When I ran dirb I got add, show and test files on the server. I tried to access it but was not able to, as it gave me an error for a file parameter.


Martijn told me to use the curl command to get read access to the server, which I didn't know I could do. So I took his advice to get a file. I chose the password file located at /etc/passwd.
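
The file read described above comes from an endpoint that returns whatever path its file parameter names. As an added example (not code from the machine or from this post; `resolve_download()` and the demo directory are hypothetical names), this is one way such a handler can confine the parameter to a single directory:

```php
<?php
// Added example: confine a user-supplied "file" parameter to one directory.
// resolve_download() and the demo directory are hypothetical, not from the VM.

function resolve_download(string $baseDir, string $requested): ?string
{
    // Reject empty input and NUL bytes outright.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate slashes,
    // and returns false when the target does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must still sit inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary directory holding one permitted file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.txt', "ok\n");

// Constructed inputs: one legitimate name, then absolute, traversal and missing paths.
$inputs = ['report.txt', '/etc/passwd', '../../../../etc/passwd', 'missing.txt'];
foreach ($inputs as $name) {
    $path = resolve_download($dir, $name);
    printf("%-26s => %s\n", $name, $path === null ? 'rejected' : 'served');
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($dir);
```

The check runs on the resolved path rather than on the raw string, so encoded or nested traversal sequences are handled by the same comparison.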


This made the job easier for me. I accessed index.php using the same command. I got to know 2 things. First, that it includes 2 files:
c.php
head.php


Second, that for login authentication it was using the auth table in the database.


I immediately opened the c.php file and found the username for the phpmyadmin page.


But then I thought, why not just get the username and password of root from the config file of phpmyadmin instead of uploading a shell and taking a reverse shell (lazy to work), as I have access to the setup files of phpmyadmin. So I accessed config.inc.php in the /var/www/phpmy/ directory.


I got the username and password; now it's time to check whether it works or not. I knew that the SSH port was open, so I tried connecting through it.


Voila!!! I got root access. Work done.
Thank you Manish and Vulnhub for the machine.
Thank you Martijn for helping out.

Leave your comments, queries, and suggestions on how I can improve.

Comments

  1. Very nice writeup. I too learned the method of using curl

  2. Nicely written. In my view it was quite a bit easier than expected. He shouldn't have configured mysql with root.

  3. How do you know the IP address?

    Replies
    1. Run the ifconfig command on your Pentest Machine (i.e. Kali) to find out your IP Address (e.g. 192.168.22.123)

      Then run the arp-scan command:
      arp-scan 192.168.22.0/24

      This will give a (possible) list of entries of different IP addresses in your subnet - one of which should be the billu b0x IP Address :D
