Pentestit Lab v11 - CUPS Token 5


In this lab we will use the Main Office access to attack the CUPS server at IP 172.16.0.14, using credentials found in the previous lab. For this and the previous labs to work, you need an SSH connection and a live OpenVPN connection to Office2:

- ssh -L 3389:192.168.13.1:3389 -i tech.key tech@192.168.101.11 -p2222

- ./openvpn_brute_force.sh starwars_lst Office-2.conf





An nmap scan reveals only two open ports: TCP/80 and TCP/22. Visiting 172.16.0.14:80 in our web browser, we find an admin panel with a username and password prompt. We are unable to log in because it is protected by htaccess, and a brute-force attack would be time-consuming without a definite username.





The Local Storage tab gives us a login prompt which, to my surprise, is bypassed by a simple SQL injection with the username admin and the password admin' or 1=1 --. We scroll through the Local Storage page on the CUPS server, and one image stands out because it has a string as a name.



We decode the string and get our CUPS token.



At the bottom of the page is a picture of an SSH key for user Morgan, which we collect for possible future use.

