When I run the first sqlmap script as specified in the walkthrough, including the PHPSESSID from the browser, it finishes fine. When I run the second command, which just adds ‘--os-shell’ to the last script, it gets to “Testing if user is DBA” and then times out. I’ve tried it many times with different cookies, and I updated my sqlmap, but it still doesn’t work (it should bring up a shell). Any thoughts?
Instead of doing all of that you can ssh to the machine with the first user and password and then escalate privileges
Had the same issue.
I fixed it, there was a lock on Create Table, now it works!
@JanDuinkerken said:
> Instead of doing all of that you can ssh to the machine with the first user and password and then escalate privileges
I’ve been having so much trouble keeping access to this machine that I’ve been wondering if that’s kind of the point—are we meant to be so frustrated by the guide that we explore other options ourselves? If that’s the case I can see the point… But as a total noob it’s tough!
Anyway I like the idea of using ssh instead; I noticed that I can cd around more that way which seems potentially very useful, but I’m struggling with the next step (I don’t think I’ve found any useful information inside of files yet, so I think I need to get better at this).
After doing the ssh you can jump to the part of privilege escalation from the walk-through, in the directory stated there you can get another username and password that you can ssh into, and then you just need to keep following the guide
@stevebytheway said:
> I’ve been having so much trouble keeping access to this machine that I’ve been wondering if that’s kind of the point—are we meant to be so frustrated by the guide that we explore other options ourselves? If that’s the case I can see the point… But as a total noob it’s tough!
Good point. I’m also starting to believe that this is the lesson to be learned with Vaccine.
What password do I use for ssh? I’ve tried everything starting from megacorp, also tried the ftp pass as well as the login pass for admin…
PS: I was once able to connect to the server magically with sqlmap but it just doesn’t happen again.
BTW, did anyone have this problem where, after I try a cookie with sqlmap for os-shell, I can’t open the website anymore until I flush that cookie from the browser?
This machine always gets stuck after the --os-shell command. A friend said he fixed it, but if the machine is reset, it goes back to its original state: stuck on that command.
So, if you want to exploit this machine, change your mindset and look for an SSH Brute Force. We have found some users and passwords up to this point. One of them really works fine. Think about exploring with that collected data. Once inside the machine by SSH BForce, go to the PrivEsc movement. Cya!