Let's move on to, uh, another method of gathering information from
our target host. So we saw that we were running a MySQL database
as part of the scan I shot. Could just see that easier
go back to services.
It's thinking about it.
The services that are closed are showing up.
So what up again? I will try my command line option.
I can say services -u. That just shows me the ones that are up.
MySQL. Here we go.
And it automatically came back and did the banner grab and showed me my version number. But I could also try to get this in different ways. For instance, I could
do a search for MySQL, see what's available.
Something simple, like the version number. Here we go.
auxiliary/scanner/mysql/mysql_version.
All right, Mouse is misbehaving a little bit there.
I already have this information, just proving the point that it actually does work
as a standalone tool. My RHOST value is set
and I can just run exploit.
All right, good. It matches up: 5.0.51a.
I've got other things to liken. There's an excellent, uh,
exploit for MySQL. Payload.
There's lots of other things to think about here,
Generic queries. So trying to do some kind of arbitrary query on a system, trying to log into the MySQL instance. If you could gather credentials for that, that would be a good
So you have other options inside for things like databases. So we know we also have a Postgres database on this system,
so I can do a search for Postgres.
I want to gather some more information about that database.
Should give me a bunch of things to consider.
All right. So I've got some
modules here. Also have some scanners,
so I could start with something simple, like the version. Even though I have this information, just proving that you can get it in other ways.
And I want to use postgres_version.
now. I already know what the password is, so I could set that here,
and I think I will so set password
I can run the exploit and see what it gives me.
So I get a really nice, detailed bit of information about,
uh, this particular database.
Uh, let's see if I can do a hash dump
now. It's only gonna
probably give me the
well, not probably, it will give me the hashes of passwords that I'm allowed to see with my privilege level.
So let's see what that gets us.
Show my options again. Always get in the habit of doing this so you don't leave something out. All right, again, I can see that I want to set my password.
This is the danger of having default configurations.
This system could be running for years like this without anybody knowing that this default password is a big vulnerability.
All right, so now I've been able to get the hash
for the postgres user.
What else can I get since I have credentials,
uh, schema dump? That looks interesting. We'll see if that works.
I know what the schema looks like, now I can
certainly have more opportunities for
interacting with that database, changing it or doing other things which may be
to the advantage of the pentester.
All right again, I have to set my password.
Everything else looks to be correct,
so I'll run the exploit.
All right. So ridiculous schema about that. Looks like the database is just very simple. Maybe one table or something. Very basic. If it was more complicated, then I would see more tables being shown,
but you get some idea of what's possible here.