**UPDATE 5/5/2021**

Since I have more experience and another chance to visit this room, I'll update a lot of things in my walkthrough.

This is the list of major points:

  • More manual SQL injection queries for testing
  • SQL injection with sqlmap
  • Port forwarding (an alternative to SSH tunneling)
  • Non-Metasploit method

[Initial Enumeration]

  1. Port scan

There are 2 open ports: 22 and 80.

  2. OS and service scan

There are 2 services:

  • 22/tcp ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
  • 80/tcp http Apache httpd 2.4.18 ((Ubuntu))

The OS is Linux.

  3. Vulnerability scan

[Service Enumeration]

  1. SSH

Connect to the service.

I can connect, and there's no banner.

  2. HTTP

Nikto scan

Find directories

Access HTTP Site

View page source

After opening the site, there's only a login form, which I may be able to exploit.

Access "/images": nothing.

Access "/portal.php": it redirected me back to the index page.

[Exploitation]

  1. Bypass login

I'll do manual SQLi.

I put these in both the username and password fields.

Failed with the "Incorrect Login" message:

Succeeded with:

I’m redirected to portal.php
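To show why the login form could be bypassed at all, here is an added example (mine, not code from the room or from the original post) that models a login check the way a vulnerable PHP page typically does it, next to the parameterized version that closes the hole. The table layout (users with username and pwd) follows what the enumeration found; the data, the SHA-256 hashing and the tautology input are constructed for the demo.

```python
import hashlib
import sqlite3

# Constructed sample row standing in for the room's 'users' table
# (columns 'username' and 'pwd'); the password and hash scheme are assumptions.
SAMPLE_USERS = [
    ("agent47", hashlib.sha256(b"example-password").hexdigest()),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, so a quote in the input
    ends the literal and the rest of the input becomes SQL syntax.
    Hashing the password does not help: the injection sits in the
    username field. Returns the matched username or None."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pwd = '" + pwd_hash + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from
    the statement text, so the input is only ever treated as data."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, pwd_hash),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs the same constructed inputs through both versions."""
    conn = make_db()
    # Constructed tautology input: closes the quote, makes the WHERE clause
    # always true, and comments out the password check.
    tautology = "' OR 1=1 -- "
    return {
        "vulnerable_bypassed": login_vulnerable(conn, tautology, "anything"),
        "safe_bypassed": login_safe(conn, tautology, "anything"),
        "safe_valid": login_safe(conn, "agent47", "example-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function returns the first user even though no password matched, while the parameterized one returns nothing for the same input and still accepts the real credential. Hashing, input length limits or a client-side check would not have changed that outcome; only keeping data out of the statement text does.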

An alternative is to use sqlmap; however, it's very slow (in my opinion).

Supplying input

Intercept the request with Burp Suite and save it as login-request.txt.

Run sqlmap to get the current database.

The database is ‘db’.

Get tables

I have tables: post and users.

Get the columns from the users table.

I have pwd and username.

Dump all data

From the result, you can crack the hash with CrackStation and use it to log in, the same as in #2.

  2. SQLi in portal.php

Test the injection

The failed one:

There's an error. This is error-based SQLi.

The succeeded one:

There aren’t any errors. I probably proceeded the right way.

Find the number of columns

Error!!!

Error!!!

Success!!!

Get table name

There are 2 tables: post and users.

Get column name from table “username”

There are 2 columns: username and pwd.

Get data from table “users”

Crack the hash with crackstation.

You can also use sqlmap in this case.

Now that I have a credential, let's use it on SSH.
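Both the manual column-counting probes above and a sqlmap run leave a very recognizable trail in the web server's access log. The following is an added example of mine (not from the room or the original post) that scans Apache combined-format log lines for union/tautology/comment patterns in the decoded request target and for scanner user agents. The log lines, the q parameter and the sqlmap version string are constructed.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns applied to the URL-decoded path and query string.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("tautology", re.compile(r"'\s*or\s+['\d]", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)")),
    ("schema-probe", re.compile(r"information_schema|group_concat|load_file", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
]
TOOL_UA = re.compile(r"sqlmap|havij", re.I)

# Constructed sample log: one clean search, two injection probes,
# a sqlmap request identified by its user agent, and an unrelated hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2021:10:00:01 +0000] "GET /portal.php?q=test HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/May/2021:10:00:05 +0000] "GET /portal.php?q=test%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/May/2021:10:00:07 +0000] "GET /portal.php?q=%27+OR+1%3D1--+- HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/May/2021:10:00:09 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "sqlmap/1.5#stable (https://sqlmap.org)"',
    '192.0.2.11 - - [05/May/2021:10:01:00 +0000] "GET /images/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def analyze(line):
    """Parses one log line and returns the client IP, the decoded target and
    the list of detection reasons (empty when nothing matched)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))
    reasons = [name for name, pat in SQLI_PATTERNS if pat.search(target)]
    if TOOL_UA.search(m.group("ua")):
        reasons.append("scanner-user-agent")
    return {"ip": m.group("ip"), "target": target, "reasons": reasons}


def suspicious_requests(lines):
    """Keeps only the parsed lines that triggered at least one reason."""
    return [r for r in map(analyze, lines) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["reasons"], hit["target"])
```

Decoding before matching matters: the probes arrive percent-encoded, so a pattern applied to the raw line misses them. The user-agent check catches a default sqlmap run even when its individual requests look harmless; a changed user agent defeats it, which is why the payload patterns are kept as well.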

[Privilege escalation]

  1. Search for interesting files in these directories:

There's a webmin directory in /var, which I can't access.

Try to log in as root.

Failed!!!

  2. Sudo

I can't run sudo.

Verify CVE-2019-18634.

The version number is less than 1.8.26.

Buffer overflow test to verify it:

I can't use this CVE.

  3. LinEnum.sh

Prepare the attacker machine as an HTTP server.

On the victim machine, download LinEnum.sh.

Change the permissions and run the script.

Here’s the one that got my attention.

lxd group

Port 10000 is open
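The two findings that LinEnum surfaced here (membership of the lxd group and a service listening on port 10000) are exactly the kind of thing a host audit should flag before an attacker does. This is an added example of mine, not from the room or from LinEnum, that checks a group file for members of root-equivalent groups and a socket listing for services bound only to loopback, which are reachable by every local user and by anyone who can forward a port through SSH. The group file and the socket table are constructed in the style of /etc/group and ss -tln output; the second section of the post, which tunnels to port 10000, is the scenario this check is meant to catch early.

```python
# Groups whose membership is effectively root-equivalent on a typical Linux host.
HIGH_RISK_GROUPS = {
    "lxd": "can launch privileged containers that mount the host filesystem",
    "docker": "can run containers that mount the host filesystem",
    "sudo": "may run commands as root",
    "disk": "raw read/write access to block devices",
}

# Constructed /etc/group content (name:password:gid:member,member).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:
lxd:x:110:agent47
www-data:x:33:
"""

# Constructed listing in the shape of `ss -tln` output.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:10000   0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
LISTEN 0      128    *:80              *:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def risky_group_members(group_text):
    """Returns (user, group, why) for every member of a high-risk group."""
    findings = []
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _password, _gid, members = line.split(":", 3)
        if name in HIGH_RISK_GROUPS and members:
            for user in members.split(","):
                findings.append((user, name, HIGH_RISK_GROUPS[name]))
    return findings


def loopback_only_listeners(ss_text):
    """Returns the TCP ports that only listen on a loopback address."""
    ports = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        if addr in LOOPBACK:
            ports.append(int(port))
    return ports


def audit(group_text, ss_text):
    """Combines both checks into one report dictionary."""
    return {
        "risky_members": risky_group_members(group_text),
        "loopback_services": loopback_only_listeners(ss_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_GROUP_FILE, SAMPLE_LISTENERS)
    for user, group, why in report["risky_members"]:
        print(f"{user} is in {group}: {why}")
    for port in report["loopback_services"]:
        print(f"port {port} listens on loopback only; local users can still reach it")
```

On a real host the two inputs come from /etc/group and from `ss -tln` (or `getent group` and `netstat -tln` on older systems). The remediation the audit points at is straightforward: take unprivileged users out of lxd and similar groups, and treat a loopback-only admin panel as fully exposed to local accounts, so it still needs patching and strong authentication.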

  4. lxd privilege escalation

On the attacker machine, prepare the image file.

On the victim machine, download the image file.

Import the image.

Verify the import.

Get a root shell.

Explore the root directory.

  5. Port 10000

Verify what socket connections are running.

Back on the attacker machine, create a reverse SSH tunnel.

Combining the result from directory enumeration with the open port 10000, it's possible that a webmin service is running internally.

Access the site from our machine.

An alternative way is to use port forwarding.

Back on the attacker machine, start the ssh service.

On the victim machine, forward port 10000 to the attacker machine.

Access the site.

Try to log in using the credential of agent47.

It’s webmin version 1.580.

  6. Search for exploits

There's a Metasploit module.

  7. Exploit with Metasploit

No session was created; I need to set LHOST.

I'm root.

  8. Alternative to Metasploit

Searching with Google, I came across this script.

Clone the script.

Before running the script, create a listener on port 443.

Run the script.

Back on the listener, I now have a root shell.