Initial foothold

1. Network discovery

My target is 10.0.2.49.

2. Port scan

There is one filtered port, 22, and one open port, 80.

3. OS and service scan

There’s Apache httpd 2.4.38 on port 80.

4. Vuln scan

Nothing.

Service Enumeration

HTTP service

1. Nikto scan

2. Directory scan

3. Access HTTP site

/index.php

/display.php

/search.php -> possible SQL injection

/manage.php -> possible SQL injection

It’s funny that when I accessed session.php and logout.php, I was redirected to manage.php with an admin session.

Conclusion:

There are two possible SQLi vulnerabilities to test, in search.php and manage.php.

If you do very good reconnaissance and discover that logout.php redirects to manage.php with an admin session, it will save a lot of time. However, I will demonstrate how to test for SQLi starting from search.php.

Exploitation

1. Supply an input

2. Intercept w/ Burp Suite

3. Send it to Intruder

In the right panel -> Clear §

Double-click “test” and click “Add §” in the right panel

Set up the payload list. This list is based on my experience; I have already uploaded it to GitHub.

Here’s my GitHub link.

Start the attack. Here’s the result. In this case, you will see the difference in response length. Let’s check it out.

Test the payload. I will use:

Here’s the result.

4. Next, test a UNION query to find the number of columns

Change the value to:

Add § around “1”

Load the payload

Here’s the GitHub link.

Start the attack; the column count is six.

Test the payload

Succeeded!!!

5. Find the version, hostname, current database

Note it.

6. Get other databases

I don't get any results.

Fix it by changing the comment sequence according to the Intruder attack result.

I will change from:

Here’s the new query:

Result.

Note it.

7. “Staff” schema

Get table name

Note it

Get columns

Note it

Get data

Note it

Crack the hash w/ CrackStation

8. “users” schema

Get tables

Get columns

Get data

View page source

Copy, organize and save it as raw.txt

Extract only usernames and save as users.txt

Extract only passwords and save as passwords.txt

Conclusion:

This database has a data structure like this (Database -> Tables -> Columns):

  • Staff -> StaffDetails, Users -> UserID, Username, Password

    Data: crack the hash -> transorbital1

  • users -> UsersDetails -> id, firstname, lastname, username, password, reg_date

    Data is saved as raw.txt

9. Searching for an exploit in manage.php

You will see the “File does not exist” string. I bet this is a hint about LFI.

View page source, nothing much.

I will find the parameter w/ wfuzz, but first I need to intercept the page request and copy the Cookie value.

Fuzz w/ wfuzz

You will see that there are many unrelated results, and their length value is 100.

Hide the results whose value is 100 by supplying “--hw 100” (wfuzz's --hw filters on the word count of the response).

Nothing.

Change index.php to “../../../../../etc/passwd”

Now I get a result.

Test the parameter

Comparing them w/ the credentials from raw.txt, I may be able to use these to log in, but SSH is filtered. The likely explanation is that there is a port-knocking function.

The typical port-knocking configuration is located in:

Supply it via the LFI. There’s a result.

View the page source to identify the sequence more easily.

10. Open the filtered port by using the sequence from the result.

Test the SSH connection; now I can connect to the SSH service.

11. Brute-force the credentials.

I got 3 credentials.

Privilege Escalation

1. I will start w/ janitor

Lucky me, I found a hidden directory.

Now I got another set of passwords.

Save it as janitor_password.txt

2. Another round of SSH brute-forcing.

Starting from “fredf”, log in to the SSH service.

I can run this binary.

Test the command

Test the usage

Next, I will append another user w/ a password to /etc/passwd

Create password

Add the data as shown in the screenshot.

Append it to /etc/passwd

Verify /etc/passwd

Now I got “newuser”.

Log in as the new user

Now I got the flag.
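As an added defender's check, not part of this writeup: a small Python audit that flags the kind of /etc/passwd entry the privilege-escalation step above creates (a hash stored directly in the password field, a second UID 0 account, or a duplicate name). The sample file content below is constructed; the "newuser" line and its hash value are placeholders.

```python
from collections import Counter

# Constructed sample /etc/passwd content. The last line mimics an entry
# appended by an attacker: a crypt hash in the password field plus UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
janitor:x:1001:1001:,,,:/home/janitor:/bin/bash
fredf:x:1002:1002:,,,:/home/fredf:/bin/bash
newuser:$1$salt$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""

SHADOWED = {"x", "*", "!", "!!"}  # values meaning "look in /etc/shadow" or locked


def audit_passwd(text):
    """Return a list of (name, reason) findings for suspicious passwd entries."""
    findings = []
    names = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        names[name] += 1
        if pw == "":
            findings.append((name, "empty password field (no password required)"))
        elif pw not in SHADOWED:
            # A hash here bypasses /etc/shadow and is the trace of a passwd append.
            findings.append((name, "password field is not shadowed"))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((name, "non-numeric UID or GID"))
        elif uid == "0" and name != "root":
            findings.append((name, "UID 0 account that is not root"))
    for name, count in names.items():
        if count > 1:
            findings.append((name, "duplicate username"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

On a live host, feed it the real file with `audit_passwd(open("/etc/passwd").read())` and compare against the previous known-good copy from backups or a file-integrity tool.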