Siunam's Website

My personal website

Home About Blog Writeups Projects E-Portfolio

DC-9 | Aug 27, 2022

Background

The war wages onward

In this machine, I’m not using Offensive Security’s Proving Grounds Play to interact with this machine, as I have some trouble the VPN. Hence, I downloaded the virtual machine image and imported to my VMWare Workstation.

Service Enumeration

Since we don’t know the target machine’s IP yet, I’ll confirm my attacker machine IP and subnet:

Then, we can use nmap to do ping sweep:

Found the target machine’s IP: 192.168.183.129

Then, we can scan the machine for open ports via rustscan!

Rustscan Result:

According to rustscan result, we have 1 port is opened:

Ports Open Service
80 Apache httpd 2.4.38

HTTP on Port 80

In the search.php, it’s vulnerable to SQL Injection!

Since I’m practicing OSCP Exam environment, I’ll do this manually, as SQLMap is prohibited in OSCP Exam.

First, let’s test it suffers which type of SQL Injection, such as Union-based, Time-based, Error-based, etc.

Full SQL Query:

' UNION ALL SELECT 1,2,3,4,5,6-- -

Looks like it suffers Union-based SQL Injection!

Let’s enumerate the entire DBMS(Database Management System) via SQL Injection!

First, let’s find out which DBMS is running on the target machine!

' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,@@version-- -

We can confirm that the DBMS that the target machine’s running is MySQL.

Then, we can list the current database name:

' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,database()-- -

Next, we can list all database names:

' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,concat(schema_name) FROM information_schema.schemata-- -

Since database users seems to be interesting, let’s enumerate it’s tables first:

' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,concat(TABLE_NAME) FROM information_schema.TABLES WHERE table_schema='users'-- -

List database users’s column names:

' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,concat(column_name) FROM information_schema.COLUMNS WHERE TABLE_NAME='UserDetails'-- -

Hmm… username and password seems interesting, let’s retrieve their data:

' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,concat(username,0x3a,password) FROM users.UserDetails-- -

Note: 0x3a means :.

Credentials:

marym:3kfs86sfd
julied:468sfdfsd2
fredf:4sfd87sfd1
barneyr:RocksOff
tomc:TC&TheBoyz
jerrym:B8m#48sd
wilmaf:Pebbles
bettyr:BamBam01
chandlerb:UrAG0D!
joeyt:Passw0rd
rachelg:yN72#dsd
rossg:ILoveRachel
monicag:3248dsds7s
phoebeb:smellycats
scoots:YR3BVxxxw87
janitor:Ilovepeepee
janitor2:Hawaii-Five-0

In the manage.php, there is a login form:

I’ll use hydra to do password spraying:

userlist.txt:

marym
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2

passlist.txt:

3kfs86sfd
468sfdfsd2
4sfd87sfd1
RocksOff
TC&TheBoyz
B8m#48sd
Pebbles
BamBam01
UrAG0D!
Passw0rd
yN72#dsd
ILoveRachel
3248dsds7s
smellycats
YR3BVxxxw87
Ilovepeepee
Hawaii-Five-0

Nothing?? Alright, I should missed something at the beginning. I’ll scan the target machine again in order to prevent missing some important ports:

According to rustscan result, we have 2 ports are opened:

Ports Open Service
22 OpenSSH 7.9p1 Debian
80 Apache httpd 2.4.38

Hmm… I missed the SSH port!

Now, let’s password spraying to SSH then.

After I rooted this machine, I found that there is a Local File Inclusion(LFI) vulnerability in welcome.php, and I found that it has a “port knocking”. You can do it when you enumerated the Staff database.

The SSH port will be open when we “knocked” port 7469,8475,9842. To do so, we can use the knock command:

So I wasn’t missed the SSH port, but missed the LFI part, and my rustscan accidentally “knocked” those ports, thus SSH port was opened when I scan the machine again.

Initial Foothold

Password Spraying to SSH:

Let’s ssh into them!

Privilege Escalation

janitor to fredf

In /var/www/html/config.php, we can find there is a MySQL credentials:

Let’s find out what the database Staff has!

Seems like it’s a hash! Let’s use crackstation to crack it:

Nothing after logged in as admin in manage.php.

In the /opt directory, there are 2 uncommon directories:devstuff, scripts:

We can only access devstuff, so let’s check it out:

Let’s look at test.py:

So, this python script allows me to read a file, then output to a file. Just like cp in Linux:

Hmm… Not useful for privilege escalation.

Okay. Take a step back. Since we found 3 users that we can login to ssh, we should really enumerate their home directory, as all home directory are not world-readable.

Let’s login to joeyt first:

Nothing in joeyt.

How about janitor?

Found .secrets-for-putin hidden directory!!

Password spraying again!

Found user fredf credentials!

Let’s Switch User to fredf:

fredf to root

Sudo Permission:

User fredf is able to run /opt/devstuff/dist/test/test as root!

This time however, we can escalate to root! Since we have root privilege to overwrite /etc/passwd!

And we’re root! :D

Rooted

theflag.txt:

Conclusion

What we’ve learned:

  1. MySQL Union-based SQL Injection
  2. Local File Inclusion
  3. Port Knocking
  4. Password Spraying
  5. Privilege Escalation via Cleartext Crendentials
  6. Privilege Escalation via Misconfigured Sudo Permission